updating macos by sending a mass action command require to have an administrator account

Mohamad
New Contributor II

Hi all,

 

When I am try to make Update by sending a mass action command, ask from end user to enter an Administrator account and PW to install the update, anyone have the same problem?

10 REPLIES 10

ImAMicrosoftGuy
New Contributor III

Hello,

I noticed this, especially on the M1 Macs.  I am new to the Mac world, but my understanding is that on the M1 Macs, only the first account created on the computer is able to run OS updates.  This is the account with the "Secure Token" 

It seems like the Mass Update Action command only works if the computer is turned on and not asleep.  But, it also seems to only update when it feels like it.  I ran a Mass Update Action and one of my iMacs got the update a day later.  Most of our Macs do not update AT ALL using the Mass Update Action.  I've heard suggestions to use the softwareupdate command and use --stdinpass to pass through the Secure Token Account's password,  but that does not work for me.

I have seen scripts to update macOS, but for the M1, you would need to pass the Secure Token Account's password through the script.  Maybe someone else out there knows a solution to this?  I can share the script I have, but it might not be the best as I'm still new to the Mac world

MehdiYawari
New Contributor III

Hello
Well, i dont think so that the problem is "Secure Token". It is correct that only the first account receives the "Secure Token" but if you create a second account on the Mac, this account will also have the "Secure Token". Account created on the device but from outside(z.B Domain user, or using a script to create a user account) will NOT get the "Secure Token". To give the "Secure Token " to a User requires an authentification from an account which already has the secure Token. 
From this week, I also see that most of our users are getting more popup than usual. Apple has changed something, maybe. I have experienced it but cant say for sure. Can anyone confirm it?
Maybe Apple or Jamf PPPC Profile need to be updated on the jamf server.

Hugonaut
Valued Contributor II

Did you confirm that the Bootstrap Token has been escrowed?

 

I create a Smart Group for deploying updates via MDM, part of the criteria for that group is an extension attribute. The extension attribute returns whether or not the Bootstrap token is escrowed.

 

 

 

#!/bin/bash

bootstrap=$(profiles status -type bootstraptoken)

if [[ $bootstrap == *"escrowed to server: YES"* ]]; then
 	result="Escrowed"

else
	result="Not Present"

fi

echo "<result>$result</result>"

 

 

 

Screen Shot 2022-04-06 at 10.27.14 AM.png

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

sdagley
Esteemed Contributor II

@Hugonaut Thanks for posting the Bootstrap Token is escrowed check EA. I'm trying to use sh for all my EAs these days since Apple's removal of Python 2 in 12.3 seems to indicate they may follow through with removing bash, so here's an sh-ified version:

#!/bin/sh

# Checks to see if the Bootstrap token has been escrowed with the MDM server
#	Returns: "Escrowed" if yes, "No" if not
#
# An sh compatible implementation of https://community.jamf.com/t5/jamf-pro/updating-macos-by-sending-a-mass-action-command-require-to-have/m-p/263035/highlight/true#M242120

result="No"

bootstrap=$(/usr/bin/profiles status -type bootstraptoken | /usr/bin/grep "escrowed to server: YES")

if [ -n "$bootstrap" ]; then
 	result="Escrowed"
fi

echo "<result>$result</result>"

 

Hugonaut
Valued Contributor II

You're scaring me with that "Bash Removal" Talk! 🤣

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

sdagley
Esteemed Contributor II

:-) It's coming eventually, but bog knows when.

Hugonaut
Valued Contributor II

giphy.gif

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

SCCM
Contributor III

This has come up a few times, they dont need admin. When you send the mass action command with defferal or allowing users to install it prompts the users for thier mac password, not a admin password. If they type inthier local password it should complete, on the intel machines this is not needed. If you send a mass action command without a defferal and set to install straight away it does not prompt for a password on m1's but it just restarts with 1min notice, which is something most companies dont want to do. You cant do these updates via policy anymore on m1's

cucaracha
New Contributor III

I did send a mass action command with a 2x limit deferral and got prompted for the user password, but nothing occurred after that. Later, in management commands, it says: ScheduleOSUpdate  Unsupported InstallAction for this ProductKey.

SCCM
Contributor III

it might have been to do withthe OS they were on, ive seen this break in 12.0, 12.1 and 12.4 (could be other versions too).