How to upgrade FileVault-enabled clients to Yosemite from SelfService

carlo_anselmi
Contributor III

Hello everyone, maybe this has already been discussed, but I could not find a solution.
We are still on JSS 9.72, trying to create a workflow to upgrade FileVault-enabled 10.8.5 clients to Yosemite from SelfService.
The one workflow we have for non-FV-enabled clients works just fine:

Policy 1
- Cache Install OS X Yosemite.InstallESD.dmg
- Run Unix command 'jamf policy -event InstallOSX'

Policy 2 (triggered by InstallOSX)
- Install Cached Install OS X Yosemite.InstallESD.dmg
- Change startup disk to InPlaceOSUpgrade
- Reboot immediately if nobody is logged in
- Reboot immediately if somebody is logged in
- If rebooting, display message 'This computer will restart in 0 minutes. Please save anything you are working on and log out by choosing Log Out from the bottom of the Apple menu.' to end user

As for FV-enabled Macs, it seems that the "Perform authenticated restart on computers with FileVault 2 enabled" option does not work (I have seen some comments elsewhere on JAMFNation), so we would need to reach each computer to unlock the disk to complete the upgrade automatically.

I have tried adding the Execute Command "fdesetup authrestart" to the policy, but this seems to mess up everything: I ended up with the new OS components/files spread across the root of the HDD and the policy gets stuck.

I was wondering how you guys have solved this, and whether it's just a matter of the JSS not being up to date or there's a better way to achieve this.
Many thanks for your help as always
Ciao
Carlo

3 REPLIES

jpfromdc98
New Contributor III

Working with my co-worker and using info from Derflounder and Greg Neagle, I came up with the following to deploy Yosemite to my environment (which is all FV2):

Create an installer with createOSXinstallPkg (https://github.com/munki/createOSXinstallPkg)
Policy 1: Request in Self-Service to Cache OS X

Policy 2: IFC (install from cache) trigger for OS X

Policy 3: Install from Self-Service that calls a script with osascript to prompt for user creds to pass on to fdesetup authrestart
- Script then calls IFC trigger, passes creds, reboots, and lets the installer do its work
- reboot (users have to enter their creds at this point)

Policy 4: at login, script that removes incompatible software, fdesetup authrestart again (reboot)

Policy 5: at login, script that installs updated software, fdesetup authrestart again (reboot)

And all is done. My process took about 45 minutes. They also had to be on network/ethernet (not wifi or VPN).

carlo_anselmi
Contributor III

Hello and thank you for your reply.
We upgraded to 9.81 and unfortunately the option "Perform authenticated restart on computers with FileVault 2 enabled" still does not seem to work.
As for your workflow, thanks for sharing; actually we were looking for a way not to involve users/techs, just an ordinary "in-place" update without intervention to unlock the FV disk to complete the upgrade.
Have a great evening everyone
Carlo

mjsanders
New Contributor III

I am not sure if your scripts use the 'authrestart' option; this does not exist in earlier versions of 10.8 (introduced in 10.8.2, I think). Maybe that is the reason your script fails? 10.8.5 should have it, I think, but remember that updates (from 10.8 to 10.8.x) usually do not touch the recovery HD partition, so with some (bad) luck your system's recovery is still 10.8.0.

edit: Rich Trouton states it is introduced in 10.8.2 (link)
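
A pre-flight check for the point raised in this reply, as an added example that is not part of the thread or anyone's posted script: it decides whether `fdesetup authrestart` is worth attempting before a policy relies on it. The function names and result strings are hypothetical, the 10.8.2 minimum is the figure quoted in the thread, and the version of the Recovery HD partition is not checked.

```shell
#!/bin/sh
# Added example. MIN_AUTHRESTART_OS is the version quoted in the thread.
MIN_AUTHRESTART_OS="10.8.2"

# version_at_least FOUND NEEDED: succeeds when FOUND >= NEEDED, comparing
# up to three dotted numeric fields (missing fields count as 0).
version_at_least() {
    for i in 1 2 3; do
        h=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        n=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        if [ "$h" -gt "$n" ]; then return 0; fi
        if [ "$h" -lt "$n" ]; then return 1; fi
    done
    return 0
}

# authrestart_decision OS_VERSION FV_STATUS SUPPORTS
#   FV_STATUS: output of `fdesetup status`
#   SUPPORTS:  output of `fdesetup supportsauthrestart` (true/false)
# Prints one of: not-needed, unsupported-os, not-supported, ok
authrestart_decision() {
    case $2 in
        *"FileVault is On"*) ;;
        *) echo "not-needed"; return 0 ;;   # disk not encrypted: plain reboot
    esac
    if ! version_at_least "$1" "$MIN_AUTHRESTART_OS"; then
        echo "unsupported-os"; return 0     # authrestart option not present
    fi
    if [ "$3" != "true" ]; then
        echo "not-supported"; return 0      # fdesetup says it cannot do it
    fi
    echo "ok"
}

# Collect the real values on the client and print the decision.
preflight() {
    authrestart_decision "$(sw_vers -productVersion)" \
        "$(fdesetup status 2>&1)" "$(fdesetup supportsauthrestart 2>&1)"
}

# Only runs on a Mac and as root (as a Jamf policy script would be).
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    preflight
fi
```

Any result other than `ok` means the upgrade policy should stop before changing the startup disk, rather than reboot into a FileVault unlock screen that nobody is there to answer.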