High Sierra Issues

scottgunn
New Contributor

Hoping someone can help or offer some advice...

As Apple have stated that monolithic system imaging is a thing of the past, or at least not supported going forward with High Sierra, I've run into a few issues with deploying High Sierra to our 200+ Mac estate. Because of the firmware updates not being properly applied via monolithic imaging I was advised by our Apple tech engineer to first run the High Sierra App Store installer so that it pulls down the relevant firmware and to then go ahead with my usual method which is to NetBoot via Parallels, format the disk and then run through our task sequence applying High Sierra and apps etc...

But unfortunately these users are coming back to me a few days later with their MacBooks locking up and freezing every 5/10 minutes regardless of what app is running.

Any ideas?

alexjdale
Valued Contributor III

Honestly, skip the imaging part. The writing is on the wall that Apple isn't going to support it, so you may as well just build on top of a fresh OS install every time, using the App Store installer on a wiped disk. That's what we are doing now and once you accept the paradigm shift it's not that bad. For brand new systems, just use what ships on it and run updates first.

I'm super annoyed about it, but I've decided embracing it is better.

RCoS
New Contributor III

@alexjdale Just so I get this right, you boot to recovery, wipe the disk and then re-install High Sierra from there and then just run a load of policies for the rest of the apps?

Doesn't seem that bad if it works like that tbh

cwaldrip
Valued Contributor

It works great as long as your client machines have easy access to your distribution server, and you don't have a lot of packages to install.

In our case we usually send out a drive containing a copy of the repository to our more remote users (Lagos, Nigeria, Beirut, Lebanon, Cairo, Egypt). All they need is a usable internet connection so that we can remote to their machine and Casper Imaging can read the configuration. We can then remote in, boot to a support partition on the machine, and reimage the primary partition from the repository stored on the local external drive. 45 minutes, tops.

With Apple forcing everyone into their idea of the future, where everyone has Cupertino-style high speed internet, the user just simply (unlikely) boots to the Recovery partition (has to be done locally, no method to do it remotely), wipes the primary partition (try explaining the difference between device and volume to someone who doesn't even know how to get to the Applications menu), reinstalls the latest OS (several hours in some cases for our users). Then on reboot, DEP installs your management software, and then applications and settings are installed through an enrollment complete trigger (and hope that works, it doesn't reliably) or the user installs software from Self Service either as individual policies (hopefully in the correct order) or a train of policies that trigger the next policy in order to install your 30+ GB of required applications and settings, many of which have to be installed in a specific order.

Yep, I'm loving the future. It's so bright I'm obviously missing the advantages as an administrator.

mking529
Contributor

Glad I'm not the only person reading about High Sierra, the new do's and don'ts and thinking "You want us to do what?!" I'm trying to figure out how we're going to proceed with this and I've been browsing around Jamf Nation and even asking Jamf support some things, and honestly I'm really, really nervous of the ability to just lay an image down on a machine and be done with it taken away from us. There are other ways to do what we're doing but they're all SO. MUCH. SLOWER. Jamf brought up modular imaging which takes up more time and from what I've read isn't even officially supported. Deploying software after the fact takes up even more time, especially if you have to run policies over and over because of laptop lid shuts, bad connections etc. like we do. I've been trying to set up Apple School Manager and so far I think it's a joke. I get "stopped responding" errors more often than not and we can't even get a managed Apple ID to show our iOS apps in Apple's Configurator. And I'm supposed to rely on this thing to get computers enrolled? Pfft.

Call me crazy, but I like setting up a couple of near-complete images and laying them down on a machine rather than relying on config profiles for the seemingly few things it's good for, rather than relying on third party best-guess software and dirty terminal hacks that Apple will eventually, but definitely break for the rest. They should either get their ducks in a row for deployments or just flat-out tell us to look elsewhere.

And +1 on the enrollment complete trigger. I'm lucky if it works one time out of ten. I just pretend it's not there at this point.

cwaldrip
Valued Contributor

The workflow I'm testing now, which falls into the 'duh, why didn't I think of this sooner' category...
IF the machine is in DEP (only about 1/5th of our machines are) then Wipe and reimage from Recovery, have the PreStage Enrollment add our local support account, use Enrollment Complete to install our default user account, Pulse Secure and profiles, Bomgar, and run a couple of scripts (rename machine with serial number, etc). That's still going to really suck for our remote users (Lagos Nigeria, Nairobi, Kenya, Jakarta, Indonesia, etc), and only just suck for users in better locations (Berlin, Paris, Denver, Miami, etc).

We can then remote in using Bomgar or Remote Desktop and use Casper Imaging while booted to the primary boot volume. The Post-DEP image doesn't include an OS or anything already installed by Enrollment Complete. We can choose a local repository for our remote users, or a local server for those lucky users. And finish the imaging.

