Closed Lotusshaney closed 5 years ago
If we make a standard user an administrator, during the installation the user is supposed to be able to perform other operations as an administrator. Therefore, your patch may not be a very good means.
Use the full screen dialog to stop the user doing anything while admin. However the admin privileges only last for the time startosinstall takes to start the process.
Use the full screen dialog to stop the user doing anything while admin. However the admin privileges only last for the time startosinstall takes to start the process.
When the users do restart or shutdown the computer with full screen, I think that they can get the administrator privilege.
No, a launch daemon demotes the user before login
Line 290 onwards
I'm sorry I didn't explain it enough. I wanted to say "When the users do hard restart or hard shutdown the computer with full screen".
No the launchDaemon still runs on startup and demotes the user
We all know this is not ideal but if your want a seamless upgrade on a FileVaulted APFS Mac without local admin rights then promoting to admin is the only way until apple fixes the process
Thank you for your description. I understand.
Although it may be beyond review of PR, this script seems to be setting a launch daemon with non admin user who started osinstall. (https://github.com/kc9wwh/macOSUpgrade/blob/master/macOSUpgrade.sh#L368)
Because restarting after installation is not necessarily the user who kicked osinstall, is it better to do it as a user of jamf agent?
That is correct and is present in all versions of this script so far not my PR. It needs to be launched as the user, and the user needs to be admin before that is launched otherwise startosinstall prompts the user for admin rights. It appears to be a limitation imposed by Apple in newer versions of the upgrade.
Also the launchDaemon runs once the upgrade is finished, your just returned to a logged in state at the end. Regardless the Mac has booted so the launchDaemon runs and demotes
As some people run this script without using Jamf to start it so $3 is not set. For example as a post script in a pkg. The python script is the official apple method of getting current user and support fast user switching
Im closing this PR as I simply don't have the time to talk of design decisions others in this project took, like getting currentUser, user dialogs and Launch Daemons. Please remove this PR
Thank you for your contribution. And I am sorry to hear that I could not meet your expectation.
Makes current user admin if FV2 and APFS is on and user is not admin, then demotes the user after the upgrade is complete. Does not need a user logged in for the demote to work