Posted on 06-19-2015 04:03 AM
As I am still trying to figure out the basics of Casper and OSX in general I am trying to work through the flow of creating a USB boot stick and the eventual OS image. Having never done any of this before I have taken advice from these forums and others. So far, I have had... moderate success.
Is there documentation somewhere on the best method for creating a restorable image that can be placed on a USB drive to be used for Casper Imaging?
I have used AutoDMG to create a DMG file from latest Yosemite installer. Have then taken the DMG and run it through AutoCasperNBI, ticking the 'Create A Restorable DMG' option. We are currently running Mountain Lion across the board and ACNBI never finishes, so I ran it on a factory Yosemite machine and it pops out a restorable DMG, as it should. However, imaging with USB created from this continuously prompts that the Casper server it is connected to may not be the true Casper server. It seems to be asking for a certificate of some type? I have watched ACNBI run its process, it appears to grab this from the Casper server that I defined in the initial setup. Has anyone experienced this? Is there a way to make it stop asking? It has to be acknowledged by clicking ok or cancel and stops the build while waiting for an answer. I will grab a screen shot when I can. Again, is there a better way/process for creating the image for the USB?
Posted on 06-19-2015 04:17 AM
It might be worth creating it manually. Here are the steps we use:
The USB stick will then be ready for use. If you wanted to duplicate it, you could either create a disk image using disk utility or use something like Carbon Copy Cloner to clone directly to another external drive.
Posted on 06-19-2015 04:26 AM
just an idea.. use AutoNBI to make a netboot image.. then use the system.dmg from inside this to make the bootable USB..
Posted on 06-19-2015 04:38 AM
@davidacland Thanks for the reply and listing out the steps, I am going to give this a try today and see if it works out better for us.
Posted on 06-19-2015 04:40 AM
@manyusersaccount Thanks for the reply. Are you saying to not tick the option to create the restorable DMG in ACNBI but to merely allow it to run normally and then attempt to utilize the system.dmg file that it creates as the DMG for the USB drive image?
Posted on 06-19-2015 04:51 AM
Don't have this in front of me at the moment, but if you open the NBI there is the DMG inside.. mine is called 'Netboot.reduced.dmg' as I ticked the option to reduce size.
Use Disk utility to make the bootable USB from that.
Posted on 06-19-2015 06:55 AM
For the last set of bootable imaging drives I needed, I used AutoCasperNBI's "restorable" option to create a disk image for restore and it worked great (as usual, thanks @bentoms)
Take a look at his documentation. It's straightforward:
MacMule: Create a Restorable DMG
Posted on 06-19-2015 07:32 AM
@Freddie.cox Yes, this is exactly what I did. However, when I launch Casper Imaging it starts to pop up messages that the server may not be a real Casper server and that it requires the certificate. As I stated above, I saw the portion of the image build where it called for the cert and it did it, so I am not sure why, during Casper Imaging launch or during imaging, it pops this error message.
Posted on 06-19-2015 08:53 AM
I follow what @davidacland said. I take it a couple steps further by disabling hibernate/sleep and locking down the sleepimage and VM swap file with blank files that the OS cannot modify (since USB drives are pretty slow). I also delete a LOT of files from the OS, so the resulting compressed DMG is ~5GB (for easier global distribution) and it can be restored to an 8GB USB drive, which is what most techs seem to have lying around.
Posted on 06-19-2015 09:07 AM
@MTurnerFMRCO Sorry - Distracted Reading. Missed that part. Are you imaging from a JDS?
Posted on 06-19-2015 04:02 PM
@MTurnerFMRCO Can you possibly log an issue here?
Include the AutoCasperNBI log & com.macmule.autocaspernbi.plist please, oh & the certificates in the system keychain please!
The cert should download if a JSS URL is being set.. is one?
I'd also like to see where this is hanging on 10.8.x, lastly you should be able to create a 10.8.x NBI on a 10.10.x Mac.
Posted on 06-22-2015 08:39 AM
@bentoms I can upload the logs, where exactly do I find them?
The JSS URL is being set in the appropriate line in the ACNBI utility and it confirms connection and matching version with Casper Imaging app. The message pops up each time I attempt to build a device, whether at the beginning of the process or before a reboot step.
I will get a screen shot of where it hangs up on the 10.8.x device and upload it here. There has been no attempt to create a 10.8.x NBI at any time. Only trying to create a 10.10.x NBI on the Mountain Lion machine and then on the Factory Yosemite machine. No issue on factory device.
Basically, I am trying to build 10.10.x boot media that is lite and easy to restore to USB drives so that I can start working on a 10.10.x OS image (something else that I will be reaching out to the community for help with as all of this is so new to me).
Posted on 06-22-2015 08:42 AM
@davidacland I have tried as you suggested and everything went smooth...until I launch Casper Imaging and get the same certificate message that the server may not be trusted.
Question, when CI is launched, it asks for the URL of the Casper server, and has a check box for 'trust certificate from untrusted source' or something similar to that. Should this be checked or unchecked?
Posted on 06-22-2015 08:43 AM
@manyusersaccount I have done as you suggested, did not tick the option for ACNBI to create a restorable DMG, rather to just utilize the one created for the normal process. Have restored the image to USB and will be attempting a build shortly, will send results.
Posted on 06-22-2015 08:45 AM
@MTurnerFMRCO if you have a self-signed (untrusted) certificate on your JSS, leave it unticked.
Posted on 06-22-2015 03:10 PM
@davidacland FWIW, Invalid cert should be enabled
@MTurnerFMRCO The logs should be in ~/Library/Logs/AutoCasperNBI.
If you can post the logs & ~/Library/Preferences/com.macmule.AutoCasperNBI.plist here, also with what's been happening & I'll have a nose.
Posted on 06-22-2015 03:12 PM
Oops, my bad, I knew what I meant!
Posted on 06-23-2015 07:37 AM
@bentoms Issue opened through your link. Do I upload the logs or are you looking for a copy/paste?
Posted on 06-23-2015 07:38 AM
@davidacland I tried both ticked and unticked. Same result. Certificate warning message each time at some point during the build.
Posted on 06-23-2015 08:23 AM
@MTurnerFMRCO Copy & paste will work.. or use this & upload that way.. (I need to fix the CSS on that page it seems..)
Can I also have a copy of the casper imaging plist from the NBI?
Posted on 06-23-2015 09:19 AM
@MTurnerFMRCO this sounds like a different problem I've seen. Do you mean it happens mid-imaging / deployment? Could you post a screenshot?
Posted on 06-23-2015 10:14 AM
@davidacland The issue happens sometimes as Casper Imaging loads and sometimes right before a reboot occurs in the build process, towards the end of the process.
Posted on 06-23-2015 10:32 AM
I've had this before when there was a firewall between the client and the JSS that was doing SSL deep packet inspection, where is your JSS in relation to the client Macs?
And do you have a properly signed SSL certificate on the JSS, or is it self signed?
I've had one more drastic issue where I had to clear out some MySQL tables and redeploy the tomcat webapp, I'll see if I can find the jamfnation thread that talks about it.
Posted on 06-23-2015 12:33 PM
@davidacland The current environment utilizes ML and Mavericks boot sticks for imaging, no issue on those at all. However, those were all created by our former Mac engineer, this is my first whack at it. Trying to get Yosemite up and running as a boot drive.
Macs are global, most in US. Right now I am in NC and JSS servers are in New England. Though there is a distribution point local.
I believe that the certificate is self signed. Is there a quick way to verify?
I have tried moving the certificate on the boot drive from System to just Login locations, no change. Even changed some of the settings within, no luck.
Posted on 06-23-2015 01:15 PM
It's possible that there is something between the clients and the JSS (ssl related) that wasn't an issue in 10.9 and earlier.
You can check if you have a self signed SSL cert by connecting to your JSS in a web browser and checking the https certificate. It would look something like this
Posted on 06-24-2015 11:43 AM
@davidacland That could very well be possible, not sure as this is my first attempt at boot media and apparently the first Yosemite boot media to be created. I am using Casper Imaging 9.4. Possibility of trying a newer version of the Imaging application?
Cert appears to be self-signed.
Posted on 07-06-2015 06:15 AM
Re-creating the boot media using Casper Imaging 9.72 appears to have partially resolved the certificate error message. Upon initial launch the certificate message does not pop up, able to image a device as normal.
However, if I quit Imaging and re-launch the application the certificate error message is present and continues to occur upon each subsequent quit and launch. Only first launch works without issue. This applies to boot image created manually as well as using AutoCasperNBI.
Posted on 07-11-2015 05:28 AM
@MTurnerFMRCO Have you reached out to JAMF support about this?
I've not seen this behaviour myself, & am struggling to recreate.
Only thought I had was: is your JSS behind a load balancer?
Posted on 07-19-2015 02:42 PM
@MTurnerFMRCO Any update from JAMF on this? I cannot recreate the issue at all.
Posted on 07-20-2015 05:05 AM
@bentoms JAMF support was also scratching their heads on this one. I just got it to work this past Friday after trying and re-trying numerous tests. See below for steps and what eventually worked.
Letting AutoCasperNBI pull the cert from Casper itself did not seem to work. Was present in keychain, looked good to me.
Exporting the cert from Casper and manually adding it to the keychain myself did not work.
As I am very new to this whole Casper and Mac world, I started looking to our production devices, running ML at this time. I noticed that the devices had a Casper cert as well as an internal cert. I grabbed the internal cert, brought it to the USB boot image device and imported it, making sure to match all settings that were present on a production Mac device.
Then began testing. Casper Imaging 9.72 now launches and connects without issue on each and every launch without server cert error messages.
Not sure if this is normal or not, but without both of these certificates on the USB boot device, I get the server cert error message each time and the builds would not complete.
I am assuming that the AutoCasperNBI tool grabs that Casper cert and applies it, that's what it always looked like after I would restore the image it created. Not sure if anyone has run into this, perhaps only the Casper cert is required for most people's USB boot media, we needed both.
Now onto a server upgrade and trying to create a Yosemite base image......
Thank you (and everyone that responded) for the help!
Posted on 07-20-2015 10:50 PM
@MTurnerFMRCO Actually, makes perfect sense...
I was having a nose at AutoCasperNBI & it's grabbing the JSS's CA cert.. Not the Tomcat cert.
If you add the "internal cert" as an additional cert to AutoCasperNBI... It should work, as in the created image should have the cert trust in there as needed.
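Added example (not from any poster in this thread and not AutoCasperNBI code): a command-line version of the two checks discussed above, whether a certificate is self-signed and which CA a server certificate actually validates against. It assumes a setup like the one described, where the Tomcat certificate was issued by an internal CA rather than by the JSS built-in CA; every certificate and name is constructed with `openssl` for the demo.

```shell
#!/bin/sh
# Added example: all certificates and names below are constructed for the demo.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed: issuer equals subject AND the signature verifies under its own key.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when certificate $2 validates with ONLY anchor $1 trusted.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Minimal openssl config for subject CN=$1, written to $work/$1.cnf.
make_cnf() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' "CN=$1" '[ext]' \
        'basicConstraints=critical,CA:TRUE' > "$work/$1.cnf"
}

# Throwaway self-signed CA: $work/$1.key and $work/$1.pem.
make_ca() {
    make_cnf "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/$1.cnf" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

make_ca jss_builtin_ca   # stands in for the JSS CA cert placed in the image
make_ca internal_ca      # stands in for the "internal cert" from production

# Server (Tomcat) certificate, issued by internal_ca (assumed scenario).
make_cnf tomcat
openssl req -new -newkey rsa:2048 -nodes -config "$work/tomcat.cnf" \
    -keyout "$work/tomcat.key" -out "$work/tomcat.csr" 2>/dev/null
openssl x509 -req -in "$work/tomcat.csr" -days 2 -CA "$work/internal_ca.pem" \
    -CAkey "$work/internal_ca.key" -CAcreateserial \
    -out "$work/tomcat.pem" 2>/dev/null

for anchor in jss_builtin_ca internal_ca; do
    if chains_to "$work/$anchor.pem" "$work/tomcat.pem"; then
        echo "tomcat.pem validates against $anchor"
    else
        echo "tomcat.pem does NOT validate against $anchor"
    fi
done
```

To run the same checks on a real deployment, export the server's certificate and each candidate CA from the boot image's keychain as PEM files and pass those paths to `is_self_signed` and `chains_to`.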
Posted on 07-21-2015 12:20 AM
Actually, I think this may be a Casper Imaging issue.
By default, AutoCasperNBI will set Casper Imaging to ignore Invalid certs if a JSS URL is passed to it:
If Casper Imaging is not honouring that, then it's a bug with Casper Imaging.
If a JSS URL is not being entered into AutoCasperNBI then it's still a Casper Imaging bug as Casper Imaging will not honour the "allowedInvalidCertificate" key. (FR)