11.0.1_11.1_Update_Script.sh - kandji-inc/support GitHub Wiki
macOS 11 Update Script
09/21/2021 Updated to use the 11.6 Installer
Script will now update any client running macOS 11.5.2 or below to macOS 11.6
08/11/2021 Updated to use the 11.5.2 Installer
Script will now update any client running macOS 11.5.1 or below to macOS 11.5.2
07/27/2021 Updated to use the 11.5.1 Installer
Script will now update any client running macOS 11.5 or below to macOS 11.5.1
05/25/2021 Updated to use the 11.4 Installer
Script will now update any client running macOS 11.3.1 or below to macOS 11.4
03/10/2021 Updated to use the 11.3.1 Installer
Script will now update any client running macOS 11.3 or below to macOS 11.3.1
03/10/2021 Updated to use the 11.2.3 Installer
Script will now update any client running macOS 11.2.2 or below to macOS 11.2.3
Bug fix for "Parse Error" due to new content-length headers on download URL, other minor improvements to comparing current macOS version.
02/18/2021 Updated to use the 11.2.1 Installer
Script will now update any client running macOS 11.0, 11.1, 11.1.0, or 11.2 to macOS 11.2.1
Details
The Script
The script can be downloaded from https://github.com/kandji-inc/support/blob/main/Scripts/11.0.1_11.1_Update_Script.sh
The Bug
macOS 11, 11.0.1, and 11.1 contain a bug that prevents the Software Update service from "seeing" available updates. The issue occurs when an MDM server issues an AvailableOSUpdates query via an MDM command. These results may eventually expire, allowing the user to see the update via System Preferences or the softwareupdate CLI.
Apple fixed this bug in macOS 11.2; however, that fix does not help macOS 11.0, 11.0.1, or 11.1 clients upgrade to macOS 11.2. This script is designed to solve that problem by checking the macOS version, downloading the 11.2 installer, prompting the user, running various sanity checks, and then running the full installer to update the Mac.
The script fetches the 11.2 installer by directly curling down the InstallAssistant.pkg containing the installer from Apple's CDN. This method was chosen over using softwareupdate --fetch-full-installer --full-installer-version 11.2, as that download mechanism was broken in early versions of macOS Big Sur and fixed in macOS 11.1.
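The changelog above notes a "Parse Error" fix for the new content-length headers on the download URL, and the full script logic section describes validation and retry logic around the download. The snippet below is an added example, not code from the Kandji script: a POSIX sh function that reads a curl -sI header block from stdin and returns the Content-Length, tolerating mixed-case header names, CRLF endings and the multiple header blocks curl prints when it follows redirects, plus a size check for the cached package so a caller can decide whether to retry. The function names are my own, and the header text used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not the Kandji script's own code). Parses the Content-Length
# header from HTTP response headers and checks a cached package against it.

# Read response headers on stdin and print the Content-Length value.
# Header names are case-insensitive, so the line is lower-cased first; CR is
# stripped so CRLF endings don't pollute the value; when several header blocks
# are present (curl -sI -L prints one per redirect) the last value wins.
# Returns 1 (a "parse error") if the header is missing or not a plain integer.
parse_content_length() {
    value=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
        case "$line" in
            content-length:*)
                value=$(printf '%s' "${line#*:}" | tr -d ' \t')
                ;;
        esac
    done
    [ -n "$value" ] || return 1
    case "$value" in
        ''|*[!0-9]*) return 1 ;;   # not an integer: refuse to trust it
    esac
    printf '%s\n' "$value"
}

# Compare the expected byte count (from the headers) with the file on disk.
# Returns 0 when they match, 1 when the file is missing or truncated, so the
# caller can delete the partial download and retry.
pkg_size_matches() {
    expected=$1
    file=$2
    [ -f "$file" ] || return 1
    actual=$(wc -c < "$file" | tr -d ' ')
    [ "$actual" = "$expected" ]
}

# Example usage with constructed headers (a redirect block followed by the
# final 200 response), no network involved:
# printf 'HTTP/1.1 302 Found\r\nLocation: https://example.invalid/pkg\r\n\r\nHTTP/1.1 200 OK\r\ncontent-length: 12345\r\n' \
#     | parse_content_length
```

A real download loop would run `curl -sI -L "$url" | parse_content_length` to learn the expected size, download to a temporary path, and only move the package into place when `pkg_size_matches` succeeds; a size mismatch is treated as a failed attempt rather than as a usable installer.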
Apple Silicon Considerations
This script updates both Intel-based Mac computers and Apple silicon-based devices, although there is a difference in the end-user experience.
For Apple silicon Mac computers, we check whether the user is a Secure Token user and prompt the user for their password via an OSA dialogue. This is required because the startosinstall CLI requires a Secure Token user to "authorize" the install on Apple silicon Mac computers. This is less than ideal for various security reasons but was the most practical approach for building a quick solution. The password variable is immediately unset after use.
MDM Agnostic
This script will work when run from any solution; we realize many organizations, regardless of MDM, may be struggling with this, so we wanted to create an agnostic solution. When run on a Kandji-managed Mac, the script uses Kandji icons in the OSA dialogues; otherwise it uses a generic "info" icon.
Script Configuration
Run Configuration
The script is designed to be run on a recurring basis from Kandji (every 15 minutes); if you're using another MDM, we recommend running it at every recurring check-in.
Variables
The following three variables can be configured but contain default values.
orgAndDeptName="Kandji IS&T"
The orgAndDeptName variable is used in multiple OSA dialogue windows to "brand" the prompt with your organization's details; a recommended value would be something along the lines of "Acme Inc's IT Dept". There is currently no support for a deferral "limit".
deferralWindow="24"
The deferralWindow variable lets you configure how long the deferral window should be; the deferral window is the period during which the user will not be prompted again after clicking the "defer" button. This value is always interpreted as a number of hours.
LaunchInstallerOnly="0"
The LaunchInstallerOnly variable, if set to 1, has the script open the installer application for the user to run through, instead of using startosinstall.
Full Script Logic:
- First and foremost, determine if this is even needed.
The script checks the current macOS version to determine whether it is an affected version that needs to be upgraded in this manner. If the currently installed macOS version is not an affected version, the script exits 0.
- Determine which icon to use.
A simple "if" statement determines whether the OSA dialogues should use the Kandji agent icon or the default system "info" icon. This allows the script to be MDM agnostic.
- Check if the script has been deferred previously and if the specified number of hours has passed since the last deferral.
The script checks for the presence of the /var/tmp/.dft.kandji file; if it exists, the script reads the logged time from that file and determines whether the specified number of hours has passed so that the user can be prompted again.
- Check if there is enough available disk space, if not fail silently.
The script checks the current free disk space, and if there is not at least 38GB available, the script exits 4.
- Check for the macOS 11.2 "Install macOS Big Sur.app" installer, and if not present, download it.
The script checks for the presence of the installer and checks its version; if it is not the right version or the file is missing, it deletes the file and downloads the 11.2 InstallAssistant.pkg from Apple's CDN. The download function has multiple layers of validation and retry logic. If the download fails, the script exits 1 or 5, depending on the type of download failure.
- Check if a user is logged in, and present the welcome dialogue, otherwise exit 0.
After caching the installer, the script checks whether a user is actively logged in. If no one is logged in, the script exits 0; otherwise the welcome dialogue (shown below) is displayed. At this point the user can defer; if they do, the epoch time and the count of deferrals are logged to a file and the script exits. This record is used to calculate whether the specified number of hours has passed before showing the dialogue again.
- If the user continues with the update, check if the Mac is connected to AC power, if not, alert.
The script checks whether the Mac is currently connected to AC power; if not, an OSA dialogue prompts the user to connect to power. The user is offered a "try again" button, which re-runs the power check function, or they may defer if they cannot connect to AC power at that time. Deferring follows the standard deferral logic and the script exits 0. If the power source cannot be detected, the script exits 7.
- The install sanity function is initiated, which checks the Mac computer's architecture and starts a caffeinate process; or, if the LaunchInstallerOnly variable is set to 1, the installer is simply opened for the user.
The script checks the processor architecture because Apple silicon Mac computers require a Secure Token user to initiate startosinstall; startosinstall is NOT Bootstrap Token aware.
- If the Mac is Intel-based, an install in progress OSA dialogue is immediately shown, and startosinstall is executed.
Intel-based Mac computers don't require a Secure Token user to authorize startosinstall.
- If the Mac is Apple silicon-based, logic is run to confirm that the current user is a Secure Token user; if they are not, the script exits 2.
A Secure Token user is required to run startosinstall; this is a security feature of Apple silicon devices.
- If the Mac is Apple silicon-based, the user's password is confirmed using dscl, passing the password via expect to the authonly option.
If the password is wrong, the password dialogue reopens with a warning. The password can be attempted up to 6 times; if 6 attempts are reached, the script exits 3 and shows a final failure message to the user.
- On either architecture, if the install fails, a final failure message is shown to the user and the script exits 6.
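The gating steps above (the affected-version check, the deferralWindow handling described under Variables and in the deferral step, and the free-space check with its exit code) can be written as pure shell functions that take every system-dependent value as an argument, so the decision logic can be tested without a Mac. This is an added example, not the Kandji script's code: the function names, the targetVersion value, and the order of checks are my assumptions, and the exit codes are the ones the page documents (0 when no update is needed or the user is still within their deferral window, 4 for insufficient disk space).

```shell
#!/bin/sh
# Added example (not the Kandji script's own code): the version gate,
# deferral window and disk-space checks as testable POSIX sh functions.

targetVersion="11.6"   # version the current installer delivers (assumption)
deferralWindow="24"    # hours, same meaning as the page's variable
minFreeGB="38"         # free space the page requires before proceeding

# Compare two dotted versions and print -1, 0 or 1 (like strcmp). Components
# are compared numerically and a missing component counts as 0, so
# "11.6" == "11.6.0" and "11.10" > "11.9" (a plain string compare gets both wrong).
version_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        bh=${b%%.*}
        if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}
        bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# The page's first gate: only a macOS 11 build older than the installer's
# version needs this path. Returns 0 when an update is needed.
needs_update() {
    current=$1
    case "$current" in
        11|11.*) ;;
        *) return 1 ;;          # not Big Sur at all: nothing to do here
    esac
    [ "$(version_cmp "$current" "$targetVersion")" = "-1" ]
}

# Deferral: the page logs the epoch of the last "defer" click to a file
# (/var/tmp/.dft.kandji on the real script; the path is passed in here).
# Returns 0 when the user may be prompted again: no file, unreadable stamp,
# or at least deferralWindow hours elapsed since the stamp.
deferral_elapsed() {
    deferFile=$1
    now=$2
    [ -f "$deferFile" ] || return 0
    last=$(head -n 1 "$deferFile" | tr -d '[:space:]')
    case "$last" in
        ''|*[!0-9]*) return 0 ;;   # corrupt stamp: don't lock the user out forever
    esac
    elapsed=$(( (now - last) / 3600 ))
    [ "$elapsed" -ge "$deferralWindow" ]
}

# Free-space check on a whole-GB value obtained elsewhere (e.g. parsed from df).
enough_disk_space() {
    [ "$1" -ge "$minFreeGB" ]
}

# Run the chain in the page's order and print the outcome: the exit code at
# which the script would stop, or "proceed" when it should go on to cache the
# installer and prompt the user.
# Arguments: current macOS version, deferral file path, current epoch, free GB.
decide() {
    if ! needs_update "$1"; then echo 0; return; fi
    if ! deferral_elapsed "$2" "$3"; then echo 0; return; fi
    if ! enough_disk_space "$4"; then echo 4; return; fi
    echo proceed
}
```

On a real client the arguments to `decide` would come from `sw_vers -productVersion`, `/var/tmp/.dft.kandji`, `date +%s` and a free-space query; keeping those lookups outside the decision functions is what makes the exit-code logic verifiable on any machine.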