Upgrading macOS on Apple silicon


Greg Neagle

Jun 15, 2022, 12:40:39 PM
to 'Gregory Neagle' via munki-discuss, munki-dev
As I’m sure you know, Munki does not currently support upgrading macOS on Apple silicon. This is because the `startosinstall` tool needs the credentials of a “Volume Owner” on Apple silicon, and Munki does not currently have access to those, or a way to request those credentials.

I’d like to get this issue resolved before macOS Ventura ships. Some possibilities:

1) Similar to the way Munki/MSC supports authenticated restarts on FileVault-encrypted volumes, MSC could prompt for credentials and securely store them, then Munki could securely retrieve them for use with the `startosinstall` tool. This would be a fair amount of work to implement, but I’ve done it before with FileVault auth restarts, so I’m reasonably certain it can be done.

2) Similar to the way Munki now opens the System Preferences Software Update pane for Apple software updates, Munki could just open the “Install macOS Foo.app” and allow the user to do a self-install via that app. For users who are Volume Owners, but do not have Administrator rights, there are two possible approaches:
a) Temporarily add the user to the admin group; configure a signal that causes the user to be removed from the admin group when a process exits. This might not be desirable in some orgs because the user does have admin rights for a time.
b) Launch the “Install macOS Foo.app” as root. This avoids having to promote the user to admin temporarily, but there may be other risks or issues triggered by running a GUI app as root within a “normal” user session.

In neither case would _unattended_ upgrades of macOS be possible; for that you’d need to look to your MDM vendor.

The second option would be (probably) easier to implement, and since we’re running the Install macOS Foo.app, more like what Apple expects and has tested, but for non-admin users has some potential security implications.

The first option of course has a different set of security implications, as we’re collecting and storing user credentials.

Would love thoughts, reactions, and additional ideas.

-Greg
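As an added illustration (not Munki's code and not part of the original thread): a small POSIX shell script that sorts a user into one of the paths Greg lays out, from the two facts his message hinges on, Volume Owner status and admin group membership. It assumes that `diskutil apfs listUsers /` and `dscl . -read` produce output shaped like the constructed samples embedded below; the user names, UUIDs and records are made up, and the output formats should be checked against a real machine before the parsing is relied on.

```shell
#!/bin/sh
# Added example, not Munki's own code. Classifies which upgrade path from the
# message above applies to a user on an Apple silicon Mac, using the two facts
# the thread turns on: Volume Owner status and admin group membership.
# In real use the SAMPLE_* strings would come from the commands named in the
# comments; the exact output formats below are assumptions, not verified here.

# Constructed stand-in for: diskutil apfs listUsers /
SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (3 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 66666666-7777-8888-9999-000000000000
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
|   Type: Local Open Directory User
|   Volume Owner: No'

# Constructed stand-in for: dscl . -read /Groups/admin GroupMembership
SAMPLE_ADMINS='GroupMembership: root alice'

# Constructed stand-ins for: dscl . -read /Users/<name> GeneratedUID
SAMPLE_UID_ALICE='GeneratedUID: 11111111-2222-3333-4444-555555555555'
SAMPLE_UID_BOB='GeneratedUID: 66666666-7777-8888-9999-000000000000'
SAMPLE_UID_CAROL='GeneratedUID: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# Print the GeneratedUIDs that the listUsers output marks "Volume Owner: Yes".
volume_owner_uuids() {
    printf '%s\n' "$1" | awk '
        /^[+]-- / { uuid = $2 }
        /Volume Owner: Yes/ { print uuid }'
}

# Extract the GeneratedUID from a dscl user record.
generated_uid() {
    printf '%s\n' "$1" | awk '/^GeneratedUID:/ { print $2 }'
}

# $1 = user record (dscl output), $2 = listUsers output
is_volume_owner() {
    volume_owner_uuids "$2" | grep -qx "$(generated_uid "$1")"
}

# $1 = short name, $2 = admin group record (dscl output)
is_admin() {
    printf '%s\n' "$2" | awk -v u="$1" '
        /^GroupMembership:/ { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 = short name, $2 = user record, $3 = listUsers output, $4 = admin record
# Prints one of: blocked | self-install | needs-elevation
upgrade_path() {
    if ! is_volume_owner "$2" "$3"; then
        # Neither startosinstall nor a self-install can proceed for this user.
        echo blocked
    elif is_admin "$1" "$4"; then
        # Option 2 as written: open Install macOS Foo.app and let the user run it.
        echo self-install
    else
        # Option 2a/2b (or option 1) territory: Volume Owner without admin rights.
        echo needs-elevation
    fi
}

# Stand-alone demo over the constructed records.
for entry in "alice:$SAMPLE_UID_ALICE" "bob:$SAMPLE_UID_BOB" "carol:$SAMPLE_UID_CAROL"; do
    name=${entry%%:*}
    record=${entry#*:}
    printf '%-6s %s\n' "$name" \
        "$(upgrade_path "$name" "$record" "$SAMPLE_LISTUSERS" "$SAMPLE_ADMINS")"
done
```

Run as-is it reports alice as `self-install`, bob as `needs-elevation` and carol as `blocked`; on a real Mac the three sample strings would be replaced with the live command output, and the `needs-elevation` bucket is exactly the population for which options 2a, 2b or 1 would have to be chosen.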

Gregory Neagle

Jun 15, 2022, 3:46:48 PM
to munk...@googlegroups.com, 'Gregory Neagle' via munki-discuss
I’d think coordinating Munki and MDM to temporarily elevate users would be quite tricky. Better to do it all inside Munki.

Sent from my iPhone

> On Jun 15, 2022, at 12:40 PM, Dustin Davis <1dusti...@gmail.com> wrote:
>
> I would prefer the second option. As you mentioned, it aligns with Apple’s expected use, which will hopefully mean it is less likely to break in a future OS update.
>
> Our users are all admins, but I also think it would be reasonable to not address that problem directly with Munki. Orgs that have standard users could potentially use MDM or deploy their own method of temporarily elevating users. (But maybe I’m ignorant about managing a fleet of standard accounts)
>
> Dustin
>
>> On Jun 15, 2022, at 9:39 AM, 'Greg Neagle' via munki-dev <munk...@googlegroups.com> wrote:
>>
>> As I’m sure you know, Munki does not currently support upgrading macOS on Apple silicon. This is because the `startosinstall` tool needs the credentials of a “Volume Owner” on Apple silicon, and Munki does not currently have access to those, or a way to request those credentials.
>> --
>> Find related discussion groups here:
>> https://github.com/munki/munki/wiki/Discussion-Group
>> ---
>> You received this message because you are subscribed to the Google Groups "munki-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/munki-dev/80C0A2D0-F6E8-4311-A0D1-05225A1D34FE%40mac.com.