Upgrading to Mojave on closed network

New Contributor

We have a fleet of laptops on a closed-end network that never reach the internet. I update their apps and OS by bringing things into the environment manually and pushing via Jamf. I have been trying to update these machines running 10.13.6 to 10.14.X but results have been blocked by the installer that appears to keep looking for "The recovery server could not be contacted".

I have downloaded the full offline installer (6.05GB) and cache it to the systems before running the install command. Everything seems to kick off just fine but it stops when it tries to call home to Apple for app compatibility checks, software update catalog, and recovery info.

I know the installer is good and have run it manually on a few systems to confirm it completes out. Oddly enough it seems I don't hit the errors when running manually on the systems. I can't do that manually on each machine though from a logistics standpoint.

Is there a command or method I can use to suppress such pre-update checks on the systems to just allow the update to run?


Legendary Contributor III

What's the exact command you're using to kick off the installer? Are you using the startosinstall command? If so, have you included the --nointeraction and --agreetolicense flags? Those might prevent the issue you're seeing if you aren't currently using them.

New Contributor

"/Applications/Install macOS Mojave.app/Contents/Resources/startosinstall" --nointeraction --agreetolicense &
This is what I am running from the Files and Processes field so it runs as root.

The error I am getting is pulled from the Console on the machine once I have pushed the install policy and of course after the installer is cached and extracted to the Applications directory from a previous policy.

Valued Contributor

What model Macs are you trying to update? In general, Apple has advised an internet connection is needed during the update process since Yosemite.

If your Macs have the T2 security chip, then an internet connection is required unless you're booting into Recovery and setting Secure Boot to "medium" or "no" security.

New Contributor

@sshort We are using newer Gen MacBook Pro laptops. The oldest being about 3 years old.

Valued Contributor II

Hello long-time lurker.

Even the T1-equipped Macs will need to phone home to validate a firmware update.

What’s your use case for offline, closed circuit laptops? Sounds like the wrong device for that purpose.

My suggestion would be to expose a controlled, limited-access, open WiFi network into this area during the OS installation, then turn it off when they are done. Network policy should whitelist all URLs with *.apple.com (including final DNS resolution of CNAME records). No hard proxy or SSL termination.

The way you sell this to the powers that be is that Apple’s online verification is the only sure way to know that someone hasn’t injected malware into an OS payload a la Stuxnet. Microsoft lacks this capability; you’d have no idea if Windows was compromised by an insider.
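Added example, not part of the original thread or any poster's code: a sketch of the egress rule suggested above, where a connection is permitted only if the name the client asked for is under `*.apple.com`, and the CNAME targets it resolves to are then permitted as well. All hostnames and CNAME records are constructed sample data, and the function names are hypothetical; matching any depth under `apple.com` is an assumption about how the wildcard is applied.

```python
# Constructed sample CNAME records (invented names, not real Apple or CDN hosts).
SAMPLE_CNAMES = {
    "host1.apple.com": "host1.apple.com.cdn.example.net",
    "host1.apple.com.cdn.example.net": "edge7.cdn.example.net",
}

ALLOWED_SUFFIX = "apple.com"


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def matches_wildcard(name, suffix=ALLOWED_SUFFIX):
    """Match on a label boundary, so 'notapple.com' and
    'apple.com.evil.example' are rejected. The bare apex does not match."""
    return normalise(name).endswith("." + suffix)


def resolve_chain(name, cname_records, max_depth=8):
    """Follow CNAME records from the queried name to the final name."""
    chain = [normalise(name)]
    while chain[-1] in cname_records:
        nxt = normalise(cname_records[chain[-1]])
        if nxt in chain or len(chain) >= max_depth:
            raise ValueError("CNAME loop or chain too long: %r" % chain)
        chain.append(nxt)
    return chain


def egress_decision(name, cname_records):
    """Return (allowed, names_to_permit).

    The decision is made on the name the client queried. CNAME targets
    outside apple.com are permitted only as part of a chain that starts
    at an allowed name, never when queried directly."""
    if not matches_wildcard(name):
        return (False, [])
    return (True, resolve_chain(name, cname_records))


if __name__ == "__main__":
    for query in ("host1.apple.com", "edge7.cdn.example.net", "notapple.com"):
        print(query, egress_decision(query, SAMPLE_CNAMES))
```
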