10.10.2 updater includes silent firmware updater

RobertHammen
Valued Contributor II

Well, interesting post by @Banks on AFP 548. Looks like the 10.10.2 updater also includes a "silent" firmware updater:

https://www.afp548.com/2015/03/05/thunderstrike-need-to-know/

The downside to this is, if you re-image a machine to 10.10.2, rather than upgrade, it may not get an available firmware update and may be vulnerable to Thunderstrike. Allister breaks out how you might re-package/scope this for deployment in a Casper environment.


davidacland
Honored Contributor II

Looks like another reason to move away from OS imaging.

RobertHammen
Valued Contributor II

There is always a need for laying down at least a base OS image for cases of troubleshooting/repair. However, when possible, for the last 4+ years I've been steering clients to use the OS that the computer ships with, and just enroll it, making any necessary changes via package, script, or policy.

bentoms
Release Candidate Programs Tester

If it's a big concern, move away from imaging using an OS .dmg to installing.

Drag the "Install Mac OSX" app into Casper Admin & set it as an OS installer.

gregneagle
Valued Contributor

There is always a need for laying down at least a base OS image for cases of troubleshooting/repair.

But a base OS can also be installed, and not only imaged...

calumhunter
Valued Contributor

I really don't understand this whole "you don't/shouldn't need to image your machines any more" talk.
It seems to be ignoring some pretty common issues:

  1. Machine has a failed hard drive, replace disk with a new one. How do I get this machine back up and running? Oh yep, reimage it. What, you think I'm going to Internet Recovery that sucker? Uhh no. Hello authenticated proxies. Or the machine is booting to a kernel panic or some other major issue where a simple re-image is required.

  2. Restoring a 6-7 GB disk image from AutoDMG takes about 7 minutes for me on an old MacBook Pro. Installing OS X from the .app/InstallESD/createosxpkg takes about 35-40 minutes. Then I still have to install all my packages.

Perhaps I am missing something?

As per usual, Apple gains some momentum in the enterprise and then promptly aims the gun at its foot and fires.

Why the F would you roll a firmware updater into an OS patch update?

davidacland
Honored Contributor II

@calumhunter I've suffered from poor deployment speeds since first dropping monolithic imaging. I could deploy huge images in hardly any time at all when it was all wrapped up in a single block scanned image.

When we set up deployment solutions for school labs we use AutoDMG to lay down the OS, as the goal is normally to wipe the target drive and get the Macs up and running as quickly as possible.

For business setups we are using either the recovery partition or createOSXinstallPkg to install an OS, mostly so we avoid wiping out local user data etc.

I'm sure that standard OS X installs are the "correct" way to do it, or at least what Apple intend. Not wanting to speak for them but I would imagine from their perspective there is nothing wrong with putting a firmware update into an OS patch.

I've heard people say that you shouldn't be imaging at all, suggesting that you will experience lots of issues. Personally we have been imaging Macs for years. There are lots of things to consider with regards to compatibility etc but I haven't seen any reason why the deployment method should be dropped entirely, particularly in schools.

gregneagle
Valued Contributor

Imaging is fine. Installing is fine. Each has trade-offs. Know what the trade-offs are, and make your choice. You don't even always have to make the same choice; you might set up one batch of new machines by restoring an image; in another situation you might use the "installing" method; in still another situation you might do neither and just layer your packages on top of the OS as shipped by Apple.

This is not either-or. This is "here's a cabinet full of tools: pick the best one (or ones) for the job at hand". The more tools you know how to use, the more options you have at your disposal.

Chris_Hafner
Valued Contributor II

I agree with @gregneagle. No one solution will solve every issue. I still make base OSes for new deployments and would follow up with users on a standard update policy to sort out needed FW installs. Heck, there have been a thousand ways to skin that particular cat in these forums! Machines that update the OS in the field (via Self Service) will get the FW updates as part of that process. Additionally, I also have a compiled (modular) image ready for high-speed delivery. Well... depending on the time of the year.