Re: Macos Big Sur O Catalina
Laverne Levenstein
Like the previous discussion i created on Jamf Nation about upgrade paths to Mojave back in september, i thought lets start a new fresh thread for sharing macOS Catalina installing & upgrade ideas and experiences.
Modulair Imaging
We all know that "modulair" imaging is dead for a while, but to be honest for our older mac fleet that is not DEP registered and not having an T2 chip i still used Jamf Imaging and creating DMG's with AutoDMG for bringing that Mac's alive.
Upgrading
The thing i already noticed is that in the past new macOS version were available in the Mac App store. Now the Software Update pane gets an 1 icon and will give you the option to download and install the upgrade.
I heard there is a reset (or was it restore) option in system preferences in Catalina, that works like an iPad where you can reset and erase the macOS to factory settings. I am not on beta, so I can't confirm that. If Apple added this feature in Catalina, that would be better than using imaging to reset computers with fresh macOS.
First, I want to say, the utilization of the 'Download and Install' through Management command for single computer or 'Action' via the search for multiple, didn't work for me. So, I've looked at the 'whitepaper' on how to install/ upgrade to Catalina but it seems one of the easiest ones for MDM infrastructure has been omitted....The 'Mac App Store Apps' approach.
After your receive the email confirmation and Jamf Pro syncs with VPP, make sure that when you're reviewing the OS within 'Mac App Store Apps' and setting up scope, you're NOT selecting 'Site' under General tab but on the actual 'Scope' tab. Otherwise, you won't be able to assign the licenses gotten via VPP.
Said policy should execute following command (Within 'Files and Processes') '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction' (remove the apostrophes from the command)
Side Note: I like using 'Smart Groups' in conjunction with my scopes. It eliminates keeping track what has upgraded, shouldn't be upgraded and what happens when you image it with something else. So here is what I have as criteria:
1. Enrolled via DEP -> is -> Yes
2. OS Version -> greater than -> (I have a specific need for a specific version, so that's what I have there)
3. Building -> is -> my neck of the woods
Which is a perfectly fine way to go, however I prefer the scripted approach macOS Upgrade which gives the user clear instructions on what is happening. Your method will trigger a 30second countdown timer for users before it auto restarts, which could be fine for some but others could be doing a presentation before it restarts
I'm still amazed to see imaging mentioned. I considered our school one of the last holdouts but once the APFS change happened and I read what was necessary to make it maybe work, we finally submitted to provisioning via scripts and policies. It's definitely not as set it and forget it but it works. The real disappointment was DEP. All it really does is throw it in Jamf for you. Cool, so I don't have to do a QuickAdd. Sooo much time saved. /s
@totalyscrewedup ... dude!! Why has nobody come else come up with this solution? You are awesome!!
I am going to test that option via VPP and self service.
Just wondering .. if I can scope to all machines and that app will take care the min requirements?
any one can chime in?
@txhaflaire does your script take into account Standard users performing the upgrade? I know for upgrading to Mojave, admin creds were required and there was a scripted workaround of granting temporary admin access to the user's account during the upgrade process, then revoking admin post-install.
@vcasiero Where did you download the installer app? Did you had to put it in composer before adding it to JAMF admin? I'm trying to push out Catalina via Patch Management but the package doesn't seem to work, so not sure what I'm doing wrong.
But Why? Because DEP with "Enrollment Complete" trigger isn't reliable - If I can get 75% success with that combination I'm super happy. But what if you have to make sure that everything the user needs is installed when you hand it to them? Well, now we've got a problem. Especially when users are (super busy and easily distracted) nincompoops who will go into a literal war zone without updating.
When the "Enrollment Complete" trigger is > 95% successful, we'll re-evaluate it. But we've got 58 packages, < 30 GB of apps, settings, presets, and codecs, that get installed as part of our typical machine. And the last thing I need is a producer or on-camera talent camped out between Russian, Turkish, Kurdish, and ISIS soldiers shooting at each other who can't do his job because he forgot to install something before he left the bureau. And when your only internet connection is a portable satellite terminal where downloads cost $4.35/MB and max out at 384Kbps, the last thing anyone needs is a $7,873.50 bill so someone could reinstall Premiere.
