Updating macOS with Jamf

jhuls
Contributor III

We have a few labs with Ventura 13.1 installed and need to update to 13.2. Is there a solution that works that does not require signing into each system, passing credentials through Jamf policies to the endpoint, or using a script needing API access run from a Jamf policy? I've tried multiple times to use the "send remote commands" feature and it comes up with nothing when it's all said and done. Under Monterey this worked pretty badly, where about 50% of the systems would work each time, but under Ventura thus far it's been zilch.

Is this common for everyone else or has anyone experienced this and have some insight or fix?

Edit: Felt I should elaborate more...the process needs to be done without signing in. When I do the remote commands I can see "AvailableOSUpdates - Scheduled" show up as a pending command. It eventually disappears and nothing happens.

2 REPLIES

bcrockett
Contributor II

@jhuls I ran into this same issue when trying to update my fleet from Ventura 13.1 to 13.2. 

The remote management command worked for about 1% of my fleet. 
Next, I moved to use Nudge with the following configuration:

a. Prompt user to update in 3 weeks' time. When they click to update, it opens System Settings, where they can update the Apple way. Like in this film. This worked for about 25% of my clients. However, 75% were presented with an "Enter an administrator's name and password to allow this." prompt. They are standard users.

Next, I configured Nudge to activate erase-install and prompt the standard user for their volume password, which has a token from the MDM.

Like in this film. Basically the same workflow I used to do the major update from macOS 12 to macOS 13.

Based on my experience, Apple does not allow you to update client computers without their interaction, which sounds like what you are going for with the "without signing in" workflow. You will have to work around that constraint for now.

Best of luck! 

whiteb
Contributor II

MDM update commands seemed to have gotten a little more reliable from Big Sur > Monterey. This makes it sound like it went the opposite direction which is unfortunate.

You may want to look into this: https://github.com/Macjutsu/super

I know it has the capability to silently install minor updates, but I'm not sure if a user has to be logged in.

Also, starting with erase-install v28.0, you can create a custom keychain with a username + password, and pass that along with the script to leverage an account with volume ownership to do an update. Also new in that version is a --silent mode. Graham says the inclusion of the keychain feature is for 'testing', but it seems like it could be used for, like I mentioned, leveraging an existing account with volume ownership to do minor/major updates without end-user interaction. Worth looking into. All still pretty new, only came out a few weeks ago.