Posted on 02-22-2023 02:50 AM
Hello All,
Please let me know what is the best way to upgrade Ventura (in place upgrade).
If the create two policies one is to download the OS installer under /applications folder by softwareupdate command and second policy to upgrade it by startosinstall command with a display messgae to end user screen would be great? Or better solution we have through Jamf?
02-22-2023 05:11 AM - edited 02-22-2023 05:16 AM
Something like this would use JAMF helper, and trigger the OS installer based on their response. You could just hard code the OS installer in to the script, or have the script call another JAMF policy based on user input. You can get a lot more complex then this if you like. Doing things like checking power status and aborting the install in the script, but the OS installer handles this on its own.
#!/bin/bash
#*=============================================================================
#JAMF Helper
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
OSVersion="$4"
Date="$5"
ComplianceDate="$6"
windowType="hud"
description="Hello,
We are upgrading your junk and not asking questions. Well I was too lazy to update this JAMF Helper script so you do have an Acknowledge, but don't think that helps your case any.
"
heading="Its Ventura time"
button1="Acknowledge"
button2="Cancel"
icon="/Library/Desktop Pictures/Some_Evil_Image.jpg"
title="MacOS Hardware Configuration"
defaultButton="1"
cancelButton="2"
iconSize="240"
#JAMF Helper
#*=============================================================================
#*Begin JAMF Helper
#*=============================================================================
#Running JAMF Helper
userChoice=$("$jamfHelper" -windowType "$windowType" -title "$title" -heading "$heading" -description "$description" -defaultButton "$defaultButton" -cancelButton "$cancelButton" -icon "$icon" -iconSize "$iconSize" -alignHeading "$alignHeading" -button1 "$button1" -button2 "$button2")
#Rebooting device or canceling based on user choice
if [ "$userChoice" == "0" ]; then
echo "User clicked Acknowledge, Running Ventura installer"
'/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall' --agreetolicense --nointeraction --forcequitapps
exit 0
elif [ "$userChoice" == "2" ]; then
echo "User clicked Cancel; now exiting."
osascript -e 'tell app "Finder" to display dialog "Cancel? Ha, you had no choice. Upgrading anyway."'
'/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall' --agreetolicense --nointeraction --forcequitapps
exit 1
fi
02-22-2023 06:32 AM - edited 02-22-2023 06:33 AM
@Asifahmed @grahamrpugh 's erase-install script is extremely popular for doing Self Service initiated macOS upgrades because it handles all download, preflight, user notification, and user credential prompting on Apple Silicon Macs for you (ignore the erase in the name, it also does updates). There is a section in the Wiki that describes use via Jamf Pro: https://github.com/grahampugh/erase-install/wiki/6.-Use-in-Jamf-Pro
Nudge is another option that's popular to drive users to initiate macOS updates. There is an extensive Wiki for Nudge (https://github.com/macadmins/nudge/wiki), and @dan-snelson 's Nudge Post-install provides an easy configuration process.
Posted on 02-22-2023 06:55 AM
erase-install script is going to erase all my data and deploy new OS or it is just inplace upgrade without any data loss?
I use Nudge for Apple updates. I used JSON schema to control the Apple update, version and last date. But dont understand how Nudge will be able to upgrdae to next version of OS like Monterey to Ventura. Do you think using by JSON schema it is possible to upgrade the OS from 12.x to 13.x ?
Posted on 02-22-2023 07:06 AM
@Asifahmed erase-install supports both update/upgrade and erase scenarios.
Nudge definitely supports upgrading from Monterey to Ventura. It doesn't care what version of macOS the update being forced is, just the minimum macOS version you're looking for users to install.
Posted on 02-22-2023 09:48 AM
So for the link mentioned https://github.com/grahampugh/erase-install/wiki/6.-Use-in-Jamf-Pro
What I understood if I follow the 1st method then I need to execute the command with the latets version to upgrade on the
/Library/Management/erase-install/erase-install.sh --os 13.2.1 --update --reinstall --confirm
Any execute on user's device. If any new OS comes next year again I need to create another policy with --os 14 to upgrade the 13.x OS to 14.x OS
Any for second method I need to create multiple policies for different operation like 1. Upgradation, 2. Updates, 3. Erase and reinstall OS etc?
For Nudge, I use JSON schema and if I apply the config profile to OS 12.x with target vrsion 13.x Nudge doesn't popup on those 12.x machines, it will popup on 13.x there x less than the target value I mentioned in my config profile. Any other way you wanted to follow me or it is same you wanted to mean what I said?
