Apple Silicon Local Credentials
Even with root privileges, `super` cannot enforce software updates on Mac computers with Apple silicon without additional update credentials, because on Apple silicon the `softwareupdate` command must be authenticated by a user account that holds volume ownership. Mac computers with Intel processors do not require additional software update credentials.

For Mac computers with Apple silicon, `super` supports a local software update enforcement workflow via the `softwareupdate` command. To supply the required update credential, `super` supports two methods: an existing local account, or a local `super` service account.

Alternately, for Mac computers with Apple silicon running macOS 11.5 or later, `super` also supports an MDM push software update workflow via Jamf Pro API credentials.

If multiple valid update credential methods are provided, the priority order is as follows: an existing local account, then the local `super` service account, and finally the MDM push via Jamf Pro API credentials.
An existing local (standard or admin) user account name and password with volume ownership privileges that can be used to authenticate the local `softwareupdate` command.

Command option example:

`--local-account='labadmin' --local-password='ThisIs@Test'`

These credentials cannot be set via an MDM configuration profile, as doing so would make them visible to any macOS user in System Settings (or System Preferences). These credentials are stored in the System keychain, which can be viewed by any local admin user. For that reason, prefer a dedicated standard account that holds volume ownership over the credentials of a real administrator.

When deploying `super` using the command line, if either the account name or password contains any special characters or spaces, surround the text with single quotes ('). However, when deploying `super` using a Jamf Pro Policy with Script Parameters, do not use single quotes: Jamf passes each parameter value literally, so the quotes would become part of the account name or password.

Jamf Pro Policy Script Parameters example:

`--local-account=labadmin --local-password=ThisIs@Test`
An existing local admin user account name and password with volume ownership privileges that can be used to automatically generate a `super` service account to authenticate the local `softwareupdate` command.

Command options example:

`--admin-account='macadmin' --admin-password='ThisIs@Test'`

These credentials cannot be set via an MDM configuration profile, as doing so would make them visible to any macOS user in System Settings (or System Preferences). These credentials are only used temporarily for the creation of a local `super` service account. In other words, these admin credentials are not saved to the computer. However, the credentials for the resulting local `super` service account are stored in the System keychain, which can be viewed by any local admin user.

When deploying `super` using the command line, if either the account name or password contains any special characters or spaces, surround the text with single quotes ('). However, when deploying `super` using a Jamf Pro Policy with Script Parameters, do not use single quotes.

Jamf Pro Policy Script Parameters example:

`--admin-account=macadmin --admin-password=ThisIs@Test`
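The pre-flight a practitioner would want before handing either an existing account (`--local-account`) or an admin account (`--admin-account`) to `super`, as an added example that is not part of this page or of the super project: a POSIX shell wrapper for a Jamf Pro policy script that first checks the candidate account is a volume owner by parsing `diskutil apfs listUsers /`, then invokes `super` with double-quoted expansions rather than single-quoted literals, so a password containing spaces or `@` survives as one argument. The install path `/usr/local/bin/super`, the use of Script Parameters 4 and 5, and the `diskutil` listing used for the offline self-check are assumptions and constructed sample data, not taken from the page.

```shell
#!/bin/sh
# Added example (not super's own code). Assumed install path for super:
SUPER_BIN="/usr/local/bin/super"

# Print the argv that will be handed to super, one argument per line.
# The values are NOT wrapped in single quotes: on the command line the
# quotes are consumed by the shell, but a Jamf Script Parameter is passed
# literally, so quotes typed there would become part of the password.
format_super_args() {
  # $1 = "local" or "admin", $2 = account name, $3 = password
  printf '%s\n' "--$1-account=$2" "--$1-password=$3"
}

# Report whether the account with GeneratedUID $1 is a volume owner, given
# the text of `diskutil apfs listUsers /` in $2. Each user is one block:
#   +-- <GeneratedUID>
#   |   Type: Local Open Directory User
#   |   Volume Owner: Yes
is_volume_owner() {
  printf '%s\n' "$2" | awk -v g="$1" '
    $1 == "+--"       { cur = $2 }
    /Volume Owner:/   { if (cur == g && $NF == "Yes") found = 1 }
    END               { exit found ? 0 : 1 }'
}

# Live pre-flight on macOS: look up the GeneratedUID and the APFS user list,
# refuse to deploy when the account cannot authenticate softwareupdate.
preflight_and_run() {
  kind="$1"; account="$2"; password="$3"
  guid=$(dscl . -read "/Users/$account" GeneratedUID | awk '{print $2}')
  listing=$(diskutil apfs listUsers /)
  if ! is_volume_owner "$guid" "$listing"; then
    echo "refusing to deploy: $account is not a volume owner" >&2
    return 1
  fi
  # Double-quoted expansions keep each value a single argument.
  sudo "$SUPER_BIN" "--$kind-account=$account" "--$kind-password=$password"
}

# Constructed sample listing (not captured from a real Mac) for the offline
# self-check; only the first user is a volume owner.
SAMPLE_LISTING='Cryptographic users for disk3s1 (2 found)
|
+-- 3F2504E0-4F89-41D3-9A0C-0305E82C3301
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 6BA7B810-9DAD-11D1-80B4-00C04FD430C8
    Type: Local Open Directory User
    Volume Owner: No'

# Jamf Pro policy entry point ($1-$3 are Jamf's mount point, computer name
# and user name): $4 = account, $5 = password. The live pre-flight runs only
# when parameters were supplied on a Mac that has diskutil.
if [ -n "${5:-}" ] && command -v diskutil >/dev/null 2>&1; then
  preflight_and_run local "$4" "$5"
fi
```

`sysadminctl -secureTokenStatus "$account"` is the quicker manual check for the same property. Note that any password passed on the command line is briefly visible to other local users through `ps`, which is one more reason to prefer a dedicated low-privilege account over a real administrator's credentials.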
As a default behavior, the automatically generated local `super` service account has the following characteristics:

- Account name: super
- Full name: Super Update Service
- Password generated automatically via the `uuidgen` command
- No admin privileges
- No login privileges (no home folder or shell)
- Hidden in the login window and in Users & Groups preferences
- If FileVault is enabled, this account is visible at startup and can unlock the drive

You can customize the local `super` service account name, full name, and password via the `--super-account` and `--super-password` options as documented later on this page.

The volume ownership privileges required for the local `super` service account also make the account visible at the FileVault startup screen. Even though this account can unlock the FileVault volume, it cannot log into the computer either locally or remotely. Because its password is stored in the System keychain, any local admin who can read that keychain item can also use it at the FileVault startup screen.
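An audit of those characteristics, as an added example that is not part of this page or of the super project: the shell functions below evaluate the records that `dscl` returns for the user and for the admin group against the list above (no admin membership, no login shell, no home folder, hidden from the login window). The record text used for the offline self-check is constructed; the account name `super` is the documented default. The function accepts either `IsHidden: 1` or a UID below 500 as "hidden", because macOS hides both from the login window; that is general macOS behaviour, not a statement about how super implements hiding.

```shell
#!/bin/sh
# Added example (not super's own code). Audits a local service account from
# its Open Directory records; run live on a Mac with: audit_service_account super

# Extract one attribute value from a `dscl . -read` record ("Key: value").
ds_attr() {
  # $1 = attribute name, $2 = record text
  printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { sub(/^[^:]*: */, ""); print; exit }'
}

# Return 0 when the record matches the documented defaults; otherwise print
# one line per violation and return 1.
# $1 = account name, $2 = user record, $3 = admin group record
audit_record() {
  name="$1"; rc=0
  shell=$(ds_attr UserShell "$2")
  home=$(ds_attr NFSHomeDirectory "$2")
  hidden=$(ds_attr IsHidden "$2")
  uid=$(ds_attr UniqueID "$2")
  admins=$(ds_attr GroupMembership "$3")

  case "$shell" in
    /usr/bin/false|/sbin/nologin) ;;
    *) echo "$name: login shell is '$shell', expected none"; rc=1 ;;
  esac
  case "$home" in
    /var/empty|/dev/null) ;;
    *) echo "$name: home folder is '$home', expected none"; rc=1 ;;
  esac
  # Hidden either explicitly (IsHidden) or implicitly (UID below 500).
  if [ "$hidden" != "1" ] && [ "${uid:-500}" -ge 500 ]; then
    echo "$name: not hidden (IsHidden='$hidden', UniqueID='$uid')"; rc=1
  fi
  for m in $admins; do
    [ "$m" = "$name" ] && { echo "$name: is a member of the admin group"; rc=1; }
  done
  return $rc
}

# Live wrapper for macOS. A missing record (for instance after
# `super --delete-accounts`) makes dscl fail and is reported separately.
audit_service_account() {
  user_rec=$(dscl . -read "/Users/$1" UserShell NFSHomeDirectory IsHidden UniqueID 2>/dev/null) \
    || { echo "$1: no such local account"; return 2; }
  admin_rec=$(dscl . -read /Groups/admin GroupMembership)
  audit_record "$1" "$user_rec" "$admin_rec"
}

# Constructed sample records for the offline self-check (not captured from a
# real Mac); the first matches the documented defaults, the second does not.
GOOD_USER='UserShell: /usr/bin/false
NFSHomeDirectory: /var/empty
IsHidden: 1
UniqueID: 501'
BAD_USER='UserShell: /bin/zsh
NFSHomeDirectory: /Users/updateuser
UniqueID: 502'
ADMIN_GROUP='GroupMembership: root macadmin updateuser'
```

Volume ownership, the one property in the list that the records above do not show, can be confirmed with `sysadminctl -secureTokenStatus super`. Running the same audit after `--delete-accounts` should report "no such local account".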
The attempt to create a local `super` service account triggers a privacy authorization dialog that must be accepted for the account creation process to complete.

You can avoid this dialog by deploying a Privacy Preferences Policy Control (PPPC) configuration payload. Specifically, you must grant the process that starts `super` the "SystemPolicySysAdminFiles" privilege.

Detailed documentation regarding the deployment of an MDM configuration profile that allows Jamf Pro to automatically create the `super` service account can be found here.
Specify a custom account name and/or password for the local `super` service account.

Command option example:

`--super-account='updateuser' --super-password='ThisIs@Test'`

To create or modify the local `super` service account you must also provide appropriate admin credentials via the `--admin-account` and `--admin-password` options as documented previously on this page.

Using the `--super-account` option overrides both the default service account name and full name for the local `super` service account. The `--super-password` option only overrides the default (uuidgen-generated) local `super` service account password.

These credentials cannot be set via an MDM configuration profile, as doing so would make them visible to any macOS user in System Settings (or System Preferences). However, the credentials for the resulting local `super` service account are stored in the System keychain, which can be viewed by any local admin user.

When deploying `super` using the command line, if either the account name or password contains any special characters or spaces, surround the text with single quotes ('). However, when deploying `super` using a Jamf Pro Policy with Script Parameters, do not use single quotes.

Jamf Pro Policy Script Parameters example:

`--super-account=updateuser --super-password=ThisIs@Test`
Delete all previously saved Apple silicon update credentials.

Command option examples:

`--delete-accounts` or `-d` or `-D`

This includes deleting any saved account credentials and any automatically generated local `super` service account. This option cannot be set via an MDM configuration profile.