mpanighetti / install-or-defer

A framework for prompting users of Jamf Pro-managed Macs to install Apple software updates.
Apache License 2.0

Apple Silicon Macs require user interaction to run `softwareupdate --install` #45

Closed mpanighetti closed 3 years ago

mpanighetti commented 3 years ago

Called out here:

On Apple Silicon Macs, you get the following message when you try to run:

sudo softwareupdate -i

Using softwareupdate to install updates on Apple Silicon should not be run with sudo

And immediately after, you get prompted to authenticate with a GUI prompt.

We'll need to update this project to account for the user interaction requirement, including the possibility of people canceling the prompt, and having a timeout in case no one is present at the time of the script running (like when the deferral period runs out). For user-approved installs (clicking the Install button), it could be as simple as updating the alert text to inform of the impending authentication prompt, and to make it happen immediately after they click the button. For deferral timeouts and enforced updates, logic will need to be added to the script to repeat if the user declines the authentication prompt, and to display something more persistently for unattended Macs so they have context when they return.

Just putting this here as a reminder to work on. In the meantime, I'll update #44 to remove Apple Silicon as a compatible platform until one of us gets hands on actual Apple Silicon Macs for proper testing.

just-some-tall-bloke commented 3 years ago

From the fruity company:

Hello xxxxxx, Thanks for contacting Apple. I understand you have questions about Apple Silicon Macs prompting for user authentication when running software updates. Is that correct?

Depending on how the updates are triggered, this may be expected behavior. On Apple Silicon Macs, the softwareupdate binary requires the "Volume Owner" in order to process an update. On Intel systems this is not a requirement.

From context, I'm assuming the behavior is triggered when a remote script is run from the MDM using 'softwareupdate'. Is that correct? If so, this is definitely expected as the command is invoked as the 'root' user, which is not a Volume Owner and will not ever be in the crypto users list.

For Apple Silicon Macs, remotely installing or updating macOS with no user interaction can be done using ScheduleOSUpdate commands and the Bootstrap Token.

https://developer.apple.com/documentation/devicemanagement/schedule_an_os_update

mpanighetti commented 3 years ago

Yep, MDM commands are likely the future of enforced software update functionality, once they're better implemented and supported. In the meantime, I've updated the framework to switch to a simplified "softer" enforcement mechanism for Apple Silicon Macs, where System Preferences - Software Update will launch and an alert will persist on the screen until the updates are run. #49

Closing this out for now, but once/if the options for scripted softwareupdate commands change in the future for Apple Silicon, this functionality can be revisited.
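The constraints laid out in the thread (root is never a volume owner on Apple Silicon, so a scripted `softwareupdate --install` only works with a volume owner at the console; an unattended Mac gets a persistent prompt instead; a declined prompt is asked again), written up as an added bash example. This is not code from install-or-defer or from Apple: the function names, the constructed `diskutil apfs listUsers` output and the decision to wrap every platform query so the logic can run off-box are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not part of install-or-defer). Decides how Apple software
# updates can be applied on a given Mac, following the thread's constraints:
# on Apple Silicon, `softwareupdate --install` must be run by a volume owner
# (root never is), so an unattended or declined run has to fall back to a
# persistent prompt rather than a scripted install.
#
# Platform queries are passed in as arguments so the decision logic can be
# exercised with constructed inputs. On a real Mac they would come from:
#   arch          -> uname -m              (arm64 on Apple Silicon)
#   console user  -> stat -f %Su /dev/console
#   user UUID     -> dscl . -read "/Users/$user" GeneratedUID
#   crypto users  -> diskutil apfs listUsers /

# Returns 0 when the architecture string names Apple Silicon.
is_apple_silicon() {
  case "$1" in
    arm64*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Returns 0 when the user's GeneratedUID appears anywhere in the crypto-user
# listing. Matching on the UUID alone avoids depending on diskutil's layout.
# $1 = user UUID, $2 = text of `diskutil apfs listUsers /`
is_volume_owner() {
  [ -n "$1" ] && printf '%s\n' "$2" | grep -qi -- "$1"
}

# Prints the update strategy for this machine:
#   scripted          Intel: root may run `softwareupdate --install` directly
#   prompt-user       Apple Silicon with a volume owner logged in at the console
#   defer-unattended  Apple Silicon with nobody (or a non-owner) at the console;
#                     the thread's fallback is to open Software Update and keep
#                     an alert on screen, e.g.
#                     open "x-apple.systempreferences:com.apple.preferences.softwareupdate"
# $1 = arch, $2 = console user ("" if none), $3 = that user's UUID, $4 = listing
choose_update_strategy() {
  local arch="$1" user="$2" uuid="$3" listing="$4"
  if ! is_apple_silicon "$arch"; then
    echo scripted
    return 0
  fi
  # loginwindow/root at /dev/console means no interactive user is present.
  if [ -z "$user" ] || [ "$user" = "root" ] || [ "$user" = "loginwindow" ]; then
    echo defer-unattended
    return 0
  fi
  if is_volume_owner "$uuid" "$listing"; then
    echo prompt-user
  else
    echo defer-unattended
  fi
}

# Re-runs a prompt command until the user accepts or the attempt budget is
# spent, covering the "repeat if the user declines" case from the thread.
# $1 = max attempts, $2... = prompt command (exit 0 = accepted, e.g. an
# osascript dialog). Returns 0 on acceptance, 1 when every attempt was declined.
prompt_until_accepted() {
  local max="$1"
  shift
  local n=0
  while [ "$n" -lt "$max" ]; do
    n=$((n + 1))
    if "$@"; then
      return 0
    fi
    echo "attempt $n of $max declined" >&2
  done
  return 1
}

# Constructed sample inputs (no real platform commands are called here).
OWNER_UUID='8F2A1C44-1F6E-4B1D-9E2B-3C1D2E3F4A5B'
CRYPTO_LISTING_EXAMPLE='Cryptographic users for disk3s1 (2 found)
|
+-- 8F2A1C44-1F6E-4B1D-9E2B-3C1D2E3F4A5B
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User'

echo "Intel, user at console:            $(choose_update_strategy x86_64 alice "$OWNER_UUID" "$CRYPTO_LISTING_EXAMPLE")"
echo "Apple Silicon, owner at console:   $(choose_update_strategy arm64 alice "$OWNER_UUID" "$CRYPTO_LISTING_EXAMPLE")"
echo "Apple Silicon, nobody logged in:   $(choose_update_strategy arm64 '' '' "$CRYPTO_LISTING_EXAMPLE")"
echo "Apple Silicon, non-owner at console: $(choose_update_strategy arm64 bob 00000000-0000-0000-0000-000000000000 "$CRYPTO_LISTING_EXAMPLE")"
```

On a real Mac the four inputs would be gathered with the commands listed in the header comment and the `defer-unattended` branch would drive the persistent alert; `prompt_until_accepted` takes whatever dialog command the caller uses, so the retry budget and the UI stay separate.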