Install macOS Updates On Apple Silicon Hardware

This section goes through the following:

  • Apple Changes with Apple Silicon Hardware
  • Apple-Recommended Method for Updating macOS Devices
  • User-Initiated Software Updates
  • Allow Standard Users to Use the Full macOS Installer via Endpoint Privilege Management for Mac

Apple Changes with Apple Silicon Hardware

On the Apple Silicon architecture, Apple introduced a concept called Volume Ownership. At the time of writing, any user on the system who holds a secure token is considered a volume owner by macOS, whether or not that user is a local administrator.

This change affects the software update mechanism: an update now requires the credentials of a volume owner so that the volumes on local storage used during the update can be unlocked and the update data written to them.

For more information, see Use secure token, bootstrap token and volume ownership in deployments.

Apple-Recommended Method for Updating macOS Devices

Apple's official guidance is that organizations managing multiple Mac devices use their MDM provider to manage and schedule OS updates.

One advantage of managing software updates this way is that the organization does not depend on the vigilance of its end users to ensure that the latest security patches are applied.

For more MDM provider specific guidance, see:

User-Initiated Software Updates

End users can still update the macOS version on their hardware with Endpoint Privilege Management for Mac installed, although there are some caveats.

Endpoint Privilege Management for Mac policy can allow standard users to install delta (minor) updates through the System Settings app (Ventura) or the System Preferences app (Monterey), but not to run the full installer. The differences are described below.

Full Installer or Delta Installer

If the update presented to the user is 12GB or larger, macOS is attempting to download the full macOS installer package rather than a delta update. If an end user is offered only the full installer, the user can quit the System Preferences application and relaunch it. At that point the delta installer, which is approximately 6GB, is offered and the user can update the OS.

During a user-initiated software update, macOS presents an additional username and password dialog. Endpoint Privilege Management for Mac does not control this dialog.

End users can apply delta updates without issue; the process is shown below with examples.

End users will encounter issues with the full installer, because it requires approval by a user who is both a local administrator and a secure token holder (volume owner).

Be aware that when applying a delta update on macOS Ventura, for example when upgrading from 13.0 to 13.1, the username and password dialog box displays that it requires the credentials for an administrative user. For more information, see Delta Update Process (Ventura).

This is a bug in macOS and will be fixed in a future release so that the experience matches macOS Monterey.

For more information, see Allow Standard Users to Use the Full macOS Installer via Endpoint Privilege Management for Mac.

Why is the Extra Username and Password Dialog Box Required?

As described in the Apple Changes with Apple Silicon Hardware section, Apple introduced the concept of Volume Ownership on the Apple Silicon architecture. At the time of writing, the software update mechanism requires a volume owner's credentials so that the volumes on local storage used during the update can be unlocked and the update data written to them.

For more information, see Use secure token, bootstrap token and volume ownership in deployments.
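The Apple Changes with Apple Silicon Hardware section and the section above both state that the update dialog accepts any secure token holder, whom macOS treats as a volume owner. Before telling a user to attempt the update it is worth confirming that for the specific account. The script below is an added example, not part of this KB article or of Endpoint Privilege Management for Mac: it uses Apple's own tools (sysadminctl -secureTokenStatus for the secure token, dscl to read the account's GeneratedUID, and diskutil apfs listUsers /, whose output marks each cryptographic user as "Volume Owner: Yes" or "No"). The layout of the diskutil output is assumed from current macOS releases, and the parser is also run against a constructed listUsers sample with made-up UUIDs so the logic can be checked on a non-Mac host.

```shell
#!/bin/sh
# Added example (not from the KB article): confirm that an account holds a
# secure token and is an APFS volume owner before it attempts a macOS update.
# Assumptions: macOS with Apple's dscl, sysadminctl and diskutil tools, and the
# "+-- <UUID>" / "Volume Owner: Yes|No" layout that `diskutil apfs listUsers`
# prints on Apple silicon. Reading status does not require admin rights.

# Parse `diskutil apfs listUsers` output from stdin; exit 0 when the
# cryptographic user with the given GeneratedUID is marked "Volume Owner: Yes".
is_volume_owner_in_listing() {
    awk -v want="$1" '
        /^[+]-- / { cur = $2; next }                      # new cryptographic user
        /Volume Owner: Yes/ && cur == want { found = 1 }  # flag for the one we want
        END { exit (found ? 0 : 1) }
    '
}

# Live check against the system volume ("/"). Exit 2 if tools are unavailable.
check_volume_owner() {
    command -v diskutil >/dev/null 2>&1 || return 2
    uuid=$(dscl . -read "/Users/$1" GeneratedUID 2>/dev/null | awk '{print $2}')
    [ -n "$uuid" ] || return 2
    diskutil apfs listUsers / | is_volume_owner_in_listing "$uuid"
}

# sysadminctl reports on stderr, e.g. "Secure token is ENABLED for user Jane".
has_secure_token() {
    command -v sysadminctl >/dev/null 2>&1 || return 2
    sysadminctl -secureTokenStatus "$1" 2>&1 | grep -q 'is ENABLED'
}

# Constructed sample of `diskutil apfs listUsers /` output (made-up UUIDs).
OWNER_UUID='5D2E8F1A-1111-4A2B-9C3D-ABCDEF012345'
NON_OWNER_UUID='7A6B5C4D-2222-4E3F-8A9B-0123456789AB'
RECOVERY_UUID='9C8D7E6F-3333-4B2A-9D8C-FEDCBA987654'
SAMPLE_LISTUSERS="Cryptographic users for disk3s1 (3 found)
|
+-- $OWNER_UUID
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- $NON_OWNER_UUID
|   Type: Local Open Directory User
|   Volume Owner: No
|
+-- $RECOVERY_UUID
    Type: Personal Recovery User
"

# Run the parser over the constructed sample (used by the offline demo).
sample_is_owner() {
    printf '%s' "$SAMPLE_LISTUSERS" | is_volume_owner_in_listing "$1"
}

# Stand-alone run: report on the console user on macOS, else demo the parser.
if [ "$(uname -s)" = "Darwin" ]; then
    u=$(stat -f %Su /dev/console)
    if check_volume_owner "$u" && has_secure_token "$u"; then
        echo "$u holds a secure token and is a volume owner: the update dialog will accept this account"
    else
        echo "$u is not a secure token holder / volume owner: expect the update to be refused"
    fi
else
    sample_is_owner "$OWNER_UUID" && echo "sample: $OWNER_UUID is a volume owner"
    sample_is_owner "$NON_OWNER_UUID" || echo "sample: $NON_OWNER_UUID is not a volume owner"
fi
```

On an Apple silicon Mac, run it as the logged-in user before the update; an account that is a volume owner but whose status the dialog still rejects points at the full-installer case described later in this article rather than at the account itself.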

Ensure You are Using the Delta Installer

Software update dialog box in Apple

Sometimes when users first open the Software Update preference pane, the macOS update on offer shows a very large download size (see screenshot). This is the full installer and is subject to the problems described in the full macOS installer section below.

If you see a 12GB update, check back later, when a much smaller download might be offered. It might be necessary to quit the System Preferences application and reopen it before the smaller update is offered.

In the case of updating from macOS Monterey to macOS Ventura 13.1, the delta update is approximately 6GB, as opposed to the 12GB full installer.
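As an added example (not from this article or from Endpoint Privilege Management for Mac), the script below reads the same offer from the command line with softwareupdate --list and flags any download above a 10 GiB cut-off as the full installer, so a help desk can confirm whether the delta is being offered without relying on the size shown in the preference pane. The "* Label:" and "Title: ..., Size: NNNKiB" line format is assumed from what softwareupdate prints on Monterey and Ventura; the 10 GiB threshold is this script's own heuristic between the 6GB and 12GB figures quoted above, and the sample listing, including its second, full-installer-sized entry, is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the KB article): classify the updates that
# `softwareupdate --list` offers by download size so that a full-installer
# sized offer (~12GB) is recognised before the user clicks Update.
# Assumptions: the "* Label: ..." / "Title: ..., Size: NNNNKiB, ..." lines that
# softwareupdate prints on Monterey and Ventura; the 10 GiB cut-off is this
# script's own heuristic.

FULL_THRESHOLD_KIB=$((10 * 1024 * 1024))   # 10 GiB expressed in KiB

# Read softwareupdate --list output on stdin; print one line per update:
#   <delta|full> <size in GiB to 2 dp> <label>
classify_updates() {
    awk -v thresh="$FULL_THRESHOLD_KIB" '
        /^[*] Label: / { label = substr($0, 10); next }   # remember the label line
        /Size: [0-9]+KiB/ {
            match($0, /Size: [0-9]+KiB/)                  # locate "Size: 6039567KiB"
            kib = substr($0, RSTART + 6, RLENGTH - 9) + 0 # keep only the digits
            kind = (kib >= thresh) ? "full" : "delta"
            printf "%s %.2f %s\n", kind, kib / 1048576, label
        }
    '
}

# Exit 0 when at least one delta-sized update is on offer.
delta_available() {
    classify_updates | grep -q '^delta '
}

# Constructed sample of softwareupdate --list output. The second entry is an
# invented full-installer-sized offer so both branches can be exercised offline.
SAMPLE_SWU_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Ventura 13.1-22C65
    Title: macOS Ventura, Version: 13.1, Size: 6039567KiB, Recommended: YES, Action: restart,
* Label: macOS Ventura 13.1 full installer (constructed)
    Title: macOS Ventura, Version: 13.1, Size: 12582912KiB, Recommended: YES, Action: restart,
'

# Classify the constructed sample (used by the offline demo).
classify_sample() {
    printf '%s' "$SAMPLE_SWU_LIST" | classify_updates
}

# Stand-alone run: live listing on macOS, constructed sample elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then
    listing=$(softwareupdate --list 2>&1)
else
    listing=$SAMPLE_SWU_LIST
fi
printf '%s' "$listing" | classify_updates
if printf '%s' "$listing" | delta_available; then
    echo "A delta-sized update is on offer: the user can install it from Software Update."
else
    echo "Only a full-installer-sized download is on offer: quit and reopen System Settings / System Preferences, or check again later."
fi
```

The classification is only a size heuristic; the authoritative signal is still which offer the preference pane shows after it has been reopened.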

Delta Update Process (Ventura)

Screen captures in this section are from macOS Ventura.

When navigating the System Settings app via General > Software Update, you might be presented with an Endpoint Privilege Management for Mac confirmation dialog box, depending on how you configured your Endpoint Privilege Management for Mac policy.

Delta upgrade that displays a Endpoint Privilege Management for Mac message

  1. After the Endpoint Privilege Management for Mac message is approved, click Update Now, and then agree to the Terms and Conditions dialog box.

Delta upgrade authentication

  2. Enter a username and password. The Software Update dialog box asks for an administrator username and password, but because of a bug in macOS the currently logged-in user enters only their own username and password. The bug will be resolved in an upcoming macOS release.

The download progress for a delta upgrade on macOS

  3. After authenticating, the update downloads, installs, and completes.

 

Delta Update Process (Monterey)

Screen captures in this section are from macOS Monterey.

Software update starting dialog box from Monterey computer

  1. When you open the Software Update preference pane in macOS Monterey, you see something like the screenshot shown. Click Upgrade Now.

Endpoint Privilege Management for Mac message to proceed with upgrade

  2. Depending on the Endpoint Privilege Management for Mac policy applied, you might need to approve the operation, as shown here.

Enter credentials to access software updates

  3. After approving the dialog box, enter your password in the system dialog box. This does not need to be an administrator account; the credentials of any user on the system who holds a secure token are accepted.

 

Allow Standard Users to Use the Full macOS Installer via Endpoint Privilege Management for Mac

When a standard user runs a full macOS installer from the /Applications folder (Install macOS xxxx.app) on Apple Silicon (M1 / M1 Pro / M1 Max) hardware, there is an additional prompt for administrator authentication after the initial request for administrator credentials.

When installing as a standard user with Endpoint Privilege Management for Mac, this second prompt means the installation cannot be completed: you might be prompted for the password of the user _avectodaemon. This occurs because Endpoint Privilege Management for Mac does not hold a secure token within macOS. We encourage customers to remove local administrator privileges from their users to increase the security of the endpoint.

When macOS is installing macOS updates, the credentials of a user with a secure token are required to write data to volumes on local storage that must first be unlocked.

The full installer expects credentials for a user who is both a local administrator and holds a secure token; it does not accept the credentials of a secure token holder who is not an administrator. As a result, an install using this method cannot proceed with Endpoint Privilege Management for Mac installed.

See the following section for a workaround method that allows installation to proceed in cases in which using the full installer is the only available option.

A similar issue has also been highlighted in the Jamf Community when attempting the update to Monterey via Jamf scripts. The Jamf community has created a workaround for this issue. For more information, see macOS installer script not working for Apple Silicon M1 Macbook + macOS Monterey.

The development team has an open ticket with Apple to resolve this issue; the KB article will be updated in due course. If you want to reach out to Apple directly, please quote ticket "Feedback ID - FB9750688."

Supported Method for Full Installer

The following method lets users upgrade macOS with a full installer without uninstalling Endpoint Privilege Management for Mac and without giving the end user real administrator credentials for the machine. This works because the command line installer (startosinstall) accepts the password of the currently logged-in user to gain access to a secure token, regardless of local administrator status.

In the policy editor, add application to approve authorization requests

  1. In your policy editor, find an appropriate application assignment that will approve authorization requests without displaying a message to the user. If your policy is based on QuickStart, then Authorize - General Business Applications is a good fit.

Full installer wizard

  2. Select Authorize - General Business Applications on the left, and then right-click in the main area and select Sudo Command.

    In the wizard, type /Applications/Install macOS Monterey.app, and then click the Next button.

Add a sudo command in Endpoint Privilege Management for Mac.

  3. Click Next on the Description dialog box (or type a description), and then click Finish to add the command.

Enter your password in macOS install

  4. Once your new policy is applied to your endpoints, you can run the installer with the command:

    sudo /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --passprompt

    When the password prompt appears, the standard user types their own password to continue.

  5. The installer runs and the machine restarts, after which it is updated to macOS Monterey.