Install macOS Big Sur 11.2.2-20d80

What the Big Sur 11.2.2 installer does

This Automox Worklet™ installs macOS Big Sur 11.2.2 (build 20D80) on Mac endpoints by running /usr/sbin/softwareupdate -iR with the named update label "macOS Big Sur 11.2.2-20D80". The -i flag installs the update and the -R flag reboots automatically when the install requires a restart, which Big Sur major-version updates always do.

The Worklet does not stage an installer application or use startosinstall. It hands the named update directly to softwareupdate, which retrieves the update payload from Apple's software update CDN and applies it the same way the App Store update path does. This keeps the upgrade workflow stateless on each endpoint: no payload to pre-position, no application bundle to verify.

The README in the source repository notes this Worklet exists as a workaround for installing Big Sur system updates until the TITAN-58 patching enhancement ships in the agent.

Why pin Mac endpoints to Big Sur 11.2.2

macOS Catalina (10.15) is past Apple's security update window. Endpoints still on Catalina stop receiving Safari patches, kernel CVE fixes, and XProtect signature updates, which leaves a measurable gap in your endpoint protection posture. Moving Catalina endpoints to Big Sur 11.2.2 closes that gap and gets the fleet on the signed system volume, the hardened runtime defaults, and the kernel extension deprecations that downstream EDR and DLP products now assume.

Pinning to a specific build (11.2.2-20D80) gives you a known-good baseline across the fleet rather than letting endpoints land on whatever Big Sur point release Apple is serving on a given day. Important caveat: Apple stopped issuing security updates for Big Sur in September 2023, so plan a follow-on upgrade to a currently supported macOS major release (Sonoma, Sequoia, or later) as soon as Apple hardware compatibility allows. Bind this Worklet to your Catalina device group so the Automox agent walks each remaining 10.15 endpoint through the softwareupdate handoff without per-host SSH or an in-person upgrade session.

How the Big Sur install flow works

1. Evaluation phase: The Worklet reads sw_vers -productVersion for the macOS product version and uname -r for the Darwin kernel version. If the Darwin version equals 19 (which corresponds to macOS Catalina) or the product version does not equal 11.2.2, the script exits 1 and Automox schedules the remediation. If the endpoint already reports product version 11.2.2, the script exits 0 and remediation is skipped.

2. Remediation phase: The script runs /usr/sbin/softwareupdate -iR "macOS Big Sur 11.2.2-20D80" as root via the Automox agent context. softwareupdate downloads the named update from Apple's content delivery network, installs it, and reboots the endpoint when the install completes. The exit code from softwareupdate is returned to Automox and surfaces in the activity log alongside captured stderr.

macOS Big Sur 11.2.2 install requirements

• Mac endpoint currently on macOS 10.15 Catalina (Darwin 19) or on a Big Sur build other than 11.2.2

• Big Sur–compatible hardware: 2014 or newer iMac and Mac mini, 2013 or newer MacBook Air, 2013 or newer MacBook Pro, 2015 or newer MacBook, 2013 or newer Mac Pro, 2017 or newer iMac Pro

• At least 35 GB of free disk space on the system volume (Apple recommends 44 GB headroom for an upgrade from Catalina on smaller drives)

• Root or sudo context for the Automox agent (the default agent context already meets this requirement)

• Network reachability to Apple's software update CDN (swcdn.apple.com, swscan.apple.com) so softwareupdate -iR can retrieve the named update

• Power adapter connected for laptops; softwareupdate refuses to apply a major macOS update on battery

• FileVault recovery key recorded in your MDM or escrow system before scheduling, in case the signed-in user is prompted at first boot

Expected state after the Big Sur install

After softwareupdate completes and the endpoint finishes its post-install reboot cycle, sw_vers -productVersion reports 11.2.2 and uname -r reports a Darwin 20 kernel (specifically 20D80 corresponds to Darwin 20.3.0). The Worklet's evaluation script then returns 0 on subsequent policy runs, so Automox marks the endpoint as compliant and remediation does not fire again. Users see the redesigned Control Center, a refreshed Safari, and the new notification grouping introduced in Big Sur.

Validate at the fleet level by querying endpoint reports for the macOS version field, or run system_profiler SPSoftwareDataType | grep "System Version" through a follow-up Worklet to confirm the build identifier reads 20D80. For audit evidence, capture the Automox activity log entry for the policy run (start time, end time, exit code, stderr) and the post-upgrade sw_vers output. If a small number of endpoints stall during the install, check /var/log/install.log on the endpoint for softwareupdate errors – the most common causes are insufficient disk space, a stale software update catalog that needs softwareupdate --list to refresh, or a FileVault prompt waiting for the signed-in user at first boot.