Hey Tim,
First I will answer your question. You can use Casper policy to reset passwords by doing so in the accounts pane in the JSS when creating a policy.
Now, my opinion is you don't want to do monolithic images. This way everything is modular and sure it may be a bit more leg work up front, but in the long run it is much less work and more efficient - in my opinion and experience. What I do is create a pristine image of OS X and all apps that are standard on every Mac. I do this via InstaDMG and Casper Admin. Also, there are no users created in the image and it has never been booted.
Then I create user accounts post image via scripts. That way if a password leak ever happens I don't have to go in and change my image, I can just change the scripts. I can also deploy password changes through a casper policy if a password gets leaked while the bulk of the machines are in production.
Just my opinion,
Tom
Thanks very much that's a great idea. Going to definitely do that next time I make my golden master images.
as tom said, "best practices" include moving away from the golden master model. modular is more flexible, so start by learning what that entails with instadmg and similar tools.
i regularly bake base images for clients with small site specific changes, and it's generally a start-it-and-walk-away task. you want to get to the point where building this stuff isn't costly for you.
Easier said than done, open source is not good in the respect that if you have problems there is no one to provide support or call.
Tim,
I moved to a modular workflow and use nothing but apple OS disks, and the latest combo update. As Tom said, you then end up with an un-booted disk image that can be used in the Casper image workflow. No open source software is required. I believe it just makes it easier to pre-apply some of the software updates I end up applying post imaging.
Everything else is layered on top during the imaging or during the first boot of the machine (like local admin accounts, ssh access, ARD settings etc). If something small changes, only the one piece of the workflow has to be changed. You should try it. It makes going forward with both big and small easy.
Aaron
Thanks for that. I need to wait for more staff in our department and then I can start moving to this.
Do you use InstaDMG Aaron or just the Install disks and upload to Casper Imaging? If using the Install DVD to Casper Imaging which grey DVD do you use as often they are hardware model specific? And how do you apply combo updates?
I really like the sound of making cleaner installs but not sure the process of the grey hardware specific DVD, enabling and setting the root user account password and combining combo updates in the workflow as a lot of the grey disks look like 10.6.4 or something like that.
Also worried about 10.7 not being on install DVD makes matters worse.
Use 1 local account that is your casper account and use a policy to spin the password randomly at a given interval. Then use directory-based accounts only. When people leave, disable directory accounts.
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
I use InstaDMG for a few reasons to make my OS X image, listed here:
1) All you have to do is maintain the catalog file for updates, and it is easy to add things
2) you run the python scripts and let them be; it is all automated
Then once I have my 10.x.x OS image file with all the proper updates applied I drop that into Casper Admin. Then I start adding packages and compiling them into a base image. This base image is what I will use on every Mac, and it works on every Mac. We have 14,000 macs here, a mixture of 3 different models of iMacs, two different models of Mac Minis, 3 different models of Macbooks, and now we have Macbook Airs in the mix. My image works on every system no problem.
The one caveat is, that if you compile a 10.5 image on a 10.6 machine it will kernel panic every machine you image it with. This is because JAMF uses the apple installer to compile your packages and OS image files, and the apple installer sets this file to be booted (via scan for restore) and the installer sets different drives for different OSes. So, if you are going to have multiple versions of the OS (ie 10.5, 10.6, 10.7) develop each one on the actual OS you are deploying.
Then I use post image scripts and smart configurations to add group or model specific packages and I only have to ever maintain one image.
-Tom
All these open source tools have mailing lists that the actual tool developers watch. There is support for it, not to mention a community of users as well.
-Tom
I install the OS from a retail disk (not sure if that actually matters), restart from another boot drive, (keeping the fresh install from booting) then install the latest combo OS update (10.6.8v1) to the new install drive. At that point I use composer to grab an OS image of the fresh install and have what I need to use as a source for the MacOS netinstall creator. I select my new OS image as the source, let it run, and upload to my NetBoot server.
On Oct 19, 2011, at 10:11 PM, "Tim Kimpton" <tim.kimpton at rufusleonard.com> wrote:
After imaging, I end up with a 10.6.8 install with no other updates. Those happen postimage, downloading from the SUS server. Local admin accounts, binding to AD, ARD all happen postimage. Apps are mostly all packages that get installed during the imaging or sometimes after, depending on what they are.
