Jamf Nation Community

Hive mind says "Yes"

Fork Youuuuuu Apple!

Yeah, not surprising. This is pretty much Apple's SOP these days. They have little to no interest in keeping a unified OS X build for more than a few weeks at a stretch it would seem. I would think forking the OS so frequently would make for a development nightmare, but what do I know?

Well, good news is that 10.10.4 isn't far off. So, time for a new base image...then wait two weeks for new hardware and repeat...

If only someone had helped with the faffing around when forked...

I'd hazard you might be able to get away with a functional system with the current build 11D136 with a base model 15, but there's a different dedicated video on the higher end models that would likely result in a kernel panic.

This isn't exactly new SOP for Apple. It's been this way for years now. And it usually lasts 2 months until a new combo update unifies the build.

@boettchs Yes, I'm thinking we may try to hold out for 10.10.4 and see if that brings things back together and go with that, especially since 10.10.3 has broken some important things for us anyway.

@mm2270 The guy that knows much about this - @nessts might have info on the latest .4 build. I have not tested that again, so I don't know if beta #3 nixed that or not...but it is a PITA for sure.

This is where @gregneagle chimes in to remind us we shouldn't be touching the OS. ;+)

I have not tested the latest seed for a fix createmobile, I have a fix built in my process anyway at this point, Apple has not replied back on the bug report I submitted, oh wait they have not replied back on the last 6 or the last 7 I have submitted. So, I have not expected any goodness to come from them any time soon.

you may want to wait for something better than 10.10.4 to come out too, I have had lots of unhappiness on this set of seeds. Of course what they release will have only so much to do with what we are testing I suppose since its been something like 3 years since the final seed matched the release version.

From IRC

donmontalvo @gneagle you're wanted in ER... https://jamfnation.jamfsoftware.com/discussion.html?id=14541
gneagle This is why people need a no-imaging workflow in their toolchest.
gneagle Boot the machine in TDM, install your bootstrapping pkgs, shut down. Connect to network, start up. Let your management system set the machine up to your standards.
donmontalvo Yep, been more open to it over the past few months.

cannot agree more, the base OS is important only for re-imaging a hosed machine. all new stuff should just be getting the custom stuff only.

I love the idea behind the no-imaging workflow and have been pushing for it more and more here, but unfortunately, its still a little simplistic to just assume it will always work correctly. If the stable of apps and tools you need on your Mac's is small or very basic, then yeah, it can work great. If you have a number of more, ahem, 'complicated' applications and tools, like AV software (MCAfee AV/Firewall), virtualization, VPN (AnyConnect for example) and other stuff like that which is mandated by the org or environment and which our users rely on daily, it means we can't just blindly accept whatever OS Apple decides to shove down our throats. The next point release could cause incompatibility issues with these apps, and the vendors aren't exactly super quick on updating their wares, which makes matters worse.
Another perfect example is the createmobileaccount binary getting busted with 10.10.3. We use that in a custom user setup process, so if we just took 10.10.3 and ran with it, a lot of remote users receiving Macs would have been dead in the water.
Then there is the issue of "re-images" which means we likely still need a base OS. Internet restores are still pretty painfully slow.

Believe me, I'd love to get away from imaging as a whole and just use the OS they ship with, and I fully expect we will get there, but so far what we've seen is that, at least in our case, its only trading one issue for another.

Has anyone posted a blow by blow of their workflow for thin imaging with Casper? I'd really like to not touch the OS moving forward and not deal with circumstances like this, but I'd like to see how other folks are automating this process so as not to reinvent the wheel.

How do you folks kick off the Casper workflow for setup? I haven't been able to wrap my head around how I get past the initial user setup and Casper enrollment part. Even with DEP, you'd still have to create a user... correct?

I would want all of my users to be created via policies (outside of the end user who would be created via mobile account creation via logging in with AD credentials). Really I want EVERYTHING to be handled via policies and Config Profiles. How do you we make this as no touch as possible? At least as no touch as Casper Imaging.

@hkabik for me, I utilize Casper Imaging on a NetBoot image to get the machine enrolled and to drop my first boot script that handles configuration and installation of packages via policies. Casper Imaging takes care of enrolling the machine and getting the initial management user on the machine so that I do not have to create a user on the machine.

