/build/static/layout/Breadcrumb_cap_w.png

macOS patching with SMA

Endorsed by Nick The Ninja

Hi guys,

 

I had a couple of problems with macOS patching and since Apple moved that to MDM, I spent some time in finding a way to anyway perform macOS updates with SMA.


HINT: This only applies to Intel macs. If you execute this on Silicon macs, you will get a prompt from the macOS update where you have to "allow" that the macOS update can be installed.

If you want to avoid the prompt on Silicon macOS, you need to use DEP or you can allow remote command execution and software updates. Here you can see, how to do it.

You can find the exported packages here.

 

First problem at all was, that scripting didn't work as expected in my first tests. I tried just the command “softwareupdate -l” but nothing happened.


I figured out, that macOS has currently a problem, that some commands can´t be executed as root. I found the following solution in scripting that worked to upgrade macOS to the latest version. Please run the following script as "Online Shell-Script" in SMA:

 

#!/bin/bash

 

# Get logged in username

LOGGEDINUSER=$(ls -l /dev/console | awk '/ / { print $3 }')

echo "$DATE LOGGEDINUSER = $LOGGEDINUSER"

 

# Get UID for LOGGEDINUSER

LoggedInUserUID=$(id -u "$LOGGEDINUSER")

echo "LoggedInUserUID = $LoggedInUserUID"

 

SoftwareUpdateList=$(/bin/launchctl asuser $LoggedInUserUID sudo -iu "$LOGGEDINUSER" softwareupdate -i --os-only --verbose)

echo "SoftwareUpdateList = $SoftwareUpdateList"

 

Afterwards another problem came up. macOS clients that are enrolled as a supervised device to a MDM solution don´t get the latest Ventura update, because Apple disables it for 30 days automatically.

 

So next challenge was then, to get the full installer on a mac and install it to avoid the 30 days and always be able to upgrade to the latest macOS. By the way, macOS has also problems sometimes with upgrading to Ventura because Apple changed the upgrade path and this bug is fixed in 12.6.1.

 

I tried again scripting but I figured out fast, that our script module isn´t able to upgrade with the full installer. Problem is, that over scripting, the upgrade wizard came always up and wanted kind of approval from the logged in user.

 

I switched then to Managed Installations and tried back and forth to get a solution with the full installer and I finally found it.

 

So I have two options now.

 

Option 1: With the first option, you can download the full installer directly from the Apple Appstore and install the latest macOS. In this command we of course have to change in the future the name or path of the startosinstall script but this is not a big change that is needed.


CEis82euNVIREAEREIEcJVDqYr13794cRaVui4AIiEDmCegemvk5yEQPSlWsy5Qpk4kxqk0REAEROKAI6F56QE1nSoMpn1KuYszEh0wrw2IEqqpEQATyioCEOq+mOzrYUhdrWtaHLcpfByIgAiIgAiKQlECpusGT9kYZREAEREAEREAE9iMgsd4PiU6IgAiIgAiIQHYRkFhn13yoNyIgAiIgAiKwHwGJ9X5IdEIEREAEREAEsouAxDq75kO9EQEREAEREIH9CEis90OiEyIgAiIgAiKQXQT+B5ScO987JPjQAAAAAElFTkSuQmCC 


 

Option 2: With option two we are able to upload the macOS update as DMG file, extract it to /Applications and install it so that we can use replication shares for example in your environment. You should always download and create the DMG file on your own to avoid problems with copy/paste. This is also why I just exported the managed installs and not the DMG file.

 

Here is a link on how to create a DMG from an APP file that worked well for me:

https://kb.parallels.com/en/123895

 

After the upload of the DMG file, we need to have a MI to download and extract it.


wE8K+ObVnzUkAAAAABJRU5ErkJggg== 

 

This “installs” the APP file into the /Applications folder.

 

Afterwards we can just run the installation command with startosinstall and it will not ask us for approval with the wizard on the local client.

 

w8hzce+HvdOmgAAAABJRU5ErkJggg==

 

I had to split that up because when I add the install command with && to the extraction command, it didn´t work.


I hope this helps some of you to patch your macOS and of course next year we also get it to our KACE Cloud so stay tuned to co-manage your macOS devices in the future ;)


Cheers Sven


Comments

  • Thanks for your hard work on this Sven. Unfortunately I am having issues getting the script to work. When using the script on a Big Sur intel Mac for example, it completes successfully but when you look at the output log it says "softwareupdate: unrecognized option '--os-only'" and doesn't do anything.
    I removed the --os-only script and replaced it with -a to install all updates, but this only works for things like Safari, and not any OS updates for Big Sur. I have a CIR that will identify updates required by the Mac, and it confirms that 11.7.1 is needed, but when I run the amended script, the script log says that it has downloaded the 11.7.1 update, but there was no action to install it. Any ideas? - seanboy 1 year ago
    • When you run softwareupdate --help on big sur, what is the outcome of that? Do you see there the --os-only command. I only tested it on macOS 12.0 actually. - sven.hain 1 year ago
  • No, alas the --os-only command isn't available for Big Sur when I enter that command. That explains that. Though even after removing that switch from the script and running the script with the -iar switch instead, it still only downloads the Big Sur update, but doesn't automatically install it. I'll test out 12.0 when I get a chance too. thanks! - seanboy 1 year ago
    • I would recommend to use the managed installation then. That should install the update directly :) - sven.hain 1 year ago
      • haha yeah, will do :) Apple have went out of their way to make patching macs as difficult as possible it seems (at least with Kace)! - seanboy 1 year ago
      • yeah that is true unfortunately but I hope you get it done with the managed installs :) - sven.hain 1 year ago
This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