Download the macOS Sonoma installer to Mac endpoints in advance of a fleet-wide major version upgrade
This Automox Worklet™ downloads the macOS Sonoma installer application from Apple's software update servers to a Mac endpoint and stages it at /Applications/Install macOS Sonoma.app. The Worklet does not run the upgrade itself. It performs the slow, bandwidth-heavy step of fetching a ~13 GB installer package so a later policy run, or a user-initiated install, can move straight to the actual upgrade with no network wait.
Before the download starts, the Worklet restarts the softwareupdate daemon with launchctl kickstart so Apple's catalog returns a fresh installer list. It then queries softwareupdate --list-full-installers, parses the latest Sonoma build version with awk, and calls softwareupdate --fetch-full-installer --full-installer-version <build> against that version. Intel and Apple Silicon endpoints take different paths inside the script. Intel runs the fetch directly. Apple Silicon checks Secure Token status on the Automox service account first, falls back to the console user if the service account is not tokenized, and refuses to start the download if neither account has Secure Token enabled.
After the download completes, the Worklet verifies that /Applications/Install macOS Sonoma.app exists on disk. If the directory is missing, the script exits non-zero with a message in stderr, so a failed download surfaces in Automox activity logs instead of leaving the endpoint in an ambiguous state. If the directory is present, the Worklet exits 0 and the endpoint is ready to be targeted by the Upgrade macOS Worklet.
A macOS major-version upgrade has two costs that platform teams routinely confuse. The first is the installer download, roughly 13 GB pulled from Apple's CDN over whatever uplink the endpoint happens to have. The second is the install itself, which holds the endpoint in a restart cycle for 30 to 60 minutes and locks the user out for the duration. Bundling both into a single maintenance window means the user sits idle while the laptop downloads, which is the part of the operation that does not need their attention at all. Pre-staging splits the two. The download runs whenever the endpoint is online, including overnight or on a coffee break. The install runs against an already-cached /Applications/Install macOS Sonoma.app and starts immediately when the upgrade Worklet kicks off.
Pre-staging the Sonoma installer separates the long download phase from the upgrade phase, so the office uplink does not saturate on Patch Tuesday and individual Macs are not stuck in front of a 12 GB transfer when the upgrade policy fires. Schedule this Worklet across a week of off-peak evaluation windows against your macOS device group, and every targeted Mac arrives at the upgrade with Install macOS Sonoma.app already cached in /Applications.
Evaluation phase: The Worklet reads the kernel version with uname -r and extracts the Darwin major. Darwin 23 is Sonoma, so an endpoint reporting 23 is already on the target OS and the evaluation exits 0 with no remediation. Darwin greater than 23 means the endpoint is on Sequoia or newer and also exits 0. Darwin less than 19 means the endpoint is older than Catalina, which Apple's softwareupdate --fetch-full-installer command does not support, so the evaluation exits 0 with a message explaining the gate. If the directory /Applications/Install macOS Sonoma.app already exists, the installer is already cached and the evaluation exits 0. Any other state exits 1, which schedules remediation.
Remediation phase: The remediation script runs sudo launchctl kickstart -k system/com.apple.softwareupdated to refresh Apple's installer catalog cache, then captures the latest Sonoma build with softwareupdate --list-full-installers | grep 'Title: macOS Sonoma, Version: ' | head -n 1 | awk '{print $6}'. It re-runs every gate from evaluation (Darwin version, /Applications cache, 25 GB free on /) and then branches on architecture. On Intel (uname -m returns x86_64), it calls softwareupdate --fetch-full-installer --full-installer-version <build> directly. On Apple Silicon (uname -m returns arm64), it prefers sudo -u _automoxserviceaccount when the Automox service account has Secure Token, otherwise sudo -u <console-user> when that user has Secure Token, and aborts non-zero if neither account is tokenized. After the fetch returns, the script verifies /Applications/Install macOS Sonoma.app is present and exits accordingly.
Current OS between macOS Catalina (Darwin 19) and macOS Ventura (Darwin 22). The Worklet exits 0 with a message on endpoints already running Sonoma (Darwin 23) or newer.
Apple hardware on the macOS Sonoma compatibility list: iMac 2019 and newer, iMac Pro 2017, Mac Pro 2019 and newer, Mac Studio 2022 and newer, Mac mini 2018 and newer, MacBook Air 2018 and newer, MacBook Pro 2018 and newer.
At least 25 GB free on the root volume. The script reads df -h / and exits non-zero if the value is below the threshold.
Network reachability to Apple's software update CDN (swcdn.apple.com, swdist.apple.com, swscan.apple.com on port 443).
On Apple Silicon, Secure Token enabled on either the _automoxserviceaccount or the current console user. Verify with sudo sysadminctl -secureTokenStatus _automoxserviceaccount before scheduling at scale.
Extend the Worklet timeout in the Automox policy. The download can take 30 to 60 minutes depending on uplink speed and Apple CDN load.
A successful run leaves /Applications/Install macOS Sonoma.app on disk, fully expanded as an installer application bundle, sized at roughly 13 GB. The endpoint stays on its current macOS version (Catalina, Big Sur, Monterey, or Ventura) because this Worklet only stages the installer. No restart is triggered, no user prompt is shown, and no GUI flashes. Run ls -la /Applications | grep Sonoma to confirm the bundle is present, and check Automox activity logs for the exact build version that was fetched (the script logs it before the download begins).
If the download fails, macOS purges the partial files automatically. The script does not write any state outside /Applications, so a failed run is safe to re-schedule without manual cleanup. Common failure modes surface as non-zero exits with a specific stderr line: insufficient disk space ('Sonoma requires at least 25GBs to install'), missing Secure Token on Apple Silicon ('Both <user> and the Automox Service Account do not have Secure Token enabled'), or a fetch error from Apple's CDN ('Latest MacOS Sonoma failed to download'). Once /Applications/Install macOS Sonoma.app is in place, target the same endpoint with the Upgrade macOS Worklet to execute the upgrade itself.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
