I have about 300 macs that need to be upgraded to macOS Monterey, what should be the best policy to do this and how should it be set up in jamf?
Question
Upgrading 300+ macs from macOS Catalina to Monterey
+5
+16The short answer: it depends.
Do your users have admin rights? Are they primarily mobile or on-premise? Do you have Apple Silicon devices?
Take a look at Jamf's macOS Monterey ebook and at HCS' older Big Sur ebook as good references. There's also Nudge and erase-install.
+26If it was me, I would deploy a dmg containing Monterey and a script to run the installer.
MacOS Big Sur and newer must be packaged as a dmg, a pkg wont work. There are other ways to get the installer on the mac, but deploying a dmg is the most reliable. I use JAMF parameters to allow me to set the variables from the policy, but all of this can be hard coded.
#!/usr/bin/env bash
#* FileName: Install_PKG_from_DiskImage
#*=============================================================================
#* Script Name: Install_PKG_from_DiskImage
#* Created:
#* Author:
#*=============================================================================
#*
#*=============================================================================
#*=============================================================================
#* FUNCTION LISTINGS
#*=============================================================================
## Define global Variables
dmgName="$4" #Name of the DMG to be mounted
dmgPath="$5" #Location of the DMG to be mounted, if deployed by JAMF it will be in /Library/Application Support/JAMF/Waiting Room
intallerPath="$6" #Path to the MacOS Installer App within the DMG
installerDestination="$7" #Path to where the MacOS Installer App is to be moved
volumeName="$8" #Name of the mounted volume
# Use Example, quotes are not needed in the parameter as they are defined with the variables above.
# dmgName="Apple_macOS_Big_Sur_11.2.1.dmg"
# dmgPath="/Library/Application Support/JAMF/Waiting Room/Apple_macOS_Big_Sur_11.2.1.dmg"
# intallerPath="/Volumes/Apple_macOS_Big_Sur_11.2.1/Applications/Install macOS Big Sur.app"
# installerDestination="/Applications/Install macOS Big Sur.app"
# volumeName="/Volumes/Apple_macOS_Big_Sur_11.2.1"
## Mount DMG file with no browse to hide the desktop icon
echo "...Mounting $dmgName"
sudo hdiutil attach "$dmgPath" -nobrowse
## Install PKG
echo "Copying MacOS Installer to /Applications"
sudo cp -R "$intallerPath" "$installerDestination"
## Wait 20 seconds to allow for package to transfer
sleep 20
## Unmount DMG
echo "Unmounting $volumeName"
sudo hdiutil unmount "$volumeName"
## Wait 20 sec to make sure DMG unmounts
sleep 20
## Delete DMG
sudo rm -rfv "$dmgPath"
In the past I used a modified version of a script that JAMF provided. Ultimately the JAMF script did not behave very well with newer macOS versions, so I just stripped it to the basics. Do the thing and let the OS installer decide if its going to install. I have removed a bit from this as it is a bit sensitive to our environment. Ultimately you just need to run the last line to run the OS upgrade.
#!/bin/bash
#* FileName: macOS_Monterey_Upgrade_No_Interact_Basic
#*=============================================================================
#* Script Name: macOS_Monterey_Upgrade_No_Interact_Basic
#* Created:
#* Author:
#*=============================================================================
#* Purpose: Provide a basic script to upgrade to macOS Monterey.
#*=============================================================================
#*=============================================================================
#* SCRIPT BODY
#*=============================================================================
"/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall" --agreetolicense --nointeraction --forcequitapps
exit 0
As for how I would set it up.
- I would force deploy the installer to all devices on recurring checkin with a inventor update payload. Exclude this policy from devices with macOS cached which will need an extension attribute.
- Have a selfservice policy scoped to devices with macOS cached that has the script to run the installer.
- Have a second policy to force the OS upgrade scoped to all devices with macOS cached on reoccurring checkin once per day
Put the installer on all devices. Advised users that on {date} they will have the update run, and they can self update before {date} at which the upgrade will be forced. Give the illusion of control if users can selfupdate before you force them.
+5The short answer: it depends.
Do your users have admin rights? Are they primarily mobile or on-premise? Do you have Apple Silicon devices?
Take a look at Jamf's macOS Monterey ebook and at HCS' older Big Sur ebook as good references. There's also Nudge and erase-install.
They don't have admin rights, they're all intel based macs. They're remote.
+5If it was me, I would deploy a dmg containing Monterey and a script to run the installer.
