DEP "ReImage"

Asnyder
Contributor III

How do schools reimage their machines over the summer with DEP? I've just started DEP recently and right now I do the internet recovery, but that seems to take forever, even with a caching server and being plugged into the same switch as it. Even doing a new install off the recovery partition will take about an hour. Our Apple rep gave a presentation at our AEA and talked about how with APFS and snapshots you can restore to a base image in about 2 minutes. Unfortunately, I had to leave early and never got a chance to ask him how he did it. We refresh all of our student computers every summer, which is about 500 MacBooks.

17 REPLIES

bbot
Contributor

Subscribed. I know some others are creating bootable USB drives with the macOS installers to wipe. I'm looking for something as fast, if not faster than our current DeployStudio setup.

ScottOram
New Contributor II

Curious on this as well...

qsodji
Contributor

Quite simple actually. If you have the installer from the App Store, use AutoDMG to get a dmg image of it.
Then set the computer in target disk mode and use Disk Utility to wipe and restore it.
I do this all the time to test DEP scenarios etc. Now if you have to do more than one, I would recommend using tools like Imagr or DeployStudio, and you could build the workflow so it does it as soon as the computer netboots.

stevevalle
Contributor III

I have a NetBoot server specifically set up for this scenario.

Rather than using internet restore, staff are able to NetBoot the Mac and restore it from a base OS image that I insert into the NetBoot image using Disk Utility. This process takes less than five minutes!

When the Mac restarts, it automatically goes into our DEP enrolment workflow!

maurits
Contributor

I agree, Internet Recovery is slow.
Slow to boot, slow to install (depending on your internet speed to download 5 GB), plus 20 minutes install after reboot.

You should use a (package-based) installer due to possible firmware updates, but one can (for now) use imaging to replace same-version macOS (HT208020).

I see four good options that are faster than internet recovery for your scenario.
All you need (with DEP prestage configured) is a 'fresh' macOS (including typical times as I have seen).
1-use a USB bootable installer (SSD or stick), which you can create with the createinstallmedia script from the macOS installer app (5 minutes boot, 4 minutes install, plus 20 minutes install after reboot)
2-use a local NetInstall (on macOS Server), this is faster than Internet Recovery (but with fast internet the difference is rather limited) (10 minutes netboot, 4 minutes install, plus 20 minutes install after reboot)

Provided the firmware is up to date on all your Macs you can do imaging:
3-use DeployStudio or Imagr, but it is not sure how long this will be supported (10.14??). Netbooting is slow (10 minutes), restore is fast (5 minutes)
4-use Thunderbolt-based restoration (the fastest I have seen) with Google Restor or FileWave Lightning. Biggest drawback (compared to DeployStudio etc.) is limited configuration options (the restore app cannot make different configs for each target since it cannot recognise the target), but for your case this is not important.

If you restore many devices option 4 looks the fastest to me. What do you think?

cscsit
New Contributor III

I just use Deploy Studio to image my Macs and I have the JSS enrollment package as part of a workflow that runs after imaging, naming, and joining to AD. Yes, I have to build my own images but that is easily done with Deploy Studio. It works so well and is very fast so as long as I can do this, I think I'll continue to use this method, even with new Macs coming in.

All you really need is a Mac mini to host the images and the boot environment (with Server running). It's a simple setup and works really well. I even have a replica Mac mini server in another building, and Deploy Studio can set up a replica server, which is great for us because then we don't have to image across the network as the buildings are 4-5 miles apart. Any changes on the primary server will sync to the replica automagically.