Posted on 02-22-2023 10:25 AM
@Asifahmed By "Upgradation" do you mean upgrading from one major version of macOS to another (e.g. 12.6.3 to 13.2.1)? If so, that is a process I usually put into Self Service so that I can pair the running of erase-install with any prerequisite updates that may be required for other software we normally install.
For minor release updates of macOS (e.g. 13.1 to 13.2) Nudge has become my preferred tool, but macOS Ventura is somewhat better about responding to MDM update commands that macOS Monterey and Big Sur were, so I'm hoping to leverage those in the near future.
For the "erase and Re-install of macOS" I do make a Self Service policy available, but with the arrival of "Erase All Contents and Settings" in macOS Monterey for x86 Macs with the T2 chip, and all Macs with Apple Silicon processor, it's much easier and faster to have the user run the Erase Assistant. I keep the Self Service re-image policy around for users who are still on Monterey and want tp re-image with Ventura.
Posted on 02-22-2023 10:43 AM
Yes i am talking about major change(12.x to 13.x). So for all different operation i need to create separate policy for each? Reimage, OS upgradation.
I use Nudge for minor change like 13.1 to 13.2.1 or so. But i am still confused now Nudge will popup for 12.x OS for upgradation to 13.x , i noticed it doesnt popup. Nudge i have seen only for Apple updates/patching i kean minor change(12.1 to 12.3 or 13.1 13.2 etc)
Posted on 02-28-2023 12:46 PM
@Asifahmed , to implement a Delta upgrade with Nudge, you need to set the requiredMinimumOSVersion to 13.0.
You'll also need to set the actionButtonPath to /System/Library/PreferencePanes/Softwareupdate.prefpane.
Posted on 03-01-2023 03:05 AM
I use Nudge and it works fine. I was looking for best OS upgradation(12.x->13.x)
BTW thanks for all help. :)
Posted on 03-01-2023 09:58 AM
My post above shows you how to upgrade Monterey to Ventura with Nudge.
Posted on 03-01-2023 10:13 AM
Make sense now, but what this path does technically? I mean how does it help us to start upgradation from 12.x to 13.x
Posted on 03-01-2023 11:02 AM
It allows users to use the delta upgrade for Ventura.
Posted on 03-02-2023 02:11 AM
If I dont put this path still Nudge is moving to Softwareupdate Pane if user click on Update Device button, and user is able to see minor updates under More Info and Upgrade option to Ventura. What is the exact advantage to use this command in Nudge?
Posted on 06-07-2023 04:43 PM
#!/bin/bash
softwareupdate --fetch-full-installer --full-installer-version "$4"
###############################################
# This script will provide temporary admin #
# rights to a standard user right from self #
# service. First it will grab the username of #
# the logged in user, check if they are #
# already an administrator, and then either #
# skip the elevation or proceed accordingly. #
# Finally, it will create a launch daemon #
# that will count down from 10 minutes and #
# then run a secondary script to demote the #
# user back to a standard account. The launch #
# daemon will continue to count down no matter #
# how often the user logs out or restarts #
# their computer. #
###############################################
#############################################
# Find the logged in user and let them know #
#############################################
currentUser=$(who | awk '/console/{print $1}')
echo $currentUser
################################################
# Check if the user is already an administrator #
################################################
if dseditgroup -o checkmember -m $currentUser admin > /dev/null 2>&1; then
echo "User $currentUser is already an administrator. No elevation needed."
sudo open "$5"
exit 0
fi
#########################################################
# Write a daemon that will let you remove the privilege #
# with another script and chmod/chown to make #
# sure it'll run, then load the daemon #
#########################################################
# Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
# Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
# Set the run interval to run every 10 minutes
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 600
# Set run at load
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
# Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
# Load the daemon
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10
#########################
# Make file for removal #
#########################
if [ ! -d /private/var/userToRemove ]; then
mkdir /private/var/userToRemove
echo $currentUser >> /private/var/userToRemove/user
else
echo $currentUser >> /private/var/userToRemove/user
fi
##################################
# Give the user admin privileges #
##################################
/usr/sbin/dseditgroup -o edit -a $currentUser -t user admin
########################################
# Write a script for the launch daemon #
# to run to demote the user back and #
# then pull logs of what the user did. #
########################################
cat << 'EOF' > /Library/Application\ Support/JAMF/removeAdminRights.sh
if [[ -f /private/var/userToRemove/user ]]; then
userToRemove=$(cat /private/var/userToRemove/user)
echo "Removing $userToRemove's admin privileges"
/usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin
rm -f /private/var/userToRemove/user
launchctl unload /Library/LaunchDaemons/removeAdmin.plist
rm /Library/LaunchDaemons/removeAdmin.plist
log collect --last 10m --output /private/var/userToRemove/$userToRemove.logarchive
fi
EOF
sudo open "$5"
exit 0