Posted on 10-14-2015 08:24 AM
Each OS is a little different. Curious to see what others are doing on first boot for El Capt. Always good to just compare.
Posted on 10-14-2015 11:03 AM
So far, with my testing, I had to add a couple of lines to disable iCloud popups; otherwise I'm more or less using my 10.10 script.
I'll post it in a bit.
Posted on 10-14-2015 11:07 AM
I am still in need of an alternate way to kill Dock Fixup... Otherwise our 10.10 firstboot script still does the trick.
Posted on 10-14-2015 11:36 AM
@dgreening Are you netbooting when you run Casper Imaging? I think you'll want to set up a separate package that runs during Casper Imaging (not after a restart) and that should take care of what you want.
What does your 10.10 first boot script look like?
Posted on 11-02-2015 12:36 PM
@jwojda Can you please post the additional lines you added to your firstrun script to disable the iCloud popup? My workflow images 10.10.5 fine, but when using a 10.11.1 base the iCloud popup appears anyway.
I've been using the "future proof" popup disabling script floating around on the forums, using sw_build and sw_vers to dynamically generate the data for BuddyBuild and BuddyVersion attributes in the com.apple.SetupAssistant plist, but it no longer seems enough.
Did you also add:
/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastPreLoginTasksPerformedBuild "${sw_build}"
/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastPreLoginTasksPerformedVersion "${sw_vers}"
for 10.11.x?
Posted on 11-02-2015 02:37 PM
@dgreening have you found a way for DockFixup?
Posted on 11-04-2015 08:41 PM
I have been battling the iCloud prompts with 10.11.1. Care to share your script and workflow to disable?
I had previously kiboshed the mini launcher tool in Setup Assistant, which always worked well for me, but SIP prohibits this.
I have been experimenting with Rich Trouton's script and utilising his payload free packaging tool (awesome work Rich!) and baking it into a base 10.11.1 using AutoDMG and Casper Imaging. Still get the prompts. Also used the script in my FB script following Casper Imaging configuration and everything works well apart from the iCloud portion.
Any clues here?
Thanks
T
Posted on 11-05-2015 06:10 AM
Here ya go, sorry for the delay. I think I scrubbed it pretty well. I've noticed some things don't work as well as they should. But at least the iCloud portion works.
#!/bin/sh
#
# Initial setup script for Mac OS X 10.10.x
# John Wojda, Created October 8, 2014
# Last Modified October 21, 2014
# modified June 16, 2015 to enable location services
#
# Initial setup script for Mac OS X 10.9.x
# Rich Trouton, created August 15, 2013
# Last modified 10-25-2013
#
# Adapted from Initial setup script for Mac OS X 10.8.x
# Rich Trouton, created July 4, 2012
# Last modified 7-10-2012
#
#
LOGPATH='/private/var/log'
JSSURL='https://jss.server.com:8443'
JSSCONTACTTIMEOUT=120
FIRSTRUN='/Library/Application Support/JAMF/FirstRun/Enroll/enroll.sh'
ENROLLLAUNCHDAEMON='/Library/LaunchDaemons/com.jamfsoftware.firstrun.enroll.plist'
LOGFILE=/private/var/log/deployment-$(date +%Y%m%d-%H%M).logging
## Setup logging
# mkdir $LOGPATH
set -xv; exec 1> $LOGPATH/postimagelog.txt 2>&1
/usr/bin/say "Beginning Post Image Script"
######################################################################################
#
# Tasks that do not require access to the JSS
#
######################################################################################
####
# grab the OS version and Model, we'll need it later
####
osVersion=`sw_vers -productVersion | cut -d. -f1,2`
modelName=`system_profiler SPHardwareDataType | awk -F': ' '/Model Name/{print $NF}'`
shortModel=`system_profiler SPHardwareDataType | grep 'Model Name:' | awk '{ print $3 }'`
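sw_build=`sw_vers -buildVersion`
# full product version; referenced below as ${sw_vers} when writing the SetupAssistant keys
sw_vers=`sw_vers -productVersion`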
# Get the system's UUID to set ByHost prefs
if [[ `ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50` == "00000000-0000-1000-8000-" ]]; then
    MAC_UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c51-62 | awk '{print tolower($0)}'`
elif [[ `ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50` != "00000000-0000-1000-8000-" ]]; then
    MAC_UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-62`
fi
######################################################################################
# Dummy package with image date and computer Model
######################################################################################
/bin/echo "Creating imaging receipt..."
/bin/date
TODAY=`date +"%Y-%m-%d"`
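# quote the path (it contains a space) and brace the variables so the names end where intended
touch "/Library/Application Support/JAMF/Receipts/${modelName}_Imaged_${TODAY}.pkg"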
###############################################################################
#
# S Y S T E M P R E F E R E N C E S
#
# This section deals with system preference tweaks
#
###############################################################################
/bin/echo "Setting system preferences"
/bin/date
# now Activate Remote Desktop Sharing, enable access privileges for the users, grant full privileges for the users, restart arduser Agent and Menu extra:
# /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw (password) -users admin1,admin2 -privs -all -allowAccessFor -specifiedUsers -restart -agent -menu
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin1,admin2 -privs -all -restart -agent -menu
#
# Enable AirDrop over on all machines on all interfaces
#
/bin/echo "Enabling AirDrop..."
/bin/date
defaults write com.apple.NetworkBrowser BrowseAllInterfaces 1
# Disable Time Machine's pop-up message whenever an external drive is plugged in
defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true
## Show on desktop
/bin/echo "Show on desktop"
/bin/date
defaults write com.apple.finder ShowMountedServersOnDesktop -bool true
defaults write com.apple.finder ShowExternalHardDrivesOnDesktop -bool true
defaults write com.apple.finder ShowHardDrivesOnDesktop -bool true
# Set default screensaver settings
mkdir "/System/Library/User Template/English.lproj/Library/Preferences/ByHost"
# Disabling screensaver password requirement by commenting out this line - can be re-enabled later.
#
defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "askForPassword" -int 1
#
defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "askForPasswordDelay" -int 1
defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "idleTime" -int 0.0
defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "moduleName" -string "Flurry"
defaults write "/System/Library/User Template/English.lproj/Library/Preferences/ByHost/com.apple.screensaver.$MAC_UUID" "modulePath" -string "/System/Library/Screen Savers/Flurry.saver"
##########################################
# Power Management
##########################################
/bin/echo "Setting power management"
/bin/date
# Detects if this Mac is a laptop or not by checking the model ID for the word "Book" in the name.
IS_LAPTOP=`/usr/sbin/system_profiler SPHardwareDataType | grep "Model Identifier" | grep "Book"`
if [[ $shortModel == "MacBook" ]]; then
    pmset -b sleep 15 disksleep 10 displaysleep 5 halfdim 1
    pmset -c sleep 0 disksleep 0 displaysleep 30 halfdim 1
else
    pmset sleep 0 disksleep 0 displaysleep 30 halfdim 1
fi
##########################################
# Scroll Bars
##########################################
/bin/echo "Disabling Scroll Bars"
/bin/date
# Sets the "Show scroll bars" setting (in System Preferences: General)
# to "Always" in your Mac's default user template and for all existing users.
# Code adapted from DeployStudio's rc130 ds_finalize script, where it's
# disabling the iCloud and gestures demos
# Checks the system default user template for the presence of
# the Library/Preferences directory. If the directory is not found,
# it is created and then the "Show scroll bars" setting (in System
# Preferences: General) is set to "Always".
for USER_TEMPLATE in "/System/Library/User Template"/*
do
    if [ ! -d "${USER_TEMPLATE}"/Library/Preferences ]
    then
        mkdir -p "${USER_TEMPLATE}"/Library/Preferences
    fi
    if [ ! -d "${USER_TEMPLATE}"/Library/Preferences/ByHost ]
    then
        mkdir -p "${USER_TEMPLATE}"/Library/Preferences/ByHost
    fi
    if [ -d "${USER_TEMPLATE}"/Library/Preferences/ByHost ]
    then
        defaults write "${USER_TEMPLATE}"/Library/Preferences/.GlobalPreferences AppleShowScrollBars -string Always
    fi
done
# Checks the existing user folders in /Users for the presence of
# the Library/Preferences directory. If the directory is not found,
# it is created and then the "Show scroll bars" setting (in System
# Preferences: General) is set to "Always".
for USER_HOME in /Users/*
do
    USER_UID=`basename "${USER_HOME}"`
    if [ ! "${USER_UID}" = "Shared" ]
    then
        if [ ! -d "${USER_HOME}"/Library/Preferences ]
        then
            mkdir -p "${USER_HOME}"/Library/Preferences
            chown "${USER_UID}" "${USER_HOME}"/Library
            chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
        fi
        if [ ! -d "${USER_HOME}"/Library/Preferences/ByHost ]
        then
            mkdir -p "${USER_HOME}"/Library/Preferences/ByHost
            chown "${USER_UID}" "${USER_HOME}"/Library
            chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
            chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/ByHost
        fi
        if [ -d "${USER_HOME}"/Library/Preferences/ByHost ]
        then
            defaults write "${USER_HOME}"/Library/Preferences/.GlobalPreferences AppleShowScrollBars -string Always
            chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/.GlobalPreferences.*
        fi
    fi
done
###########
# TIME
###########
# now set the time zone
#/bin/echo "Setting time"
#/bin/date
#systemsetup -settimezone America/Chicago
# enable network time
systemsetup -setusingnetworktime on
# set the time server
systemsetup -setnetworktimeserver ntp1.server.com,ntp2.server.com,time.apple.com
# disable the save window state at logout
defaults write com.apple.loginwindow 'TALLogoutSavesState' -bool false
# enable location services
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
uuid=$(/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57)
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd."$uuid" LocationServicesEnabled -int 1
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.notbackedup."$uuid" LocationServicesEnabled -int 1
/usr/sbin/chown -R _locationd:_locationd /var/db/locationd
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist
###########
# SSH
###########
# enable remote log in, ssh
/bin/echo "Setting ssh"
/bin/date
/usr/sbin/dseditgroup -o edit -a adminaccount -t user com.apple.access_ssh
/usr/sbin/systemsetup -setremotelogin on
###########
# AFP
###########
# Turn off DS_Store file creation on network volumes
/bin/echo "Turn off DS_Store"
/bin/date
defaults write "/System/Library/User Template/English.lproj/Library/Preferences/com.apple.desktopservices" DSDontWriteNetworkStores true
##########################################
# Login Window Customizations
##########################################
# allow click thru clock to see IP, Host Name, OS version
/bin/echo "Setting click thru clock on loginwindow"
/bin/date
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName
# Set the login window to name and password
/bin/echo "Setting loginwindow to name & password"
/bin/date
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
# Disable external accounts (i.e. accounts stored on drives other than the boot drive.)
/bin/echo "Disable external accounts"
/bin/date
defaults write /Library/Preferences/com.apple.loginwindow EnableExternalAccounts -bool false
### universal Access - enable access for assistive devices
## http://hints.macworld.com/article.php?story=20060203225241914
/bin/echo "Enable assistive devices"
/bin/date
/bin/echo -n 'a' | /usr/bin/sudo /usr/bin/tee /private/var/db/.AccessibilityAPIEnabled > /dev/null 2>&1
/usr/bin/sudo /bin/chmod 444 /private/var/db/.AccessibilityAPIEnabled
# play chime when plugging in the power
defaults write com.apple.PowerChime ChimeOnAllHardware -bool true; open /System/Library/CoreServices/PowerChime.app &
### auto brightness adjustment off
# /bin/echo "Disable auto brightness"
# /bin/date
# /usr/bin/defaults write com.apple.BezelServices 'dAuto' -bool false
### time machine off
/bin/echo "Disable Time Machine"
/bin/date
/usr/bin/defaults write com.apple.TimeMachine 'AutoBackup' -bool false
### Expanded print dialog by default
# <http://hints.macworld.com/article.php?story=20071109163914940>
#
/bin/echo "Expanded print dialog by default"
/bin/date
# expand the print window
defaults write /Library/Preferences/.GlobalPreferences PMPrintingExpandedStateForPrint2 -bool TRUE
##Disable Fast User Switching
/bin/echo "Disable Fast User Switching"
/bin/date
defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool FALSE
###########
# Misc
###########
# Disables iCloud pop-up on first login for Macs
for USER_TEMPLATE in "/System/Library/User Template"/*
do
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeSyncSetup -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeSyncSetup2 -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeiCloudSecuritySetup -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
done
# Disable OS X OS Prerelease downloads for all users
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AllowPreReleaseInstallation -bool false
##Kill Dock Fixup
rm -R /Library/Preferences/com.apple.dockfixup.plist
# Make a symbolic link from /System/Library/CoreServices/Directory Utility.app
# to /Applications/Utilities so that Directory Utility.app is easier to access.
ln -s "/System/Library/CoreServices/Applications/Directory Utility.app" "/Applications/Utilities/Directory Utility.app"
# Make a symbolic link from /System/Library/CoreServices/Applications/Network Utility.app
# to /Applications/Utilities so that Network Utility.app is easier to access.
ln -s "/System/Library/CoreServices/Applications/Network Utility.app" "/Applications/Utilities/Network Utility.app"
# Make a symbolic link from /System/Library/CoreServices/Screen Sharing.app
# to /Applications/Utilities so that Screen Sharing.app is easier to access.
ln -s "/System/Library/CoreServices/Applications/Screen Sharing.app" "/Applications/Utilities/Screen Sharing.app"
# Turn off Gatekeeper
spctl --master-disable
# Enable Application Firewall
defaults write /Library/Preferences/com.apple.alf globalstate -int 1
defaults write /Library/Preferences/com.apple.alf loggingenabled -int 1
defaults write /Library/Preferences/com.apple.alf stealthenabled -int 0
# Terminal command-line access warning
/usr/bin/touch /etc/motd
/bin/chmod 644 /etc/motd
/bin/echo "" >> /etc/motd
/bin/echo "This Apple Workstation, including all related equipment belongs to Company. Unauthorized access to this workstation is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected." >> /etc/motd
/bin/echo "" >> /etc/motd
# Login Screen disclaimer
defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "WARNING: This system, including Internet and Email, and its contents are confidential and proprietary. By using this system you acknowledge that you've read and will comply with the Company's Email, Internet and Collaborative Computing Services - Acceptable Use Policy and the Information Security Policy; and by using this system you expressly consent to monitoring and review of use. Any unauthorized use of this system is strictly prohibited, including work-related use by non-exempt associates during unscheduled work hours. Violations may subject you to disciplinary action up to and including termination, as well as civil or criminal prosecution."
# Disable Root
# dscl . -create /Users/root UserShell /usr/bin/false
##########################################
# /etc/authorization changes
##########################################
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.preferences.energysaver allow
security authorizationdb write system.preferences.network allow
security authorizationdb write system.services.systemconfiguration.network allow
######################################################################################
#
# Tasks that do require access to the JSS
#
######################################################################################
###########################################
# Flush all previous policy history
###########################################
/bin/echo "Flushing Policy History..."
/bin/date
/usr/local/jamf/bin/jamf flushPolicyHistory -verbose
##########################################
# Install VPN if MacBook
##########################################
/bin/echo "Install VPN if MacBook"
/bin/date
# Detects if this Mac is a laptop or not by checking the model ID for the word "Book" in the name.
IS_LAPTOP=`/usr/sbin/system_profiler SPHardwareDataType | grep "Model Identifier" | grep "Book"`
if [[ $shortModel == "MacBook" ]]; then
    jamf policy -trigger F5VPN
else
    /bin/echo "VPN Not Installed, desktop machine"
fi
###########################################
# Touch a file and recon so machine is in FirstBoot SG
###########################################
# touch "/Library/Application Support/JAMF/Receipts/firstboot.pkg"
# jamf recon
#####################################################
#
# Install Apple SWU
#
#####################################################
/bin/echo "Installing Apple SWU"
/bin/date
/bin/rm /Library/Preferences/com.apple.SoftwareUpdate.plist
softwareupdate -iav
########## Done installing software #################
#####################################################
#
# Clean up procedures
#
#####################################################
##########################################
# Remove user folders from /Users
##########################################
find /Users -mindepth 1 -maxdepth 1 -type d -not -name Shared -exec rm -rf {} \;
## Remove Apple's info files.
rm -R "/System/Library/User Template/Non_localized/Downloads/About Downloads.lpdf"
rm -R "/System/Library/User Template/Non_localized/Documents/About Stacks.lpdf"
####
# Now we must purge the system log to get rid of any passwords that may be in plain text
####
/bin/rm -rf /var/log/system.log
/bin/echo "purged logs"
## remove from FirstBoot Group
# rm "/Library/Application Support/JAMF/Receipts/firstboot.pkg"
# jamf recon
## Fix Permissions - non functional in 10.11.x
# /usr/local/jamf/bin/jamf fixPermissions
/usr/bin/say "Finished Post Image Script"
##########################################
# Reboot
##########################################
# srm /Library/LaunchDaemons/com.jamfsoftware.firstrun.enroll.plist
# shutdown -r now
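The script above traces every command to $LOGPATH/postimagelog.txt with `set -xv` but purges only system.log, so a password passed as a command argument (as in the commented `kickstart ... -vncpw` line) would remain in the trace log. The following is an added example, not part of the original post, that redacts such arguments; the flag list, function names and sample log lines are constructed assumptions.

```sh
#!/bin/sh
# Added example, not part of the posted script. Redacts credential arguments
# from a first-boot trace log (for instance the file written by `set -xv`).

# Flags whose next argument is treated as a secret. Assumed list: -vncpw is the
# kickstart option shown in the script, -password is taken by sysadminctl.
SECRET_FLAGS='-vncpw|-password'

# A value is a single- or double-quoted string (how traced arguments with
# spaces appear) or a run of non-blank characters.
SQ="'"
SECRET_VALUE="${SQ}[^${SQ}]*${SQ}|\"[^\"]*\"|[^[:space:]]+"

# redact_log FILE: print FILE with every secret value replaced by REDACTED.
redact_log() {
    sed -E "s/(^|[[:space:]])(${SECRET_FLAGS})([[:space:]]+)(${SECRET_VALUE})/\1\2\3REDACTED/g" "$1"
}

# count_secret_lines FILE: number of lines still carrying an unredacted value.
# Pairs that are already "flag REDACTED" are dropped first so they do not count.
count_secret_lines() {
    sed -E "s/(^|[[:space:]])(${SECRET_FLAGS})[[:space:]]+REDACTED([[:space:]]|\$)/\1\3/g" "$1" |
        grep -cE -- "(^|[[:space:]])(${SECRET_FLAGS})[[:space:]]+(${SECRET_VALUE})" || true
}

# sanitize_in_place FILE: overwrite FILE with its redacted form and restrict
# it to its owner. Writing through cat keeps the original inode and ownership.
sanitize_in_place() {
    tmp=$(mktemp) || return 1
    redact_log "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    chmod 600 "$1"
}

# make_sample_log FILE: write constructed trace lines (all values are made up).
make_sample_log() {
    cat > "$1" <<'EOF'
+ /bin/echo 'Setting system preferences'
+ kickstart -activate -configure -clientopts -setvncpw -vncpw ExamplePw2 -restart -agent
+ /usr/sbin/sysadminctl -addUser localadmin -password 'Example Pass1' -admin
+ /usr/sbin/systemsetup -setremotelogin on
EOF
}

# Demonstration on the constructed sample.
demo_log=$(mktemp)
make_sample_log "$demo_log"
echo "lines with secrets before: $(count_secret_lines "$demo_log")"
sanitize_in_place "$demo_log"
echo "lines with secrets after:  $(count_secret_lines "$demo_log")"
cat "$demo_log"
rm -f "$demo_log"
```

In a first-boot script, `sanitize_in_place` would run as the last step against the trace log, after tracing is switched off with `set +xv`.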
Posted on 01-29-2016 10:33 AM
Any update on this? I want to start using netinstall with first boot scripts; userpkg doesn't support 10.11.
Posted on 01-29-2016 11:30 AM
ls: firstbootscript: No such file or directory
No imaging. No firstboot script.
If I'm being honest, only the first sentence is true of my production environment. The second sentence should be true by the end of Q1.
Posted on 01-29-2016 11:35 AM
what??
Posted on 01-29-2016 11:36 AM
@kericson Not sure what the question is.
If createuserpkg isn't working though perhaps make use of the utility in your first boot script: sysadminctl
Posted on 01-29-2016 11:38 AM
I guess I posted the wrong post. I was just trying to find a way to get a very simple first boot script created.
Posted on 01-29-2016 11:42 AM
@kericson Start with a pen and paper (or keyboard and text editor) and plan out what settings/preferences you want in place. Then start researching how to implement them using config profiles where possible. And if not, then start scripting it so that it can be done on first boot with the appropriate OS X tools. And if all else fails then begin modifying the User Template (but this really should be for extreme cases where you haven't found alternative solutions). Every environment is going to be different. But sure enough if you go through this process as I described you should be able to create your own first boot script.
Posted on 01-30-2016 02:39 AM
@bpavlov I've never used a firstboot script.
I dislike the one shot method. I do have a post imaging script that calls a policy to do things, including creating a dummy receipt & a recon.
That then pulls the Mac into various smart groups where they then receive profiles to set things as needed.
Posted on 01-30-2016 11:26 AM
@bentoms I suppose it depends what you're looking to accomplish. My first boot script does pretty much what yours does to some extent (approached in a different manner, but conceptually the same; assigns user to computer, runs recon, runs policies applicable to it). What I'm referring to in my previous post is just how to go about determining which prefs you are looking to manage and ways to go about managing them.
I'm big on using config profiles for prefs that always need to be enforced. Due to the nature of how config profiles that apply only once work (inconsistent), I always take a second look at whether I really need to enforce that setting before looking for alternatives to set the prefs once. For that, adding it to a first boot script works great. But naturally you can also have those prefs applied via a policy that also runs the script when it checks in on that trigger you chose for the policy. Ultimately, there's different ways to approach it which can depend on how quickly you want certain things done in the post imaging process.
Posted on 01-30-2016 11:29 AM
@bpavlov I guess it really depends on what you're trying to manage as different apps & systems require different things.
Take Firefox, Chrome & Safari as examples. All can be managed to some extent, but what you want to manage (if at all) depends.
Posted on 01-30-2016 11:39 AM
@bentoms I can personally say I only touch very few things once (and some I don't even want to but have to per mgmt's request):
Finder favorite servers
Safari homepage
Dock
Desktop Picture
Finder status bar, extensions shown and HD shown on desktop
Firefox I don't even bother to manage. Chrome I've developed manifest so that it applies settings once.
Then I unlock some sys prefs so users can manage certain things on their own.
Everything else essentially amounts to config profiles that are built in the JSS or custom payloads that basically block apps from receiving updates.
Posted on 01-30-2016 07:59 PM
If you need a model to refer to, I have several first boot scripts posted here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/first_boot
My sample firstboot for 10.11.x is available via the link below:
Posted on 02-13-2017 11:08 AM
Hi All, I posted this question before I found this discussion but it seems it might be better added here. OtherPost
It boils down to this; does the CasperImaging process automatically enable ARD so that CasperRemote can screen share by default or do I still need to include a kickstart command in a first boot script?
It's interesting that the 10.11 & 10.12 versions of @rtrouton 's first boot scripts do not include an ARD kickstart command.