Hello all!

About time for another blogpost I reckon! And well aware of the fact that I may be opening Pandora's box here, not to mention a can of worms, let's have a look at what our options are in view of keeping our Macs up to date.

Disclaimer: My intent with this blogpost is to discuss the available options for macOS Big Sur update methods as things are today, in view of some changes native to Big Sur and Apple Silicon Macs. No judgement calls are made in this post. The only intent is to help fellow Mac Admins understand the current challenges.

Let's first start with listing what's available as tools and functionality to achieve our goal:

  1. Do nothing and educate your end users to keep their devices up to date, maybe remind them now and then with a notification via a Jamf Pro smart group and policy.
  2. Deploy a configuration profile to enforce automatic updates
  3. Use the 'Software Update' payload in a Jamf Pro policy
  4. Use the 'Files and Processes' payload in a Jamf Pro policy
  5. Package the full installer and use a Jamf Pro policy
  6. Use MDM commands
  7. Use another third party tool and/or script, like nudge (see below)

As you can see, quite some options, but are they all equally efficient? Well, in an ideal world we'd be able to pick a flavour which suits our deployment strategy, and go for it. Unfortunately, like I mentioned above, things got a bit complicated, and with some unexpected behaviour and bugs, I mean features, we're actually a bit limited in view of what actually works.

That said, I'd like to start with the following Jamf tech write-up on the topic: https://docs.jamf.com/technical-papers/jamf-pro/deploying-macos-upgrades/9.96/Overview.html

I'm sure my colleague tech writers are going to forgive me for using the flowchart below, so let's have a closer look at it:

I didn't include the 'erase' scenario in my list here above, but yeah, if your goal is to wipe and re-install macOS, using the --eraseinstall flag on the startosinstall binary would be my preferred way of doing things. Unless you only have tech wizards as end users, who can manage an erase/install/re-enroll on their own, but even then, you might want to keep things simple. For instance by caching the installer and providing a one-click button in Self Service to speed things up. I'll leave this path at providing you the link where this approach is explained in detail: https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button

Note: One thing I do want to highlight is the fact that for Apple Silicon devices, this will only work if you provide a username and password of a SecureToken-enabled admin account in the command. This, however, brings up the discussion on passing admin (or any, for that matter) credentials in clear text in a command or script. As mentioned in the link above, Administrators will need Apple to help find a better solution for this. The command you would use if you want to go that route would look like:
echo 'mYsup3rS3cur3P4sSw0rdW1ch1w1LLn3v3RpUt1N4Scr1Pt' | '/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall' --eraseinstall --agreetolicense --forcequitapps --newvolumename 'Macintosh HD' --user adminuser --stdinpass

Moving to the left side of the chart, where we retain computer data, ignoring the use of recovery mode, we have:

  • Package the installer
  • Run software update using a policy
  • Use MDM commands

Those are basically the main 3 options we can use, but as you saw at the beginning of this post, I added a few more. Why? Well, first of all, because they are available and don't limit us to the pure built-in functionality of Jamf Pro, but also because of what happened over the recent macOS and Jamf Pro versions.

In view of keeping this post within acceptable length, I'm not going to elaborate on every issue or roadblock we saw, but instead summarise it as follows.

First of all, starting with Macs equipped with a T2 chip, we saw that using a Jamf Pro policy with the 'Software Update' payload resulted in failing updates if the update required a shutdown instead of a reboot. This was fixed in Jamf Pro 10.23, but Apple Silicon / M1 Macs made this issue resurface. On Intel-equipped Macs the best workaround prior to Jamf Pro 10.23 would be to use the 'Files and Processes' payload and issue a softwareupdate -iaR command:

Even though this was fixed in Jamf Pro 10.23, to keep things simple, I'd still remove that from the list and go for option 4, 'Files and Processes' with the softwareupdate -iaR command, if you only have Intel-equipped Macs to manage.

  1. Do nothing and educate your end users to keep their devices up to date, maybe remind them now and then with a notification via a Jamf Pro smart group and policy.
  2. Deploy a configuration profile to enforce automatic updates
  3. Use the 'Software Update' payload in a Jamf Pro policy
  4. Use the 'Files and Processes' payload in a Jamf Pro policy
  5. Package the full installer and use a Jamf Pro policy
  6. Use MDM commands
  7. Use another third party tool and/or script, like nudge (see below)

But as you can see, I've just put option 4 (our 'Files and Processes' option which I just said to use instead), as well as packaging a full installer or using a third party script, in RED. Why?

Well, because of Apple Silicon / M1. Since the introduction of M1-equipped Macs, ALL non-MDM programmatic software updates on M1 Macs require user interaction by a 'Volume Owner'. The TLDR of what that means is basically that the user must be a cryptographic user, aka 'have a SecureToken'. This means that every software update action which triggers the softwareupdate binary (this does not apply to MDM commands; see below) will result in the popup prompt below on Apple Silicon Macs:

The fact that I've put 'package the full installer and use a Jamf Pro policy' in red is not because of this popup, but because of the requirement of passing the credentials of a SecureToken-enabled admin in clear text in the command or script.

So for Intel-equipped Macs those options will still be viable, but for M1 Macs this is either not fully automated or goes against best practice in view of scripted credentials.

That said, I do like the nudge tool! It's just a pity that M1-equipped Macs bring that additional challenge of user interaction to the mix. https://github.com/macadmins/nudge

So where does that leave us? What do we have left to build a future-proof update strategy for macOS Big Sur which will work for both Intel and M1? Well, while the options discussed above may still work for you if you only have Intel-equipped Macs, I'm afraid I have to reduce my list to the 3 options below if you have M1 Macs in the mix:

  1. Do nothing and educate your end users to keep their devices up to date, maybe remind them now and then with a notification via a Jamf Pro smart group and policy.
  2. Deploy a configuration profile to enforce automatic updates
  3. Use MDM commands

The first option is self-explanatory I guess, so let's quickly look at option 2. "Enforce" automatic updates via a Configuration Profile… what does that really do?

Ignoring the deprecated SUS URL option, the main setting in the Software Update payload of a Configuration Profile would here be "Automatically install macOS updates", which, however, does nothing more than what you get when you manually enable it in System Preferences. As discussed here.

And this would then notify the end user and offer some options when updates are available.

This, together with educating and reminding end users (with Jamf Pro policies, additional notifications, etc.), could be a strategy if you don't require much enforcing of updates at a specific time.

But if you do need to really force updates without user interaction or passing of credentials in scripts, and you do have Apple Silicon / M1 Macs in the mix… there is, as things are at this moment, only one option left: MDM / Remote Commands!

The reason why is that Apple Silicon Macs can now use the 'Bootstrap Token' (if escrowed into MDM) to install updates triggered by MDM commands without user interaction. Yes, in all of the above I mentioned that all updates on M1-equipped Macs require user interaction by a cryptographic user / Volume Owner, resulting in a prompt for the SecureToken-enabled admin account password. The exception, however, is that if the 'Bootstrap Token' is escrowed into the MDM server, MDM commands to update M1 Macs don't require this user interaction!

And this is the only way, today at the time of writing this blogpost, to automate macOS Big Sur updates on M1 Macs without passing or prompting for user credentials.

All good, right? We have a solution…?

NO! Wait! I did mention that writing this blog post was like opening a Pandora's box style can of worms, right? Yes, indeed. Even though I'm presenting MDM / Remote commands to tackle both Intel and Apple Silicon Mac updates, we're not quite there yet, because (as things are today at the time of writing) there are still a few roadblocks / issues.

First of all we have macOS Big Sur before 11.2. In macOS Big Sur pre 11.2, there was an issue with the AvailableOSUpdates command. How?

Well, let's first have a look at how the MDM commands to update a Mac work. When you instruct a Mac to check for updates via MDM there are actually multiple MDM commands involved. In sequence:

  • ScheduleOSUpdateScan – Instruct the Mac to scan for available updates.
  • AvailableOSUpdates – Instruct the Mac to report the available updates back to the MDM server
  • ScheduleOSUpdate – Instruct the Mac to download (and install) specific updates. This depends on the option selected on the initial MDM action:
    • In Jamf Pro prior to version 10.29:
      • The "Download Only" command would send the NotifyOnly action, which would download the update and notify a user of the update's availability.
      • The "Download and Install Updates" command would send the Default action, which would download and trigger the installation of an update.
    • See below for Jamf Pro 10.29 or later

This all worked fine before macOS Big Sur. However, on macOS Big Sur prior to 11.2, there is/was an issue with the AvailableOSUpdates command. Whenever this command is issued to macOS Big Sur pre-11.2, it would actually result in a situation where the available update disappears from System Preferences and the installation via MDM fails.

The workaround here is/was to try rebooting the Mac to see if the update becomes available in System Preferences again, but that seems to be hit or miss. Alternatively, deploying a full installer might be an option, but as discussed above, this will require passing credentials in the 'startosinstall' command for M1-equipped Macs.

Now, this is fixed in macOS 11.2; however, there is more.

While the available updates don't seem to disappear from System Preferences (and fail MDM-triggered installation) anymore when an AvailableOSUpdates command is sent to devices on 11.2 or later, there is still some voodoo going on. If for instance our Mac is running 11.2, and we send a ScheduleOSUpdateScan command, the Mac will report all available updates back to the MDM server. At the time of writing this blogpost this would be:

  • macOS 11.2.1 Update
  • macOS 11.2.2 Update
  • macOS 11.2.3 Update
  • macOS 11.3 Update
  • macOS 11.3.1 Update
  • but also the macOS 11.2 Full Installer (full installer of the currently installed version)

And this is where the fun really starts.

If we're sending a 'Download Only' command (pre-Jamf Pro 10.29 this results in a NotifyOnly action; see below for Jamf Pro 10.29 or later), and the Mac returns a list including a full macOS installer, the subsequent ScheduleOSUpdate will fail. This on both Intel and M1.

If we're sending a 'Download and Install' command, the list of multiple available updates results in the ScheduleOSUpdate command triggering a simultaneous preparation of ALL updates… in turn resulting in a, what seems to be random, selection of which update to install…

On Intel-equipped Macs, this may result in a successful installation of the update, but without any time travelling skills it is impossible to predict which one.

On M1-equipped Macs, the result is undefined. It may result in a successful installation, a prompt to enter the password, or a notification leading to System Preferences > Software Update when clicked.

But… there is more…

Let's have a look at the release notes of Jamf Pro 10.29:

Jamf Pro now includes the following enhancements to the Download/Download and Install Updates remote command to make the update process more reliable and allow for updates without user interaction on computers with Apple silicon (i.e., M1 chip):

Download the update for users to install option—Jamf Pro now includes the DownloadOnly key when sending the remote command to computers with macOS 11 or later and the NotifyOnly key when sending the command to computers with macOS 10.15.4 or earlier.

Download and install the update, and restart computers after installation option—Jamf Pro now includes the InstallASAP key when sending the remote command to computers with macOS 10.12 or later.

In view of the issue with the list of available updates and the variety of outcomes discussed above, the results are still similar.

  • 'Download Only' will still result in an issue if the available update list includes a full installer of the current macOS version
  • 'Download and Install' now results in an 'InstallASAP' action and still seems to result in a variety of outcomes. However, the good news is that it seems to behave better on M1-equipped Macs, with more successful update installations. Yet, it may or may not install the latest or most recent available update, and it may still trigger the notification mentioning "A new update was requested to be installed by an Administrator" if macOS picked the full installer. If there is no Bootstrap Token escrowed in the MDM server, the user may still be prompted for a password, but that is expected.

One more thing: if the installation of an update triggers successfully, whichever available update of the list this may be, there is supposed (?) to be a countdown of 60 seconds before the Mac reboots to complete the update. Just like when you don't have any MDM involved but have automatic updates enabled, there should then also be a dropdown menu to allow the user to defer the update by one hour, try tonight or be reminded tomorrow.

It does seem, however, that this countdown / deferral notification does not happen and the Mac reboots out of the blue. Unless an app without auto-save functionality blocks the reboot…
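The update list from the 11.2 scan above and the DownloadOnly / InstallASAP actions from the 10.29 release notes, worked through as an added example (not code from this post or from Jamf Pro): it drops the full installer of the running version from the AvailableOSUpdates reply and builds a ScheduleOSUpdate command naming a single update, which sidesteps both the failing Download Only case and the "prepare ALL updates at once" lottery. The ProductKey values are constructed placeholders, and the dictionary keys are assumed to match Apple's MDM protocol.

```python
# Added example (not from the post or Jamf Pro): pick ONE update out of an
# AvailableOSUpdates reply and build the ScheduleOSUpdate command for it.
# Assumes the reply items carry Apple's Version/ProductKey/HumanReadableName
# keys; the ProductKey values below are constructed placeholders.
import plistlib
import uuid
from typing import Optional

# Constructed sample mirroring the list the post saw on a Mac running 11.2.
INSTALLED_VERSION = "11.2"
SAMPLE_AVAILABLE = [
    {"ProductKey": "CONSTRUCTED-001", "HumanReadableName": "macOS 11.2.1 Update", "Version": "11.2.1"},
    {"ProductKey": "CONSTRUCTED-002", "HumanReadableName": "macOS 11.2.2 Update", "Version": "11.2.2"},
    {"ProductKey": "CONSTRUCTED-003", "HumanReadableName": "macOS 11.2.3 Update", "Version": "11.2.3"},
    {"ProductKey": "CONSTRUCTED-004", "HumanReadableName": "macOS 11.3 Update", "Version": "11.3"},
    {"ProductKey": "CONSTRUCTED-005", "HumanReadableName": "macOS 11.3.1 Update", "Version": "11.3.1"},
    {"ProductKey": "CONSTRUCTED-006", "HumanReadableName": "macOS Big Sur 11.2 (full installer)", "Version": "11.2"},
]
INSTALL_ACTIONS = {"Default", "DownloadOnly", "NotifyOnly", "InstallASAP",
                   "InstallLater", "InstallForceRestart"}


def version_tuple(version: str) -> tuple:
    """'11.3' -> (11, 3, 0) so that 11.3 and 11.3.1 compare correctly."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def pick_target(installed: str, available: list, latest: bool = True) -> Optional[dict]:
    """Return the single update to schedule, or None if nothing is newer.
    Dropping items not newer than the running OS removes the full installer of
    the current version (which the post saw break a Download Only ScheduleOSUpdate);
    scheduling just one of the rest avoids preparing ALL updates at once."""
    current = version_tuple(installed)
    newer = [u for u in available if version_tuple(u["Version"]) > current]
    if not newer:
        return None
    pick = max if latest else min
    return pick(newer, key=lambda u: version_tuple(u["Version"]))


def schedule_os_update(target: dict, install_action: str) -> bytes:
    """Serialise a ScheduleOSUpdate command plist that names exactly one update."""
    if install_action not in INSTALL_ACTIONS:
        raise ValueError(f"unknown InstallAction {install_action!r}")
    update = {"ProductKey": target["ProductKey"], "ProductVersion": target["Version"],
              "InstallAction": install_action}
    command = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": "ScheduleOSUpdate", "Updates": [update]}}
    return plistlib.dumps(command)


if __name__ == "__main__":
    chosen = pick_target(INSTALLED_VERSION, SAMPLE_AVAILABLE)
    print(schedule_os_update(chosen, "InstallASAP").decode())
```

With latest=False the same selection walks the Mac up one point release at a time instead of jumping straight to 11.3.1.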

That's it! As mentioned in the disclaimer at the beginning of this post, my intent here is only to demystify the current challenges you may face when designing a method to update your macOS Big Sur Macs today, Intel or M1-equipped.

Oh… but wait, what should we use now… well, if I had to choose today, I'd go back to the first two items of my list:

  1. Do nothing and educate your end users to keep their devices up to date, maybe remind them now and then with a notification via a Jamf Pro smart group and policy.
  2. Deploy a configuration profile to enforce automatic updates

Just to save myself the headache, and wait to see where this goes with the macOS 11.3 => 11.4 updates and beyond…

As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!

Brgds,
TTG