MacOS Big Sur and newer must be packaged as a dmg, a pkg wont work. There are other ways to get the installer on the mac, but deploying a dmg is the most reliable. I use JAMF parameters to allow me to set the variables from the policy, but all of this can be hard coded.
#!/usr/bin/env bash
#* FileName: Install_PKG_from_DiskImage
#*=============================================================================
#* Script Name: Install_PKG_from_DiskImage
#* Created:
#* Author:
#*=============================================================================
#*
#*=============================================================================
#*=============================================================================
#* FUNCTION LISTINGS
#*=============================================================================
## Define global Variables
dmgName="$4" #Name of the DMG to be mounted
dmgPath="$5" #Location of the DMG to be mounted, if deployed by JAMF it will be in /Library/Application Support/JAMF/Waiting Room
intallerPath="$6" #Path to the MacOS Installer App within the DMG
installerDestination="$7" #Path to where the MacOS Installer App is to be moved
volumeName="$8" #Name of the mounted volume
# Use Example, quotes are not needed in the parameter as they are defined with the variables above.
# dmgName="Apple_macOS_Big_Sur_11.2.1.dmg"
# dmgPath="/Library/Application Support/JAMF/Waiting Room/Apple_macOS_Big_Sur_11.2.1.dmg"
# intallerPath="/Volumes/Apple_macOS_Big_Sur_11.2.1/Applications/Install macOS Big Sur.app"
# installerDestination="/Applications/Install macOS Big Sur.app"
# volumeName="/Volumes/Apple_macOS_Big_Sur_11.2.1"
## Mount DMG file with no browse to hide the desktop icon
echo "...Mounting $dmgName"
sudo hdiutil attach "$dmgPath" -nobrowse
## Install PKG
echo "Copying MacOS Installer to /Applications"
sudo cp -R "$intallerPath" "$installerDestination"
## Wait 20 seconds to allow for package to transfer
sleep 20
## Unmount DMG
echo "Unmounting $volumeName"
sudo hdiutil unmount "$volumeName"
## Wait 20 sec to make sure DMG unmounts
sleep 20
## Delete DMG
sudo rm -rfv "$dmgPath"
In the past I used a modified version of a script that JAMF provided. Ultimately the JAMF script did not behave very well with newer macOS versions, so I just stripped it to the basics. Do the thing and let the OS installer decide if its going to install. I have removed a bit from this as it is a bit sensitive to our environment. Ultimately you just need to run the last line to run the OS upgrade.
#!/bin/bash
#* FileName: macOS_Monterey_Upgrade_No_Interact_Basic
#*=============================================================================
#* Script Name: macOS_Monterey_Upgrade_No_Interact_Basic
#* Created:
#* Author:
#*=============================================================================
#* Purpose: Provide a basic script to upgrade to macOS Monterey.
#*=============================================================================
#*=============================================================================
#* SCRIPT BODY
#*=============================================================================
"/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall" --agreetolicense --nointeraction --forcequitapps
exit 0
As for how I would set it up.
- I would force deploy the installer to all devices on recurring checkin with a inventor update payload. Exclude this policy from devices with macOS cached which will need an extension attribute.
- Have a selfservice policy scoped to devices with macOS cached that has the script to run the installer.
- Have a second policy to force the OS upgrade scoped to all devices with macOS cached on reoccurring checkin once per day
Put the installer on all devices. Advised users that on {date} they will have the update run, and they can self update before {date} at which the upgrade will be forced. Give the illusion of control if users can selfupdate before you force them.
they don't have admin rights, would that make a difference?
+26they don't have admin rights, would that make a difference?
Nope. JAMF is doing everything and JAMF runs everything as root.
Getting in to Apple Silicon and Volume Ownership this work flow would not work, but Apple Silicon cant run Catalina so you are good. For Apple Silicon you need to use MDM commands, so JAMF needs a bootstrap token but that is a problem for future you :).
+3I'd second erase-install for this.
I just recently used this via a Self-Service policy to update ~30 Catalina Intel MacBooks to Monterey. All users were standard, non-admins and remote.
+7I'd recommend an MDM command as a first step. Then optionally deploy erase-install for the ones left behind. The reason for that is because erase-install needs the user to input their password on M1 macs.
+26I'd recommend an MDM command as a first step. Then optionally deploy erase-install for the ones left behind. The reason for that is because erase-install needs the user to input their password on M1 macs.
Keep in mind OP said the devices are running Catalina, so they cannot have any Apple Silicon devices in the Mix. Apple Silicon started with Big Sur. Otherwise I totally agree with you.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.