Addigy strives to provide admins with the tools to help keep the devices in their fleet up-to-date. One of the main avenues of keeping devices up to date is upgrading devices using Apple's Install macOS app.
Fun Fact: Apple has released a new macOS major version every year since 2011. That's over eleven years of brand-new operating systems!
Addigy publishes software items in the Public Software Library, found in the Catalog, that can be deployed to devices to upgrade them to the desired macOS version.
Addigy names these items using Apple's macOS version number and appends our own version number at the end, so that changes to the installer item can be versioned when they are needed. We will also add a ".0" after Apple's version number if the macOS version only has two version components.
Our version number is added to the end so that Addigy can correctly tell apart different versions of what may be the same macOS Installer within the Catalog.
Example:
Install macOS Monterey (12.1.0.1)
12.1 is the macOS version
.0 is the extra value added by Addigy to keep the three-number versioning scheme
.1 is Addigy’s version number to check for different versions of the same Installer in the Catalog
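The naming scheme above can be split back into its parts and compared with a device's installed version to see whether a catalog item would actually upgrade it. This is an added example, not Addigy's code; the function names are hypothetical and the sample item name is the one from the article.

```shell
#!/bin/sh
# Added example, not Addigy's code. Item names are constructed from the article.

# catalog_version "Install macOS Monterey (12.1.0.1)" -> 12.1.0.1
catalog_version() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9.]*\))[[:space:]]*$/\1/p'
}

# First three components: Apple's version, already padded by Addigy.
macos_part() { printf '%s\n' "$1" | cut -d. -f1-3; }

# Fourth component: Addigy's own revision of the installer item.
addigy_revision() { printf '%s\n' "$1" | cut -d. -f4; }

# Pad a two-part version such as 12.1 (what sw_vers reports) to 12.1.0.
pad3() {
    case $1 in
        *.*.*) printf '%s\n' "$1" ;;
        *.*)   printf '%s.0\n' "$1" ;;
        *)     printf '%s.0.0\n' "$1" ;;
    esac
}

# version_ge A B: succeeds when A >= B, comparing each component as a number.
version_ge() {
    a=$(pad3 "$1"); b=$(pad3 "$2")
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# needs_upgrade INSTALLED ITEM_NAME: succeeds when the item is newer.
needs_upgrade() {
    target=$(macos_part "$(catalog_version "$2")")
    if version_ge "$1" "$target"; then return 1; fi
    return 0
}

item="Install macOS Monterey (12.1.0.1)"   # constructed sample
full=$(catalog_version "$item")
echo "macOS $(macos_part "$full"), Addigy revision $(addigy_revision "$full")"
needs_upgrade 12.0.1 "$item" && echo "12.0.1 would be upgraded by this item"
```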
Addigy's Install macOS Public Software uses the startosinstall CLI tool in the Install macOS app to remotely start installing the upgrade.
Adding the Public Software Item to your Policy
Assigning to an individual policy:
- Navigate to a Policy. Since this is a Public Software item, you will find it under the Public Library section of the Software tab within the policy you select.
- After selecting the software and adding it to your policy by clicking Add/Remove, it will be added to the next automatic policy deployment. It can be deployed immediately by clicking Deploy Now.
Assign to multiple policies:
- Navigate to Catalog > Software > Public Library. From there, locate the upgrade version you would like to deploy, and under the Actions column, select the 3 dots "..." > Assignments.
Installer Location
/Applications/Install macOS [Version].app/Contents/Resources/startosinstall
Storage
A compressed Install macOS app is downloaded from Addigy and saved at the following path:
/Library/Addigy/ansible/packages/Install macOS [Version] ([Version Number])/
Once the end-user has approved the installation, the compressed file will be decompressed and moved to /Applications
Logs
Any time that an Install macOS Public Software item deploys and the end-user is notified for installation, the installation logs will be stored at the following path:
/Library/Addigy/logs/Install macOS [Version] ([Version Number])-[timestamp].log
Dependencies and Changes
Starting with macOS Big Sur (11.0), using the startosinstall CLI tool on an Apple M1 device WILL REQUIRE a Secure Token user to authenticate the installation.
To adhere to the requirements on Apple M1 devices, we added an extra prompt to the installation process to request the currently logged-in Secure Token user's password via AppleScript. Then, we pass that password with expect into the startosinstall command.
Note: This process has only been made available from Install macOS Big Sur (11.6.2.1) and onward.
There have been many critical differences in install behavior and requirements based on processor type since the inception of Apple M1 devices.
Intel
- Install command:
/Applications/Install macOS [Version].app/Contents/Resources/startosinstall --agreetolicense --nointeraction --rebootdelay 10
- It does not require an end user to be logged in to initiate the installation. If no user is logged in, we will skip the prompt and start the upgrade process immediately.
- No SecureToken is required to start the upgrade process
- Only one prompt is shown to the end user, asking to start the installation process
- In the installation script, it is referred to as startLegacyInstall
Apple Silicon
- Install command:
/Applications/Install macOS [Version].app/Contents/Resources/startosinstall --agreetolicense --nointeraction --forcequitapps --passprompt --user [Current User]
- Requires a logged-in SecureToken user to provide their password in order to continue the installation
- If no user is logged in, we will skip the installation process and return that the upgrade could not be completed.
- Even if there is a logged-in user, the user must have SecureToken in order to continue the installation process.
- There will be an additional prompt for the end-user to provide the User's SecureToken password. If the password is incorrect, startosinstall will fail, and we will re-prompt for the password. The end-user will only have three attempts before ultimately failing. The end-user will be prompted to contact their IT Administrator for next steps.
- In the installation script, it is referred to as startNewInstall
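The Intel and Apple Silicon requirements listed above can be checked on a device before the item is deployed, to predict whether the upgrade will start, prompt, or fail. This is an added example, not Addigy's installation script; the function names and outcome labels are hypothetical, and treating a console owner of root or loginwindow as "no user logged in" is an assumption.

```shell
#!/bin/sh
# Added example (not Addigy's script): predict which path the article's install
# process takes on this Mac, before deploying the item.

# decide ARCH CONSOLE_USER TOKEN_STATUS -> one outcome word on stdout.
#   ARCH: arm64 | x86_64 ; CONSOLE_USER: empty when nobody is logged in
#   TOKEN_STATUS: ENABLED | DISABLED
decide() {
    arch=$1 user=$2 token=$3
    # Assumption: root/loginwindow owning the console means no user session.
    case $user in ""|root|loginwindow) user="" ;; esac
    if [ "$arch" != "arm64" ]; then
        # Intel: no SecureToken needed; no user means no prompt at all.
        [ -z "$user" ] && { echo start-immediately; return 0; }
        echo prompt-install; return 0
    fi
    # Apple Silicon: a logged-in SecureToken user must supply a password.
    [ -z "$user" ] && { echo fail-no-user; return 0; }
    [ "$token" = "ENABLED" ] || { echo fail-no-securetoken; return 0; }
    echo prompt-install-and-password
}

# Gather the three inputs on a real Mac (macOS-only commands).
current_inputs() {
    arch=$(uname -m)
    user=$(stat -f%Su /dev/console)
    # sysadminctl reports "Secure token is ENABLED for user <name>" on stderr.
    if sysadminctl -secureTokenStatus "$user" 2>&1 | grep -q ENABLED; then
        token=ENABLED
    else
        token=DISABLED
    fi
    decide "$arch" "$user" "$token"
}

# Only query the system when run on macOS; elsewhere just define functions.
if [ "$(uname -s)" = "Darwin" ]; then current_inputs; fi
```

A fail-no-securetoken result on an Apple Silicon device means the logged-in account needs a Secure Token before the upgrade item can succeed.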
Install Process
Once an Addigy Administrator deploys an Install macOS Public Software to a device and the installation process is ready to begin, we will check if a user is logged into the device. If there is not, we will automatically start the installation process. If there is a user signed in to the device, we will send out a MacManage.app prompt asking the end user to Install the upgrade or choose Not Now:
Note: The logo above is the default logo where a Self Service logo is not configured
If the device is on an Intel processor, we will silently start the installation, and the device will reboot to complete the installation once the upgrade process is complete.
We estimate devices will restart about 10-20 minutes after the upgrade process starts.
While the device upgrades in the background, there will be an Upgrade in Progress notification that will show on the screen that cannot be closed. This notification will show an estimated time range when the device might restart.
If the device is on an Apple M1 processor, we will check if a SecureToken user is logged in to the device. If no one is logged in to the machine, we will fail the installation process. We will kill the installation process if a user is logged in but does not have SecureToken. If there is a user logged in that does have a Secure Token, we will prompt the user for their password, as shown below:
First Password Prompt
Incorrect Password Prompt
Too many incorrect password attempts Prompt
The end user will have three attempts to enter their password correctly. If too many passwords are attempted, we will ask the end user to contact their IT Admin. The password is checked for validity by checking if the install command executes or not. We are not validating the password; we are only passing it into the startosinstall command and waiting for its validation from different expected outputs.
If the password is correct, the installation process will continue and will restart the device once it is complete.
Note: Once the installation is approved and, on M1 devices, the password has been accepted, you can check the progress of the installation before the restart by running the following command:
sudo tail -f "/Library/Addigy/logs/Install macOS [Version] ([Version Number])-[timestamp].log"
After restarting, the device will be upgraded to the desired version.
Key
[Version] = macOS version (ex. Monterey)
[Version Number] = Public Software Install macOS version number (ex. (12.0.1.1))
[timestamp] = The timestamp of when the Install macOS software was prompted for install
[Current User] = The current user on the device