Since Apple moved OS patching to MDM this article is intended to help customer with Intel Macs.
If you execute this on Silicon Macs, you will get a prompt from the macOS update where you have to "allow" the macOS update to be installed.
If you want to avoid the prompt on Silicon macOS, you need to use DEP or you can allow remote command execution and software updates. Here you can see how to do it.
The exported script can be found in the attachment section.
This article was originally posted by Sven Hain in ITNinja.
The standard method of executing "softwareupdate -l" via a script will not run successfully. With this in mind it was discovered that some commands can't be executed as root. The following solution in scripting worked to upgrade macOS to the latest version.
Please run the following script as "Online Shell-Script" in SMA:
#!/bin/bash
# Get logged in username
LOGGEDINUSER=$(ls -l /dev/console | awk '/ / { print $3 }')
echo "$DATE LOGGEDINUSER = $LOGGEDINUSER"
# Get UID for LOGGEDINUSER
LoggedInUserUID=$(id -u "$LOGGEDINUSER")
echo "LoggedInUserUID = $LoggedInUserUID"
SoftwareUpdateList=$(/bin/launchctl asuser $LoggedInUserUID sudo -iu "$LOGGEDINUSER" softwareupdate -i --os-only --verbose)
echo "SoftwareUpdateList = $SoftwareUpdateList"
macOS clients enrolled as supervised devices in an MDM solution do not receive the latest Ventura update, as Apple automatically delays it for 30 days.
To enable upgrades to the latest macOS version, obtain the full installer on a Mac and perform the installation to bypass the 30-day delay. Note that macOS may encounter issues upgrading to Ventura due to a change in Apple’s upgrade path, which was resolved in version 12.6.1.
Initial attempts to address this through scripting were unsuccessful, as the script module could not execute the upgrade using the full installer. The upgrade wizard consistently appeared, requiring approval from the logged-in user.
After exploring alternatives, I transitioned to using Managed Installations and, through iterative testing, successfully identified a solution to deploy the full installer effectively.
Two options were found to tackle the situation.
Option 1: Using the first option, you can download the full installer directly from the Apple App Store to install the latest macOS. In the future, the name or path of the startosinstall script may need to be updated, but this requires only a minor adjustment.
Option 2: With the second option, you can upload the macOS update as a DMG file, extract it to /Applications, and install it, enabling the use of replication shares within your environment. To avoid issues, always download and create the DMG file independently rather than copying it. For this reason, the managed installs were exported without including the DMG file.
Here is a link on how to create a DMG from an APP file.
After uploading the DMG file, a Managed Installation is required to download and extract it.
This “installs” the APP file into the /Applications folder.
Subsequently, you can execute the installation command using startosinstall, which will proceed without prompting for approval via the wizard on the local client.
Note: Combining the install command with the extraction command using && was attempted, but it did not function as expected.
