Updating Mac OS to Monterey via Policy Script

JSKeller
New Contributor III

Hi everyone,

I'm currently trying to run an OS update to my environment for mostly M1 Macs that is supposed to allow my users to upgrade their machines to Monterey (as standard users) through Self Service. I'm trying to avoid the users installing the update themselves since currently they cannot. FileVault 2 is enabled, and if users attempt to update to Monterey themselves, the error comes up that "You must provide authorization for this volume by setting it as your startup disk." I'm currently testing a Policy that contains two policies:

1. softwareupdate --fetch-full-installer --full-installer-version 12.0.1 command to grab Monterey. This first one is working fine.

2. I then have a second script set to run after this as follows:

echo "adminpassword" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --nointeraction --agreetolicense --user My\ IT --stdinpass

Yes, my admin username (changed here to a generic example) has a space in it. It gets applied during Prestage Enrollment. Does this matter? The error coming up at the moment in the policy logs is:

Script result: Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt. Error running script: return code was 7.

If I attempt to create a local admin without spaces, I get nothing but:

Error running script: return code was 18.

I'm a bit novice with Jamf so any help would be appreciated! Please let me know if I can provide more info!

13 REPLIES

ljcacioppo
Contributor III

Your "My IT" username. Is that the Full Name of the account or the short name? If you run this:

dscl . list /Users

does "My IT" show up here, or is there a different short name like "myit", as typically short names don't have spaces?

JSKeller
New Contributor III

My IT does appear to be the full username. I don't believe there is a shortname. When I ran the command you suggested it appeared exactly as is, with the space in it. I don't know that it's technically a separate account, but rather an IT login we set up in Prestage. Do I need to create an admin account that does not have a space for this to work?

I'm not positive, as I haven't seen a space in a username before. I pass through a username in quotes though. Have you tried "My IT" instead of using the escape to see if that fares any better?

Similarly, instead of passing through your credentials in the script, which I would recommend against for that generic account, you can use something like erase-install (despite the name, you can use it to upgrade without erasing) where users can get prompted for their credentials to pass through to upgrade.

Standard users can authenticate for that as long as they are seen to have volume ownership. They do not need to be admins to upgrade to Monterey. We're having standard users upgrade this way.
https://github.com/grahampugh/erase-install
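
Added example, not part of any post in this thread and not erase-install's own code: a pre-flight check for the volume-ownership requirement mentioned above, so a policy can stop before an upgrade attempt that cannot authorize. It assumes the account's GeneratedUID is what `diskutil apfs listUsers /` reports; the sample outputs and UUIDs are constructed, and the script name `preflight.sh` is hypothetical.

```bash
#!/bin/bash
# Constructed sample of `diskutil apfs listUsers /` output (UUIDs are made up).
SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    Type: Local Open Directory User
    Volume Owner: No'

# Constructed sample of `dscl . -read /Users/<shortname> GeneratedUID` output.
SAMPLE_DSCL='GeneratedUID: 11111111-2222-3333-4444-555555555555'

# Extract the UUID from the dscl output passed as $1.
parse_generated_uid() {
    printf '%s\n' "$1" | awk '$1 == "GeneratedUID:" { print $2; exit }'
}

# Return 0 if UUID $1 is listed as a volume owner in the listUsers text $2.
is_volume_owner() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /\+-- /         { cur = $NF }   # start of a new user entry
        /Volume Owner:/ { if (toupper(cur) == toupper(want) && $NF == "Yes") found = 1 }
        END             { exit (found ? 0 : 1) }'
}

# Combine both outputs into one verdict: owner / not-owner / no-such-user.
preflight() {
    uid=$(parse_generated_uid "$1")
    [ -n "$uid" ] || { echo "no-such-user"; return 2; }
    if is_volume_owner "$uid" "$2"; then
        echo "owner"
    else
        echo "not-owner"; return 1
    fi
}

# On a Mac, check the live system: ./preflight.sh <shortname>
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    preflight "$(dscl . -read "/Users/$1" GeneratedUID 2>/dev/null)" \
              "$(diskutil apfs listUsers /)"
fi
```

A `no-such-user` result for a name such as "My IT" indicates the value passed is not the account's record name, which is the short name question raised earlier in the thread.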

@JSKeller for sure try what @ljcacioppo is sharing as it works great for our admin and if I'm not mistaken admin users as we've been using this for about a year now. Absolutely a game changer!

JSKeller
New Contributor III

Thanks for the suggestion! I'll give it a try next time I get my hands on a test machine. I'm currently navigating around things but quietly deploying the get-latest-installer script in the background and then suggesting that users run this update after activating the temporary admin script that is also set up. It's another click or two, but not beyond them to complete fairly easily.

mowtnmn
New Contributor II

Hi @ljcacioppo - sorry for bringing up an old thread but how can I use this script without erasing people's drives? I simply want to use it for an upgrade.

It is possible to just use it for upgrades. Here is the documentation from the erase-install GitHub that talks about what flags to use for upgrading:

https://github.com/grahampugh/erase-install/wiki/4.-Upgrading-macOS

The entire wiki is a good place to find a lot of information around usage for it.

mowtnmn
New Contributor II

This is great. Thank you.

JSKeller
New Contributor III

Adding quotations returns "error running script: return code was 18" again.

JSKeller
New Contributor III

I appreciate the suggestion, btw. I do have a bit of a cumbersome workaround for now, which is essentially to allow users to download the installer, run a temp admin script to make them admins for 30 minutes, then install the update. I'm reaching out to Jamf support to see if there is a better way to get this done.

lstrehlau
New Contributor II

This is also an issue for us with student laptops in my district. And they are not volume owners so I don't think erase-install will work for us. I'm working with Jamf support to come up with another option, but we haven't succeeded so far.

lstrehlau
New Contributor II

Just to update: I actually did get erase-install working here! I had a config profile restricting .dmg. Once I removed that it ran the update!