Jamf Nation Community

Hey we use both for both EDU and PRO clients.
For our EDU clients we use a mix of slim and normal imaging. Anytime we deploy new machines, we run the slim image (which includes the combo update) since the machines are shipped with a working OS. Anytime we need to fully restore a machine, we use the same image except we added a base OS.dmg from AutoDMG. I also add a local management account in addition to the JAMF management account. I use the program CreateUserPkg to create a user package then I add that into my image and make sure it's set to install on boot drive after imaging. You could also use an enrollment policy to add another account. I just prefer to use the package since we don't really have too many enrollment policies in effect in my environment. If you create an OD/AD Binding in Casper Admin, you should be able to log into any of those accounts after imaging. When the user logs in for the first time, assuming your AD/OD is reachable, a mobile account will be created. We moved away from Workgroup manager a couple years ago and have been able to manage those settings via config profiles.

Thanks for the responses @blackholemac and @Jalves

To answer your question about what imaging solution we use @blackholemac
- We use Casper Imaging right now.
- I was indeed referring to CreateUserPKG when I said CreateUser.
- I'll take a look at MCXtoProfile for migration from Workgroup Manager to Profiles.
- That's a neat little trick about the AppleSetupDone file, didn't know about that.

Even with new machines we just wipe the whole thing and install the packages we want via Casper Imaging.

Even with new machines we just wipe the whole thing and install the packages we want via Casper Imaging.

The issue I have with this is when a new model is released and has a specific OS (until the next combo updater comes out). Rather than having to create a new base image just for one model, we put all of the our apps, CreateUserPkg and post image scripts in our config and let it fly.

@usher.br Glad to have some context to go on there...thin imaging by itself can be a loaded question. I'll be honest...when it first came out, I said we would never use it. If you look at the 20,000 foot view of it, I do use it for when we have true, brand-new models that do not have a retail build of OS X yet...out of the box I just boot to recovery partition, make a new NetBoot set for the server and then boot the new machine to that NetBoot set and run my Casper Image config on it (customizing it to remove our normal OS.dmg for anything not brand-new) and it works. A great method when imaging 40 new MacBook Airs. I can say it saves me time.

I agree with you though on modular imaging in general...in our org, our department is the only one who re-images workstations. Thin imaging may work for some orgs. I could see it working for our org if:

1. we were all laptop-based
2. we had an Apple Store nearby to help errant users get the OS re-loaded
3. our user's knowledge base was improved
4. I'm still not totally convinced that students are ready for admin rights yet

In the end, the only thing I use it for is brand-spanking new hardware that retail builds don't exist for yet. Apple has designed the ecosystem so you never downgrade beyond what shipped on the computer at purchase.

@johnnasset That makes sense. We usually buy new Macs in a big pack though, so I just setup one of those machines with our defaults then use Composer to take an OS image and use that from that point on as our base OS.

@blackholemac I think I may be confused as to what "Thin imaging" really is... My understanding is that it is a way to allow users control of the setup etc of the computer while still allowing things such as the JSS to manage it on the backend. Is that correct?

20 thousand foot view the thin imaging process is officially modular imaging minus the OS.dmg

http://macadmins.psu.edu/wp-content/uploads/sites/1567/2012/11/PSUMAC211-Modular_OS_deployment_on_the_Mac-Rich_Trouton.pdf

Given that reality, many organizations use the concept to let users manage the OS (including its reinstallation) with admin rights and only managing certain pieces of software or settings. they may implement in the form of a Casper enrollment QuickAdd that has been customized or is set to kick off triggers/policies. We don't really do any of the fancy stuff as it isn't a good fit for our organization.

The only time we use the concept is in the event of brand spanking new hardware that I had a model specific build that is not appropriate for a general OS.dmg.

You'll get a lot of definitions thrown around. My understanding:
Monolithic/Golden image: Build and setup one computer. Take image from it and restore to other computers.

Modular image: Put a base image and deploy packages separately to that base image through your imaging tool of choice. (This is the method that Casper Imaging uses and other tools like DeployStudio). Back in the day, InstaDMG allowed for this as well.

Now technically the next two terms can be considered modular in that the packages are separate from the 'image'.

Thin Image: Create a bare bones unbooted OS image and deploy packages separately through your software management too on first boot.

No Image: Do not image computer. Use a "tool" to configure the software deployment tool on the computer so that it can get the software it needs. This "tool" can be an imaging tool like DeployStudio or Casper Imaging where instead of installing an image you just install a package that runs on first boot (postponed install) that puts the necessary pieces to connect to the software management tool. However you can also get a bit manual and just take the computer out the box as is and download said tool manually and install it yourself or manually run a script that takes care of what it needs to. Regardless of how you get the computer to talk to your software deployment tool, the main point is that there is no imaging involved.

You can go strictly "no imaging" if you wanted, but that would mean making sure your new hardware supports Internet Recovery to get OS in situations where a computer needs to be wiped. Not quite practical I think due to the time that may take (plus the uncertainty of what OS it may pull down on the hardware) which is why most will always have to use a 'thin image' at some point but are pretty much trending toward a "no image" approach due to the fact that Apple releases new hardware that sometimes has a special OS build.

In a recent white paper, Apple talks about methods to manage computers and the word imaging is not even mentioned in it! Apple released DEP over a year ago now. And that would be considered "No imaging". The idea behind it is probably a bit different though from what some admins are looking to do. In Apple's eyes they view the device as something personal and in their eyes the user should be in control and the management software a company uses should be an extra layer that allows a user to do the things the company wants (not restrict the user). Think of a one to one deployment where the user has local admin access. Casper does support this model as it has support for DEP. However, not everyone wants to use DEP because companies are not just going to give users admin access and not every company is going to give up using directory services.

Right now, Casper Imaging supports monolithic imaging and modular imaging pretty well. It supports No Imaging as well through DEP. However thin imaging and no imaging in general could use some improvements because the actual Casper Imaging app just wasn't really built with thin imaging/no imaging in mind. It requires some customization depending on your company's workflow for getting software out to computers/users.

Anyways, this is a frequently discussed topic. And everyone's got an opinion on it. There's pros and cons to every method (speed, size, maintenance, packaging, scripting, etc.).