Posted on 12-08-2022 11:22 AM
Hello all.
I am working on getting a project to upgrade Macs to Ventura (or Monterey if they won't support Ventura) and I am having trouble. I have reviewed a number of posts on Jamf Nation and set up what others seem to mention works. However, I am not able to get it working and I am hoping someone can help me understand what I am missing. Intel Macs update w/o issue but M1s will not update and error with the "must be volume owner" error.
I have created a policy to install, erase-install and dialog packages, and then start the erase-install with the --reinstall --current-user --depnotify switches using dialog as the prompt. The notification pops up to start the update then I get the error regarding volume owner.
I also reviewed the Apple document https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web and it appears our keys are escrowed. We do bind our Macs and use mobile accounts and I am wondering if that is the issue. I am by no means a Mac or Jamf expert and have been stumped by this. I have seen others use Nudge as well, and I don't care what we use just as long as our mobile accounts can update/upgrade.
Can anyone confirm they have been able to use this process for M1 updates or if I have to use a local account for updates?
Any help is greatly appreciated.
Thanks,
Matt
Posted on 12-08-2022 12:10 PM
You might need to add a couple of flags to your command. Here's my command, which has successfully upgraded M1 and Intel systems:
/Library/Management/erase-install/erase-install.sh --reinstall --os=13 --update --min-drive-space=60 --current-user --check-power --depnotify --cleanup-after-use
You might also want to double-check and ensure the user account you're logged in as has a securetoken, and is part of the volume owner group. My guess? The user account doesn't have a securetoken.
Posted on 12-08-2022 12:52 PM
Agreed. I am just having trouble assigning a secure token. I will try another MacBook. Thanks for the info.
Posted on 12-08-2022 01:33 PM
What result do you get if you run sudo fdesetup list in Terminal? Is the user account you're logged in as listed? What result do you get if you also run this command: sysadminctl interactive -secureTokenStatus 'username' (replace 'username' with the username of the account you're checking)? You should get something back like this:
Secure token is ENABLED for user 'username'
OR
Secure token is DISABLED for user 'username'
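The checks suggested in this reply, written as a pre-flight script that could run before erase-install (an added example, not part of the original thread). The function names are hypothetical, and the layout of the `diskutil apfs listUsers /` output is assumed to match the constructed sample shown in the block.

```shell
#!/bin/sh
# Added example: confirm an account has a secure token and is a volume owner.
# The parsers take command output as text so they can be exercised offline.

# Return 0 if sysadminctl's status line reports an enabled secure token.
token_enabled() {
    case "$1" in
        *"Secure token is ENABLED for user"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if GeneratedUID $1 is listed in `diskutil apfs listUsers /`
# output ($2) with "Volume Owner: Yes" (output layout is an assumption).
is_volume_owner() {
    printf '%s\n' "$2" | awk -v uid="$1" '
        /^\+-- /            { cur = $2 }
        /Volume Owner: Yes/ { if (cur == uid) found = 1 }
        END                 { exit (found ? 0 : 1) }'
}

# Run the real checks for one account (macOS only).
# sysadminctl writes its status line to stderr, hence 2>&1.
preflight() {
    user="$1"
    status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    uid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')
    owners=$(diskutil apfs listUsers /)
    token_enabled "$status" || { echo "$user: no secure token"; return 1; }
    is_volume_owner "$uid" "$owners" || { echo "$user: not a volume owner"; return 1; }
    echo "$user: OK to run erase-install"
}

# Constructed sample output for offline testing (UUIDs are made up).
SAMPLE_OWNERS='Cryptographic users for disk3s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
|   Type: Local Open Directory User
|   Volume Owner: No'
```

On a Mac, call `preflight "$(stat -f%Su /dev/console)"` to check the logged-in user and skip the upgrade prompt when it returns non-zero.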
Posted on 12-08-2022 01:54 PM
Yep, that is it. For some reason my test MacBook will not display the status but another one will. Thanks!
Posted on 01-04-2023 12:19 PM
There was also a bug where, if you enrolled M1s with a recovery password, there was no volume owner listed. We have about 30-40 of these that we imaged before we found the issue. Seems we have to wipe them since the user cannot approve the install.