Skip to main content

Hello all.

I am working on getting a project to upgrade Macs to Ventura (or Monterey if they wont support Ventura) and I am having trouble. I have reviewed a number of posts on Jamf Nation and setup what others seem to mention works. However, I am not able to get it working and I am hoping someone can help me understand what I am missing. Intel Macs update w/o issue but M1s will not update and error with the "must be volume owner" error.

I have created a policy to install, erase-install and dialog packages, and then start the erase-install with the --reinstall --current-user --depnotify switches using dialog as the prompt. The notification pops up to start the update then I get the error regarding volume owner.

 

I also reviewed the Apple document https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web and it appears our keys are escrowed. We do bind our Macs and use mobile accounts and I am wondering if that is the issue.I am by no means a Mac or Jamf expert and have been stumped by this. I have seen others use Nudge as well, and I don't care what we use just as long as our mobile accounts can update/upgrade.

 

Can anyone confirm they have been able to use-this process for M1 updates or if I have to use a local account for updates?

 

Any help is greatly appreciated.

Thanks,

Matt

 

You might need to add a couple of flags to your command.  here's my command, which has successfully upgraded M1 and Intel systems:

/Library/Management/erase-install/erase-install.sh --reinstall --os=13 --update --min-drive-space=60 --current-user --check-power --depnotify --cleanup-after-use

You might also want to doublecheck and ensure the user account you're logged in as has a securetoken, and is part of the volume owner group.  My guess?  The user account doesnt have a securetoken.

You might need to add a couple of flags to your command.  here's my command, which has successfully upgraded M1 and Intel systems:

/Library/Management/erase-install/erase-install.sh --reinstall --os=13 --update --min-drive-space=60 --current-user --check-power --depnotify --cleanup-after-use

You might also want to doublecheck and ensure the user account you're logged in as has a securetoken, and is part of the volume owner group.  My guess?  The user account doesnt have a securetoken.


Agreed. I am just having trouble assigning a secure token. I will try another macbook. Thanks for the info.

What result do you get if you run sudo fdesetup list in Terminal?  Is the user account you're logged in as listed?  What result do you get if you also run this command sysadminctl interactive -secureTokenStatus 'username' (replace 'username' with the username of the account you're checking.  You should get something back like this:

Secure token is ENABLED for user  'username'

OR

Secure token is DISABLED for user 'username'

Yep that is it. For some reason my test macbook will not display the status but another one will. Thanks!

There was also a bug that if you enrolled m1s with a recovery password, that there was no volume owner listed.  We have about 30-40 of these that we imaged before we found the issue.  Seems we have to wipe them since the user cannot approve the install.

Reply


Terms & ConditionsCookie settings