kc9wwh / macOSUpgrade

Workflow for doing in-place upgrades.

Stalling on M1 Mac - "Failed to authorize for installation" #165

Open rjtort opened 3 years ago

rjtort commented 3 years ago

Working fine on Intel Macs, but on M1 Macs it stalls out. startosinstall.log says:

Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt.
By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms.
If you do not agree, press CTRL-C and cancel this process immediately.

Apparently Apple now requires authentication to use the startosinstall command on Apple Silicon Macs. If you run it as root from the Terminal, it'll ask a second time for you to enter credentials, but running the macOSUpgrade script via Self Service just stalls out.

Any way to work around this?

More info in the thread here: https://www.jamf.com/jamf-nation/discussions/37297/big-sur-upgrade-bash-command

UESCDurandal commented 3 years ago

Apple Silicon Macs require authorization from a user that has a Secure Token. Others have been able to permit startosinstall to run by passing the Secure Token user's credentials into the command. For example,

/usr/bin/su -l secureTokenAdmin -c "echo 'password' | /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/startosinstall --eraseinstall --newvolumename 'Macintosh HD' --nointeraction --agreetolicense --forcequitapps --user secureTokenAdmin --stdinpass"

Some organizations may have a specific account on every Mac that retains a Secure Token, however ours does not. In most cases the employee's local user is the only account that has a token. Ideally Apple and Jamf would find a way for MDM to authenticate the command via Bootstrap Token, but until then I have a suggestion to solve for this issue.

My suggestion would be to write a two step process wherein an array of Secure Token holder accounts is generated and if your organization's dedicated admin account is present then the script should use known credential variables to run the command silently (recommend encrypting credentials). However, if your organization's dedicated admin account does not have a token then a prompt should appear on screen with a dropdown menu listing all token holders and a text field for the password.

An area for text on this prompt would be beneficial here to instruct technicians to use Apple Configurator 2 on another Mac to restore the whole computer if no known secure token credentials are available. https://support.apple.com/guide/apple-configurator-2/revive-or-restore-a-mac-with-apple-silicon-apdd5f3c75ad/mac
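The two-step flow suggested above, as an added shell example that is not code from the macOSUpgrade repository or from this thread. It enumerates Secure Token holders with the real macOS commands `dscl` and `sysadminctl`, and only runs startosinstall with the dedicated admin's credentials (via `--user`/`--stdinpass`, as in the command quoted above, but run as root rather than inside `su`) when that account actually holds a token; otherwise it lists the holders for the technician and stops. `ADMIN_USER`, `ADMIN_PASS`, `INSTALLER` and the `--demo` data are placeholders and constructed output for this illustration, not anything the project defines.

```shell
#!/bin/sh
# Added example (not code from kc9wwh/macOSUpgrade): enumerate Secure Token
# holders, then authorize startosinstall as the org's admin only if that
# account holds a token. ADMIN_USER, ADMIN_PASS and INSTALLER are placeholders.
# On a Mac, as root:   ADMIN_PASS=... sh secure_token_upgrade.sh --run upgrade
# Offline, constructed data only:  sh secure_token_upgrade.sh --demo

ADMIN_USER="${ADMIN_USER:-secureTokenAdmin}"
INSTALLER="${INSTALLER:-/Applications/Install macOS Big Sur.app}"
STARTOSINSTALL="$INSTALLER/Contents/Resources/startosinstall"

# Local accounts with UID >= 500; lower UIDs are system/service accounts.
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# sysadminctl reports "Secure token is ENABLED/DISABLED for user ..." on
# stderr, so merge it into stdout before parsing.
secure_token_status() {
    sysadminctl -secureTokenStatus "$1" 2>&1
}

# One Secure Token holder per line (the list a prompt would offer).
token_holders() {
    for u in $(local_users); do
        if secure_token_status "$u" | grep -q 'Secure token is ENABLED'; then
            printf '%s\n' "$u"
        fi
    done
}

# Exit 0 if account $1 holds a Secure Token.
has_secure_token() {
    token_holders | grep -qx -- "$1"
}

# Step two: run startosinstall authorized as ADMIN_USER. The password is
# written to stdin for --stdinpass, never placed on the command line.
# $1 is "upgrade" or "erase". Returns 2 when the run cannot be authorized.
run_upgrade() {
    action="${1:-upgrade}"
    if ! has_secure_token "$ADMIN_USER"; then
        printf '%s holds no Secure Token; holders on this Mac:\n' "$ADMIN_USER" >&2
        token_holders >&2
        printf 'Prompt one of them for credentials, or restore with Apple Configurator 2.\n' >&2
        return 2
    fi
    if [ -z "${ADMIN_PASS:-}" ]; then
        echo 'ADMIN_PASS is not set (pass it in from the policy; do not hard-code it)' >&2
        return 2
    fi
    set -- --user "$ADMIN_USER" --stdinpass --agreetolicense --nointeraction --forcequitapps
    if [ "$action" = erase ]; then
        set -- "$@" --eraseinstall --newvolumename 'Macintosh HD'
    fi
    printf '%s\n' "$ADMIN_PASS" | "$STARTOSINSTALL" "$@"
}

# Constructed dscl/sysadminctl output so the parsing can be checked off a Mac:
# only jdoe holds a token, the dedicated admin does not.
use_demo_data() {
    local_users() { printf 'jdoe\nsecureTokenAdmin\nsvc_jamf\n'; }
    secure_token_status() {
        case "$1" in
            jdoe) echo '2021-03-02 10:00:00.000 sysadminctl[123:4] Secure token is ENABLED for user Jane Doe' ;;
            *)    echo '2021-03-02 10:00:00.000 sysadminctl[123:4] Secure token is DISABLED for user Other' ;;
        esac
    }
}

case "${1:-}" in
    --demo) use_demo_data; token_holders; run_upgrade upgrade || echo "run_upgrade exited $?" ;;
    --run)  run_upgrade "${2:-upgrade}" ;;
esac
```

In the `--demo` run the holder list is just `jdoe`, so `run_upgrade` refuses and exits 2; that is the branch where the thread suggests prompting a token holder or restoring with Apple Configurator 2. The credentials come from the environment so a Jamf policy can supply them as a script parameter instead of baking them into the script.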

tsinghzf commented 3 years ago

@kc9wwh can you provide a script tweaked to meet the conditions above? It will be super helpful. We use FileVault and generate a recovery key, and Secure Token is enabled.

stondelier commented 2 years ago

Hello,

Can you update the script with the fix, please?

Best regards

staze commented 2 years ago

I have a workaround for this but I'm not sure if I can do a pull request since it's going to be very environment specific. You have to pass the installer an admin username and password, and putting those in the script, or pulling them from Jamf, is going to be specific to the environment...

GabeShack commented 2 years ago

I'd be much happier continuing to use this script to perform the upgrades in our fleet, however this M1 difference is hampering it. I figure we could add a few variables for an admin user that we create on the system in our Jamf Pro. I know gregnagle has a more complex script available that handles a lot of this same thing, I just like the simplicity of @kc9wwh's work better. Hoping this enhancement can be added soon.

mpermann commented 2 years ago

@GabeShack I had been using this workflow for many years but I recently switched to using https://github.com/grahampugh/erase-install which handles Apple Silicon Mac upgrades properly and it also properly calculates free space (taking into account purgeable space). It's pretty straightforward to set up. I still prefer to push an installer to the computer with Jamf Pro prior to running the workflow but it's not necessary. If you need some assistance getting it working let me know. I'd be happy to help.

GabeShack commented 2 years ago

@mpermann Thanks, yeah, I looked at it. It's just more of a pain to change. So many options in the grahampugh script that it's really overkill. I just want one script that does either an erase and install or an upgrade, that can handle a few variables (i.e. the version number of the installer wanted). I definitely don't need localizations for every language lol.

But it looks like if I use their installer pkg I can just call the things I need.