Not ideal. We'll still have to talk the users through booting to Recovery, wiping the drive, reinstalling the OS, and going through the required setup screens (language, keyboard, network (if needed)). But it's better than nothing.

Can't wait until our Apple Rep comes by... 👿

conitsupport
Contributor

Hi, not sure if this is the right place (we just use MDM for our iPads) but we now have a suite of 25 iMacs on High Sierra and I was wondering what's the best way to manage them using Jamf. We want items placed in the Dock and also some shortcuts. Also wondering, can you map AD home drives in Jamf or should we stick with our Mac mini and remote management?

OR

Can we just enrol them like an iPad via a URL? I know, very strange request, but I've not used iMacs in any way, shape or form on a network before, never mind with JAMF.

Thanks.

mking529
Contributor

@cwaldrip I'm glad you mentioned using Casper.. I mean, Jamf Imaging. I had pretty much forgotten you can indeed use it to load up packages on a booted system. This might help us during the summer when the machines are in our IT rooms. It might be easier than waiting for policies to run. I guess it just depends on how many updates we need to get out.

I'm still annoyed to lose the ability to image a ready-made machine, but I'm not quite as full of doom and gloom either after reading how others have adapted to it. I've definitely got some good ideas on what direction to take. I think summer refreshes won't be too bad, but they will definitely be a little more time consuming for our campus technology staff. Because they don't already have enough to do... :/ What's really going to be a pain is when we do inventory rollover. Even if we get DEP going, and have it create some basic accounts and settings, that's gonna be a lot of packaging legwork. Maybe once I move to this approach it won't be as bad as I'm imagining. And maybe, just maybe Apple will make their MDM framework a little more robust by then. -_-

john_sherrod
Contributor II

What I'm doing is a little clunky, but works for now. I unbox a new Mac, run through Setup Assistant, create the ladmin account, and enroll the machine in Jamf. I then launch Self Service and log in and then kick off a policy that installs all of our standard apps and printer drivers.

allanp81
Valued Contributor

@john.sherrod That's how we've been doing our laptops for a while.

With our student Macs though I'm sticking with monolithic imaging for as long as I can as we have so many different environments and configurations.

cisdadmin
New Contributor

I have been trying for days now to deploy a High Sierra image and cannot get the background to show up once logged in. After reading this blog I think it is time to give up. I can install Sierra and download the High Sierra image to the desktop, run it, and everything works. But to push it from Casper is not working. It is taking twice as long to image these computers and set them up. But, I guess Apple thinks they know what is best for us. Go figure.

mking529
Contributor

Yeah, imaging is pretty much dead. Most of us have found it's best to just stop trying to fight it, even if it destroys your current workflow. Which it definitely did ours.

We got some new computers recently that shipped with High Sierra and I built new policies and scripts to do as much of what we used to do on our images as I could. As expected I can achieve the same things as before but it just takes SO. MUCH. LONGER. Self Service is great, custom trigger policies are great, scripts are great (until Apple changes stuff and breaks them), but you just can't beat a block copy as far as the speed is concerned. It will be missed. Next year will be the big test as it's time to roll over a campus student deployment of around 350 machines. I will definitely be looking into DEP as time permits throughout the school year.

Our new Apple engineer recently came by and I discussed with them how these changes were throwing us for a loop. He listened and he is definitely a lot more understanding than some of our past reps, but he also reiterated that this is the path Apple's going and to hop on board the Config Profile/DEP/ASM train. In any case it just made me feel a little better to say to someone on Apple's payroll "Please make sure the new way of doing things is there and reliable before taking the old way away."

bozemans
New Contributor III

Like many of you writing on this string, I am faced with the task of upgrading our staff and student MBAirs to 10.13. And I also like the method of Target Mode Imaging (TMI) due to the speed of install. So, I created a base OS 10.12 with the 10.13 downloaded already from the App Store. Put the rest of my .pkg or .dmg in the TMI image and after that process was complete I hooked up to a hardline to complete the restart/enroll/blah/blah....

When that was done and I was satisfied that the unit had all the applications I needed, I would then use the downloaded 10.13 to begin the upgrade. Working with two IT techs we just completed 180 machines using 4 TMI hosts and 20-25 hardline slots in three days.

Then we had 20-30 units that already had 10.13...

I had to learn on the fly how to use DEP and reinstall 10.13, set up prestage enrollments correctly, log in correctly through AD/LDAP, and create packages to run through Self Service. Still working on the last part now....

Later this summer I will repeat this process on 700 student MBAirs...

If I don't get the Self Service to work out I'll go back to the TMI method but honestly the DEP version of install isn't that bad in my environment. I say that because we do have a pretty robust line to internet...and Apple hasn't had a major upgrade/update this week. Either of those would most certainly slow down the new method of OS deployment.