This script was designed to be used in a Self Service policy to ensure specific requirements have been met before proceeding with an in-place upgrade to macOS, as well as to address changes Apple has made to the ability to complete macOS upgrades silently.
Requirements:
eraseInstall
option is ONLY supported with macOS Installer 10.13.4+ and client-side macOS 10.13+This workflow will not work if a user is not logged in since the startosinstall
binary requires a user to be logged in. Tested with macOS 10.13.4 and you will get errors in that the process couldn't establish a connection to the WindowServer.
Why is this needed?
Starting with macOS Sierra, Apple has begun enforcing the way in which you can silently call for the OS upgrade process to happen in the background. Because of this change, many common ways that have been used and worked in the past no longer do. This script was created to adhere to Apple's requirements of the startosinstall
binary.
This script has been tested on OS X 10.10.5, 10.11.5 and macOS 10.12.5 clients upgrading to 10.12.6 and 10.13.3. As of v2.5 of this script FileVault Authenticated reboots work again!
Scope
When you start deploying this script to your end-users you will want to ensure that it is scoped properly. At that very least, you'll want to create a Smart Group to determine if the target system(s) meet the system requirements for the macOS upgrade.
Also, if you are encrypting your macOS devices (which I hope you are), you will want to ensure your scope also includes devices that are not currently encrypting. While the devices are encrypting, you will not be able to upgrade macOS until after encryption is completed.
And/Or | Criteria | Operator | Value |
---|---|---|---|
FileVault 2 Partition Encryption State | is not | Encrypting |
Configuring the Script
When you open the script you will find some user variables defined on lines 60-118. Here you can specify the message that is displayed to the end user while the script is running and preparing the computer to upgrade to macOS Sierra, as well as the variables used to determine the version and path for the macOS Installer. Also, don't forget to setup a policy with a custom trigger specified as defined in the user variables.
Added in v2.6.0 - You can now specify to use the --eraseInstall
parameter when using macOS Installer 10.13.4 or later and the client is running macOS 10.13 or later. Essentially this will wipe and reload the system to factory defaults. Yay \o/
Staging the macOS Installer
In order for this script to work, you will have to have a copy of the macOS Installer that is available from the Mac App Store located in /Applications. One of the easiest ways to achieve this is to package the installer as seen below and deploy the package via Jamf Pro.
Otherwise you can get a package of the installer with helper script as shown below and deploy the package via Jamf Pro.
./helper-tools/prepare-jamf-policy.sh /Applications/Install\ macOS\ Big\ Sur.app
You will get some parameters for policy for Jamf pro, path to the installer app, the installer dmg file's check sum and the version to upgrade.
Example of Required Self Service Description
Example of Factory Reset Self Service Description
Example of HUD Displayed if Installer is Downloaded
Example of FullScreen Dialog
Example of Utility Dialog