Addigy strives to provide admins with the tools to help keep the devices in their fleet up-to-date. One of the available options to keep devices up to date is by leveraging Apple's Install macOS app.
Previously, we added software to deploy to devices to upgrade the desired macOS system in the Public Software Library, found in the Catalog. However, with the deprecation of Public Software on May 1st, 2026, the macOS installer was moved to the Community > Scripts page.
With the new iteration that lives in Community > Scripts, there are some important things to note:
- Addigy will only be offering the latest available installer. When a new OS version comes out, the script in the Community page will be updated
- Since this lives in the Community page, you must either make a Smart Software item or send it as a one-off Saved Script
- You can still assign this item via Self Service, but if you plan on doing so, we suggest making a Smart Software
Use Case
Managing updates/upgrades with the OS installer should only be used if you have devices that are unable to upgrade regularly via System Settings > Software Update. If your devices are on a newer OS version that supports Declarative (DDM) updates, and are not on a version affected by bugs that impact software update reliability, we highly suggest you send updates via DDM.
If you have a certain workflow that DDM OS updates cannot accomplish, please reach out to our support team, and we can further discuss options to accomplish said workflow.
Option 1: Copying as a Saved Script
Copying and running the installer as a saved script will be easier if you have a small group of devices that need this installer. Do note that at the moment, a saved script can only be assigned per-device, and not per-policy. If you need to assign this policy-wide, refer to option 2 below.
- Go to the Community Script
- Click Copy to My Scripts
- Navigate to the Devices page
- Filter the devices you want to send the script to. In the example below, I am filtering for all Macs that are below 26.5
- Choose the saved script in the Run command... dialog box
- Click Send
- Choose whether you want to Run Now or Add to Self Service
Option 2: Creating Smart Software
- Navigate to Catalog > Software > Smart Software and begin creating a new Smart Software item
- Name the Smart Software item something identifiable, like "Install macOS 26.5"
- Go to the Community Script, highlight the contents of the script, copy it, and paste it into the Smart Software Installation Command box
- Expand the Condition for Install option
- Choose Advanced: Custom Conditional Commands
-
Paste the script below as the custom condition script
Note: You must edit the targetVersion variable to match the version you are sending. For example:
targetVersion="26.5"#!/bin/bash targetVersion="ENTER VERSION NUMBER HERE" versionName="macOS Tahoe" currentVersion="$(sw_vers -productVersion)" vercomp () { if [[ $1 == $2 ]] then echo "Device is already on ${1}" echo "Skipping install..." return 1 fi local IFS=. local i ver1=($1) ver2=($2) # fill empty fields in ver1 with zeros for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)) do ver1[i]=0 done for ((i=0; i<${#ver1[@]}; i++)) do if [[ -z ${ver2[i]} ]] then # fill empty fields in ver2 with zeros ver2[i]=0 fi if ((10#${ver1[i]} > 10#${ver2[i]})) then echo "Current Version ${2} is older than Target Version ${1}" echo "Installing..." return 0 fi if ((10#${ver1[i]} < 10#${ver2[i]})) then echo "Current Version ${2} is newer than Target Version ${1}" echo "Skipping install..." return 1 fi done return 0 } echo "Checking if already running." if ps aux | grep -v grep | grep "Install ${versionName}.app"; then echo "Install ${versionName} is already running or being downloaded. Skipping install." exit 1 fi vercomp "$targetVersion" "$currentVersion" - Now that the condition and install scripts have been entered, create the Smart Software item
If you plan on having users install this via Self Service, review this guide on how to assign this to Self Service. Adding or Removing Software in the Self Service Catalog
If you plan on deploying this via policy, please note that users will be prompted every 30 minutes.