For new machines out of the box, I scan their serial number into a Pre-Stage Imaging workflow in the JSS, boot the machine off the NetBoot Image, and then sit back and watch Casper Imaging auto launch and lay down the first boot script.

I'll beat @bentoms to the punch: My Casper Imaging Workflow

Ah, I was trying to get around a netboot/external boot disk all together. So as to avoid situations where new machines won't boot to previous netboots, such as when Apple forks us.

Thanks though, I'll definitely add your process to my list of possibilities. Really appreciate it.

@hkabik So create a user. In it's current form, yes you need to create a user during Setup Assistant. You can give the user a generic name which gets deleted upon next boot, and have Self Service automatically open for the tech who's binding the laptop to install another apps/printers/etc. In this situation everything is being driven by the JSS and not by the local imaging server or a technician's USB drive.

@mm2270 Well, if you look at it, there's two options. "Blindly accept" whatever OS Apple forces on the new model, or don't buy the new model. If you have apps that aren't compatible with the latest point release that is required on that model than no image/thin image/fat image isn't going to help you unfortunately. On the other hand, it's pretty easy to build a checklist to vet required apps on the latest OS release. You can do most testing in a VM, too.

I have my guys boot them to target disk mode, read the version of the OS off the disk before they touch it, if its one we don't have they capture an image of it then deploy the proper configuration without an OS in the configuration, through casper imaging. turn on the new machine.

Hence from above

gneagle Boot the machine in TDM, install your bootstrapping pkgs, shut down. Connect to network, start up. Let your management system set the machine up to your standards.

Mike,

Yes, we can "just blindly accept whatever OS Apple decides to shove down our throats". If you have to or want to use the new hardware you have to run the OS that it comes with.

I agree that there are many issues that make using the factory OS tricky. I think those of us that use the factory image are trying to point out is that, the sooner we all accept that we have to deploy on Apple schedule the better off we all will be...

It's all trade off for management, want to have the current hardware, well then we are going to have to change the image requirements.

C

PS What really gets me is that asking the 3rd party vendors to deploy on Apple schedule is not something unreasonable to ask. Jamf, Microsoft, Symantec and CrashPlan are just a few that have been on Apple schedule for over three years.

PSS. Now that I am on a roll I will go as far as saying it's our own fault, we enter in contracts with these vendors and don't write our requirements in the contracts!!

Yeah, look, I made it clear I don't love the way things are still being done, and I'm pushing for the change, despite its tricky challenges. Unfortunately, this decision isn't mine alone to make. Right now we are often forced to choose option 2 "don't buy the new model" (until we can support it) Honestly, no-one needs the new models the day after they ship anyway. This gives us some buffer to check on the new model and make sure we can work with it, or create a plan of action if it looks like it will give us some trouble.

Anyway, things are more complicated that they may appear in some places. All I'm trying to say is that those of you just saying everyone should work this way are being a bit dismissive to the realities of other environments that you know nothing about. Just as much as those of that still work the "old fashioned" way need to keep an open mind, the reverse is just as true. There is no such thing as one size fits all.

Mike,

Sorry if I was piling on, and sorry for being hostile, I didn't want it to be but after rereading I was !!!

Super sorry!!!

C

Chris, no need to be so apologetic. You did not offend. This is just one of those topics that brings out fevered debate on this issue (which is good honestly!) I'm not mad at anyone in particular. Partially mad at Apple for not being just a little more helpful in this regard, but more mad at the work environment that moves too slowly to adapt to these changes, and then we (engineers) get saddled with trying to figure out how to make a square peg fit a round hole and do it yesterday. The good news is, management is starting to get it here and are asking us to start thinking of how we can adapt our imaging workflow, so the time is about right to start switching to the better way of working. Apple sure isn't going to change their ways, so we're going to need to. But as things stand, these kinds of forked builds still... fork us over :)

@hkabik you can get the same results TDM the new machine and running Casper Imaging from the machine you are connected to. CI will enroll the machine and drop your first boot scripts, if you have any, and create your management user. Keeps you from having to run through Setup Assistant.

Yeah, thats seeming more and more like my best option. I really appreciate everyones input.

