Casper Imaging Versus DeployStudio

dstranathan
Valued Contributor II

I just purchased Casper Suite. Haven't deployed yet. In the process of setting up a JumpStart. Reading lots of manuals right now. ;0)

I have used DS for years and know it well but I haven't even seen Casper imaging in the real world so I have no point of reference - other than the Admin guides.

What are your thoughts of replacing DeployStudio with Casper Imaging?

Can you outline the Pros and Cons of each please?

Can I run both DS and Casper Imaging on the same NetBoot Server and make a slow transition if I want to?

24 REPLIES

davidacland
Honored Contributor II

The two can co-exist on the same server ok. You'll just need a separate NetBoot set for Casper Imaging.

The main strength of Casper Imaging is when you are deploying lots of packages (or other items). After about 10 items in DeployStudio it gets a bit hard to manage.

Casper imaging lists each step in the deployment process in a sidebar which is much clearer.

That being said, I've used both together on some deployments. You can just include a QuickAdd package in your DeployStudio workflow.

If you do want to use NetBoot and Casper imaging it will be worth trying AutoCasperNBI from Mac mule.

dstranathan
Valued Contributor II

Thanks David

Does Casper Imaging handle erasing/formatting/partitioning of rotational and SSD drives? Can it handle an occasional Fusion drive/CoreStorage setup?

I'll grab AutoCasperNBI and play with it.

My DS workflows are fairly streamlined. I have ~10 workflows max. Pretty straightforward jobs that wipe/image the drive with OS X, push a few app packages, run a post-flight script, bind to AD, etc. Laptops have one additional workflow for provisioning VPN.

mm2270
Legendary Contributor III

FWIW, we continue to use DS for our imaging, not Casper Imaging, and have it integrated well into our Casper environment. You just need to make sure you drop a Recon.app generated QuickAdd pkg into your workflow to ensure the Mac gets enrolled after it reboots and runs the install packages.

davidacland
Honored Contributor II

It can do partitioning in a very limited way. DS is actually a little better in that area.

When it's needed, we will use a drive prep script before launching Casper Imaging to do the partitioning etc.

calumhunter
Valued Contributor

+1 for using DS for imaging.
- Lay down a base clean image from autodmg
- Apply casper quick add pkg to get the machine into the JSS
- Let the JSS do the rest via policies

Casper Imaging has burnt me too many times in the past, especially around partitioning/erasing disks.

No authentication for access to specific workflows like DS either. All configs are accessible with Casper Imaging, which can be problematic depending on your environment.

dstranathan
Valued Contributor II

Thanks @calumhunter

I'm in an environment where I leverage granular access control to my DS Workflows (Admins, Techs and Users).

I also use AutoDMG for generating a base image (sometimes critical for new hardware before OS X is unified etc). Is there any reason AutoDMG can't be used with Casper Imaging?

Can you elaborate on what Casper Imaging has failed at in terms of disk provisioning? Perhaps 9.81 doesn't have those issues any longer?

calumhunter
Valued Contributor

@dstranathan Casper Imaging can take an AutoDMG created disk image no problems at all.

Casper Imaging has a bit of a sketchy history IMO. Problems dealing with CoreStorage and Fusion Drives.

I'm sure that it's fixed in 9.81...

I've also had a number of times where I had to run an older version of Casper Imaging, say 9.6, when everything else was running 9.7 or so, otherwise imaging workflows would not display or run correctly.

So for me I'd rather use something I trust like DeployStudio or Imagr.

dstranathan
Valued Contributor II

As long as the two solutions can peacefully co-exist, I guess I'll be setting up Casper Imaging on the same server as my existing NetBoot and DeployStudio. I will play with both solutions side-by-side and make a determination of how to proceed. Perhaps a gradual transition from DS to Casper Imaging may occur.

I have never even seen Casper Imaging up close, so I have no insight into the product whatsoever. I have used DeployStudio for what feels like forever (and Mike Bombich's NetRestore before that - yes, I'm old). I really want to give Casper Imaging a fair shake, but I really have no complaints about DS other than a lack of "official" support.

I only have a few Fusion-enabled iMacs here (all were purchased on accident by other staff members). So any Fusion/CoreStorage hiccups aren't going to be a deal-breaker for me.

