macadmins / nudge

A tool for encouraging the installation of macOS security updates.
Apache License 2.0

Nudge maybe incorrectly stating device is no longer capable of receiving updates & needs to be replaced #620

Closed fleish closed 1 month ago

fleish commented 1 month ago

SSIA. Nudge notification on a supported device with a pending macOS security update incorrectly states the "device is no longer capable of receiving critical security updates" & advises the user to "Please work with your local IT team to obtain a replacement device"

The device is a MacBook Pro currently running 12.7.5 (21H1222)

It is a virtual machine running on a MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports), but I'm not sure if that could be causing Nudge to incorrectly flag it or something else is amiss.

nudge about

erikng commented 1 month ago

but I'm not sure if that could be causing Nudge to incorrectly flag it or something else is amiss.

very likely, how did you set up the VM properties?

show me the logs :)

fleish commented 1 month ago

I create a macOS VM as normal, but when you get to the stage where it asks to create a user account I power down to add hw.model to the vmx file of the VM and then boot it up and keep going. It enrolls as whatever hardware model I've set it as vs. a mobile device

hw.model = "MacBookPro16,2"

log.debug.txt

erikng commented 1 month ago

The logs are pretty clear

2024-07-30 07:20:20.117883-0700  localhost Nudge[1294]: [com.github.macadmins.Nudge:sofa] Assessed Model IDs: ["Mac-5F9802EFE386AA28", "", "Unknown", ""]
2024-07-30 07:20:20.118527-0700  localhost Nudge[1294]: [com.github.macadmins.Nudge:sofa] Assessed Model ID found in SOFA Entry: false

The model ID logic is not correct here and not available in the sofa feed

2024-07-30 07:20:20.049526-0700  localhost Nudge[1294]: [com.github.macadmins.Nudge:sofa] SOFA Assets: ["J132AP", "J137AP", "J140AAP", "J140KAP", "J152FAP", "J160AP", "J174AP", "J185AP", "J185FAP", "J213AP", "J214KAP", "J215AP", "J223AP", "J230KAP", "J274AP", "J293AP", "J313AP", "J314cAP", "J314sAP", "J316cAP", "J316sAP", "J375cAP", "J375dAP", "J413AP", "J456AP", "J457AP", "J493AP", "J680AP", "J780AP", "Mac-06F11F11946D27C5", "Mac-06F11FD93F0323C5", "Mac-1E7E29AD0135F9BC", "Mac-35C5E08120C7EEAF", "Mac-473D31EABEB93F9B", "Mac-4B682C642B45593E", "Mac-551B86E5744E2388", "Mac-63001698E7A34814", "Mac-65CE76090165799A", "Mac-66E35819EE2D0D05", "Mac-77F17D7DA9285301", "Mac-937A206F2EE63C01", "Mac-937CB26E2E02BB01", "Mac-9AE82516C7C6B903", "Mac-9F18E312C5C2BF0B", "Mac-A369DDC4E67F1C45", "Mac-A5C67F76ED83108C", "Mac-AA95B1DDAB278B95", "Mac-B4831CEBD52A0C4C", "Mac-B809C3757DA9BB8D", "Mac-BE088AF8C5EB4FA2", "Mac-CAD6701F7CEA0921", "Mac-DB15BD556843C820", "Mac-E43C1C25D4880AD6", "Mac-EE2EBD4B90B839A8", "Mac-F60DEB81FF30ACF6", "Mac-FFE5EF870D7BA81A", "VMA2MACOSAP", "VMM-x86_64"]

You can use -simulate-hardware-id "A-VALID-ID-FROM-ABOVE" to work around this.

fleish commented 1 month ago

Thanks. Would it also make sense to have a different handler for an unknown Model ID that doesn't tell the user they need new hardware?

erikng commented 1 month ago

I don't think so. Apple has the list, we should honor the list.
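An added triage example, not part of the thread and not Nudge's own code: it parses the two `sofa` log messages quoted above and reports whether any assessed model ID appears in the SOFA asset list, separating real IDs from empty or "Unknown" lookups. The function name `triage`, the "any usable ID in the list" rule, and the abbreviated asset list in the sample are assumptions made for the example.

```python
import json
import re

# Matches the two Nudge "sofa" log messages quoted in this thread.
LINE_RE = re.compile(
    r"\[com\.github\.macadmins\.Nudge:sofa\]\s+"
    r"(?P<key>Assessed Model IDs|SOFA Assets):\s+(?P<list>\[.*\])\s*$"
)
# Entries that mean a hardware lookup returned nothing usable.
PLACEHOLDERS = {"", "Unknown"}
# Sample built from the thread's log lines; the asset list is abbreviated.
SAMPLE_LOG = """\
2024-07-30 07:20:20.049526-0700  localhost Nudge[1294]: [com.github.macadmins.Nudge:sofa] SOFA Assets: ["J132AP", "Mac-06F11F11946D27C5", "VMA2MACOSAP", "VMM-x86_64"]
2024-07-30 07:20:20.117883-0700  localhost Nudge[1294]: [com.github.macadmins.Nudge:sofa] Assessed Model IDs: ["Mac-5F9802EFE386AA28", "", "Unknown", ""]
"""


def triage(log_text):
    """Summarise whether the assessed model IDs appear in the SOFA asset list."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # The lists are logged as double-quoted string arrays, which parse as JSON.
            found[m.group("key")] = json.loads(m.group("list"))
    if "Assessed Model IDs" not in found or "SOFA Assets" not in found:
        raise ValueError("log lacks the Assessed Model IDs or SOFA Assets line")
    assessed = found["Assessed Model IDs"]
    usable = [i for i in assessed if i not in PLACEHOLDERS]
    # Assumption: the device counts as supported if any usable ID is in the list.
    matched = sorted(set(usable) & set(found["SOFA Assets"]))
    return {
        "usable_ids": usable,
        "placeholder_count": len(assessed) - len(usable),
        "matched": matched,
        "supported": bool(matched),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result with `supported` false and a high `placeholder_count` points at a hardware lookup problem, such as the VM in this report, as something to check before treating the machine as end-of-life.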