So How? (Hint: Jamf Imaging doesn't have to install an OS) If it doesn't already have your supported OS version (10.13 or later) then install it, do a reboot/clean install. If it's in DEP then it gets managed, if it's not then you need to take the corporate AmEx away from an executive and manually get it managed (user initiated enrollment). For us, we use the "Enrollment Complete" trigger to (hopefully) get VPN, VPN Profiles, Bomgar, and Jamf Imaging on the machine. We've got about an 80% success rate with that limited number of packages. Even a DEP machine will probably need help, so we've got Jamf Imaging in our Self Service (which gets installed on enrollment about 95% of the time).
Here's the magic! Once you've got Jamf Imaging on the machine, launch it, authenticate, log in, choose the configuration (none of which install an OS), tell it to image the boot drive, and go. None of our policies are configured to 'install on boot drive' since they're already being installed to the boot drive, but a restart is still done by Jamf Imaging which is fine because several installers require a restart.
@cwaldrip Have you looked into DEPNotify and the DEPNotify Starter for Jamf Pro script? Instead of a bunch of policies trigged via Enrollment Complete only the DEPNotify Starter for Jamf Pro needs to trigger off of that, and it in turn calls your other install policies. I don't know that I've had a single failure on DEP enrollment since switching to it.
@sdagley I'll look into it again, and it may be our only option if/when Jamf kills Jamf Imaging.app. But killing the app seems like a waste since it still works perfectly fine since we're not deploying an OS. I think Jamf should re-evaluate their decision not to keep Jamf Imaging around. Sad to see development on that go to waste.
@cwaldrip Don't let the DEPNotify name mislead you, nothing about the tool or Jamf's script to drive it is DEP specific. Before we enabled DEP I modified the DEPNotify Starter for Jamf Pro script to mimic my existing workflow which was triggered by Enrollment Complete. When we switched to DEP pretty much nothing had to change.
@jjimenez10 Just downloaded it from software update following this link. -catalina/id1466841314?ls=1&mt=12
It downloaded the full installer into "Applications". Then just dragged and dropped the .app into JAMF Admin. It auto zipped it into a tar file and recognized is as a MacOS Installer.
We've seen some machines get stuck at the "Screen Time" setup screen, which means we had to force the machine down and cold boot. I have yet to see an explanation for this phenomenon, but I have seen that it's a common issue.
@sdagley I am setting up a DEPNotify to replace my existing workflow and was wondering if there's a way to prevent/postpone policies set to run at "recurring check-in" while those triggered by DEPNotify run. Right now they seem to overlap, I mean if a policy called by DEPNotify takes a long time to finish, those at "recurring check-in" begin to run.
Maybe it is just time has come to review my existing workflow...
Many thanks!
We've seen the machines get stuck at the "Screen Time" setup screen issue happen a lot. We're also having big issues getting AD logon to work - they just get stuck logging in. Plus one Mac mini has been bricked and sent back for repair.
Having trouble with the last part. How do I write a script so it can execute the command '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall --agreetolicense --nointeraction'?
@carlo.anselmi Unfortunately short of having a breadcrumb dropped at the end of the enrollment complete policy, and then changing all of your recurring check-in policies to exclude systems without that breadcrumb I don't know of a good solution (everybody please Up Vote the Feature Request that @donmontalvo references above). Currently I have tweaked my DEPNotify script that I use so it typically runs in less time than my check in interval.
We're seeing the policy sit at running for about 20 minutes, then it attempts to restart, but throws a strange Cocoa error (screenshot attached to this post). This error prevents Self Service from quitting and holds up the restart. I've done some digging on this error and haven't found much, just one person thinking it might be Self Service barfing on a large policy. Any ideas would REALLY be appreciated
Hello,
Has anybody else used the script in-place upgrade to macOS Catalina? When I run the script, it downloads the OS to the Applications folder, and then the file disappeared /current OS Mojave/. And start over to downloading it. After OS .pkg shows up in the Application folder a second time, pop up the error message that cannot install the OS. I'm following those steps from here: _Catalina_Jamf.pdf. What I'm doing wrong I appreciate any help with the macOS upgrade.sh script has updated on 11/30/2020 Do not have DEP or VPP.