I don't see many JN community members raving about how awesome Casper Imaging is. This makes me ...apprehensive.

bpavlov
Honored Contributor

I will offer a different take on it. DeployStudio has in the past encountered problems working with either new hardware or OS updates whether minor (10.10.X) or major (10.X.0). And because it's closed source you need to wait on the developers to fix it. Sometimes it's quick, sometimes it's not. Casper Imaging can suffer from similar issues but I haven't seen it in the year I've been using it. Ever try to get something solved same day with DeployStudio? They have a forum but it isn't nearly as active as other Mac communities nor is there any official support.

I went with Casper Imaging because it's a product we're paying for and it works. If I encounter a problem, I can get JAMF Support immediately. Casper Imaging also integrates with the packages and configurations you set up in Casper Admin. If you go with DeployStudio you will have to manage image configurations/workflows separately as DeployStudio uses its own repo to store packages.

I will say this though. I would advise against using packages in workflows/image configurations in either DeployStudio or Casper Imaging. I recommend making use of policies in the JSS to deploy the software you want to that computer. This way all you really need to do is bootstrap the computer with a first boot package that will take care of getting the computer enrolled and running the necessary policies as needed.

Those are just my 2 cents.

dstranathan
Valued Contributor II

@bpavlov Thank you sir. I was hoping to see both sides of the coin on this topic.

Sometimes I get the feeling that it's awful quiet over on the DeployStudio site, and at times I wonder if the lights are still on. Months go by with little or no developer feedback. JAMF gives my bosses a warm 'n fuzzy because we always have a phone number to call when crisis looms.

Since I just purchased the JAMF Casper Suite (days ago), I'd be remiss in not trying to make the most use of all of the JAMF solutions in its ecosystem. I'm excited to see it in comparison to DeployStudio.

I have not considered controlling a base software install via policy. This totally makes sense because the JSS and the NetBoot server can share the same repo(s). I guess my brain is still thinking too linear. Great suggestion - especially for my company that has fairly basic, static software needs for most Mac users.

Typically, my current DS workflow looks like this:

New Mac arrives.
Provision Mac in OD for computer MCX policies (soon to be replaced with Casper and profiles!)
NetBoot/DS: Wipe/re-image the Mac (modular, not "thin")
NetBoot/DS: Add a hidden local admin account pkg, and base software packages (Office, Java, etc)
NetBoot/DS: Run a finalize setup script for certain settings, and bind to AD.
Reboot
Slap a physical asset tag on the Mac.
Create a CI/Asset record in ServiceNow.
Add any custom software manually or via ARD, etc
Deploy Mac to the user

Several of these steps will be deprecated, consolidated or replaced altogether with JAMF.

bpavlov
Honored Contributor

I think you're taking a good approach. I say throw out any preconceived notions of how you currently do things and think different. In some cases, you'll want to use what JAMF offers; in other cases you may not. It all depends. But this is as good a time as any to at least try something new in hopes of accomplishing your task more efficiently.

All those steps can definitely be accomplished with the JSS. In terms of the software, I would start asking myself "how do I determine which computers get which software"? From that, start creating smart groups and then the associated policies for each piece of software. Some people make use of the Enrollment trigger in policies so that policies run immediately when they are enrolled. I don't use that approach. Instead I have my first boot script just call "jamf policy" enough times so that it runs any policies that it falls in scope of.

You can create an AD Binding config in the JSS. Go to your JSS. Click on the Settings gear in the top right corner. Click on Management Settings > Computer Management > Directory Bindings > Click New and fill out information. Then in Casper Imaging you can add the AD binding as part of an image config which will bind the computer to AD on reboot. There is an alternative of doing it with a config profile too but I haven't used that method.

Feel free to ask any questions. We're a friendly bunch here you'll find.

jhuls
Contributor III

I'm curious to hear how this works out.

While I've been supporting the Macs here for a couple years (community college), it's been quite the upward battle. We've had Casper this entire time but it wasn't being used when I took over to do anything but add a couple icons to the dock for one of our labs. It was pretty shocking to me considering how much Casper cost. Since then I've developed a number of policies, profiles, etc to manage everything allowing us to better adapt to the demands we're being faced with.

I still have a ways to go though with some things and one of those happens to be imaging. We had a Mac NetBoot server when I came on that worked "ok"...just slow. Nobody knew how to create images or anything with it though so with so many demands at that time due to job turnover (I was supporting Mac and Windows areas) and other projects this got pushed to the back burner. Version 9 of Casper came along as well as newer versions of OS X and one of our network guys decided to pull the NetBoot server because it was too old. He tried the open source NetBoot server that Jamf suggests but had problems. No replacement then.

