You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Clarification on macOS Update Requirements: Secure Token, Admin Privileges, and MDM Behavior on Apple Silicon Devices (macOS 12.3+)

I’m working on a deployment and update workflow for macOS devices, focusing particularly on Apple Silicon and T2-equipped Macs. My goal is to ensure seamless and reliable macOS updates, especially for major OS upgrades, in a managed environment using Microsoft Intune.


Referred: Use secure token, bootstrap token, and volume ownership in deployments - Apple Support

          https://it-training.apple.com/tutorials/deployment/dm215/

          SoftwareUpdate | Apple Developer Documentation



I’m working on managing macOS updates and upgrades in a corporate environment, primarily for Apple Silicon and T2-equipped Macs using Microsoft Intune. My goal is to establish a seamless update experience for users without requiring additional admin intervention, particularly for major OS upgrades.


Current Context and Setup


Here’s the current configuration on our devices:



1. Primary User: A standard user with Secure Token and volume ownership.

2. Additional Admin Account: Created via a shell script, without Secure Token or volume ownership. This account is not intended for regular user access but is available if admin credentials are needed.


Future Desired Setup


To ensure a smooth update workflow, we’re considering the following configuration:



1. Primary User: Remains a standard user with Secure Token and volume ownership.


2. Additional Admin Account: Modified to have Secure Token and admin privileges, ensuring elevated permissions are available if needed.


3. MDM Configuration: The restrict-software-update-require-admin-to-install key in Intune is set to false, which should allow standard users with Secure Token to perform updates.


Apple’s Guidance on macOS 12.3+


According to Apple’s official training material (Apple IT Training), starting with macOS 12.3 and later:



Any user can perform software upgrades as long as they are a volume owner (implying they hold a Secure Token).


Local administrator privileges are no longer required for updates or upgrades as long as the user meets the volume ownership and Secure Token requirements.


This guidance suggests that for macOS 12.3+, a standard user with Secure Token and volume ownership should be able to perform both minor and major updates, as long as the MDM policy allows it.


Discrepancies Observed in Practice


Despite following this guidance, we are encountering inconsistencies in practice:



1. Admin Credential Prompt: Even with a standard user who is a volume owner and holds a Secure Token, some devices still prompt for admin credentials during major OS upgrades. This behavior seems inconsistent and may depend on the device configuration or other factors, such as the macOS version or specific security checks on Apple Silicon devices.


2. System Gets Stuck During Upgrade: When a standard user with a Secure Token initiates an upgrade, the system sometimes reboots, displays the Apple logo and progress bar, but then gets stuck at that stage indefinitely. This issue prevents access to the operating system entirely


3. Recovery Mode Findings: To resolve the issue in point 2, I booted into Startup Recovery using the recovery key. When attempting to reinstall the operating system from Recovery Mode, the system indicated that no account with a Secure Token was available on the disk. This raised the question of whether the standard account, despite having a Secure Token, lacks the necessary privileges, possibly requiring admin status to complete the upgrade successfully.


Questions


Given these observations, I’m hoping for clarification on the following points:



  1. Is an admin account with Secure Token strictly necessary on Apple Silicon and T2 Macs for major OS upgrades, despite Apple’s guidance for macOS 12.3+ stating otherwise? Could there be internal system checks that still reference admin privileges during an upgrade?


  1. Is it a requirement that all accounts on the device, whether standard or admin, have Secure Token enabled to ensure consistent and reliable upgrade experiences?


  1. Could variations in MDM configurations or specific macOS versions impact whether admin credentials are requested during a major upgrade?


Apple’s guidance on this matter is clear, but our real-world experience does not fully align with the documentation. Any insights, especially from Apple experts or those managing similar setups, would be invaluable in helping us ensure reliable, user-friendly updates.


Thank you for any assistance or official guidance on this matter!


Posted on Nov 8, 2024 1:33 AM

Reply
1 reply

Nov 8, 2024 4:24 AM in response to tnch57

From the Apple reference article I also learned that there are two approaches for software update lifecycle, they are user-driven update or upgrade OR MDM driven update or upgrade using Bootstrap token. In Microsoft Intune, it supports "INSTALl LATER" workflow which would use the Bootstrap token to perform updates but it does not support upgrades meaning major updates. Microsoft may have decided to limit this feature to avoid potential issues or failures during major upgrades, as they require a more robust validation and execution mechanism than minor updates. This is where I started to think what other MDM providers are handling this workflow, JAMF Pro uses service accounts to perform update/upgrade workflow seamlessly (I am not sure about the recent but I have read it about in their support articles"


Please share yours thoughts to address this problem.

Clarification on macOS Update Requirements: Secure Token, Admin Privileges, and MDM Behavior on Apple Silicon Devices (macOS 12.3+)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.