erase-install.sh Issue

ChrisTech
Contributor

I ran into a weird issue with the erase-install.sh script. I got the script to run successfully a few times with other users in my department. On one laptop, I logged in and I got a keychain error. It wouldn't take any of my previous passwords and I created a new keychain. I launched the script via a Self Service policy and entered my password, and it took my credentials, downloaded the Ventura update and stalled on the Preparing Update screen for a very long time. I broke out of the GUI for erase-install.sh and noticed in the log that the startosinstall said "startosinstall could not get authorization"

 

I ran the script again with another local account that has a token and everything worked as it should. Did something happen with my account, did I lose the token after my keychain reset? 


dvasquez
Valued Contributor

Have you reached out to their GitHub and sent them an issue report?  

https://github.com/grahampugh/erase-install/issues

Probably a better place to start. Also, verify the primary FileVault user and/or primary secure token user.

I have not run into this error but it sounds like there is an issue with the primary FVE user or users.

Good luck, Graham will get back to you but he is a stickler for all the correct troubleshooting information.  

ericbenfer
Contributor III

Give us a little more background information.

Are your systems bound to Active Directory (AD)?

Are you using AD Mobile Accounts? Is that why your Keychain was messed up?

If the above is true you may not have a “Secure Token” and thus not be a volume owner.

You must be a volume owner to apply software updates or upgrade the OS.

 

Hi All,

We are using AD with Mobile Accounts. I hadn't logged into the machine in some time, which is why it prompted me to update the keychain. I had to reset the keychain. The script seemed to think I was a Volume Owner. It ran just like it did on all the other machines, but stalled out preparing the update.

2023-07-18 09:01:15 | v30.0 | [get_user_details] ask for user credentials (attempt 1/5)
2023-07-18 09:01:15 | v30.0 | [get_default_dialog_args] Invoking utility dialog
yes christech is a member of everyone
2023-07-18 09:01:24 | v30.0 | [get_user_details] christech is a Volume Owner
2023-07-18 09:01:24 | v30.0 | [check_password] Success: the password entered is the correct login password for christech.

Script ran all the way to the end but failed to launch startosinstall

 

2023-07-18 09:13:36 | v30.0 | [erase-install] Sending password to startosinstall
Error: could not get authorization...

 

 

Does resetting the keychain break Volume Owner?

dvasquez
Valued Contributor

I do not believe so:

Clicking on resetting keychain means when you enter in user library by clicking on finder and taking the cursor on the top menu bar, clicking on Go and hold option key clicking on a keychain the old keychain items inside this folder will be deactivated, and a new keychain folder be activated and you have to fill up the passwords again for your websites, login keychain.

Resetting the Keychain does not affect the Volume Owner. It should be the first person who logs in.

There are ways to validate this from the macOS Terminal.app

 

/usr/sbin/diskutil apfs listCryptoUsers /

 

DerFlounder is the best, check this out:

https://derflounder.wordpress.com/2023/03/10/granting-volume-owner-status-on-apple-silicon-macs/
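
The `diskutil apfs listCryptoUsers /` output from the post above lists users by UUID rather than by name, so the check only answers the question once it is matched to the account's GeneratedUID. The script below is an added example and not part of the original thread: the function names are hypothetical, and the embedded sample output and its UUIDs are constructed so the parser can be run off a Mac.

```bash
#!/bin/bash
# Added example, not from the thread: report whether an account is an APFS
# volume owner by matching its GeneratedUID against the crypto user list.

# Reads `diskutil apfs listCryptoUsers /` output on stdin.
# Prints "yes" or "no" for the given UUID, or "absent" if it is not listed.
volume_owner_status() {
    local want
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 == "+--"     { cur = toupper($2) }          # start of a user entry
        /Volume Owner:/ { if (cur == want) { found = 1; print tolower($NF); exit } }
        END             { if (!found) print "absent" }
    '
}

# Constructed sample output (UUIDs are made up) for running off a Mac.
sample_crypto_users() {
    cat <<'EOF'
Cryptographic users for disk3s1 (3 found)
|
+-- 11111111-AAAA-4BBB-8CCC-000000000001
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 11111111-AAAA-4BBB-8CCC-000000000002
|   Type: Local Open Directory User
|   Volume Owner: No
|
+-- 11111111-AAAA-4BBB-8CCC-000000000003
|   Type: Personal Recovery User
|   Volume Owner: Yes
EOF
}

# On a Mac: look up the account's GeneratedUID, then check token and ownership.
check_user() {
    local user="$1" uuid
    uuid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')
    sysadminctl -secureTokenStatus "$user" 2>&1
    echo "Volume Owner: $(diskutil apfs listCryptoUsers / | volume_owner_status "$uuid")"
}

if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    check_user "$1"
else
    sample_crypto_users | volume_owner_status "11111111-aaaa-4bbb-8ccc-000000000002"   # prints: no
fi
```

An "absent" result means the account's UUID is not in the volume's crypto user list at all, which is a different condition from being listed with `Volume Owner: No`.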

webdesignservic
New Contributor

I encountered an unusual issue with the erase-install.sh script. It ran successfully several times with other users in my department, but on one laptop, I faced a keychain error that prevented my previous passwords from working. After creating a new keychain, I initiated the script through a Self Service policy, entered my password, and it accepted my credentials. However, it stalled on the Preparing Update screen for an extended period. Upon inspecting the log, I noticed that "startosinstall could not get authorization." Running the script again with another local account that had a token worked flawlessly. I'm wondering if something happened with my account or if I lost the token after the keychain reset.

kacey3
Contributor II

I am struggling with this same issue. The local administrator that I am using for startosinstall is a confirmed Cryptographic user and is also confirmed to have a Secure Token, and yet even with these two things in place, I am still getting the dreaded "Error: could not get authorization..."

I am rapidly running out of ideas as I seem to get the same answer every time.