Long story short I've now been imaging systems via Casper Imaging but only with portable SSDs for over a year now. While the SSD option is pretty fast over Thunderbolt and USB 3, a network based solution works much better when we have to replace a lab. I'm hoping to get a network imaging solution in place once again now that some of the dust has settled on many of the projects we've been working on. Casper seems like an obvious choice but it seems like I hear a lot more about DeployStudio.

gachowski
Valued Contributor III

Every time I say it will be the last time I will bring this up... however.....

Imaging, AD and 3rd party AV are dead!!!! IBM, Apple and Jamf put the nail in the coffin last week at JNUC....

http://www.jamfsoftware.com/resources/mac-ibm-zero-to-30000-in-6-months-video/

C

PS I know there are going to be a few orgs with outside the normal cases... but if IBM can secure and deploy 200,000 Macs with DEP, Config profiles and Self Service ... then we all have to take a hard look at why we are doing anything different...I am betting in most cases the reasons are political not fact based....

I already have users asking why we are doing "things" different than IBM...

jhuls
Contributor III

If we only deployed software and configurations to newly ordered systems, I wouldn't bother with imaging. Working in our environment though I'm working with systems that get rotated from labs to offices when labs are replaced. It's quicker to image. New systems I don't image.

For what it's worth we have a new CIO who wants to do away with rotations so this might change but for now we fall into the outside normal case I guess.

calumhunter
Valued Contributor

@gachowski

Clearly you do not work in education.

It's one thing for an IT company to change its policies and infrastructure in order to support adult tech savvy users with Macs.

It's quite another thing to suggest that this same process can and should be applied to all organisations and institutions that use Mac devices.

Show me how IBM's method works for shared computer labs across campuses/schools used by 8yr olds..

Perhaps it would/could work for higher education with a 1:1 laptop program where the student owns the laptop.

bpavlov
Honored Contributor

@gachowski Those are some ridiculous statements.

  1. Imaging is far from dead. Even if you go with a 'no imaging' workflow, there are still many situations that require a re-image. That's not to say that organizations shouldn't get away from thick images, but even clean base OS images are still very valuable and have their place.
  2. AD provides a lot of benefits. Just like having a local account has its pros and cons, so does AD. It otherwise wouldn't be as popular as it is today if it didn't work.
  3. IBM still uses AV on their Macs and requires them on their computers. And even Apple has their own built-in security to prevent some malicious software from being loaded.

There's more I wish I could say specifically about IBM, but at the end of the day, I wouldn't take anything IBM does to influence my decisions.

gachowski
Valued Contributor III

@bpavlov

  1. I really don't consider a netinstall imaging and I would be surprised if anyone else did. Also you can use "Internet Recovery" to do a clean base image so in theory you don't need that imaging infrastructure at all... it's a choice to save time...

  2. I am not going to argue details, I was trying to make the point that Imaging, AD and 3rd party AV are things of the past. As there are over 2,100 posts about AD in Jamf Nation I disagree that it's popular because it works.

  3. You are kinda implying that IBM and Apple are misleading us...and that is not fair at all. The IBM presentation and the notes are clear.. that the default is Xprotect.. I have had 1st hand access to Apple Corp machines, have asked many Apple employees and have heard the Apple guys talk about their Casper process and implying that they have "special" software is incorrect. To my knowledge the only "special" thing they have ever done was awhile back they pushed an institutional encryption key a few years before we could, and even then Apple employees didn't have to use it.

But I find the general ideas behind #3 very interesting..so I will use my fav argument.

I find the fact that you think a 3rd party AV can "secure" the Mac better than Apple can "ridiculous".

I don't think we can prove one way or another 3rd party AV is better than Xprotect. In fact I know we can't. However to assume 3rd party AV is better is just crazy and old OS 9 thinking...Apple has tied their brand to security and has done more than any major OS in recent years to secure their OS.

C

alexjdale
Valued Contributor III

IBM said they install third-party AV only when that system is going onsite to a customer who requires it, they rely on Xprotect for their own internal requirements.

That said, third-party AV can provide some critical functionality, like centralized alerting/reporting when something is detected and action is taken, as well as protecting the overall ecosystem by detecting non-Mac virus/malware payloads to keep them from spreading. We also have someone we can hold accountable if there is a new threat that needs to be addressed, since Apple won't comment on it.

We still use third-party AV and I don't even want to try to fight that battle, since Xprotect does not meet our corporate requirements around alerting/reporting. We use Symantec, and on occasions where it is broken or doesn't work it's been harmless and doesn't interfere, so it's not a big deal for me.

jhuls
Contributor III

  1. Saving time can certainly be a huge cost benefit and can allow for maintaining control of what's installed on systems. That's no small thing. As has been stated much of this depends on how systems are managed and rotated in many organizations.

