Skip to content

Apple Silicon Local Credentials

Jump to bottom
Kevin M. White edited this page Oct 30, 2023 · 3 revisions

Even with root privileges super can not enforce software updates on Mac computers with Apple silicon without additional update credentials. Mac computers with Intel do not require additional software update credentials.

For Mac computers with Apple silicon super supports a local software update enforcement workflow via the softwareupdate command. To facilitate the required update credential super supports three methods; prompt the end user to save their password, or save the credentials of an existing local account, or create a local super service account.

Alternately, for Mac computers with Apple silicon on macOS 11.5 or later, super also supports a MDM push software update or upgrade workflow via Jamf Pro API credentials. However, due to the increased complexity of the MDM workflow, locally authenticated softwareupdate workflows are more reliable and performant.

Only one Apple silicon authentication method is allowed at a time. If you specify multiple authentication methods then only one will be saved via the priority order as follows; local end user's password, then an existing local account, then the local super service account, Jamf Pro API client/secret credentials, and finally Jamf Pro API username/password credentials.

Authenticate via End User's Account

Prompt the end user to save their password which can then be used to authenticate the local softwareupdate command.

Command option example:
--auth-ask-user-to-save-password

Command option disable example:
--auth-ask-user-to-save-password-off

Configuration profile example:
<key>AuthAskUserToSavePassword</key>
<true/>

With this option enabled, when a macOS update or upgrade workflow is about to restart the computer, the user is prompted for their password via the user authentication dialog. This password is encoded in base64 format and then stored in the the user's login keychain.

Assuming the saved password remains valid, the user will not be prompted for authentication during future macOS update or upgrade workflows. Because the user's password is stored in their own login keychain, this method is by far the safest approach to provide automatic authentication for super workflows. If the user's local password has changed or is otherwise found to be invalid, super will prompt the user again to save a new password.

Apple silicon user authentication dialog

User authentication dialog

Authenticate via Existing Local Account

Save an existing local (standard or admin) user account name and password with volume ownership privileges that can be used to authenticate the local softwareupdate command.

Command option example:
--auth-local-account='labadmin'
--auth-local-password='ThisIs@Test'

These credentials can not be set via a MDM configuration profile as doing so would make them visible to any macOS user in System Settings (or System Preferences). These credentials are encoded in base64 format and then stored in the the System keychain. Although these credentials are not stored in "clear text", any local administrator can access the base64 encoded strings in the System keychain.

When deploying super using the command line, if either the account name or password contains any special characters or spaces then you should surround the text with single ' quotes. However, when deploying super using a Jamf Pro Policy with Script Parameters do not use single quotes.

Jamf Pro Policy Script Parameters example:
--auth-local-account=labadmin
--auth-local-password=ThisIs@Test

Authenticate via Local super Service Account

Create a super service account to authenticate the local softwareupdate command via an existing local admin user account name and password with volume ownership privileges.

Command options example:
--auth-service-add-via-admin-account='macadmin'
--auth-service-add-via-admin-password='ThisIs@Test'

These credentials can not be set via a MDM configuration profile as doing so would make them visible to any macOS user in System Settings (or System Preferences). These credentials are only used temporarily for the creation of a local super service account. In other words, these credentials are not saved to the computer. However, the credentials for the resulting local super service account are encoded in base64 format and then stored in the the System keychain. Although these credentials are not stored in "clear text", any local administrator can access the base64 encoded strings in the System keychain.

When deploying super using the command line, if either the account name or password contains any special characters or spaces then you should surround the text with single ' quotes. However, when deploying super using a Jamf Pro Policy with Script Parameters do not use single quotes.

Jamf Pro Policy Script Parameters Example:
--auth-service-add-via-admin-account=macadmin
--auth-service-add-via-admin-password=ThisIs@Test

Local super Service Account Details

As a default behavior, the automatically generated local super service account has the following characteristics:

  • Account name: super
  • Full name: Super Update Service
  • Password generated automatically via the uuidgen command
  • No admin privileges
  • No login privileges (no home folder or shell)
  • Hidden in login window or Users & Groups preferences
  • If FileVault is enabled, this account is visible at startup and can unlock the drive

You can customize the local super service account name, full name, and password via the --auth-service-account and --auth-service-password options as documented later on this page.

The volume ownership privileges required for the local super service account also makes the account visible at the FileVault startup screen. That being said, even though this account can unlock the FileVault drive it can not log into the computer either locally or remotely.

PPPC Requirements to Create The super Service Account

The attempt to create a local super service account triggers a privacy authorization dialog that must be accepted for the account creation process to complete.

You can avoid this dialog by deploying a Privacy Preferences Policy Control (PPPC) configuration payload. Specifically, you must allow the process that starts super the "SystemPolicySysAdminFiles" privilege.

Detailed documentation regarding the deployment of a MDM configuration profile that allows Jamf Pro to automatically create the super service account can be found here.

Custom Local super Service Account

Specify a custom account name and/or password for the local super service account.

Command option example:
--auth-service-account='updateuser'
--auth-service-password='ThisIs@Test'

To create or modify the local super service account you must also provide appropriate admin credentials per the --auth-service-add-via-admin-account and --auth-service-add-via-admin-password options as documented previously on this page.

Using the --auth-service-account option overrides both the default service account name and full name for the local super service account. The --auth-service-password option only overrides the default generated (via uuidgen) local super service account password.

These credentials can not be set via a MDM configuration profile as doing so would make them visible to any macOS user in System Settings (or System Preferences). However, the credentials for the resulting local super service account are encoded in base64 format and then stored in the the System keychain. Although these credentials are not stored in "clear text", any local administrator can access the base64 encoded strings in the System keychain.

When deploying super using the command line, if either the account name or password contains any special characters or spaces then you should surround the text with single ' quotes. However, when deploying super using a Jamf Pro Policy with Script Parameters do not use single quotes.

Jamf Pro Policy Script Parameters example:
--auth-service-account=updateuser
--auth-service-password=ThisIs@Test

User Authentication Credential Failover

If any managed automatic authentication method fails validation, then failover to local end user authentication.

Command option example:
--auth-credential-failover-to-user

Command option disable example:
--auth-credential-failover-to-user-off

Configuration profile example:
<key>AuthCredentialFailoverToUser</key>
<true/>

As a default behavior, managed authentication option errors do not allow the super workflow to continue. Enabling this option allows for end user authentication if any of the following authentication options fail; --auth-local-account, --auth-service-add-via-admin-account, --auth-jamf-client, or --auth-jamf-account. As such, the --auth-credential-failover-to-user option covers both local and MDM authentication failures, as opposed to the MDM-specific --auth-mdm-failover-to-user option.

Delete All Saved Credentials

Delete all previously saved Apple silicon update credentials.

Command option example:
--auth-delete-all

This includes deleting any saved account credentials and any automatically generated local super service account. This option can not be set via a MDM configuration profile.

Introduction

Home

Requirements

Getting Started

Workflow Options

Updates and Upgrades

User Initiated Workflows

Alternate Workflows

Deferrals and Deadlines

Deferral Behavior

Count Deadlines

Days Deadlines

Date Deadlines

Dialogs and Notifications

Dialog Timeouts

Display Behavior

Display Customization

Display Language

Apple Silicon Authentication

Apple Silicon Local Credentials

Apple Silicon Jamf Pro API Credentials

Test and Troubleshoot

Testing and Validation

Troubleshooting

Deployment

Configure Settings

Apple Software Update Settings

Jamf Pro Deployment

Clone this wiki locally