Help

Updating Mac OS to Monterey via Policy Script

JSKeller
New Contributor III

Posted on ‎12-23-2021 09:17 AM

Hi everyone,

I'm currently trying to run an OS update to my environment for mostly M1 Macs that is supposed to allow my users to upgrade their machines to Monterey (as standard users) through Self Service. I'm trying to avoid the user's installing the update themselves since currently they cannot. Filevault 2 is enabled, and if users attempt to update to Monterey themselves, the error comes up that "You must provide authorization for this volume by setting it as your startup disk." I'm currently testing a Policy that contains two policies:

1. softwareupdate --fetch-full-installer --full-installer-version 12.0.1 command to grab Monterey. This first one is working fine.

2. I then have a second script set to run after this as follows:

echo "adminpassword" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --nointeraction --agreetolicense --user My\ IT --stdinpass

Yes, my admin username (changed here to a generic example) has a space in it. It gets applied during Prestage Enrollment. Does this matter? The error coming up at the moment in the policy logs is:

Script result: Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt. Error running script: return code was 7.

If I attempt to create a local admin without spaces, I get nothing but:

Error running script: return code was 18.

I'm a bit novice with Jamf so any help would be appreciated! Please let me know if I can provide more info!

Reply
13 REPLIES 13

ljcacioppo
Contributor III

Posted on ‎12-23-2021 11:11 AM

Your "My IT" username. Is that the Full Name of the account or the short name? If you run this:

dscl . list /Users


does "My IT" show up here or is there a different short name like "myit" as typically short names dont have spaces

Reply

JSKeller
New Contributor III
In response to ljcacioppo

‎12-23-2021 11:19 AM - edited ‎12-23-2021 11:20 AM

My IT does appear to be the full username. I don't believe there is a shortname. When I ran the command you suggested it appeared exactly as is, with the space in it. I don't know that its technically a separate account, but rather an IT login we set up in Prestage. Do I need to create an admin account that does not have a space for this to work?

0 Kudos
Reply

ljcacioppo
Contributor III
In response to JSKeller

Posted on ‎12-23-2021 11:20 AM

I'm not positive, as I haven't seen a space in a username before. I passthrough a username in quotes though. Have you tried "My IT" instead of using the escape to see if that fares any better?

0 Kudos
Reply

ljcacioppo
Contributor III
In response to ljcacioppo

Posted on ‎12-23-2021 11:24 AM

Similarly, instead of passing through your credentials in the script, which I would recommend against for that generic account, you can use something like erase-install (despite the name, you can use to upgrade without erasing) where users can get prompted for their credentials to pass through to upgrade

Standard users can authenticate for that as long as they are seen to have volume ownership. They do not need to be admins to upgrade to Monterey. We're having standard users upgrade this way.
https://github.com/grahampugh/erase-install

Reply

daniel_ross
Contributor III
In response to ljcacioppo

Posted on ‎01-10-2022 05:31 PM

@JSKeller for sure try what @ljcacioppo is sharing as it works great for our admin and if I'm not mistaken admin users as we've been using this for about a year now.  Absolutely a game changer!

0 Kudos
Reply

JSKeller
New Contributor III
In response to daniel_ross

Posted on ‎01-11-2022 08:02 AM

Thanks for the suggestion! I'll give it a try next time I get my hands on a test machine. I'm currently navigating around things but quietly deploying the get-latest-installer script in the background and then suggesting that users run this update after activating the temporary admin script that is also set up. It's another click or two, but not beyond them to complete fairly easily.

0 Kudos
Reply

mowtnmn
New Contributor II
In response to ljcacioppo

Posted on ‎02-09-2023 07:52 AM

Hi @ljcacioppo - sorry for bringing up an old thread but how can I use this script without erasing peoples drives? I simply want to use it for an upgrade.

0 Kudos
Reply

ljcacioppo
Contributor III
In response to mowtnmn

Posted on ‎02-09-2023 08:15 AM

It is possible to just use for upgrades. Here is the documentation from the erase-install GitHub that talks about what flags to use for upgrading:

https://github.com/grahampugh/erase-install/wiki/4.-Upgrading-macOS

The entire wiki is a good place to find a lot of information around usage for it.

0 Kudos
Reply

mowtnmn
New Contributor II
In response to ljcacioppo

Posted on ‎02-09-2023 08:33 AM

This is great. Thank you.

0 Kudos
Reply

JSKeller
New Contributor III
In response to ljcacioppo

Posted on ‎12-23-2021 11:28 AM

Adding quotations returns "error running script: return code was 18" again.

0 Kudos
Reply

JSKeller
New Contributor III
In response to JSKeller

Posted on ‎12-27-2021 09:37 AM

I appreciate the suggestion, btw. I do have a bit of a cumbersome workaround for now, which is essentially to allow users to download the installer, run a temp admin script to make them admins for 30 minutes, then install the update. I'm reaching out to Jamf support to see if there is a better way to get this done.

0 Kudos
Reply

lstrehlau
New Contributor II

Posted on ‎12-08-2022 08:05 AM

This is also an issue for us with student laptops in my district. And they are not volume owners so I don't think

erase-install will work for us. I'm working with Jamf support to come up with another option, but we haven't succeeded so far. 

0 Kudos
Reply

lstrehlau
New Contributor II

Posted on ‎02-09-2023 08:19 AM

Just to update: I actually did get erase-install working here! I had a config profile restricting .dmg. Once I removed that it ran the update!

 

0 Kudos
Reply