  2. AD isn't dead but its current implementation could be. It's not designed well for mobile or byod.

  3. 3rd party AV vs Apple is a matter of where you want to place the goal posts. As mentioned there is the reporting aspect. There is also the turnaround time. Apple has improved but they tend to still lag much more than they should. Saying that they've done more than any other major OS in recent years is laughable considering how far behind Apple was. It's great to see Apple making progress here but let's not get carried away.

At any rate we should be careful of stating something is dead as it's simply drama. I've seen statements like this for years. How many times have we heard in the last 15-20 years that native software was dead and we'd be moving to the web for our software? Flash is still here. Bluray is still kicking. The Mac was dead. Apple was dead. Those stand out at the moment. It comes down to business needs.

Back on topic though I'm still interested in hearing a followup on the original topic.

gachowski
Valued Contributor III

@jhuls

I will get "carried away" : ) Until somebody can prove otherwise : ) "past performance does not guarantee future/current results" I would go as far as to say that the work Apple is trying to do to secure their OSes is the best in the industry.

I am not an expert but from what I have read I think everyone is selling SIP very very short.. I don't know a major non Apple OS that does all of the following...

  1. Protected locations can only be written to by the OS developer.

  2. Protected system processes that cannot be attached and cannot be subject to code injection.

  3. Kernel extensions, such as drivers, cannot be installed without approval from the OS vendor.

  4. The system objects and in-memory processes are so flagged that they cannot be altered by processes not signed with the OS vendor's own code signing key.

C

gachowski
Valued Contributor III

Sorry to hijack the thread...

C

bpavlov
Honored Contributor

@gachowski

  1. I'm not referring to netinstall. I'm talking about laying a flat base image. Some people make it thick, others keep just the base OS. It's still imaging regardless of what it contains since it's wiping the volume. I'm willing to bet that in most environments reinstalling an OS via Internet Recovery is an absolute last resort. I'm guessing most people would prefer to use NetInstall or an OS X package installer before resorting to Internet Recovery. It's a great tool for clients, but does not scale well for enterprise.

  2. You could reference all those posts, but then again there are thousands of posts here on many other topics, MDM, VPP, DEP, etc. Is the argument that none of those work either? No. People have trouble and they come to this community asking for help, advice, clarification, better understanding, etc. Whatever gripe you may have against AD, if it didn't work it wouldn't be so widely used. It's not like it's a cheap tech to implement. Obviously every environment is different and needs to weigh the pros and cons of using it. But to say it's a thing of the past is really

  3. The Apple security I was referring to was Xprotect. If AV really wasn't necessary then there would be no need for Xprotect. I have no knowledge as to what Apple does on their computers internally and didn't mean to imply I did. Sorry about the confusion. IBM does have AV that they use though. So if the very company you're saying we should look at is using it......But in any case, like I said even if they weren't I wouldn't base any decision based on what IBM is doing. Every company will have different environments and regulations to deal with where it is recommended and/or required.

Arguments like these have come up in the past. Just because one way of doing things will work it doesn't mean that it will work for most or is even ideal for most. Every environment is different. The size of a company like IBM means that they have to deal with some factors that other companies don't have to deal with. For example IT staffing. Do you increase on-site IT support to aid users as much as possible or do you force end users to help themselves by putting out as much documentation as possible? This is one of many things to consider when deciding on what workflow you should use for preparing computers.

bpavlov
Honored Contributor

@jhuls DeployStudio works, but just don't expect official support. It is definitely a lot more flexible than Casper Imaging. In fact, I think it's a lot more intuitive when it comes to setting up imaging workflows. DeployStudio is a pretty simple thing to set up so why not just load up a VM and run it from there to see how it works? That should tell you more or less whether you want to use it or not over Casper Imaging.

calumhunter
Valued Contributor

Posted: 40 minutes ago by gachowski: "I am not an expert but"

And there it is.

@Dickson made a comment not that long ago in regards to a similar attitude in another thread...

I'm weary of anyone who declares absolutes in any scenario or rule. The precursor to these claims usually is something like "I can't think of why anyone would want/need..". The words never, always, phrase 'can't think of', etc show a lack of imagination more than anything.

I think that sums it up quite nicely.

I think the OP's question has been answered before this thread got a little off track, but if not @dstranathan please post any other questions you have re Casper Imaging v DeployStudio workflows and let's see if we can help out.

Let's put the ideology debates to rest.