With the updates to instaDMG does it allow for the recovery partition on Lion? Looking on their website was a little cryptic on if it works or not. But I'm having a hell of a time with the compile image after moving to 8.31, I must have done about 10 images yesterday and not a single one has worked (3 didn't complete making them, 4 of them completed but when booted went straight to the Select a Language screen then to the recovery partition, and 3 would boot to the login screen but wouldn't run any of the login scripts - such as the time zone). When I would try to log in as the casper jss account, the login window would grey out, but never bring up the desktop.
Starting to get REALLY frustrated with Lion.
John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead DEI: Matt Beiriger <mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>
Team Lead Mobility: Chris <mailto:cstaana at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.> Sta Ana
Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>
"Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan"
John,
I have yet to mess with Lion. Last I read InstaDMG works with Lion but there are a few "gotchas." I am going to set up a Lion machine here soon to start testing since we will probably migrate to lion over this next summer.
Have you tried the instaDMG or Mac Enterprise mailing lists?
Thanks,
Tom
The last time I tried instaDMG was several versions ago, and it wasn’t creating the recovery partition, and the Casper list had mentioned using compiled images – which worked when on 8.21 and 10.7.2 beta updates… But using the 10.7.2 Final ESD doesn’t seem to go with 8.31.
I've used instaDMG for years, but at this point I've switched over to casper imaging only.
Right now, instaDMG works with lion but does not create the recovery partition. If you create the recovery partition manually on the disk first, instaDMG will leave it there.
As far as casper, the only problem I've found with the installESD files is that the 'ensure computers imaged with this configuration are managed' setting does not take effect. My current work around is to include my quick add package in the configuration, and installed at boot time. That does create the management account and sets up the casper jss connection successfully.
I do not use net boot, though, all our imaging is done with USB drives that are replicated from my distribution point with casper admin.
nick
--
Nick Kalister
Desktop Engineering
Hitachi Data Systems
Office: 408.970.4316
750 Central Expressway
Building 32 : M/S 3240
Santa Clara, CA 95050
Thanks Tom but I had a look at the documentation and tried searching for guides and also couldn't find anything about support.
In my opinion, as someone that had never touched this before, the documentation and support aren't up to scratch. It was the same with Munki and every other open source I have looked at.
The InstallESD.dmg DVD image is in the installer...
/Applications/Install Mac OS X Lion.app/Contents/SharedSupport/InstallESD.dmg
Don
I am actually installing Lion on a partition on one of my iMacs today since the last week has been pretty much dead at work. I will try InstaDMG with Lion when I get it all set up.
-Tom
this should probably be another thread now that it's been thoroughly 'jacked…
on a related note, instadmg worked fine for me in limited testing generating a 10.7.2 base image the other day. it doesn't create the recovery partition, but then again, that's not generally something it would do anyway. its purpose is to automate creation of a never booted volume with the os, updates, and other payloads, which it does.
if you want or need to create a recovery partition programmatically, try this:
https://plus.google.com/109088229817689076273/posts/CDTUmQUiBV9
**
NOTE: all community contributions, one-liners, advice from friends/your mom, come with no implied or explicit corporate fax, phone, email, remote, finger puppet, or smoke signal support, so please disregard if your organization requires paid support before proceeding.
**
Check out Lion Disk Maker. Ignore all other instructions you see on the internet to make a bootable usb and DVD. If you follow those guides you will miss the essential OSInstall.mpkg and then during install it downloads it from Apple. I know this because I am behind a proxy and get the proxy prompts going mad.
http://blog.gete.net/lion-diskmaker-us/
Systems Engineer
E: Tim.Kimpton at rufusleonard.com
D: +44 (0)20 7956 3014
W: http://www.rufusleonard.com
F: facebook.com/rufusleonarduk
T: twitter.com/rufusleonard
Rufus Leonard limited is a company registered in England and Wales with
company number 3348509. Vat number: 691308528

Now to figure out how to get this into a casper-esq method.
Good find!
