PreStage Enrollment: Users Are Not Volume Owners on Computers with macOS 11.5–12 when the Recovery Lock Password is Set During Enrollment (PI-010304)

Symptoms

If user accounts on computers with macOS 11.5–12 that were recently enrolled in Jamf Pro 10.32.0 or later cannot authorize changes to local policy on their computers, allow software updates, or manage kernel extensions, volume ownership may not be enabled for those user accounts. When computers with Apple silicon enroll via a PreStage enrollment and the Recovery Lock password is set during enrollment, user accounts are not volume owners in the following circumstances:
  • A computer with macOS 11.5–12 enrolls with Jamf Pro 10.32.0

  • A computer with macOS 12 enrolls with Jamf Pro 10.33.0

Volume ownership is required for users to authorize changes to local policy on computers with Apple silicon, and to allow software updates and kernel extension management.

Solution

To ensure user accounts on computers with Apple silicon and macOS 11.5–12.0 can be volume owners, you must do the following:
  1. Identify which computers have user accounts that are not volume owners.

  2. Erase and re-install macOS on the target computers. This will install macOS 12.0.1 on the computers.

To enroll computers with Apple silicon and macOS 11.5–12.0 via a PreStage enrollment, set a Recovery Lock passcode, and enable volume ownership for user accounts, you can do one of the following:
  • Set the Recovery Lock password after enrollment using the Jamf Pro API.

  • Jamf Cloud customers with Jamf Pro 10.33.0 can expect an upcoming change in Jamf Cloud hosting that will mitigate the risk of PI-010304.

Identifying Computers Without Volume Owners Using an Extension Attribute

You can use an extension attribute to identify computers with Apple silicon that have cryptographic users but do not have volume owners. The extension attribute runs a script during an inventory update and reports whether a computer is in this state, which allows you to identify target computers with a smart computer group or an advanced computer search.

  1. In Jamf Pro, click Settings > Computer Management.
  2. In the "Computer Management–Management Framework" section, click Extension Attributes.
  3. Click New.
  4. Name your extension attribute.
  5. (Optional) Enter a description.
  6. Choose String from the Data Type pop-up menu.
  7. Choose a category in which to display the extension attribute in Jamf Pro from the Inventory Display pop-up menu.
  8. Choose Script from the Input Type pop-up menu.
  9. Enter the following script in the field:
    
    #!/bin/bash
    
    # Setting a Recovery Lock password in a PreStage Enrollment on Fall 2021 MacBook
    # Pros shipping with macOS 12 causes there to be no volume owners on the Mac.
    # This Jamf Pro extension attribute will detect computers that need remediation.
    
    # Case 1. Set a status to display in case we run into an unexpected condition
    STATUS='Unknown State'
    # Intel or Silicon? (uname -p prints "i386" on Intel and "arm" on Apple silicon)
    ARCHITECTURE=$(uname -p)
    # Build version?
    BUILD_VERSION=$(sw_vers -buildVersion)
    # We need to add the "-e" parameter when we call the updated xpath version in Big Sur
    # (build 20A and later); the string comparison is lexicographic on the build prefix.
    [[ ${BUILD_VERSION} > "20A" ]] && DASH_E='-e' || DASH_E=''
    # List the crypto users on the root volume
    PLIST=$(diskutil apfs listUsers / -plist)
    
    if [[ ${ARCHITECTURE} == 'i386' ]]; then
      # Case 2. If Intel, no need to go further
      STATUS='[OK] Intel Device'
    elif [[ ${ARCHITECTURE} == 'arm' ]]; then
      # Check for no users state...
      # xpath errors are silenced; an empty result compares as 0 below.
      VOLUME_USER_COUNT=$(echo "${PLIST}" | xpath ${DASH_E} "count(/plist/dict/array/dict)" 2> /dev/null)
      if [[ ${VOLUME_USER_COUNT} -eq 0 ]]; then
        # Case 3. There are no users on a volume early in the setup process.
        STATUS='No Users Yet'
      else
        # Count the user dicts whose VolumeOwner key is followed by <true/>
        VOLUME_OWNER_COUNT=$(echo "${PLIST}" | xpath ${DASH_E} "count(/plist/dict/array/dict/true[preceding-sibling::key='VolumeOwner'])" 2> /dev/null)
        if [[ ${VOLUME_OWNER_COUNT} -eq 0 ]]; then
          # Case 4. There are users, but none are owners.
          STATUS='No Volume Owner Users'
        else
          # Case 5. There are owner users on this volume
          STATUS='[OK] Volume Owners found'
        fi
      fi
    fi
    echo "<result>${STATUS}</result>"
    
    
    # Copyright 2021 JAMF Software, LLC
    # 
    # THE SOFTWARE IS PROVIDED "AS-IS," WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
    # FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL JAMF SOFTWARE,
    # LLC OR ANY OF ITS AFFILIATES BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF OR IN
    # CONNECTION WITH THE SOFTWARE OR THE USE OF OR OTHER DEALINGS IN THE SOFTWARE,
    # INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
    # CONSEQUENTIAL OR PUNITIVE DAMAGES AND OTHER DAMAGES SUCH AS LOSS OF USE,
    # PROFITS, SAVINGS, TIME OR DATA, BUSINESS INTERRUPTION, OR PROCUREMENT OF
    # SUBSTITUTE GOODS OR SERVICES.
  10. Click Save.
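The extension attribute above can only be exercised on a Mac with diskutil. As an added example (not Jamf's script), the following Python models the same five-state classification over the plist shape the script's XPath walks (/plist/dict/array/dict with a boolean VolumeOwner key), so the logic can be checked offline against constructed input. The "Users" key name and the APFSCryptoUser* field names in the constructed sample are assumptions, not taken from the page.

```python
import plistlib


def crypto_users(plist_bytes):
    """Mirror the XPath /plist/dict/array/dict: collect every dict found in
    any top-level array, without depending on the array's key name."""
    top = plistlib.loads(plist_bytes)
    users = []
    for value in top.values():
        if isinstance(value, list):
            users.extend(u for u in value if isinstance(u, dict))
    return users


def volume_owner_status(plist_bytes, architecture):
    """Return the same states as the extension attribute on the page.
    `architecture` is what `uname -p` prints: 'i386' (Intel) or 'arm'."""
    if architecture == "i386":
        return "[OK] Intel Device"            # Case 2
    if architecture != "arm":
        return "Unknown State"                # Case 1: unexpected condition
    users = crypto_users(plist_bytes)
    if not users:
        return "No Users Yet"                 # Case 3: early in setup
    # Only a boolean true under the VolumeOwner key counts as an owner,
    # matching the intent of true[preceding-sibling::key='VolumeOwner'].
    owners = sum(1 for u in users if u.get("VolumeOwner") is True)
    if owners == 0:
        return "No Volume Owner Users"        # Case 4: needs remediation
    return "[OK] Volume Owners found"         # Case 5


def constructed_plist(owner_flags):
    """Build a constructed listUsers-style plist with one user per flag.
    The 'Users' key and APFSCryptoUser* names are assumptions for this sample."""
    users = [{"APFSCryptoUserUUID": f"00000000-0000-0000-0000-{i:012d}",
              "APFSCryptoUserType": "LocalOpenDirectory",
              "VolumeOwner": flag} for i, flag in enumerate(owner_flags, 1)]
    return plistlib.dumps({"Users": users})


if __name__ == "__main__":
    for flags in ([], [False, False], [False, True]):
        print(flags, "->", volume_owner_status(constructed_plist(flags), "arm"))
```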

Identifying Computers Without Volume Owners Using Terminal

You can use Terminal to identify computers with Apple silicon that have cryptographic users but do not have volume owners.

Open Terminal on the target computer and execute the following:
    
    diskutil apfs listCryptoUsers /

If a user account GUID is listed as Type: Local Open Directory User but Volume Owner: Yes is not displayed below the user type, that user account is not a volume owner, and the computer must be erased and macOS re-installed.

Erasing and Re-installing macOS in Preparation to Enable Volume Owners

After identifying target computers enrolled via PreStage enrollment that do not have volume owners, you can erase and re-install macOS. This installs macOS 12.0.1, which allows you to re-enroll the computer via a PreStage enrollment and set the Recovery Lock password during enrollment.

To erase the computer, send the Wipe Computer remote command. For more information, see Remote Commands for Computers in the Jamf Pro Administrator's Guide. After wiping the computer, you can re-install macOS. For more information, see the following articles from Apple's support website:

After the computer is erased and macOS is re-installed, you can re-enroll the computer in Jamf Pro. For more information about PreStage enrollment, see Computer PreStage Enrollments in the Jamf Pro Administrator's Guide.