
Hi All,



I thought I would share with the community my method for deploying High Sierra with Casper Imaging.
The method basically consists of two scripts.



I have tested this with a 10.13.1 Netboot Image created with AutoDMG and AutoCasperNBI



restoreMacOS.sh To deploy the correct image which runs as a "before" script



imagingPostinstall. To run after reboot to run the Sierra Upgrade if needed.



The first script will decide which image to deploy to the Mac based on the currently installed Operating System or File system.



-If it is APFS it will deploy the 10.13.1 APFS image to the APFS container.
-If it is HFS+ it will check the currently installed OS. If the OS is already 10.13 it will image using the 10.13 HFS+ image.
-If the filesystem is HFS+ and the current OS is not 10.13 it will deploy 10.12.6 and then upgrade to 10.13 on next reboot using startOSInstall.



Script 1 RestoreMacOS.sh This replaces your base image in your Casper Admin Config



#!/bin/bash
######################################################################################
#
# RestoreMacOs.sh - Ashley Stonham <reddrop>
# Restores either High Sierra or Sierra based on a best guess
#
# Variables:
# DP - Set this to the path that your DP mounts as
# SIERRA - Set this to the filename of your Sierra image
# HSIERRAAPFS - Set this to the filename of your HighSierra APFS Image
# HSIERRAHFS - Set this to the filename of your HighSierra HFS Image
#
######################################################################################


## Set these Variables
DP="/Volumes/casperdp"
SIERRA="osx-10.12.6-16G29.hfs.dmg"
HSIERRAAPFS="osx-10.13.1-17B48.apfs.dmg"
HSIERRAHFS="osx-10.13.1-17B48.hfs.dmg"


## No need to change anything below
TARGET="$1"
SOURCE=""

FSTYPE=$( diskutil info "$TARGET" | grep 'Type (Bundle)' | awk '{print $3}' )


## If the filesystem is APFS just restore High Sierra APFS

if [ "$FSTYPE" == "apfs" ]; then
    echo "APFS Detected setting SOURCE to $HSIERRAAPFS"
    SOURCE="$HSIERRAAPFS"
fi


## If the filesystem is HFS check the currently installed OS Version
if [ "$FSTYPE" == "hfs" ]; then
    echo "HFS Detected checking OS Version"
    VERSION=$( defaults read "${TARGET}/System/Library/CoreServices/SystemVersion.plist" ProductVersion )
    echo $VERSION
    if [[ "$VERSION" == *"10.13"* ]]; then
        echo "High Sierra Detected"
        SOURCE="$HSIERRAHFS"
    else
        echo "High Sierra Not Detected"
        SOURCE="$SIERRA"
    fi
fi


if [ "$SOURCE" == "" ]; then
    echo "ERROR: Unable to determine source"
    exit 1
fi

echo "Running ASR ${DP}/Packages/${SOURCE} to $TARGET"

## If restoring APFS
if [ "$SOURCE" == "$HSIERRAAPFS" ]; then
    echo "Restoring APFS Volume"

    ## Workout APFS Container
    APFSDISK=$( diskutil list "$TARGET" | head -1 | cut -d' ' -f 1 )
    APFSCONTAINER=$( diskutil apfs list "$APFSDISK" | grep 'APFS Physical Store Disk' | cut -d':' -f 2 | tr -d '[:space:]' );

    if [[ "$APFSCONTAINER" == *"disk"* ]]; then
        echo "Restoring ${DP}/Packages/${SOURCE} to /dev/${APFSCONTAINER}"
        asr restore --source "${DP}/Packages/${SOURCE}" --target "/dev/${APFSCONTAINER}" --erase --noprompt
        diskutil mountDisk "${APFSDISK}"
    else
        echo "Error unable to determine APFS container"
        exit 1;
    fi
else
    echo "Restoring HFS Volume"
    asr restore --source "${DP}/Packages/${SOURCE}" --target "$TARGET" --erase --noprompt --corestorageconvert
    #diskutil cs convert "$TARGET"
fi

exit 0


ImagingPostinstall.sh this script runs as an After Reboot and will create a launchDaemon to install HighSierra if the current OS is 10.12



#!/bin/bash

## Check OS Version if 10.12 Upgrade to HighSierra


OSVERSION=$( defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion )
if [[ "$OSVERSION" != *"10.12"* ]]; then

    ## Do nothing and exit
    echo "OS is not 10.12"
    exit 0;
fi


/bin/mkdir /usr/local/scripts


cat <<"EOF" > "/usr/local/scripts/NextBoot.sh"
#!/bin/bash
OSVERSION=$( defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion )

## If already on 10.13 remove the scripts.
if [[ "$OSVERSION" == *"10.13"* ]]; then
    ## Remove LaunchDaemon
    /bin/rm -f /Library/LaunchDaemons/com.scripts.NextBoot.plist

    ## Remove Script
    /bin/rm -fdr /usr/local/scripts

    launchctl remove com.scripts.NextBoot
    exit 0
fi

## Sleep for 30s to give the mac a chance to connect to network
sleep 30

## Update Device Inventory
/usr/local/jamf/bin/jamf recon

## Run HighSierra Upgrade
/usr/local/jamf/bin/jamf policy -event highSierraUpgrade

exit 0

EOF


/usr/sbin/chown root:admin /usr/local/scripts/NextBoot.sh
/bin/chmod 755 /usr/local/scripts/NextBoot.sh

## Install the launchdaemon
cat << EOF > /Library/LaunchDaemons/com.scripts.NextBoot.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.scripts.NextBoot</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/usr/local/scripts/NextBoot.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF

##Set the permission on the file just made.
/usr/sbin/chown root:wheel /Library/LaunchDaemons/com.scripts.NextBoot.plist
/bin/chmod 644 /Library/LaunchDaemons/com.scripts.NextBoot.plist


exit 0
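
The LaunchDaemon above runs /usr/local/scripts/NextBoot.sh as root, so the script, the plist and every parent directory need to be root-owned and not writable by group or other, otherwise a non-root account can swap the file before the next boot. The following is an added example, not part of the original post, that audits that chain; `audit_path` and `audit_chain` are hypothetical helper names, and the expected owner defaults to uid 0.

```shell
#!/bin/sh
# Added example (not from the thread): audit every path component that a root
# LaunchDaemon will execute. audit_path and audit_chain are hypothetical names.

# audit_path PATH UID
# Fails if PATH is a symlink, is missing, is not owned by UID, or is writable
# by group or other. Prints one line per finding.
audit_path() (
    path="$1"; want_uid="$2"
    set -f                                  # no globbing while splitting ls output
    if [ -L "$path" ]; then echo "SYMLINK  $path"; exit 1; fi
    if [ ! -e "$path" ]; then echo "MISSING  $path"; exit 1; fi
    # ls -ldn prints "mode links uid gid ..." with numeric ids on macOS and Linux
    set -- $(ls -ldn "$path")
    mode="$1"; uid="$3"
    case "$mode" in
        # 6th character = group write bit, 9th character = other write bit
        ?????w*|????????w*) echo "WRITABLE $path ($mode)"; exit 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then echo "OWNER    $path (uid $uid)"; exit 1; fi
    exit 0
)

# audit_chain FILE [UID] [STOP_DIR]
# Audits FILE and each parent directory up to STOP_DIR (default /), because
# write access to any parent lets the file be replaced before root runs it.
audit_chain() (
    path="$1"; want_uid="${2:-0}"; stop="${3:-/}"
    case "$path" in
        /*) ;;
        *) echo "NOTABS   $path"; exit 2 ;;  # relative paths cannot be walked to /
    esac
    status=0
    while :; do
        audit_path "$path" "$want_uid" || status=1
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then break; fi
        path=$(dirname "$path")
    done
    exit "$status"
)

# Usage on an imaged Mac, with the two files the post installs:
#   sh audit.sh /usr/local/scripts/NextBoot.sh \
#               /Library/LaunchDaemons/com.scripts.NextBoot.plist
for target in "$@"; do
    if audit_chain "$target"; then
        echo "PASS     $target"
    else
        echo "FAIL     $target"
    fi
done
```

The post's `root:admin` / `755` on the script and `root:wheel` / `644` on the plist pass this check; what it adds is the walk over the parent directories.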

@dan.snelson Thanks for that, I read your post and reviewed the script, see that it gets dumped to the client but in Reddrop's Jamf policy it looks like he has recononreboot.sh uploaded to the jamf server. I'm confused how the 2 relate to each other?


Paging @reddrop


ReconOnReboot.sh:
This was extracted from the SierraUpgrade script. I just cut it down; I use it quite often for software updates etc.



#!/bin/bash
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# CREATE FIRST BOOT SCRIPT
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

/bin/mkdir /usr/local/jamfps

/bin/echo "#!/bin/bash
## First Run Script to remove the installer.

## Update Device Inventory
/usr/local/jamf/bin/jamf recon

## Remove LaunchDaemon
/bin/rm -f /Library/LaunchDaemons/com.jamfps.reconNextBoot.plist

## Remove Script
/bin/rm -fdr /usr/local/jamfps
exit 0" > /usr/local/jamfps/recon.sh

/usr/sbin/chown root:admin /usr/local/jamfps/recon.sh
/bin/chmod 755 /usr/local/jamfps/recon.sh

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# LAUNCH DAEMON
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

cat << EOF > /Library/LaunchDaemons/com.jamfps.reconNextBoot.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.jamfps.reconNextBoot</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/usr/local/jamfps/recon.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF

##Set the permission on the file just made.
/usr/sbin/chown root:wheel /Library/LaunchDaemons/com.jamfps.reconNextBoot.plist
/bin/chmod 644 /Library/LaunchDaemons/com.jamfps.reconNextBoot.plist


RestoreMacOS.sh
Updated with a few tweaks and bug fixes to handle filesystems that don't have CoreStorage enabled.



#!/bin/bash
######################################################################################
#
# RestoreMacOs.sh - Ashley Stonham <reddrop>
# Restores either High Sierra or Sierra based on a best guess
#
# Variables:
# DP - Set this to the path that your DP mounts as
# SIERRA - Set this to the filename of your Sierra image
# HSIERRAAPFS - Set this to the filename of your HighSierra APFS Image
# HSIERRAHFS - Set this to the filename of your HighSierra HFS Image
#
######################################################################################


## Set these Variables
DP="/Volumes/casperdp"
SIERRA="osx-10.12.6-16G29.hfs.dmg"
HSIERRAAPFS="osx-10.13.2-17C88.apfs.dmg"
HSIERRAHFS="osx-10.13.2-17C88.hfs.dmg"


## No need to change anything below
TARGET="$1"
SOURCE=""



FSTYPE=$( diskutil info "$TARGET" | grep 'Type (Bundle)' | awk '{print $3}' )


## If the filesystem is APFS just restore High Sierra APFS

if [ "$FSTYPE" == "apfs" ]; then
    echo "APFS Detected setting SOURCE to $HSIERRAAPFS"
    SOURCE="$HSIERRAAPFS"
fi


## If the filesystem is HFS check the currently installed OS Version
if [ "$FSTYPE" == "hfs" ]; then
    echo "HFS Detected checking OS Version"
    VERSION=$( defaults read "${TARGET}/System/Library/CoreServices/SystemVersion.plist" ProductVersion )
    echo $VERSION
    if [[ "$VERSION" == *"10.13"* ]]; then
        echo "High Sierra Detected"
        SOURCE="$HSIERRAHFS"
    else
        echo "High Sierra Not Detected"
        SOURCE="$SIERRA"
    fi
fi


if [ "$SOURCE" == "" ]; then
    echo "ERROR: Unable to determine source"
    exit 1
fi

echo "Running ASR ${DP}/Packages/${SOURCE} to $TARGET"

## If restoring APFS
if [ "$SOURCE" == "$HSIERRAAPFS" ]; then
    echo "Restoring APFS Volume"

    ## Workout APFS Container
    APFSDISK=$( diskutil list "$TARGET" | head -1 | cut -d' ' -f 1 )
    APFSCONTAINER=$( diskutil apfs list "$APFSDISK" | grep 'APFS Physical Store Disk' | cut -d':' -f 2 | tr -d '[:space:]' );

    if [[ "$APFSCONTAINER" == *"disk"* ]]; then
        echo "Restoring ${DP}/Packages/${SOURCE} to /dev/${APFSCONTAINER}"
        asr restore --source "${DP}/Packages/${SOURCE}" --target "/dev/${APFSCONTAINER}" --erase --noprompt
        diskutil mountDisk "${APFSDISK}"
    else
        echo "Error unable to determine APFS container"
        exit 1;
    fi
else
    echo "Restoring HFS Volume"
    diskutil cs convert "$TARGET"
    diskutil cs resizeVolume "$TARGET" 0
    asr restore --source "${DP}/Packages/${SOURCE}" --target "$TARGET" --erase --noprompt --corestorageconvert

    #diskutil cs convert "$TARGET"
fi

NEWNAME=$( echo "$TARGET" | cut -d'/' -f3 )
## Quote the volume path: it contains a space
diskutil rename "/Volumes/Macintosh HD" "$NEWNAME"

exit 0


ImagingPostInstall.sh



#!/bin/bash

## Check OS Version if 10.12 Upgrade to HighSierra


OSVERSION=$( defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion )
if [[ "$OSVERSION" != *"10.12"* ]]; then

    ## Do nothing and exit
    echo "OS is not 10.12"
    exit 0;
fi


/bin/mkdir /usr/local/scripts


cat <<"EOF" > "/usr/local/scripts/NextBoot.sh"
#!/bin/bash
OSVERSION=$( defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion )

## If already on 10.13 remove the scripts.
if [[ "$OSVERSION" == *"10.13"* ]]; then
    ## Remove LaunchDaemon
    /bin/rm -f /Library/LaunchDaemons/com.scripts.NextBoot.plist

    ## Remove Script
    /bin/rm -f /usr/local/scripts/NextBoot.sh

    launchctl remove com.scripts.NextBoot
    exit 0
fi

## Sleep for 30s to give the mac a chance to connect to network
sleep 30

## Update Device Inventory
/usr/local/jamf/bin/jamf recon

## Run HighSierra Upgrade
/usr/local/jamf/bin/jamf policy -event highSierraUpgrade

exit 0

EOF


/usr/sbin/chown root:admin /usr/local/scripts/NextBoot.sh
/bin/chmod 755 /usr/local/scripts/NextBoot.sh

## Install the launchdaemon
cat << EOF > /Library/LaunchDaemons/com.scripts.NextBoot.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.scripts.NextBoot</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/usr/local/scripts/NextBoot.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF

##Set the permission on the file just made.
/usr/sbin/chown root:wheel /Library/LaunchDaemons/com.scripts.NextBoot.plist
/bin/chmod 644 /Library/LaunchDaemons/com.scripts.NextBoot.plist


exit 0

Any advice for using this in an environment that doesn't utilize Netboot?


@boanes We don't use Netboot and I've tweaked it a tiny bit to work. I figured all this out in early December, and I've been on vacation or out for training since then, so this is after a quick review of my notes from then. The below may be missing something...



In our environment we use Casper Imaging from an external boot drive. I have the MacOSInstall.sh as the first thing run during imaging to check the existing OS. If needed it then does what the original script does. The configuration also puts the 10.13 installer into Waiting Room (or /var/tmp/ or wherever). I have the ImagingPostinstall.sh script check if the 10.13 installer is where it's supposed to be and create the launchdaemon and NextBoot.sh script for running on reboot. All the paths in the scripts work regardless of whether I'm booted from our imaging drive and using a locally replicated repository (great when your remote location has only 2Mbps total) or the distribution point is mounted.



On reboot everything works like the original workflow above.



I'll have to re-read my notes and I need to re-run through the process again. But it seems to work for us for now (I haven't even documented it for my team yet).


@boanes
We use this script in our environment with USB images as well as Netboot images.
All created with AutoDMG and AutoCasperNBI.



Just make sure you are on a network connection like Ethernet as wifi will not always reconnect.



Ash


@reddrop Do you use Filevault after imaging / deploying the computers? Or do you not use Filevault with this workflow?


@mrhollywoodgates Yes we use FileVault



We enable FV via a policy later after imaging.



There is a lot of stuff broken in High Sierra around FV2 right now though.



Ash


Maybe being stupid here. Is there some reason one can't just disable APFS and Create the image from there as usual? In our environment we have multiple partitions to allow rebooting to optimally configured systems for particular software packages.



Deploying High sierra without converting to APFS


@TSOAFTVPPC



See https://support.apple.com/en-us/HT208020 Specifically the section. "About monolithic system imaging"



Also we want to enjoy the benefits of APFS.



Ash


Don't really appreciate the snark. Answering a question as if the person asking it hasn't already looked at all available resources is disingenuous at best.



"See https://support.apple.com/en-us/HT208020 Specifically the section. "About monolithic system imaging"



Who said anything about monolithic imaging? I just wanted to create the base OS without enabling APFS. I want to avoid APFS because I want to continue to be able to maintain multiple bootable OS X partitions, and I want to avoid APFS. I've already come to grips with losing compiled configurations, even though my typical payload is 100GB over a slowish network.



"Also we want to enjoy the benefits of APFS."
Any file system where file copies are not really bit for bit file copies is a trade off. Wait till you need to delve into file recovery as I often need to. APFS eliminates the most common way end users achieve local data redundancy: copying files. A copied file in APFS actually creates a lightweight clone with no duplicated data. Corruption of the underlying device would mean that both "copies" were damaged, whereas with full copies localized data corruption would affect just one. Also APFS checksums its own metadata, but not user data.
SSD/flash drives are more prone to specific types of corruption caused by power issues etc.
Spare me lectures about cloud storage etc. Delegation of risk is not elimination of risk.
So can anyone answer the question I posed?


@TSOAFTVPPC



There was no snarkiness in my comment. Deploying 10.13 via an image to a mac that has never run 10.13 before is not a supported workflow by Apple whether it is APFS or HFS. That is why I pointed you at the article. It is not just the fact that APFS is being deployed that makes imaging 10.13 more difficult than previous MacOS versions.



I have no idea what your background is or the research you have done. I was only trying to be helpful and point you at the most relevant information to answer your question.



You asked:



Maybe being stupid here. Is there some reason one can't just disable APFS and Create the image from there as usual? In our environment we have multiple partitions to allow rebooting to optimally configured systems for particular software packages.


The reason you can't just disable APFS and deploy a HFS image to upgrade MacOS is because it is a workflow that Apple specifically says not to do. There are firmware upgrades that occur during the upgrade process when run via startosinstall that are not done at any other time.



If you ask why you can't just deploy a HFS image, I can only assume you have not seen the article. Hence I say to you, see https://support.apple.com/en-us/HT208020 Specifically the section "About monolithic system imaging"



Monolithic system imaging can only be used to re-install macOS, not to upgrade to a new macOS version.

If you try to use a monolithic system image, required firmware updates will be missing from the installation. This causes the Mac to operate in an unsupported and unstable state. You can use system images to re-install the existing operating system on a Mac.


The purpose of my scripts is to detect what the currently installed version of MacOS is and deploy the most appropriate image. With the end result of getting a clean never booted install of High Sierra on the mac.


For the purpose of upgrading our lab computers to High Sierra, I'm using a slightly-modified version of ImagingPostInstall.sh (right now I'm not concerned with RestoreMacOS.sh). I have this (we have computers ranging from 10.12.3-10.12.6, for computers that aren't already at 10.12.6 I want to get them to that version before running the High Sierra installer because I ran into an issue with a 10.12.3 computer where after upgrading to High Sierra none of the Admin accounts worked):



#!/bin/bash -v

## Check OS Version if 10.12 Upgrade to HighSierra

OSVERSION=$( defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion )
if [[ "$OSVERSION" != *"10.12"* ]]; then

    ## Do nothing and exit
    echo "OS is not 10.12"
    exit 0;
else
    echo "OS is ${OSVERSION}"
fi


/bin/mkdir /usr/local/scripts


cat <<"EOF" > "/usr/local/scripts/NextBoot.sh"
#!/bin/bash
OSVERSION=$( defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion )

## If already on 10.13 remove the scripts.
if [[ "$OSVERSION" == *"10.13"* ]]; then
    ## Remove LaunchDaemon
    /bin/rm -f /Library/LaunchDaemons/com.scripts.NextBoot.plist

    ## Remove Script
    /bin/rm -f /usr/local/scripts/NextBoot.sh

    launchctl remove com.scripts.NextBoot
    exit 0
fi

## Sleep for 30s to give the mac a chance to connect to network
sleep 30

## Update Device Inventory
/usr/local/jamf/bin/jamf recon

if [[ "$OSVERSION" == *"10.12.6"* ]]; then
    ## Run HighSierra Upgrade
    echo "Upgrading to 10.13.2"
    /usr/local/jamf/bin/jamf policy -event highSierraUpgrade
elif [[ "$OSVERSION" == *"10.12.1"* ]] || [[ "$OSVERSION" == *"10.12.2"* ]] || [[ "$OSVERSION" == *"10.12.3"* ]] || [[ "$OSVERSION" == *"10.12.4"* ]] || [[ "$OSVERSION" == *"10.12.5"* ]]; then
    ## Run Sierra Upgrade to upgrade to 10.12.6
    echo "Upgrading to 10.12.6"
    /usr/local/jamf/bin/jamf policy -event sierraUpgrade
fi

exit 0

EOF


/usr/sbin/chown root:admin /usr/local/scripts/NextBoot.sh
/bin/chmod 755 /usr/local/scripts/NextBoot.sh

## Install the launchdaemon
cat << EOF > /Library/LaunchDaemons/com.scripts.NextBoot.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.scripts.NextBoot</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/usr/local/scripts/NextBoot.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF

##Set the permission on the file just made.
/usr/sbin/chown root:wheel /Library/LaunchDaemons/com.scripts.NextBoot.plist
/bin/chmod 644 /Library/LaunchDaemons/com.scripts.NextBoot.plist


exit 0


It seems pretty straightforward: if it's not 10.12.* do nothing, otherwise create the script and .plist. When it next reboots if it's 10.12.6 upgrade to High Sierra or if it's 10.12.1-10.12.5 upgrade to 10.12.6 (then in theory after rebooting the next time it'll detect it's at 10.12.6 and install High Sierra). However, whenever I run this through JSS all I see in the logs is "Failed" and in the Details it just says "Executing Policy Sierra/High Sierra Upgrader (Create Launch)" with no errors/feedback. All the Policy includes is the above script, set to run Before (I also tried After and it didn't make any difference). I also checked and the /usr/local/scripts folder isn't created, and I created separate policies for the triggers sierraUpgrade and highSierraUpgrade.



Am I missing something obvious? I looked in jamf.log on the computer and all it shows is that the policy executed (with no errors/feedback), but I'm struggling to find out why it's failing.


Figured out my issue...I'd named the script "Sierra/High Sierra Upgrader" and apparently JSS won't run scripts with "/"s in the title (it won't give you any error/warning message when you create a script with that in the title, which is kinda annoying...)


Approximately how long does the restore take with Casper Imaging?



I'm looking for a fast way to do a re-image of High Sierra similar to DeployStudio for 10.12.6. Usually I can get 10.12.6 reimaged in less than 5 minutes using DeployStudio.


Hi el2493,



It's because "/" is the directory separator symbol - just replace it with an underscore _ character
or say "Sierra or High Sierra Upgrader"


@cwaldrip we also image from a bootable USB drive with Casper Imaging on it. I am looking for ways to "image" the existing 10.11/10.12 machines to 10.13. You mentioned a macosinstall.sh script... is this what you use: https://github.com/gibiansky/IHaskell/blob/master/macos-install.sh?


I'm using the above method, with only a few minor changes, with a local repository on a USB drive. We replicate the repository to the root level on our USB drives. And the drive name is CasperShare. Then we select the USB drive as usual for the repository to use when imaging.



The image configuration doesn't have an OS install for priority 1, but the RestoreMacOS.sh script. The script checks if the target machine is running 10.12 or earlier and uses ASR (Apple Software Restore, going old school!) to wipe the drive and put a clean 10.12 image on it, the imaging proceeds as normal, and the 10.13 installer is copied to /Library/Application Support/JAMF/Waiting Room/ from the USB drive. The script ImagingPostinstall.sh is also run and creates a launch daemon to run a new script on the next restart that will delete the launch daemon and run 10.13 as an update from Waiting Room. I have the install set NOT to convert the drive to APFS for now. And, Ta-Dah! Easy Peasy! (sigh).


@cwaldrip I don't really understand this. For sake of conversation, not argument, I'm really asking. If not upgrading to APFS anyway, wouldn't it have been easier (and faster) to just make an image of a 10.13 HFS+ Install and imaged it to the machines via USB using Disk utility or any cloning/imaging software? It wouldn't matter at that point if it was already on 10.13 or 10.12, or if they had the firmware since you are booting HFS+ anyway. Or is this just a matter of trying to keep it "sort of Apple approved"?



Maybe it's due to size of deployment but personally I don't have the time to wait for the 10.13 update to run on 950 machines (just in 1 building) and fully intend to image them (APFS) and have the Firmware Update install before first boot. Still a work in progress for the "perfect" solution but APFS imaging does still work despite the naysayers' word 🙂.



@TSOAFTVPPC The answer to your question, was yes you could do that. You can also image using APFS although it is currently a hassle compared to HFS+ (and just script in installing the firmwarepackage before first boot).


@chrisdaggett I understand. For me I've found that you can't reliably deploy a 10.13 base disk image. That's the rub. The most reliable method I've found so far is the method on this page - put a clean 10.12 on the machine and then update the machine to 10.13 so it gets the special sauce. There's more to the firmware than just the APFS boot loader too. There's the Touch Bar firmware too, and a machine won't boot if the TouchBar OS can't be loaded (in my experience it gets hung trying to fix it more often than not). And we'll eventually be moving to APFS (probably sooner rather than later - maybe by the time we start actually deploying 10.13, we're still testing).


All of these convolutions seem to be to just get the firmware updated. I have multiple partitions one of which is a Restore partition. Why wouldn't I just upgrade the OS to HighSierra on the restore partition just to get the firmware updates, and image as previously on the other partitions?


I copy the firmware pkgs from my mac sus server and just add them to my imaging workflows so that the firmware updates match the version of the OS I'm deploying. I set it to install the firmware package right at the start and so far this seems to have worked fine for Sierra and my brief experience of imaging High Sierra.


@allanp81 Can you elaborate on this process please? I don't see specific firmware updates on my SUS. I'm curious about the details on your process.


@chrisdaggett You can't just restore a HFS+ version of 10.13 on a mac that has never run high sierra before. There is more to the firmware than just the boot loader for APFS. Once you have upgraded to high sierra there is no longer an issue in imaging directly to 10.13 and that is why my script will detect what the currently installed OS is and deploy a 10.13 image if the current OS is already 10.13, otherwise it will deploy 10.12.6.



Directly from the Apple support article:



https://support.apple.com/en-us/HT208020



Monolithic system imaging can only be used to re-install macOS, not to upgrade to a new macOS version.

If you try to use a monolithic system image, required firmware updates will be missing from the installation. This causes the Mac to operate in an unsupported and unstable state. You can use system images to re-install the existing operating system on a Mac.

Jamf: When is "soon"?



