Image Build Contents

peelers
New Contributor

Hi Guys,

Macs are new to our environment and I'm trying to determine what to put in my base OSX image, would like to poll you guys.

1) What base Mac software do you have baked into your image?
2) What other Mac software do you script an install for during build?

Would really appreciate your input on this, trying to get it right the first time! I know this is a very subjective question, just looking for the common denominators out there.

Thanks in advance!

16 REPLIES

mscottblake
Valued Contributor

In my environment, my base OS package is just that, the OS; nothing more. I utilize packages, configuration profiles, MCX, and scripts for each and every customization that's needed.

I do utilize configurations so that at imaging time, all the software, scripts, etc are pushed out, but they are all compartmentalized.

peelers
New Contributor

Can you list what you push out in terms of software packages for your baseline Mac?

mscottblake
Valued Contributor

My baseline staff image really only has the OS pushed and a Self Service package. However, I work in a library, so most of my machines have a ton of software preloaded and preconfigured for our students. There's more for some machines than others, based on their group memberships. You can find a list at https://systems.lib.wvu.edu/services/software/mac/.

In most cases, the same package can be used for both staff and public machines. There are occasionally packages (like Firefox) where I've split the software from the configurations and made separate packages. This serves two purposes. First, it makes upgrading easier since most of the time, you can reuse the same configuration package. It also allows greater customization between different uses. In the case of Firefox, I push the app and the configs to all public machines, this locks in some settings; however, I don't want my staff to be locked in, so I just don't push the configs to them, just the app.

I hope this helps clear things up for you. If not, there is a great wealth of knowledge to be found in The Nation, as well as some very knowledgeable trolls hanging around.

Chris_Hafner
Valued Contributor II

You're going to get 1000 answers from 300 people on a question like this ;-) Every situation is different. Some will use "clean" OS images created via InstaDMG with all the various packages and settings scripted along the way. Some don't use base images at all.

In our case we have about 10-ish configurations that are derived from 2 base images. I admit that I tend not to script every little thing. Rather I create two custom base images. Install some problematic printer drivers (so that doesn't have to happen when my users install supported printers). Then I set a few plists into the user template folder. Generally it's to set Finder view preferences etc... pretty basic stuff that's easier for me to manually manage in the base image than worry about testing scripts. (We use profiles... not MCX just FYI)

What are you trying to accomplish/what's getting you worried?

mattias
New Contributor

Based only on what the organization that I worked for needed, I made a default image with OS, Office, Acrobat Pro and printers. It was around 150 users with different needs so after reboot I logged in as admin and adjusted correct printers, correct name, bound to AD manually, set up Outlook and installed McAfee. I guess the point - in my case - is that there are many ways to accomplish things, and for me it was always important to be a part of the agency, and not trying to achieve everything automatically to "save time" and stay away from the users.

I then distributed for example iWork, Final Cut and CS 6 to those users who needed it. I think base OSs are the best practice and then make smart groups for deployment, but since this was software standard for all users always, it worked pretty good until I made a new image.

aamjohns
Contributor II

I come from a Windows background and years of imaging and software maintenance. The approach I have developed is a minimal image - OS and updates, and then push, script, whatever... the rest. For example, in the Windows world I use MDT to image. The image is just OS and MS Updates. We then use SCCM to push the software.

For the Macs I am creating an unbooted image with InstaDMG. I use catalog files to add updates and some minor packages to the image. I then use policies to push software to the newly imaged machines. The configuration profiles, MCXs, and scripts to do the rest.

The reason for this approach is I don't enjoy updating images. It takes too long. By pushing the software, I don't have to worry about updating the image every time a new version of some software comes out, I can just adjust the policy. To me this is a more efficient approach. I know my answer is not bringing anything new to the table but I thought I would share my approach.

dpertschi
Valued Contributor

Rob, if it's all new to you, I would definitely suggest developing a 'no-image' deployment workflow. I'm hoping to make that transition this year.

I've been building images for years now and I'm burnt out. It was fun when I had less to do, now it's a hassle that we don't need anymore, especially with the constant release of new hardware that requires special builds until the combo update comes out. Blahhhh.

Casper Imaging will happily allow you to lay down scripts and packages onto that out-of-the-box hardware resulting in whatever standard configuration you like. Nope, not as easy up front as the build-n-bake method, but ohhh how nice it will be to ditch the unneeded 5GB of base image being thrown around and deploying new hardware without the worry of release version compatibility.

I'm including Office, Flash, Shockwave, Java, Flip4Mac, McAfee, Firefox.

Lose weight, ditch the image!!!!

Chris_Hafner
Valued Contributor II

Yep, there's a way for everyone. That's why I love dealing with Casper and the JSS.

aamjohns
Contributor II

@dpertschi,
Yes, I did not address that aspect. Just imaging. I agree that a new machine should not need to be imaged. Just install the software and configure. Imaging would most likely just be recreating what came in the box, and a waste of time.

mm2270
Legendary Contributor III

The thin or no-image approach certainly is intriguing and I think we will all get there eventually, out of necessity if nothing else.
However, the only point I'll make about it is that you still need some kind of workflow for cases when a Mac HAS to be re-imaged, as in, the OS gets damaged in some way and needs to be reinstalled fresh. It does happen, even with as advanced as OS X has become. It could be as 'simple' as an Internet restore, re-enroll in Casper and re-apply all policies, but that could be a rather lengthy procedure. Maybe there are slightly faster approaches to this, but in the end, if you eschew creating a master build that works on all or most of your Macs, your options for a re-image become limited.
I think for this exact reason, we still build a base OS image to do the old fashioned nuke and pave and then install software on top of it.

jarradyuhas
Contributor

We run the installer image, load an Active Directory bind and then preload a folder with some larger files during the imaging process. Once it checks in for the first time, it installs other software based on policies. Works wonderfully for us so far. At my previous employer, we would install everything in a flat file due to some issues we were having with applications. From there, we would apply policies and add accounts. There are so many ways to do it, so experiment and see what works best for you.

Chris_Hafner
Valued Contributor II

@mm2270, here's the beauty of what you're wondering. Run as fast as you can towards the "thin-imaging" approach. The only difference between the normal "thin-image" and a full restore will ONLY be an unbooted Mac image. Use InstaDMG to create one and that would be the ONLY thing you need to add to a workflow when a unit needed a full re-image.

mpermann
Valued Contributor II

@Chris_Hafner, do you have your individual installer package option set to "This package must be installed to the boot volume at imaging time" in Casper Admin or are you handling it differently? I've been trying to move from the "flat file" method to a more "modular" approach but am wondering if the difference in time it takes between the two methods is close enough to make it worthwhile. My current workflow has Casper Imaging block-copy an up-to-date base OS image and copy 22 individual installers to the hard drive that get installed as part of the first run script. It takes around 5 minutes to accomplish the first part then another 18 minutes to run the 22 individual installers. This workflow consists of the base Mac OS 10.8.4, Office 2011, GarageBand, iPhoto, iMovie, Adobe Reader, Symantec Endpoint Protection, Flash Player, Shockwave Player, Silverlight Player, Flip4Mac, RealPlayer SP, Firefox, SeaMonkey, Stuffit Expander, and 3 MFP print drivers. The old flat file method took about 12 minutes last year with the same complement of software. Since we only do mass computer roll outs once per year I don't know if this approach is the most time efficient one. I will admit this method would be nice for the small numbers of computers we have to image throughout the school year. How long does other people's typical workflow take to complete?

Chris_Hafner
Valued Contributor II

We also have a mass student imaging once per year. Otherwise we image randomly in varying sizes as part of normal IT operations. I run a mix of packages and a few scripts along with my slightly modified base image.

You hit the reason for my method by asking about the use of the "Install at imaging time" feature. Some packages end up really wanting to be installed at boot time of course. These are the packages I tend to install on the base image. I do this primarily to improve speed during imaging. My student configuration has 23 packages that are installed after the base image. There are also two scripts that I run during first boot. One turns off Java update and the other makes all the user libraries visible. I try to compile and compress this type of configuration and distribute it via Block-Copy. I do this just as JAMF intended in CasperAdmin. Nothing funny! The result is a 23ish gig image that installs over a gig connection in about 7 minutes (pre-stage). Without pre-stage or if you're going through a large number of switches it can slow down to about 12-14 minutes from power on to login screen. 100Base connections can take anywhere between 20 and 30 min. depending on the type of computer.

For mass imaging we have simplified the network links between the jss core (JSS, NetBoot servers and Distribution Points) and the switches handling the main imaging areas. I should point out that our servers are good at pushing the data at the bandwidth that is required.

In any event, I try to keep these configurations compiled for this reason. It may take some extra time on a computer sitting next to me but the advantages in speed are well worth it. Obviously I lose those advantages when I update any of my various packages or the base OS until I find it convenient to re-compile. During the year though, I rarely have to update the base image as I can add any updates so long as they don't really want to install at "imaging time"... Well, or if something else seems to require it. I keep copies of my historical base images so that I can easily reconfigure, repackage and recompile them in their configurations and move on with life.

In this fashion I get the best of both worlds.

peelers
New Contributor

Can I get more info regarding scripts? What are the functions of scripts (mostly interested in OSX function tweaks) that you guys deploy in your build process? Again trying to see if there are any common denominators... thanks so much for all the valuable input!

Chris_Hafner
Valued Contributor II

I would have to imagine that everyone is going to be a bit different. However, there are a lot of scripts shared here (On JAMFNation) as well as in the "Resources" kit that JAMF provides. I'm pretty basic. My first script simply makes all of the user libraries visible:

chflags nohidden /Users/*/Library

The second script comes from the forums here. Citation: # Created by AS (3-2-13)

#!/bin/bash

####################################################################################################
# Creates pref file for Java 7 that has setting which turns off the auto update check feature
# Created by AS (3-2-13)
####################################################################################################

# Paths used throughout; always quoted because "Internet Plug-Ins" contains a space
PLUGIN="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"
PROPS="$PLUGIN/Contents/Home/lib/deployment.properties"

/bin/echo "Beginning running disable_java_updates script"

####################################################################################################
# Get number variable needed to set suppression of update reminder
####################################################################################################

NUMBER=$(/bin/cat "$PLUGIN/Contents/Enabled.plist" | grep ';deploy=' | cut -d"=" -f2 | cut -d"<" -f1)

echo The number for suppression of this version of Java is "$NUMBER"

# Verify that it received a numeric value (anything beginning with a digit is accepted)
case "$NUMBER" in
    [0-9]*)
        echo "Entry is a numeric value. Continuing..."
        ;;
    *)
        echo "Error: This entry is not a number. Will fail to properly suppress update pop up."
        ;;
esac

####################################################################################################
# Remove Updater Launch Agent Sym Link that gets created during updates
####################################################################################################

/bin/echo "Checking to see if Launch Agent sym link exists..."

if [ -f /Library/LaunchAgents/com.oracle.java.Java-Updater.plist ]; then
    /bin/echo "Launch Agent exists. Removing."
    /bin/rm /Library/LaunchAgents/com.oracle.java.Java-Updater.plist
    /bin/echo "Removed Update Launch Agent Sym Link"
else
    /bin/echo "Launch Agent does not exist."
fi

####################################################################################################
# Remove Updater Launch Daemon Sym Link that gets created during updates
####################################################################################################

/bin/echo "Checking to see if Launch Daemon sym link exists..."

if [ -f /Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist ]; then
    /bin/echo "Launch Daemon exists. Removing."
    /bin/rm /Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist
    /bin/echo "Removed Update Launch Daemon Sym Link"
else
    /bin/echo "Launch Daemon does not exist."
fi

####################################################################################################
####################################################################################################

# Check to see if Java Plugin exists
if [ -d "$PLUGIN/Contents/Home" ]; then

    echo "Java Plugin is installed, continuing..."

    if [ ! -f "$PROPS" ]; then

        /bin/echo "The deployment.properties file does not yet exist. Will create..."

        # Create deployment.properties file
        /usr/bin/touch "$PROPS"
        /bin/echo "Created deployment.properties file"

        # Change ownership on this new file
        /usr/sbin/chown root:wheel "$PROPS"
        /bin/echo "Changed ownership on deployment.properties file"

        # Change permissions on this file
        /bin/chmod 755 "$PROPS"
        /bin/echo "Changed permissions on deployment.properties file"

        # Write contents of this file
        /bin/echo '#deployment.properties' > "$PROPS"
        /bin/echo deployment.macosx.check.update.locked >> "$PROPS"
        /bin/echo deployment.macosx.check.update=false >> "$PROPS"
        /bin/echo deployment.expiration.decision.suppression."$NUMBER".locked >> "$PROPS"
        /bin/echo deployment.expiration.decision.suppression."$NUMBER"=true >> "$PROPS"
        /bin/echo deployment.expiration.decision."$NUMBER".locked >> "$PROPS"
        /bin/echo deployment.expiration.decision."$NUMBER"=later >> "$PROPS"

        /bin/echo "Wrote content to deployment.properties file. Have a wonderful day."

    else

        /bin/echo "deployment.properties file already exists. Removing and building new version..."

        # Delete existing version of the file
        /bin/rm -f "$PROPS"
        /bin/echo "Deleted previous deployment.properties file"

        # Create deployment.properties file
        /usr/bin/touch "$PROPS"
        /bin/echo "Created deployment.properties file"

        # Change ownership on this new file
        /usr/sbin/chown root:wheel "$PROPS"
        /bin/echo "Changed ownership on deployment.properties file"

        # Change permissions on this file
        /bin/chmod 755 "$PROPS"
        /bin/echo "Changed permissions on deployment.properties file"

        # Write contents of this file
        /bin/echo '#deployment.properties' > "$PROPS"
        /bin/echo deployment.macosx.check.update.locked >> "$PROPS"
        /bin/echo deployment.macosx.check.update=false >> "$PROPS"
        /bin/echo deployment.expiration.decision.suppression."$NUMBER".locked >> "$PROPS"
        /bin/echo deployment.expiration.decision.suppression."$NUMBER"=true >> "$PROPS"
        /bin/echo deployment.expiration.decision."$NUMBER".locked >> "$PROPS"
        /bin/echo deployment.expiration.decision."$NUMBER"=later >> "$PROPS"

        /bin/echo "Wrote content to deployment.properties file. Have a wonderful day."

    fi

else
    echo "Error: Failure to find Java Plugin path. Either Java is not installed, or the path within the plugin has changed. Exiting"
fi

/bin/echo "Finished running disable_java_updates script"

####################################################################################################
####################################################################################################
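
A post-run check for the disable_java_updates script in the post above, as an added example that is not part of the original thread: that script only prints a warning when NUMBER is not numeric and still writes the file, so this audits what ended up on disk. The function name audit_java_props and the sample file contents are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): audit a deployment.properties file
# like the one disable_java_updates writes. audit_java_props is a
# hypothetical helper name. Prints one line per problem; returns 0 if clean.

audit_java_props() {
    props="$1"
    problems=0

    if [ ! -f "$props" ]; then
        echo "MISSING FILE: $props"
        return 1
    fi

    # Settings that do not depend on the Java version.
    for key in 'deployment.macosx.check.update.locked' \
               'deployment.macosx.check.update=false'; do
        if ! grep -qxF -- "$key" "$props"; then
            echo "MISSING: $key"
            problems=$((problems + 1))
        fi
    done

    # If NUMBER came back empty, the script still wrote keys such as
    # "deployment.expiration.decision.suppression..locked".
    if grep -qE '^deployment\.expiration\.decision(\.suppression)?\.(\.locked|=)' "$props"; then
        echo "MALFORMED: expiration keys were written with an empty version number"
        problems=$((problems + 1))
    elif ! grep -qE '^deployment\.expiration\.decision\.suppression\.[0-9][^=]*=true$' "$props"; then
        echo "MISSING: deployment.expiration.decision.suppression.<number>=true"
        problems=$((problems + 1))
    fi

    # The script hands the file to root:wheel; flag a copy that other
    # users could rewrite through group or world write permission.
    if [ -n "$(find "$props" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "PERMISSIONS: $props is group- or world-writable"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample: what the script writes when NUMBER came back empty.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#deployment.properties
deployment.macosx.check.update.locked
deployment.macosx.check.update=false
deployment.expiration.decision.suppression..locked
deployment.expiration.decision.suppression.=true
deployment.expiration.decision..locked
deployment.expiration.decision.=later
EOF
audit_java_props "$sample" || echo "audit failed for constructed sample"
rm -f "$sample"
```

On a managed Mac the function would be pointed at the deployment.properties path used in the script, for example from a first-boot or recurring policy.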