@hkabik I've a few steps on taking a "traditional" imaging workflow & converting it to a no imaging one

The no imaging method is great and all, but falls down at scale, especially at EDU scale where there are thousands of machines that need to be managed/provisioned/imaged
The reason we have a centrally managed netboot system is so that we don't have to mess around with TDM or external HD's, not every site has a tech at it. machines need to be provisioned and imaged by end users so their interface needs to be highly automated and simple. ie turn on, hold n, enter your name, press play.

so again there is no one size fits all despite how hard apple tries to push this one size fits all model on us.

VPP+DEP

Unless you're behind a proxy, then the bet's off.

Authenticated proxies, 802.1x, AD blah blah blah
VPP+DEP again great for small little shops....

True, so many ideas tossed on the table at Apple, and so little vetting, POC in enterprise. :)

DEP is like many of Apple's ideas. Brilliant in concept, truly it is, but not very well thought out for the "real world". The problem is that Apple operates in their own vision of an ideal world where everything is perfect, people always do what they are supposed to, and there are internet connections no matter where you are.
On that last point, as has been pointed out elsewhere, DEP works well, until the first couple of users decide to boot up and set up their Mac with no internet connection, and the Mac does not enroll in your management solution, and does not pick up later that it should get enrolled. Oh well...

@calumhunter My point was to take the normal workflow & amend slightly for the 1's or 2'a that might need a forked OS beforr it becomes unified.

If a number of those macs are delivered & time is pressing, I'd create an OS.dmg from one via Composer (9.7+ so to include recovery).. Then AutoCasperNBI & then it's easy to amend an imaging config.

I so wish Apple would read this thread : ) That said has anybody tested net-booting the new Macs? The past few forked machines still netbooted to the "old" netboot image, allowing us to still use Casper imaging to lay down our files.

C

But what's the real problem? That new Macs have a forked image? How else can it support the new hardware? It's common practice to capture a separate image for those Macs until the next point release of the OS.

Let's be careful though, with declaring VPP and DEP useless. Apple hasn't broke netbooting nor are they requiring everyone to use VPP/DEP. (With the exception of App Store only apps I suppose..)

Netbooting does not fit my needs, so I don't use it. There is a large community where traditional workflows do not help them. I'm not saying netbooting or thick imaging sucks. I use DEP and MDM to deploy my laptops because it works for my needs. DEP and VPP are used in companies of various sizes not just small ones.

One thing Apple could do (not saying we necessarily need them to) is to allow new hardware to still boot the most recent previous OS in some type of "limp" mode. You'd still boot but would not have the best CPU, network, or display speed. Maybe be missing some resolutions or such, but you'd get something better than a grey "no access" logo. Once booted, you could access the internet, where the OS would realize "Hey, I don't have the latest drivers. I will download them." And then boom, your new Mac, running the previous build (in this case 14D131), would be fully functional. Headaches are averted.

@ktappe ....just make a package with the new drivers for enterprise to be able to deploy.....That's how OEMs deal with PCs in the Windows world. The computer could come with whatever OS, but the company can wipe it and just download the drivers for whatever OS the machine supports. It amazes me really that Apple doesn't spend any resources on that considering that they make so much and it would be a huge gesture toward being more enterprise friendly. But I understand if they did that there would be security implications as well because many companies would avoid updating to the latest OS because they could then just stay with what they have already. Just look at how many companies are still running Windows XP....

And just remember however important we think we are, we are probably less that 5% of Apple sales. So, they only put in just enough effort on enterprise as somebody like Microsoft does on making Office be a really good product on the Mac its not their bread and butter and if its good enough people will use it. If we would all drink the Apple Kool-Aid and use a Mac mini for open directory to run your corporation identity management system and let iCloud connect all your devices and not worry about security settings, I am sure everything would be oh so much better :) Or from MS standpoint if we would all run windows then office would be what its supposed to be. Personally I prefer new stuff requiring new OS and not the old OS, but it would be Oh so much better a place to be if they would quit releasing a new OS every 12 months and just fix the current one and add features to it after they do. But what do I know they have billions of dollars I have hundreds, they look much smarter than me from a $ view anyway.

I agree with most of what you said @nessts except I quite like the yearly releases and the App Store model. No longer have to rely on discs and waiting for new reference discs to be available from the Apple Store. Every new update is in the App Store which is nice.

Honestly the forked build is only an issue for 2 months at most of the year.