Hi guys,
I had a couple of problems with macOS patching and since Apple moved that to MDM, I spent some time in finding a way to anyway perform macOS updates with SMA.
HINT: This only applies to Intel macs. If you execute this on Silicon macs, you will get a prompt from the macOS update where you have to "allow" that the macOS update can be installed.
If you want to avoid the prompt on Silicon macOS, you need to use DEP or you can allow remote command execution and software updates. Here you can see, how to do it.
You can find the exported packages here.
First problem at all was, that scripting didn't work as expected in my first tests. I tried just the command “softwareupdate -l” but nothing happened.
I figured out, that macOS has currently a problem, that some commands can´t be executed as root. I found the following solution in scripting that worked to upgrade macOS to the latest version. Please run the following script as "Online Shell-Script" in SMA:
#!/bin/bash
# Get logged in username
LOGGEDINUSER=$(ls -l /dev/console | awk '/ / { print $3 }')
echo "$DATE LOGGEDINUSER = $LOGGEDINUSER"
# Get UID for LOGGEDINUSER
LoggedInUserUID=$(id -u "$LOGGEDINUSER")
echo "LoggedInUserUID = $LoggedInUserUID"
SoftwareUpdateList=$(/bin/launchctl asuser $LoggedInUserUID sudo -iu "$LOGGEDINUSER" softwareupdate -i --os-only --verbose)
echo "SoftwareUpdateList = $SoftwareUpdateList"
Afterwards another problem came up. macOS clients that are enrolled as a supervised device to a MDM solution don´t get the latest Ventura update, because Apple disables it for 30 days automatically.
So next challenge was then, to get the full installer on a mac and install it to avoid the 30 days and always be able to upgrade to the latest macOS. By the way, macOS has also problems sometimes with upgrading to Ventura because Apple changed the upgrade path and this bug is fixed in 12.6.1.
I tried again scripting but I figured out fast, that our script module isn´t able to upgrade with the full installer. Problem is, that over scripting, the upgrade wizard came always up and wanted kind of approval from the logged in user.
I switched then to Managed Installations and tried back and forth to get a solution with the full installer and I finally found it.
So I have two options now.
Option 1: With the first option, you can download the full installer directly from the Apple Appstore and install the latest macOS. In this command we of course have to change in the future the name or path of the startosinstall script but this is not a big change that is needed.
Option 2: With option two we are able to upload the macOS update as DMG file, extract it to /Applications and install it so that we can use replication shares for example in your environment. You should always download and create the DMG file on your own to avoid problems with copy/paste. This is also why I just exported the managed installs and not the DMG file.
Here is a link on how to create a DMG from an APP file that worked well for me:
https://kb.parallels.com/en/123895
After the upload of the DMG file, we need to have a MI to download and extract it.
This “installs” the APP file into the /Applications folder.
Afterwards we can just run the installation command with startosinstall and it will not ask us for approval with the wizard on the local client.
I had to split that up because when I add the install command with && to the extraction command, it didn´t work.
I hope this helps some of you to patch your macOS and of course next year we also get it to our KACE Cloud so stay tuned to co-manage your macOS devices in the future ;)
Cheers Sven
I removed the --os-only script and replaced it with -a to install all updates, but this only works for things like Safari, and not any OS updates for Big Sur. I have a CIR that will identify updates required by the Mac, and it confirms that 11.7.1 is needed, but when I run the amended script, the script log says that it has downloaded the 11.7.1 update, but there was no action to install it. Any ideas? - seanboy 2 years ago