Apple Silicon Local Credentials
Even with root privileges, super cannot enforce software updates on Mac computers with Apple silicon without additional update credentials. Mac computers with Intel processors do not require additional software update credentials.
For Mac computers with Apple silicon, super supports a local software update enforcement workflow via the softwareupdate command. To provide the required update credential, super supports three methods: prompting the end user to save their password, saving the credentials of an existing local account, or creating a local super service account.
Alternatively, for Mac computers with Apple silicon on macOS 11.5 or later, super also supports an MDM push software update or upgrade workflow via Jamf Pro API credentials. However, due to the increased complexity of the MDM workflow, locally authenticated softwareupdate workflows are more reliable and performant.
Only one Apple silicon authentication method is allowed at a time. If you specify multiple authentication methods, only one will be saved, chosen in the following priority order: the local end user's password, then an existing local account, then the local super service account, then Jamf Pro API client/secret credentials, and finally Jamf Pro API username/password credentials.
Prompt the end user to save their password, which can then be used to authenticate the local softwareupdate command.
Command option example:
--auth-ask-user-to-save-password
Command option disable example:
--auth-ask-user-to-save-password-off
Configuration profile example:
<key>AuthAskUserToSavePassword</key>
<true/>
With this option enabled, when a macOS update or upgrade workflow is about to restart the computer, the user is prompted for their password via the user authentication dialog. This password is encoded in base64 format and then stored in the user's login keychain.
Assuming the saved password remains valid, the user will not be prompted for authentication during future macOS update or upgrade workflows. Because the user's password is stored in their own login keychain, this method is by far the safest approach to providing automatic authentication for super workflows. If the user's local password has changed or is otherwise found to be invalid, super will prompt the user again to save a new password.
The user authentication dialog
Save an existing local (standard or admin) user account name and password with volume ownership privileges that can be used to authenticate the local softwareupdate command.
Command option example:
--auth-local-account='labadmin'
--auth-local-password='ThisIs@Test'
These credentials cannot be set via an MDM configuration profile, as doing so would make them visible to any macOS user in System Settings (or System Preferences). These credentials are encoded in base64 format and then stored in the System keychain. Although these credentials are not stored in "clear text", any local administrator can access the base64 encoded strings in the System keychain.
When deploying super using the command line, if either the account name or password contains any special characters or spaces, surround the text with single ' quotes. However, when deploying super using a Jamf Pro Policy with Script Parameters, do not use single quotes.
Jamf Pro Policy Script Parameters example:
--auth-local-account=labadmin
--auth-local-password=ThisIs@Test
Create a super service account to authenticate the local softwareupdate command via an existing local admin user account name and password with volume ownership privileges.
Command options example:
--auth-service-add-via-admin-account='macadmin'
--auth-service-add-via-admin-password='ThisIs@Test'
These credentials cannot be set via an MDM configuration profile, as doing so would make them visible to any macOS user in System Settings (or System Preferences). These credentials are only used temporarily for the creation of a local super service account. In other words, these credentials are not saved to the computer. However, the credentials for the resulting local super service account are encoded in base64 format and then stored in the System keychain. Although these credentials are not stored in "clear text", any local administrator can access the base64 encoded strings in the System keychain.
When deploying super using the command line, if either the account name or password contains any special characters or spaces, surround the text with single ' quotes. However, when deploying super using a Jamf Pro Policy with Script Parameters, do not use single quotes.
Jamf Pro Policy Script Parameters Example:
--auth-service-add-via-admin-account=macadmin
--auth-service-add-via-admin-password=ThisIs@Test
As a default behavior, the automatically generated local super service account has the following characteristics:
- Account name: super
- Full name: Super Update Service
- Password generated automatically via the uuidgen command
- No admin privileges
- No login privileges (no home folder or shell)
- Hidden in the login window and in Users & Groups preferences
- If FileVault is enabled, this account is visible at startup and can unlock the drive
You can customize the local super service account name, full name, and password via the --auth-service-account and --auth-service-password options as documented later on this page.
The volume ownership privileges required for the local super service account also make the account visible at the FileVault startup screen. That being said, even though this account can unlock the FileVault drive, it cannot log into the computer either locally or remotely.
The attempt to create a local super service account triggers a privacy authorization dialog that must be accepted for the account creation process to complete.
You can avoid this dialog by deploying a Privacy Preferences Policy Control (PPPC) configuration payload. Specifically, you must grant the process that starts super the "SystemPolicySysAdminFiles" privilege.
Detailed documentation regarding the deployment of an MDM configuration profile that allows Jamf Pro to automatically create the super service account can be found here.
Specify a custom account name and/or password for the local super service account.
Command option example:
--auth-service-account='updateuser'
--auth-service-password='ThisIs@Test'
To create or modify the local super service account you must also provide appropriate admin credentials via the --auth-service-add-via-admin-account and --auth-service-add-via-admin-password options as documented previously on this page.
Using the --auth-service-account option overrides both the default service account name and full name for the local super service account. The --auth-service-password option only overrides the default (uuidgen-generated) local super service account password.
These credentials cannot be set via an MDM configuration profile, as doing so would make them visible to any macOS user in System Settings (or System Preferences). However, the credentials for the resulting local super service account are encoded in base64 format and then stored in the System keychain. Although these credentials are not stored in "clear text", any local administrator can access the base64 encoded strings in the System keychain.
When deploying super using the command line, if either the account name or password contains any special characters or spaces, surround the text with single ' quotes. However, when deploying super using a Jamf Pro Policy with Script Parameters, do not use single quotes.
Jamf Pro Policy Script Parameters example:
--auth-service-account=updateuser
--auth-service-password=ThisIs@Test
If any managed automatic authentication method fails validation, fail over to local end user authentication.
Command option example:
--auth-credential-failover-to-user
Command option disable example:
--auth-credential-failover-to-user-off
Configuration profile example:
<key>AuthCredentialFailoverToUser</key>
<true/>
As a default behavior, managed authentication option errors do not allow the super workflow to continue. Enabling this option allows for end user authentication if any of the following authentication options fail: --auth-local-account, --auth-service-add-via-admin-account, --auth-jamf-client, or --auth-jamf-account. As such, the --auth-credential-failover-to-user option covers both local and MDM authentication failures, as opposed to the MDM-specific --auth-mdm-failover-to-user option.
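The priority order described earlier on this page, together with the failover rule above, can be hard to predict when a deployment passes several authentication options at once. The following shell function is an added example (not part of super itself) that models that selection logic for a given set of super options; the output labels and the handling of "-off" options (last one on the command line wins) are assumptions of this example.

```shell
#!/bin/sh
# Added example: model which Apple silicon authentication method super
# would keep when several are specified, using the priority order stated
# on this page, and whether --auth-credential-failover-to-user applies.
resolve_auth_method() {
  ask_user=0 local_acct=0 service=0 jamf_client=0 jamf_acct=0 failover=0
  for arg in "$@"; do
    case "$arg" in
      --auth-ask-user-to-save-password)     ask_user=1 ;;
      --auth-ask-user-to-save-password-off) ask_user=0 ;;   # assumed: last wins
      --auth-local-account=*)               local_acct=1 ;;
      --auth-service-add-via-admin-account=*) service=1 ;;
      --auth-jamf-client|--auth-jamf-client=*)   jamf_client=1 ;;
      --auth-jamf-account|--auth-jamf-account=*) jamf_acct=1 ;;
      --auth-credential-failover-to-user)     failover=1 ;;
      --auth-credential-failover-to-user-off) failover=0 ;;
    esac
  done
  # Priority order from this page: end user's password, existing local
  # account, local super service account, Jamf API client, Jamf API account.
  if   [ "$ask_user" = 1 ];    then method=user-password
  elif [ "$local_acct" = 1 ];  then method=local-account
  elif [ "$service" = 1 ];     then method=service-account
  elif [ "$jamf_client" = 1 ]; then method=jamf-client
  elif [ "$jamf_acct" = 1 ];   then method=jamf-account
  else                              method=none
  fi
  # Failover to the end user only covers the managed methods; a saved user
  # password already prompts the user again when it is found invalid.
  if [ "$failover" = 1 ] && [ "$method" != user-password ] && [ "$method" != none ]; then
    echo "$method (falls back to user prompt if validation fails)"
  else
    echo "$method"
  fi
}
```

Run it with the same options you intend to pass to super to confirm which credential will actually be saved before rolling the policy out.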
Delete all previously saved Apple silicon update credentials.
Command option example:
--auth-delete-all
This includes deleting any saved account credentials and any automatically generated local super service account. This option cannot be set via an MDM configuration profile.