Zero Touch Mac OS Lab Upgrade?

cstierman
New Contributor

I have a hundred or so machines in labs running Catalina that I need to upgrade to Monterey over the summer. I found this blog: https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/ and thought that I would be able to modify the workflow to allow for a zero touch upgrade, but I am running into a snag.

In the caching policy I have it copy down the OS install assistant and run the package. This puts the Monterey installer in the Applications folder as intended, and then I have the Mac reboot. This is working correctly: the installer is in Applications and the machine reboots when it is done.

I have a second policy that runs on a restart that kicks off the startosinstall script. This policy also seems to be working, as the status shows the script was run and exited and is marked as complete; however, the Mac never actually does the OS upgrade or restarts as it should. I let it sit overnight and nothing. Still on Catalina.

To troubleshoot, I modified the second policy to be Self Service and tried that, and it worked correctly, running the script, restarting and doing the wipe and install.

What am I missing? Why will it run via Self Service and not run when no users are logged in?

8 REPLIES

sdagley
Esteemed Contributor II

@cstierman The startosinstall tool that runs the macOS upgrade process requires a logged in user.

Well, that stinks. Don't suppose there is a way to log in a user via a script and run that command... I'll settle even if I have to send the password in the script, as it would be a temporary user just until the machine is wiped.

sdagley
Esteemed Contributor II

@cstierman If you aren't using FileVault then setting up a user for automatic login should work. It looks like @brunerd has done some work on scripting user creation you should find useful: https://www.brunerd.com/blog/2021/08/24/automating-automatic-login-for-macos/

AJPinto
Honored Contributor II

Hrm. I don't think I have ever checked again that, as I have never needed to. Dang you, Apple, and wanting to give users control. I wonder if the softwareupdate (upgrade) MDM command would work for unattended devices.

AJPinto
Honored Contributor II

Zero touch upgrades are not hard for Intel devices; you just need to run the terminal command below. For Apple Silicon, bootstrap tokens complicate things a bit.

Cache the Monterey installer (I like to package it with a DMG and deploy it with a policy and an inventory update to get away from App Store shenanigans) and run the following command in a policy to devices with Monterey cached.

"/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall" --agreetolicense --nointeraction --forcequitapps 

Depending on your version of JAMF and device status, you can use MDM commands to tell macOS to update and install the latest upgrade. FileVault can complicate this, so you may want to turn off FileVault first. This will work on both Apple Silicon and Intel Macs.
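As an added example (not code from this thread, from Jamf, or from AJPinto), here is a policy script that wraps the startosinstall command above with checks for the conditions raised in the thread: a logged-in console user, FileVault off, and the installer actually cached. The function names, the console-user test via stat on /dev/console, and the skip messages are my own assumptions.

```bash
#!/bin/bash
# Added example: run the cached Monterey installer's startosinstall only when
# its preconditions hold; otherwise say why it skipped (Jamf keeps the script
# output in the policy log, which is where the silent "completed" run above
# would then show the reason).
INSTALLER="/Applications/Install macOS Monterey.app"

# startosinstall needs a logged-in GUI user. At the login window /dev/console
# is owned by root; loginwindow and _mbsetupuser are not real sessions either.
has_console_user() {
  case "$1" in
    ""|root|loginwindow|_mbsetupuser) return 1 ;;
    *) return 0 ;;
  esac
}

# preflight <console user> <fdesetup status text> <installer .app path>
# Prints one line explaining the decision; returns 0 to proceed, 1 to skip.
preflight() {
  user="$1"; fv="$2"; app="$3"
  if [ ! -x "$app/Contents/Resources/startosinstall" ]; then
    echo "installer not cached at $app"; return 1
  fi
  if ! has_console_user "$user"; then
    echo "no user logged in; startosinstall needs a console session"; return 1
  fi
  case "$fv" in
    *"FileVault is On"*)
      echo "FileVault is on; turn it off before an unattended upgrade"; return 1 ;;
  esac
  echo "ok"; return 0
}

# Gather the live values on the Mac and run the upgrade if preflight passes.
run_upgrade() {
  console_user=$(stat -f %Su /dev/console 2>/dev/null)
  fv_status=$(fdesetup status 2>/dev/null)
  if ! reason=$(preflight "$console_user" "$fv_status" "$INSTALLER"); then
    echo "skipping upgrade: $reason"; return 1
  fi
  echo "launching startosinstall for console user $console_user"
  "$INSTALLER/Contents/Resources/startosinstall" \
    --agreetolicense --nointeraction --forcequitapps
}

# Entry point for the Jamf policy script; on a machine without the cached
# installer, preflight refuses and nothing else happens.
run_upgrade || true
```

Scope the policy to machines that already have the installer cached, and read the skip reason in the policy log when a run reports "completed" without actually upgrading.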

As far as I can tell that will not run when sent as an MDM command via a script or by processes and files at the end of a policy. It needs to be run from the machine in Self Service.

AJPinto
Honored Contributor II

Nope, runs fine via script or policy from JAMF, at least for Intel Macs. Apple Silicon needs a bootstrap token to run, which JAMF cannot provide. You would need to use the MDM command for Apple Silicon Macs.

Here is JAMF's doc on this use case.

Automate upgrades to macOS Big Sur | Jamf | Blog

That use case doc is for using Self Service to kick off the install. I have had zero luck getting it to run. I have the same policy scoped to run at startup and also be in Self Service. Never kicks off at startup and works every time in Self Service.