-
Notifications
You must be signed in to change notification settings - Fork 102
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FileVault Authenticated Reboots No Longer Work As Expected #13
Comments
I also submitted a bug report to Apple over the issue. I figure the more the merrier. |
I also noticed that the latest macOS Sierra 10.12.4 installer also leaves around a file called /Library/LaunchDaemons/com.apple.installer.cleanupinstaller.plist. This happens whether I use the workflow you've developed or just installing from the Mac App Store. I don't remember seeing that file when using the 10.12.3 installer. Seems like Apple is being a little sloppy with this installer. I think I'll update my bug report with Apple to include this issue. |
@kc9wwh if this workflow is in place, would this phrase hold true after being installed - since the cleanup process deletes the files? |
@mpermann I noticed that file as well and haven't seen it till now. @shawnhonsberger that would still remain TRUE as package receipts don't reference the actual file installed, instead package receipts are stored in |
Thank you @kc9wwh. |
I can verify that users are now seeing the FV2 auth screen with 10.12.4. I once reported that the installation bypassed this, but I verified that this IS an issue. |
Any updates on this? Has anyone tested the workflow in 10.12.5 beta? |
@rqomsiya The 10.12.5 beta doesn't provide the installer, instead they do a software update (reduces folks sharing the beta) so unfortunately there isn't a way to test it that I am aware of. |
I just tried 10.12.5 and it still doesn't work |
Update: It has not been determined how or when the issue will be resolved. The original report on this issue, Bug ID 31463377, is still under investigation. We will notify you when it is closed. |
So someone I was talking to on the macadmins slack found a fix for authenticated restart and it has worked for me. Basically, the currently logged in user needs to the own the macosinstaller.app and you can achieve that by quitting it the first time it's launched with this script and relaunching it. When that happens, the user owns it and it will do an authenticated restart. Here is the extra code: #Open the app as the current user to enable Authenticated reboot #There was an issue with startosinstall command that "Install macOS..app" needs to be opened once by logged in user to get it working properly #Wait for 5 seconds to settle down then quit the app This can go right before the #begin upgrade comment line near the end of the script. |
@cpwasthere Can you post the full script in RAW or a maybe a github link to it? I added these lines, but doesn't seem to be working for me. Thanks, |
@cpwasthere I'm interested if that actually works. I've talked to a couple people that have did the quick launch and quit of the app and then execute the I did come across this post the other day, but haven't had the chance to test it myself, although the logic is sound and should work. |
I posted it on my github just for readability sake. The formatting in this post is awful. Hopefully it's a bit more clear. |
@kc9wwh You can use the majority of the script you created as preinstall script and the postinstall script to install MacOS. |
Hi, just want to share what I have found. I want to be as close as possible to the standard install process. Solution like mentioned above to launch the Install App once and quit it after some seconds feels not like a nice solution...
Try it yourself ... |
@alex030 Where did you add this into the workflow? Did you add it to the script or install it separately? Very interested in trying this. |
@alex030 I would also like to know where you're working this in. |
@alex030 sorry I missed your initial post. Please submit a pull request and I’d be happy to add this to the workflow. |
I recently got an update on my enterprise ticket stating that they believe this is a result of running startosinstall as root or sudo, and they wanted me to try running as a user, which I have not tried yet (hoping sudo -u will work). Anyone have time to try? |
sudo -u gave me a auth prompt to install a privileged helper tool, but it did do the authenticated restart. |
I can't believe it took them this long to respond to that... ugh Thanks for the update though! I'll test next week and get it published or feel free to submit a Pull Request if you beat me to it! |
I have not added it to the script. I have an in house app handling the upgrade process for us. Within this app I create the LaunchAgent, start it and then start the osinstall binary. |
@alex030 Can you confirm that for the LaunchAgent, the key |
@kc9wwh This "FileVault Authenticated Reboots No Longer Work" affects regular Jamf policies as well, right? Is this something maybe Jamf can fix on their end so this works again? |
@patgmac I'm not aware of this affecting Jamf Pro policies as we initiate the authenticated reboot in a different method. Feel free to email me a case # or PI# if you have one, but I'm not seeing anything like that right now. |
@alex030 Can you provide more details? I created the LaunchAgent within the script and loaded it with launchctl, but at reboot it does not do a authenticate reboot.
I am doing a in-place upgrade from 10.12.5 to 10.13.2. I did try running the installer manually as a typical consumer user would and watched the LaunchAgent folders and never saw that plist get created, so can you please confirm the path and name? Also my last question about the Thanks! |
Timeout key is integer. Apple does not create a file. They submit the job on demand. Verify it via |
Want to share another approach I got from a team member: you can also handle it the Jamf way. Configure the osinstall binary disable automatic reboot. You can use the setting
Then the reboot process can be handled by the migration script. Call a custom trigger policy with "Perform authenticated restart on computer with FileVault2 enabled" configuration. |
Update: Was successfully able to inject the LaunchAgent today and use the existing script/workflow to deploy an OS update with FV authenticated reboot. Thanks much @alex030! |
Testing on 10.12.6 to 10.13.2 and 10.13.3 completed. |
Tested on 10.11.6 to 10.13.3 successfully. Just need to test 10.10.5 and will post. |
Testing 10.10.5 in a few minutes. I'll report back.. |
@alex030 I'm not entirely sure how you are reverse engineering the LaunchAgent from the I've also attached the sample outputs from Mac OS X 10.10 which I can only assume need a tweak to the LaunchAgent, currently when injecting the LaunchAgent you provided the client just hangs in 10.10_spawnedByScript_startosinstallRunning.txt Would appreciate any help you can provide as I'd like to have this script support 10.10 as well. |
Ok, of course as soon as I post that I got it to work by changing the program it calls to ...still would love to know how you reverse engineered that plist ;) |
Everything has been running super well on my 10.10.5 clients! Authenticated restarts are working with out issue. |
With Apple's release of macOS Sierra 10.12.4, the latest macOS Installer v12.4.06 does not enable the FileVault authenticated reboot when the installer is called via the
startosinstall
binary.Radar has been opened with Apple and I'll post updates here as they become available.
rdar://31410389
If you are an Apple Enterprise customer and are affected by this, please open a AppleCare ticket and reference Apple Radar 31410389 and Jamf PI-003804. This will help to ensure this issue is resolved in a timely manner.
The only known workaround at this time is to perform a macOS 10.12.3 Install and then do a combo update to 10.12.4. Not really ideal, but can be done.
The text was updated successfully, but these errors were encountered: