Question

Updating Mac OS to Monterey via Policy Script



Hi everyone,

I'm currently trying to run an OS update to my environment for mostly M1 Macs that is supposed to allow my users to upgrade their machines to Monterey (as standard users) through Self Service. I'm trying to avoid the users installing the update themselves since currently they cannot. FileVault 2 is enabled, and if users attempt to update to Monterey themselves, the error comes up that "You must provide authorization for this volume by setting it as your startup disk." I'm currently testing a Policy that contains two policies:

1. softwareupdate --fetch-full-installer --full-installer-version 12.0.1 command to grab Monterey. This first one is working fine.

2. I then have a second script set to run after this as follows:

echo "adminpassword" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --nointeraction --agreetolicense --user My\ IT --stdinpass

Yes, my admin username (changed here to a generic example) has a space in it. It gets applied during Prestage Enrollment. Does this matter? The error coming up at the moment in the policy logs is:

Script result: Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt. Error running script: return code was 7.

If I attempt to create a local admin without spaces, I get nothing but:

Error running script: return code was 18.

I'm a bit novice with Jamf so any help would be appreciated! Please let me know if I can provide more info!

13 replies

ljcacioppo
  • Jamf Heroes
  • 183 replies
  • December 23, 2021

Your "My IT" username. Is that the Full Name of the account or the short name? If you run this:

dscl . list /Users


Does "My IT" show up here, or is there a different short name like "myit", as typically short names don't have spaces?


  • Author
  • Contributor
  • 16 replies
  • December 23, 2021
ljcacioppo wrote:

Your "My IT" username. Is that the Full Name of the account or the short name? If you run this:

dscl . list /Users


Does "My IT" show up here, or is there a different short name like "myit", as typically short names don't have spaces?


My IT does appear to be the full username. I don't believe there is a shortname. When I ran the command you suggested it appeared exactly as is, with the space in it. I don't know that it's technically a separate account, but rather an IT login we set up in Prestage. Do I need to create an admin account that does not have a space for this to work?


ljcacioppo
  • Jamf Heroes
  • 183 replies
  • December 23, 2021
JSKeller wrote:

My IT does appear to be the full username. I don't believe there is a shortname. When I ran the command you suggested it appeared exactly as is, with the space in it. I don't know that it's technically a separate account, but rather an IT login we set up in Prestage. Do I need to create an admin account that does not have a space for this to work?


I'm not positive, as I haven't seen a space in a username before. I passthrough a username in quotes though. Have you tried "My IT" instead of using the escape to see if that fares any better?


ljcacioppo
  • Jamf Heroes
  • 183 replies
  • December 23, 2021
ljcacioppo wrote:

I'm not positive, as I haven't seen a space in a username before. I passthrough a username in quotes though. Have you tried "My IT" instead of using the escape to see if that fares any better?


Similarly, instead of passing through your credentials in the script, which I would recommend against for that generic account, you can use something like erase-install (despite the name, you can use it to upgrade without erasing) where users can get prompted for their credentials to pass through to upgrade.

Standard users can authenticate for that as long as they are seen to have volume ownership. They do not need to be admins to upgrade to Monterey. We're having standard users upgrade this way.
https://github.com/grahampugh/erase-install
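
As an added example (not part of the thread and not erase-install's code): a check that can be run over policy scripts to catch the pattern advised against above, a password written as a literal and piped into a command that uses `--stdinpass`. The function names and the sample script are assumptions; the sample is constructed, with its first `startosinstall` line mirroring the one in the question.

```shell
#!/bin/sh
# Added example, not from the thread: audit a policy script for a password
# written as a literal and piped into a command that uses --stdinpass.

# audit_stdinpass FILE
# Prints "LINE: text" per finding; exit status is 1 if anything was found.
audit_stdinpass() {
    awk '
        # Only lines that start with echo/printf and mention --stdinpass.
        /--stdinpass/ && /^[ \t]*(echo|printf)[ \t]/ {
            n = index($0, "|")
            if (n == 0) next
            left = substr($0, 1, n - 1)   # the part that is fed to stdin
            # No "$" or backtick on the left side: the secret is a literal,
            # not a variable or a script parameter such as "$4".
            if (left !~ /[$`]/) {
                printf "%d: %s\n", NR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample script. Line 3 mirrors the command in the question,
# line 4 is a commented-out command, line 5 reads the secret from a parameter.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
softwareupdate --fetch-full-installer --full-installer-version 12.0.1
echo "adminpassword" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --nointeraction --agreetolicense --user My\ IT --stdinpass
# echo "old" | startosinstall --stdinpass
printf '%s' "$4" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --user "$3" --stdinpass
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_stdinpass "$sample" || echo "inline password found"
rm -f "$sample"
```

The check only finds literals on the same line as `--stdinpass`; a password assigned to a variable earlier in the script is not flagged and still needs review.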


  • Author
  • Contributor
  • 16 replies
  • December 23, 2021
ljcacioppo wrote:

I'm not positive, as I haven't seen a space in a username before. I passthrough a username in quotes though. Have you tried "My IT" instead of using the escape to see if that fares any better?


Adding quotations returns "error running script: return code was 18" again.


  • Author
  • Contributor
  • 16 replies
  • December 27, 2021
JSKeller wrote:

Adding quotations returns "error running script: return code was 18" again.


I appreciate the suggestion, btw. I do have a bit of a cumbersome workaround for now, which is essentially to allow users to download the installer, run a temp admin script to make them admins for 30 minutes, then install the update. I'm reaching out to Jamf support to see if there is a better way to get this done.


daniel_ross
  • Jamf Heroes
  • 186 replies
  • January 11, 2022
ljcacioppo wrote:

Similarly, instead of passing through your credentials in the script, which I would recommend against for that generic account, you can use something like erase-install (despite the name, you can use it to upgrade without erasing) where users can get prompted for their credentials to pass through to upgrade.

Standard users can authenticate for that as long as they are seen to have volume ownership. They do not need to be admins to upgrade to Monterey. We're having standard users upgrade this way.
https://github.com/grahampugh/erase-install


@JSKeller for sure try what @ljcacioppo is sharing as it works great for our admin and if I'm not mistaken admin users as we've been using this for about a year now.  Absolutely a game changer!


  • Author
  • Contributor
  • 16 replies
  • January 11, 2022
daniel_ross wrote:

@JSKeller for sure try what @ljcacioppo is sharing as it works great for our admin and if I'm not mistaken admin users as we've been using this for about a year now.  Absolutely a game changer!


Thanks for the suggestion! I'll give it a try next time I get my hands on a test machine. I'm currently navigating around things but quietly deploying the get-latest-installer script in the background and then suggesting that users run this update after activating the temporary admin script that is also set up. It's another click or two, but not beyond them to complete fairly easily.


  • New Contributor
  • 6 replies
  • December 8, 2022

This is also an issue for us with student laptops in my district. And they are not volume owners so I don't think erase-install will work for us. I'm working with Jamf support to come up with another option, but we haven't succeeded so far.


  • New Contributor
  • 11 replies
  • February 9, 2023
ljcacioppo wrote:

Similarly, instead of passing through your credentials in the script, which I would recommend against for that generic account, you can use something like erase-install (despite the name, you can use it to upgrade without erasing) where users can get prompted for their credentials to pass through to upgrade.

Standard users can authenticate for that as long as they are seen to have volume ownership. They do not need to be admins to upgrade to Monterey. We're having standard users upgrade this way.
https://github.com/grahampugh/erase-install


Hi @ljcacioppo - sorry for bringing up an old thread but how can I use this script without erasing people's drives? I simply want to use it for an upgrade.


ljcacioppo
  • Jamf Heroes
  • 183 replies
  • February 9, 2023
mowtnmn wrote:

Hi @ljcacioppo - sorry for bringing up an old thread but how can I use this script without erasing people's drives? I simply want to use it for an upgrade.


It is possible to just use it for upgrades. Here is the documentation from the erase-install GitHub that talks about what flags to use for upgrading:

https://github.com/grahampugh/erase-install/wiki/4.-Upgrading-macOS

The entire wiki is a good place to find a lot of information around usage for it.


  • New Contributor
  • 6 replies
  • February 9, 2023

Just to update: I actually did get erase-install working here! I had a config profile restricting .dmg. Once I removed that it ran the update!

 


  • New Contributor
  • 11 replies
  • February 9, 2023
ljcacioppo wrote:

It is possible to just use it for upgrades. Here is the documentation from the erase-install GitHub that talks about what flags to use for upgrading:

https://github.com/grahampugh/erase-install/wiki/4.-Upgrading-macOS

The entire wiki is a good place to find a lot of information around usage for it.


This is great. Thank you.

