macOS - Software - Download Monterey Installer

What the Monterey installer downloader does

This Automox Worklet™ downloads the macOS Monterey 12 full installer from Apple's software update servers and stages it at /Applications/Install macOS Monterey.app on the target Mac. The Worklet queries softwareupdate --list-full-installers, selects the latest published Monterey build, and runs softwareupdate --fetch-full-installer --full-installer-version <build> under the correct user context. The download is roughly 12 GB and can take up to an hour on a typical office connection.

Before any bytes move, the Worklet runs a sequence of compatibility checks. It reads uname -r to capture the Darwin kernel major version, confirms the endpoint is on Catalina (Darwin 19) or Big Sur (Darwin 20), short-circuits if the endpoint is already on Monterey (Darwin 21), Ventura (Darwin 22), Sonoma, or Sequoia, verifies that /Applications/Install macOS Monterey.app does not already exist, checks df -h / for at least 20 GB free, and reads uname -m to branch on Intel vs Apple Silicon.

On Apple Silicon Macs, the Worklet additionally validates Secure Token. It runs sysadminctl -secureTokenStatus against both the console user (stat -f %Su /dev/console) and the _automoxserviceaccount, and exits cleanly if neither account holds a token, because softwareupdate --fetch-full-installer requires a Secure Token holder on M-series hardware. When a token holder is found, the Worklet invokes the fetch with sudo -u under that account so the call inherits the necessary privilege.

Why pre-stage a specific macOS version

macOS Monterey 12 is no longer Apple's current release, but it remains the only certified target for a long tail of enterprise software – Mobile Device Management agents, kernel extension dependencies, niche scientific tools, and legacy in-house apps that have not been recompiled for Ventura, Sonoma, or Sequoia. When the security team mandates an upgrade off Catalina or Big Sur but the application owners cannot yet sign off on the latest macOS, Monterey is the bridge. Pre-staging the installer separates the 12 GB download from the upgrade window, which is the single largest source of failure in a fleet-wide macOS rollout.

Pinning the fleet to Monterey is a deliberate choice when Big Sur is approaching end-of-support and Ventura or Sonoma have not yet been validated against the applications, kernel extensions, or MDM profile set in production. Scheduling this Worklet at the Monterey stage of a phased upgrade gates itself on Darwin version and Secure Token state, leaves Macs already on a newer release alone, and pre-stages a known-good installer that the companion Upgrade macOS Worklet can execute during a scheduled maintenance window.

How Monterey installer download works

1. Evaluation phase: The evaluation script captures CurrentDarwin from uname -r, M1Check from uname -m, CurrentUser from stat -f %Su /dev/console, and Secure Token status for both the console user and _automoxserviceaccount via sysadminctl. It exits 0 (compliant, no action) when the Darwin version is below 19, equal to 21, 22, or greater than 22, when /Applications/Install macOS Monterey.app already exists, or when the endpoint is Apple Silicon without any Secure Token holder. It exits 1 (remediation needed) only when the endpoint is on Catalina or Big Sur, has no Monterey installer staged, and either is Intel or is Apple Silicon with a token-enabled account available.

2. Remediation phase: The remediation script re-runs the same gates, plus a df -h / check that aborts if free space is below 20 GB. It pulls LatestBuild from softwareupdate --list-full-installers, filters for the first Monterey line, and extracts the version string. On Intel, it runs softwareupdate --fetch-full-installer --full-installer-version $LatestBuild directly. On Apple Silicon, it prefers sudo -u _automoxserviceaccount when that account has Secure Token; otherwise it falls back to sudo -u $CurrentUser. After the fetch returns, the script verifies /Applications/Install macOS Monterey.app exists on disk and exits 0 on success or 1 with a stderr message on failure.

Monterey download requirements

• Current OS is macOS Catalina 10.15 (Darwin 19) or Big Sur 11 (Darwin 20). Endpoints already on Monterey, Ventura, Sonoma, or Sequoia exit clean.

• Hardware is compatible with macOS Monterey 12 – 2016-and-later MacBook Pro and iMac, 2015-and-later MacBook, 2017-and-later MacBook Air, 2014-and-later Mac mini, 2017-and-later iMac Pro, 2013-and-later Mac Pro, plus all Apple Silicon Macs.

• At least 20 GB of free disk space at /. The script aborts remediation if df -h / reports less than 20 GB available.

• Outbound network access to swcdn.apple.com and swdist.apple.com on TCP 443 from every endpoint that will fetch the installer.

• Apple Silicon endpoints require Secure Token on the _automoxserviceaccount or the console user. Verify in advance with sudo sysadminctl -secureTokenStatus _automoxserviceaccount and grant the token through your MDM bootstrap flow if it is missing.

• Extend the policy timeout in the Automox console. A 12 GB fetch over a constrained link can take up to one hour; the default Worklet timeout will cut the download short.

• Pair this Worklet with the Upgrade macOS Worklet from the catalog. This Worklet only stages the installer; it does not initiate the upgrade.

Expected state after Monterey is staged

After successful remediation, /Applications/Install macOS Monterey.app exists on disk. The Automox activity log shows the LatestBuild string the script logged before the fetch, followed by a confirmation line reading 'MacOS Monterey downloaded successfully, you may now run the MacOS Installer Worklet to install.' The end user sees no prompts during the fetch; macOS handles the download in the background under the chosen Secure Token account.

Validate the staged installer by running ls -ld '/Applications/Install macOS Monterey.app' and defaults read '/Applications/Install macOS Monterey.app/Contents/Info.plist' CFBundleShortVersionString to capture the build number. For fleet-level audit evidence, run softwareupdate --list-full-installers on a sample endpoint and compare the highest published Monterey 12.x version to what landed in /Applications. If the fetch failed, the script returns exit code 1 with a stderr line indicating either a network disconnect or that the requested version is no longer published by Apple. macOS purges partial downloads automatically, so no manual cleanup is required before re-running. Once the installer is staged across the target group, schedule the Upgrade macOS Worklet during a maintenance window to complete the move from Catalina or Big Sur to Monterey 12.