Skip to main content

Why is the Sonoma Update Asking for Admin Credentials?

Overview
#

With the changes Apple has been making to their update process starting in 12.3 – specifically removing the admin requirement for upgrades – I was anticipating a smooth flow for our organization’s upgrade to Sonoma. However, after a few users upgraded successfully, I began receiving reports that an administrator password was suddenly required for the installation to proceed.

I spent some time digging and eventually came to a solution and – presumably – an explanation that I did not find written down anywhere, so I thought it would be fun to write up my process in case this ends up being useful for anyone else.

Starting Point
#

Just to set the stage, here are some key facts about the environment that are relevant to this issue.

  • Fleet is on macOS Ventura 13.6+.
  • macOS Sonoma 14.1 had been released approximately a week prior.
  • Update Deferral is set via MDM.
    • Updates - 2 days.
    • Upgrades - 14 days.
  • Users do not have admin rights.
  • Some users have successfully updated to Sonoma without intervention.

NOTE: Apple documents the difference between updates and upgrades here.

Process
#

When the first user reported that they were being asked for an admin password I resolved the issue manually. This was unlikely to be a one-off, so to begin an investigation I hopped over to the Mac Admins Slack to see if anyone had reported a similar issue. I did find one conversation from a few days prior in which it was suggested to delete the installer file that had been downloaded so that the Mac would then download the current installer. Specifically, it appeared that the installer that had been downloaded was the Install Assistant package, rather than the delta upgrade, and that this was the root of the problem.

I was able to replicate this in a VM running macOS 13.6.1; the only update available was the full Install Assistant installer for 14.0. Deleting the installer package did not help; the same package was downloaded when checking for updates afterward. Doing some more digging online I came across a command I was unfamiliar with: /usr/libexec/mdmclient AvailableOSUpdates.

This command lists out all of the available macOS updates on the local machine and, critically, indicates if the update is deferred by your MDM.

Running this command on my VM generated the following output:

=== OS Update Item ===
Product Key:               042-58988
Title:                     macOS Sonoma
Version:                   14.0 <Build: (null)> <PMV: (null)>
Deferred:                  no  (Date: )
Tags:                      SUBUNDLE:com.apple.InstallAssistant.macOSSonoma; CUSTOMER
MacOSUpdate:               no
MSU:                       no  (Major: no  Full: no  DL: no  label: (null))
Splat:                     no  <(null)> (Revoked: no)
IsMacOSUpdate():           no
IsMajorOSUpdateViaIA():    YES
  Major Version:           14.0
  Major BundleID:          com.apple.InstallAssistant.macOSSonoma
  Major Title:             macOS Sonoma
[ERROR] Assertion Failed.  File: /AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/MCXTools/ConfigProfiles/mdmclient/MajorOSUpdateSupport.mm:505
[ERROR] Assertion Failed.  File: /AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/MCXTools/ConfigProfiles/mdmclient/OSUpdateSupport.mm:1043
=== OS Update Item ===
Product Key:               042-86434
Title:                     macOS Sonoma
Version:                   14.1 <Build: (null)> <PMV: (null)>
Deferred:                  YES  (Date: Nov 7, 2023 at 11:00 PM)
Tags:                      SUBUNDLE:com.apple.InstallAssistant.macOSSonoma; CUSTOMER
MacOSUpdate:               no
MSU:                       no  (Major: no  Full: no  DL: no  label: (null))
Splat:                     no  <(null)> (Revoked: no)
IsMacOSUpdate():           no
IsMajorOSUpdateViaIA():    YES
  Major Version:           14.1
  Major BundleID:          com.apple.InstallAssistant.macOSSonoma
  Major Title:             macOS Sonoma
[ERROR] Assertion Failed.  File: /AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/MCXTools/ConfigProfiles/mdmclient/MajorOSUpdateSupport.mm:505
[ERROR] Assertion Failed.  File: /AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/MCXTools/ConfigProfiles/mdmclient/OSUpdateSupport.mm:1043
=== OS Update Item ===
Product Key:               MSU_UPDATE_23B74_patch_14.1_major
Title:                     macOS Sonoma 14.1
Version:                   14.1 <Build: 23B74> <PMV: 14.1>
Deferred:                  YES  (Date: Nov 7, 2023 at 4:00 PM)
Tags:                      (null)
MacOSUpdate:               YES
MSU:                       YES  (Major: YES  Full: no  DL: no  label: macOS Sonoma 14.1-23B74)
Splat:                     no  <(null)> (Revoked: no)
IsMacOSUpdate():           YES
IsMajorOSUpdateViaIA():    no
  Major Version:           14.1
  Major BundleID:          (null)
  Major Title:             macOS Sonoma 14.1
Available updates (install debug profile for more details): (
        {
        AllowsInstallLater = 0;
        AppIdentifiersToClose =         (
        );
        DownloadSize = 12856486405;
        HumanReadableName = "macOS Sonoma";
        IsConfigDataUpdate = 0;
        IsCritical = 0;
        IsFirmwareUpdate = 0;
        IsMajorOSUpdate = 1;
        IsSecurityResponse = 0;
        RequiresBootstrapToken = 1;
        RestartRequired = 1;
        Version = "14.0";
    },
        {
        AllowsInstallLater = 0;
        AppIdentifiersToClose =         (
        );
        DeferredUntil = "2023-11-08 07:00:00 +0000";
        DownloadSize = 12906247380;
        HumanReadableName = "macOS Sonoma";
        IsConfigDataUpdate = 0;
        IsCritical = 0;
        IsFirmwareUpdate = 0;
        IsMajorOSUpdate = 1;
        IsSecurityResponse = 0;
        RequiresBootstrapToken = 1;
        RestartRequired = 1;
        Version = "14.1";
    },
        {
        AllowsInstallLater = 0;
        AppIdentifiersToClose =         (
        );
        Build = 23B74;
        DeferredUntil = "2023-11-08 00:00:00 +0000";
        DownloadSize = 6523415948;
        HumanReadableName = "macOS Sonoma 14.1";
        HumanReadableNameLocale = "en-US";
        IsConfigDataUpdate = 0;
        IsCritical = 0;
        IsFirmwareUpdate = 0;
        IsSecurityResponse = 0;
        ProductKey = "MSU_UPDATE_23B74_patch_14.1_major";
        RequiresBootstrapToken = 1;
        RestartRequired = 1;
        SupplementalBuildVersion = 23B74;
        Version = "14.1";
    }
)

That’s a lot of information, but there were three key points that clued me into what was happening, and the solution.

  1. Of the three updates, only one is a delta update. The other two are Install Assistant updates, which always require admin rights to install.
  2. The only delta update available is 14.1. There is no 14.0 delta update. I presume Apple stops providing older delta updates when new updates are available.
  3. The 14.1 delta update is marked as deferred.

What was Happening?
#

So here is my understanding of what was occurring.

Fourteen days after macOS Sonoma was released my more adventurous users were able to update without any issues because Apple provided a delta update – which did not require admin to install – but pulled that specific delta update when 14.1 was released. The new 14.1 delta update is treated as a Major Update per the MDM profile, and was deferred. Thus the only Sonoma update available to install, per our MDM settings, was the 14.0 Install Assistant update, which always requires admin.

Solution
#

With this information in hand, the solution was easy. In our MDM I simply changed the deferral time for Upgrades from 14 days to 2 to match the deferral time for Updates. This will need to be changed next year, but for now it means that any new delta upgrades that are released will be available to my users to upgrade to Sonoma without requiring admin rights.