Installer Location
/Applications/Install macOS [Version].app/Contents/Resources/startosinstallStorage
A compressed Install macOS app is downloaded and saved from Addigy at the following path
/Library/Addigy/ansible/packages/Install macOS [Version] ([Version Number])/Once the end-user has approved the installation, the compressed file will be decompressed and moved to /Applications
Logs
Any time that Install macOS Public Software deploys and the end-user is notified for installation; the installation logs will be stored at the following path:
/Library/Addigy/logs/Install macOS [Version] ([Version Number])-[timestamp].logDependencies and Changes
Starting on macOS Big Sur (11.0), any device attempting to use the startosinstall CLI tool on an Apple M1 device WILL REQUIRE a Secure Token user to authenticate the installation.
To adhere to the requirements on Apple M1 devices, we added an extra prompt to the installation process to request the current logged-in Secure Token user's password via AppleScript. Then, we pass the required passcode with expect into the startosinstall command.
Note: This process has only been made available from Install macOS Big Sur (11.6.2.1) and onward.
There have been many critical differences in install behavior and requirements based on processor type since the inception of Apple M1 devices.
Intel
-
Install command:
/Applications/Install macOS [Version].app/Contents/Resources/startosinstall --agreetolicense --nointeraction --rebootdelay 10 - It does not require an end user to be logged in to initiate the installation. If no user is logged in, we will skip the prompt and start the upgrade process immediately
- No SecureToken is required to start the upgrade process
- Only one prompt to end user asking to start the installation process
- In the installation script, it is referred to as startLegacyInstall
Apple Silicon
-
Install command:
/Applications/Install macOS [Version].app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --passprompt --user [Current User] - Requires a logged in SecureToken user to provide password in order to continue installation
- If no user is logged-in, will skip the installation process and return that the upgrade could not be completed.
- Even if there is a logged in user, the user must have SecureToken in order to continue the installation process.
- There will be an additional prompt for the end-user to provide the User's SecureToken password. If the password is incorrect, the startosinstall will fail, and we will re-prompt for the password. The end-user will only have three attempts before ultimately failing. The end-user will be prompted to contact their IT Administrator for next steps
- In the installation script, it is referred to as startNewInstall
Install Process
Once an Addigy Administrator deploys an Install macOS Public Software to a device and the installation process is ready to begin, we will check if a user is logged into the device. If there is not, we will automatically start the installation process. If there is a user signed in to the device, we will send out a MacManage.app prompt asking the end user to Install the upgrade or choose Not Now:
Note: The logo above is the default logo where a Self Service logo is not configured
If the device is on an Intel processor, we will silently start the installation, and the device will reboot to complete the installation once the upgrade process is complete.
We estimate devices will restart about 10-20 minutes after the upgrade process starts.
While the device upgrades in the background, there will be an Upgrade in Progress notification that will show on the screen that cannot be closed. This notification will show an estimated time range when the device might restart.
If the device is on an Apple M1 processor, we will check if a SecureToken user is logged in to the device. If no one logged into the machine, we would fail the installation process. We will kill the installation process if a user is logged in but does not have SecureToken. If there is a user logged in that does have a Secure Token, we will prompt the user for their password, as shown below:
First Password Prompt
Incorrect Password Prompt
Too many incorrect password attempts Prompt
The end user will have three attempts to enter their password correctly. If too many passwords are attempted, we will ask the end user to contact their IT Admin. The password is checked for validity by checking if the install command executes or not. We are not validating the password; we are only passing it into the startosinstall command and waiting for its validation from different expected outputs.
If the password is correct, the installation process will continue and will restart the device once it is complete.
Note: Once the installation is approved, and if the M1 password passed correctly, you can check the progress of the installation before restarting by running the following command:
sudo tail -f “/Library/Addigy/logs/Install macOS [Version] ([Version Number])-[timestamp].log”After restarting, the device will be upgraded to the desired version.
Key
[Version] = macOS version (ex. Monterey)
[Version Number] = Public Software Install macOS version number (ex. (12.0.1.1))
[timestamp] = The timestamp of when the Install macOS software was prompted for install
[Current User] = The current user on the device