Closed cipineda closed 1 year ago
If you can let me know of a method of determining if a mobile account is a Volume Owner, I'll try and add this to the script.
Trying to get that. I've read a bit about this and it looks like mobile accounts leverage the bootstrap token; maybe that is the way to go. Per some Internet lookups, the command to get who has tokens is: fdesetup list -extended
Hello, looks like the volume owner issue has been resolved. I do have an enhancement though.
Currently your script looks to see if a user is a member of the staff group with this command:
```bash
if ! /usr/sbin/dseditgroup -o checkmember -m "$account_shortname" staff ; then
    invalid_user
    exit 1
fi
```
I'd add as follows to do an additional check, as LDAP accounts are never part of the staff group but are part of the everyone group:
```bash
if ! /usr/sbin/dseditgroup -o checkmember -m "$account_shortname" staff ; then
    if ! /usr/sbin/dseditgroup -o checkmember -m "$account_shortname" everyone ; then # Added 10/25/22 to allow AD users to upgrade. CP
        echo " [get_user_details] $account_shortname account cannot be used to perform reinstallation!"
        invalid_user
        exit 1
    fi
fi
```
I see you have the everyone group on version 27.1
Is your feature request related to a problem? Please describe.
If the logged-in user is an Active Directory account (mobile), the upgrade on an M1 fails because the user is not a member of the 'staff' group. This could be fixed by checking if these mobile users are members of the 'everyone' group.
But the next validation in your script is to check if the user is a volume owner. Here it looks like only local accounts are considered by the binary '/usr/sbin/diskutil apfs listUsers /'.
Describe the solution you'd like
Allow mobile accounts to install the upgrade on macOS
Describe alternatives you've considered
None
Additional context
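One way to test a single account for Volume Owner status from the `diskutil apfs listUsers /` output mentioned above, as an added example that is not code from the script under discussion. The function names, the sample text and its placeholder UUIDs are constructed here, and the `dscl` lookup assumes the account has a local directory record.

```shell
#!/bin/sh
# Added example: decide whether one account is an APFS Volume Owner by parsing
# text in the shape printed by `/usr/sbin/diskutil apfs listUsers /`.

# Constructed sample output (placeholder UUIDs, not taken from a real Mac).
SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (3 found)
|
+-- 11111111-AAAA-4AAA-8AAA-000000000001
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 22222222-BBBB-4BBB-8BBB-000000000002
|   Type: Local Open Directory User
|   Volume Owner: No
|
+-- 33333333-CCCC-4CCC-8CCC-000000000003
    Type: Personal Recovery User
    Volume Owner: Yes'

# is_volume_owner GUID   (listUsers text is read from stdin)
# Exit status 0 only if the entry for GUID carries "Volume Owner: Yes".
# An empty GUID (for example a failed lookup) is always rejected.
is_volume_owner() {
    [ -n "$1" ] || return 1
    awk -v want="$1" '
        BEGIN           { want = toupper(want); found = 0 }
        /^\+-- /        { current = toupper($2); next }   # start of a user entry
        /Volume Owner:/ { if (current == want && $NF == "Yes") found = 1 }
        END             { exit(found ? 0 : 1) }
    '
}

# Hypothetical wrapper for use on a Mac. Assumption: the account has a record
# that `dscl .` can read. It only reports what diskutil lists for that GUID;
# whether mobile accounts appear there is the open question in the thread.
account_is_volume_owner() {
    guid=$(/usr/bin/dscl . -read "/Users/$1" GeneratedUID 2>/dev/null | awk '{print $2}')
    /usr/sbin/diskutil apfs listUsers / | is_volume_owner "$guid"
}
```

Matching on the GeneratedUID ties the result to one account, so a user who merely exists on the system is not treated as able to authorise the reinstall.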