Imaging Mac - what are you using in companies?

KRIECCO
Contributor

Right now what options are there for installing Macs - both inside Jamf and outside Jamf (not using Jamf at the moment)?
So just wondering what you admins are using in companies - or what you are planning to switch to.

12 REPLIES

Jenn_Shipp
New Contributor

This depends on your network infrastructure. If you have some type of SMB or AWS server available, you can do netboot with your deployment .pkg. If you have a large amount of Macs you will want to utilize Apple's DEP (Device Enrollment Program). If you have a small amount of Macs you can simply do Target Image mode with a data cable (depends on Mac, e.g. USB-C 3.0) and push an image with applications and enrollment, which would take about 1-2 minutes.

dgreening
Valued Contributor II

I would think long and hard about implementing or continuing on with methods of provisioning which are not specifically Apple approved and supported moving forward. Many folks are going to be VERY disappointed/panicked when Apple fully locks down the OS restore process. That being said, we use Internet Recovery or "createosxinstallmedia" based booters, User Initiated Enrollment, and an automated provisioning workflow which is kicked off for machines at enrollment if they meet criteria. We are dipping our toes in DEP, and hope to have it up and running in countries which support it shortly.

jcline
New Contributor III

You're gonna want to start using Recovery Mode, because very soon that's the only thing you'll be able to do. It's already difficult to do with APFS. So look at using DEP to "image" your Macs going forward.

alexjdale
Valued Contributor III

We've used bare-metal imaging for years, but with High Sierra and APFS we are simply having our techs maintain the latest USB installers and perform a wipe/reinstall if we have to turn around a system.

For new devices with the OS installed, we simply enroll the device and run a Self Service policy that installs all of our apps and performs other functions (AD bind, network/cert setup, etc).

"Imaging" by applying a disk image is officially dead now that Apple is actively discouraging it. Unless they come up with some kickin' restore tools, which I am not going to hold my breath for.

amoscaritola
New Contributor III

I'm agreeing with everyone here: DEP and thin imaging is the way to go right now if you can. The computer will enroll to your JSS in the initial setup, then you can have it run a script during enrollment to trigger policies to install your applications and settings.

mking529
Contributor

What @dgreening said. We've been monolithically imaging since we started our 1-to-1 Mac program and as of High Sierra Apple is officially saying this isn't supported. It's 100% not supported as an upgrade path, and the language is wishy-washy at best for "reprovisioning". And that goes for Jamf management or anything else. This is an Apple design choice. Whether it's a good one is up for debate. I'll withhold my opinion on it because I'm trying to have a positive Monday. ;) (And I've discussed it at length in other threads)

The new sheriff in town is DEP, Configuration Profiles, and (through Jamf Pro) policies. The good news for you is you can build your rollout around these things so it will likely be a lot less painful than those of us who have had more monolithic Mac deployments for a while. But yeah, it's probably best to not even look at laying down images at this point.

jcline
New Contributor III

Honestly it's so much simpler doing without imaging anyway. With this you either have to boot Command+R or USB drive and just let it set. Once you have it set up in JAMF you really can just hand it to the end user and let them use it like a new device out of the box.

Look
Valued Contributor III

It really depends what you're after; I can't really imagine anything other than enrol and provision for 1:1 devices. If you're talking about a lab environment of identical units it starts to become a bit more of a pain, although we still opted to do it this way from this year simply because you generally run into way fewer issues down the road if you do things the Apple-intended way.

mking529
Contributor

Yeah, in our case handing them a machine that's ready to go with software already installed is a borderline necessity. The pitfall to the new Apple methodology is this does take more time than laying down an image and calling it good. I don't foresee it being a disaster for us, but it's definitely going to be a longer, slightly more hands-on process than before.

ChupSuy
New Contributor III

Have to agree with mking529 here, especially if you have to turn around a large number of machines, kinda in the range of 2500+, in a very short turnaround; that's definitely a problem.

dgreening
Valued Contributor II

The best place to direct your displeasure with the approved deployment workflows is at Apple/AppleCare. They are going to keep removing things or deprecating features and seeing who screams about them, and then decide whether or not they want to offer an alternative. If you don't give feedback, they assume that no one cares about or uses certain capabilities, and <poof> they are gone. Get a dev account, check with AppleCare about AppleSeed beta enrollment, test the new features, and submit feedback. Annoying and short-sighted on Apple's part? Yes. It is the world we are in now in terms of features which are not mainly consumer facing.

mking529
Contributor

Indeed, I've tried my best to have a constructive conversation with our assigned Apple contacts during our "huh?" moments.

I'm all for Apple's in-house (in-OS?) solutions but they just need to support it fully. Every aspect of the OS should be manageable in Configuration Profiles. G Suite does it. Active Directory Group Policy does it. Right now, it's not quite there. I'm not afraid of the terminal in the least, but hacking around with it in a professional deployment just seems off to me.

But to steer back on topic a little, as others have said on this forum, with the changes made to High Sierra it's better to get on the train than hold onto the old solutions if at all possible. Especially if you are starting a new deployment. I feel for those organizations with low to no bandwidth sites, though.