Asnyder
Contributor III

@cscsit @maurits Currently I use JAMF imaging to do all my imaging; I have a couple netboots and a couple netinstalls. I'm just trying to get away from that if I can. Looks like using netbooting to an image with JAMF imaging installed on it to lay down the base might be the way I continue to go. I'm trying to be as hands-off as possible. This way I could start with all the machines up and use JAMF Remote to netboot them all at once and have autorun set up to lay down the base image. Either that or look into doing it over Thunderbolt, but that would be a lot more involved. USB booting might not be a bad option either. The closer I can get to internet recovery with the speed of Thunderbolt the better.
Thanks for all the suggestions!

blackholemac
Valued Contributor III

I would recommend considering an Apple Netinstall image as made by System Image Utility. You could boot to that and have an Apple-supported Installer that works while keeping part of the traffic internal to the network.

bbot
Contributor

Great suggestions. I'll be looking into NetInstall images. (We currently use DeployStudio, which works great for 10.12.6. I haven't tested 10.13 High Sierra yet.) Found a few links here that may help some of the other guys on here:
https://www.macworld.com/article/3086908/macs/how-to-create-your-first-netinstall-image.html
https://www.macworld.com/article/3089471/macs/fire-up-the-netinstall-service.html

bbot
Contributor

Has anyone been able to use NetRestore/NetInstall to wipe an FV2 encrypted drive, then install a clean OS? If so, how?

My machines boot to the netboot, then get stuck at the unlock a device. Once I manually type in the password, it starts installing. The only issue is that it's not wiping the drive, just re-installing the OS. (All the old data is still there.)

Randydid
Contributor II

I am testing the NetInstall method right now, myself. We are new to DEP and only have about ~700 DEP eligible Macs out of thousands in our environment. Not sure how I am going to get our SOE to flow onto our what I call 'legacy Macs.' It seems until they age-out/off, things are going to be pretty awful. Is there anyone out there that has solved a scenario like ours? Currently, we are just going to continue to re-image using Sierra and not think about High Sierra except for the DEP eligible ones going forward.

/randy

russeller
Contributor III

@Randydid If I understand the issues with 10.13 correctly, can't you create model-specific builds (never-booted base images of 10.13) of your legacy Macs and create imaging workflows for each specific model? If you have dozens of different models this wouldn't be ideal, but if you only have a couple it might be manageable. Please someone correct me if I'm not understanding this right.

fsjjeff
Contributor II

@ssrussell My understanding is it's not a matter of just creating model-specific builds, but rather that the macOS installer itself (and apparently the Security updates now as well) has embedded firmware updates that may be specific to different models.

spalmer
Contributor III

With the High Sierra installer the firmware updates are not embedded, they are downloaded on the fly.

https://support.apple.com/en-us/HT208020

You must be connected to the Internet when you upgrade your macOS. After your Mac confirms your connection, the Installer uses the model number of your Mac to locate and download a firmware update specific to only that Mac.

This is why further down the page it states:

Apple doesn't recommend or support monolithic system imaging when upgrading or updating macOS.
Monolithic system imaging can only be used to re-install macOS, not to upgrade to a new macOS version.

Look
Valued Contributor III

I have moved us to NetInstall with the release of 10.13; it seems to work very well and even goes away and gets firmware installs etc...
It is slightly broken though, so just be aware you cannot have more than one additional pkg and scripts completely don't work!
We are just using the Disk Utility within the NetInstall environment to wipe the drive before proceeding with the macOS install.
It has significantly sped up with the newer hardware refresh, the SSDs are just darn fast, with the post-reboot installation that used to be ~19 to 20 minutes dropping down to ~11-12 minutes (this is the estimated time by Apple's own installer so may not reflect the actual time taken, but you get the idea of the speed increase).

easyedc
Valued Contributor II

Question for those who are using NetInstall. Are you impacted by having your imaging server on one subnet and your target on another? That's historically been the limitation that I've encountered. And combined with SSD-SSD-over-TB speeds, monolithic imaging was so unbelievably fast (20 GB image in 90 seconds anyone?), I never went too deep down that rabbit hole.

Look
Valued Contributor III

@easyedc Not as yet, although I may know more later today as we are going to deploy a couple of classrooms simultaneously in different subnets (I have previously done a few machines at a time). But given the macOS installer only takes 2 or 3 minutes to download before rebooting and running it locally, and that is the only thing coming out of NetInstall, I can't see it being that much of an issue.
One thing for us though is that speed is not an issue (within reason); with everything policy based, the larger setups we have with the full version of Adobe and some other big apps in there are taking about 60-90 minutes start to finish to deploy and this suits our purposes just fine. The smallest setups for staff machines without Adobe are only about 20-30 minutes start to finish.