I noticed this, especially on the M1 Macs. I am new to the Mac world, but my understanding is that on the M1 Macs, only the first account created on the computer is able to run OS updates. This is the account with the "Secure Token".
It seems like the Mass Update Action command only works if the computer is turned on and not asleep. But, it also seems to only update when it feels like it. I ran a Mass Update Action and one of my iMacs got the update a day later. Most of our Macs do not update AT ALL using the Mass Update Action. I've heard suggestions to use the softwareupdate command and use --stdinpass to pass through the Secure Token Account's password, but that does not work for me.
I have seen scripts to update macOS, but for the M1, you would need to pass the Secure Token Account's password through the script. Maybe someone else out there knows a solution to this? I can share the script I have, but it might not be the best as I'm still new to the Mac world.
Well, I don't think the problem is the "Secure Token". It is correct that only the first account receives the "Secure Token", but if you create a second account on the Mac, this account will also have the "Secure Token". Accounts created on the device but from outside (e.g. a domain user, or using a script to create a user account) will NOT get the "Secure Token". Giving the "Secure Token" to a user requires authentication from an account which already has the Secure Token.
From this week, I also see that most of our users are getting more popups than usual. Apple has changed something, maybe. I have experienced it but can't say for sure. Can anyone confirm it?
Maybe the Apple or Jamf PPPC profile needs to be updated on the Jamf server.
Did you confirm that the Bootstrap Token has been escrowed?
I create a Smart Group for deploying updates via MDM; part of the criteria for that group is an extension attribute. The extension attribute returns whether or not the Bootstrap token is escrowed.
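```bash
#!/bin/bash
# Extension attribute: reports whether the Bootstrap Token is escrowed to the MDM server
bootstrap=$(profiles status -type bootstraptoken)
if [[ $bootstrap == *"escrowed to server: YES"* ]]; then
    result="Escrowed"
else
    result="Not Present"
fi
echo "<result>$result</result>"
```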
@Hugonaut Thanks for posting the Bootstrap Token is escrowed check EA. I'm trying to use sh for all my EAs these days since Apple's removal of Python 2 in 12.3 seems to indicate they may follow through with removing bash, so here's an sh-ified version:
```sh
#!/bin/sh
# Checks to see if the Bootstrap token has been escrowed with the MDM server
# Returns: "Escrowed" if yes, "No" if not
#
# An sh compatible implementation of https://community.jamf.com/t5/jamf-pro/updating-macos-by-sending-a-mass-action-command-require-to-have/m-p/263035/highlight/true#M242120
result="No"
bootstrap=$(/usr/bin/profiles status -type bootstraptoken | /usr/bin/grep "escrowed to server: YES")
if [ -n "$bootstrap" ]; then
    result="Escrowed"
fi
echo "<result>$result</result>"
```
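An extension of the bootstrap-token check above, added here as an example and not taken from any post in this thread: it also reports the console user's Secure Token state and separates "MDM does not support escrow" from "supported but not escrowed yet", so a Smart Group can target each case. The function names and the sample output in the `else` branch are constructed; the script assumes the `profiles status -type bootstraptoken` wording quoted in the thread and the "Secure token is ENABLED/DISABLED" wording of `sysadminctl -secureTokenStatus`.

```sh
#!/bin/sh
# Added example (not from the thread): one EA value covering both tokens.

# Classify the text printed by `profiles status -type bootstraptoken`.
bootstrap_state() {
    case "$1" in
        *"escrowed to server: YES"*)  echo "Escrowed" ;;
        *"supported on server: YES"*) echo "Supported, not escrowed" ;;
        *"supported on server: NO"*)  echo "Not supported by MDM" ;;
        *)                            echo "Unknown" ;;
    esac
}

# Classify the text printed by `sysadminctl -secureTokenStatus <user>`.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "Enabled" ;;
        *"Secure token is DISABLED"*) echo "Disabled" ;;
        *)                            echo "Unknown" ;;
    esac
}

# Build the single <result> string Jamf stores for the extension attribute.
ea_result() {
    echo "<result>Bootstrap: $(bootstrap_state "$1"); SecureToken: $(secure_token_state "$2")</result>"
}

if [ -x /usr/bin/profiles ] && [ -x /usr/sbin/sysadminctl ]; then
    # On a Mac (Jamf runs EAs as root): query the live state.
    user=$(/usr/bin/stat -f%Su /dev/console)
    bt_out=$(/usr/bin/profiles status -type bootstraptoken 2>&1)
    # sysadminctl writes its status line to stderr, hence 2>&1.
    st_out=$(/usr/sbin/sysadminctl -secureTokenStatus "$user" 2>&1)
else
    # Constructed sample output so the script also runs off-Mac.
    bt_out="profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO"
    st_out="sysadminctl[123:456] Secure token is ENABLED for user jdoe"
fi
ea_result "$bt_out" "$st_out"
```

A Smart Group for MDM-driven updates can then match on `Bootstrap: Escrowed`, while `Supported, not escrowed` flags Macs where a Secure Token user still has to log in before the token can be escrowed.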
You're scaring me with that "Bash Removal" Talk! 🤣
This has come up a few times; they don't need admin. When you send the mass action command with deferral or allowing users to install, it prompts the users for their Mac password, not an admin password. If they type in their local password it should complete; on the Intel machines this is not needed. If you send a mass action command without a deferral and set to install straight away, it does not prompt for a password on M1s but it just restarts with 1 min notice, which is something most companies don't want to do. You can't do these updates via policy anymore on M1s.