Mobile AD Accounts Not Members of Staff Group and Fail on M1 Macs #166

Closed
hawksoccer108 opened this issue Nov 22, 2021 · 3 comments

@hawksoccer108

Describe the bug
Mobile AD (Active Directory) accounts are not members of the staff user group. On M1 Macs, erase-install performs several additional validation checks (that are not performed on Intel Macs) on the current user's account under the get_user_details function. Line 888 in erase-install validates that the current user is a member of the staff group. When this check fails, it generates the error message "account cannot be used to perform reinstallation!" and fails to start the upgrade.

To Reproduce

  • /Library/Management/erase-install/erase-install.sh --reinstall --version 12.0.1 --current-user --min-drive-space 36 --no-fs --cleanup-after-use --check-power --power-wait-limit 300
  • The script is run in a Jamf Policy from the uploaded pkg
  • By running the following command on a test non-admin account named cingalls-test, we see Terminal return the following message "no cingalls-test is NOT a member of staff"
    • /usr/sbin/dseditgroup -o checkmember -m "cingalls-test" staff

Expected behavior
I expected the current user validation checks to pass successfully on a non-admin mobile AD account and allow the Monterey upgrade to proceed successfully.

Code/log output
Error message "account cannot be used to perform reinstallation!"

Screenshots
Attached

Environment (please complete the following information):

  • OS version: Upgrading from 11.6.1 -> 12.0.1
  • erase-install version 24.1

Additional context

  • Upon testing, we discovered mobile AD accounts that have been made administrators are included in the staff user group and do not face this problem. However, in an enterprise environment, the majority of mobile AD accounts are non-admins.
  • As a workaround, line 888's if statement can be commented out. Bypassing this check allows the rest of the upgrade to proceed successfully on an M1 Mac.
@hawksoccer108 hawksoccer108 added the bug Something isn't working label Nov 22, 2021
@grahampugh
Owner

The idea behind this is to determine that a real user is calling the script, i.e. not something like _mbsetupuser, which would not work. But since adding this, I also added the check for Volume Owner, so it's probably superfluous now. I'll try removing it and see if it breaks anyone else's workflow.

grahampugh added a commit that referenced this issue Nov 23, 2021
@hawksoccer108
Author

That makes sense. Thank you

@grahampugh
Owner

Should be fixed now in v25.0. Let me know if not.
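
The thread above turns on a staff-membership test standing in for "is this a real user, not something like _mbsetupuser". As an added example (not erase-install's code and not the change made in v25.0), the following contrasts that test with a name-and-UID heuristic on three accounts. Assumptions: macOS service accounts have names starting with "_" and UIDs below 501, the function names are hypothetical, and all UIDs and every output string except the cingalls-test one quoted in the report are constructed.

```shell
#!/bin/sh
# Added example; not part of erase-install. Function names are hypothetical.
# Assumption: macOS service accounts use "_"-prefixed names and UIDs below 501.

# staff_check_passed OUTPUT
# Interprets the text printed by `dseditgroup -o checkmember`, which starts
# with "no" for a non-member (as quoted in the report) and "yes" otherwise.
staff_check_passed() {
    case $1 in
        yes\ *) return 0 ;;
        *)      return 1 ;;   # "no ...", empty output, or a lookup error
    esac
}

# is_interactive_account NAME UID
# Heuristic that does not depend on group membership at all.
is_interactive_account() {
    case $1 in
        ''|_*|root) return 1 ;;        # empty, service-style or root account
    esac
    case $2 in
        ''|*[!0-9]*) return 1 ;;       # unknown account or non-numeric UID
    esac
    [ "$2" -ge 501 ]
}

# compare_checks NAME UID OUTPUT
# Prints how each check judges the same account, so disagreements stand out.
compare_checks() {
    staff=rejected
    heuristic=rejected
    if staff_check_passed "$3"; then staff=accepted; fi
    if is_interactive_account "$1" "$2"; then heuristic=accepted; fi
    printf '%s staff=%s heuristic=%s\n' "$1" "$staff" "$heuristic"
}

# Constructed samples. Only the cingalls-test output string comes from the
# report; the UIDs and the other two output strings are made up, not captured.
compare_checks "cingalls-test" 1842011234 "no cingalls-test is NOT a member of staff"
compare_checks "localadmin" 501 "yes localadmin is a member of staff"
compare_checks "_mbsetupuser" 248 "no _mbsetupuser is NOT a member of staff"
```

On a Mac the inputs would come from `id -u "$user"` and the `dseditgroup` command quoted in the report.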
