So with macOS Mojave, is imaging dead?

ooshnoo
Valued Contributor

There's been talk for months about this, but I haven't seen anything anywhere regarding deployment options for Mojave. Maybe it's restricted by hardware and not so much the OS?

Thoughts?

tx-wolf
New Contributor II

I have been able to successfully create and deploy APFS formatted Mojave images (even up to yesterday's 10.14.6 release) without using any 3rd party tools (a custom script for byhost file renaming has to be written). Catalina may change that. It does require some precise specific conditions to be met on the source drive to work. The new T2 chips mean using bootable USB devices instead of NetBoot. Is it the right solution for all cases? No. But it does still fill a specific need in certain situations. I don't advocate for or against using imaging - it is just another tool in the box. All tools are the right tool when they fit the need, and all tools are the wrong tool when there is one that fits better. Never throw a tool away (even if only used rarely) - you never know when you may need it again.

mconners
Valued Contributor

@d.mccullough I couldn't agree more with you.

Over a year ago, we moved to make every Mac we could get our hands on cut over to APFS. With DEP and APFS, the workflow is much cleaner and easier to do. This summer, I was happy to report to my peers, it took me a little over a week to do a full OS recovery (my term for the new imaging ways) on over 750 computers. Then we received nearly 250 computers that refreshed some of our old computers.

All told, in a few weeks, I was able to do what typically took a couple of months back in the imaging days. The new workflow is wonderful, for the most part.

summoner2100
Contributor

@mconners First how in the hell did "back in the imaging days" take you a couple of months to do 750 computers? I have that many, and it took me a day (by myself). Sometimes two if I had to spread it between other work.

General - The fact is, no, imaging is not "dead". It's only dead because Apple say so. I don't actually get why people put up with Apple just stopping things for no reason to replace it with some poorly thought out "solution" that involves longer processes and interaction. DEP is a solution to a problem that never existed. There are plenty of Apple customers that use Macs in lab environments. Interaction with DEP/VPP and waiting for apps to deploy is literally dumb. What used to take 20 minutes for the entire machine can now take half the day, per computer, for apps to deploy.

Even in the case of individual staff machines. Staff don't want to be waiting for loading bars, and apps to download. They just want to login and get to work; especially in teaching environments.

Why exactly do people just let Apple get away with restricting things so much? There's no logical reason for it.

donmontalvo
Esteemed Contributor III

@summoner2100 wrote:

The fact is, no, imaging is not "dead". It's only dead because Apple say so.

--
https://donmontalvo.com

Hugonaut
Valued Contributor II

http://isimagingdead.com/

summoner2100
Contributor

@Hugonaut Would people stop just posting that link. If you don't have any comments, then don't comment. This is a discussion forum, not a link spam. That link is not true anyway. People need to push back against Apple's restrictions that they force on everyone. It's not in anyone's best interest.

summoner2100
Contributor

@donmontalvo yes, did you have a comment?

gachowski
Valued Contributor II

Security period.

larry_barrett
Valued Contributor

I'm sure the JAMF forums is where the revolution will occur. Watch out Apple!

Look, I can still fire up my VCR and basically do anything I want, that doesn't mean it's a modern solution. Imaging had its time in the sun. The sun still shines on your old hardware. Shine on you crazy diamond.

Literally zero reason to necro a 3 month old thread to tell everyone how awesome you are. Nobody cares.

sdagley
Esteemed Contributor II

@summoner2100 I was a huge devotee of DeployStudio through Sierra, and by using MacBook Airs in Target Disk Mode as really expensive Thunderbolt SSDs, had a workflow which imaged a MacBook Air in about 15 minutes from booting into DS and the on-first-boot script finishing configuration with an AD bind and Jamf Pro enrollment. I don't miss it at all. With DEP I can run my configuration process anywhere an Internet connection is available, not just an organizational network, and it takes about 20 minutes with decent connectivity. If I need to wipe the drive and re-do the macOS install and configuration process the --eraseinstall option for the startosinstall tool makes that simple enough the end user can do that themselves. And again it can be done anywhere with Internet connectivity.

summoner2100
Contributor

@larry_barrett There's no such thing as "necro'ing a thread". People comment on old threads all the time. If you don't like it, don't comment? I NEVER said that there was going to be a "revolution". Here or otherwise, just that people shouldn't blindly accept Apple's ruling on something. Especially when DEP is NOT available everywhere, and doesn't/can't cover machines that were purchased before it became a thing. And for reference, NOWHERE did I say I was "awesome".

@gachowski No, security is not a reason. There are many ways to apply security without restricting imaging.

@sdagley The problem I have with thin imaging and launching the installer is that it takes WAY longer to make a machine. I don't know what you're installing but 20 minutes of waiting and THEN having to wait for apps is not what businesses and the end user wants. They want machines that are setup. So the laptop, or desktop, needs to sit with IT for almost a day depending on what you're installing because it takes much, much, longer for applications to install; Then you've also got lab installs for schools, and others. It used to take that 20 minutes to do 3-4 labs at once. All software done. Ready to login with no interaction.

larry_barrett
Valued Contributor

@summoner2100

@mconners First how in the hell did "back in the imaging days" take you a couple of months to do 750 computers? I have that many, and it took me a day (by myself). Sometimes two if I had to spread it between other work.

Must just be a humble brag, amirite?

Can you explain, "shouldn't blindly accept Apple's ruling on something". I'd like to know how your beliefs supersede reality. Apple has moved on, you can put your head in the sand or you can grow. Hardware is evolving, schools are evolving, workflows are evolving.

I don't normally respond to contrarians, so I'll leave you alone, I promise.

sdagley
Esteemed Contributor II

@summoner2100 My 20 minutes for DEP is how long it takes from turning on a brand new, or freshly erased Mac, to having a machine configured with all of our standard corporate software and at the login prompt for the user. That can all be done in the hands of the user, not the IT department. I'll give you that installing macOS takes a chunk of time one didn't have with laying down a monolithic image with DS, but that isn't an issue with new machines, and I no longer have to worry if my OS image is compatible with new hardware.

summoner2100
Contributor

@larry_barrett That's not saying anything about me being awesome, nor a humble brag. That's literally the state of imaging with a master image.

If anyone is a "douche bag" it's you and your attitude with your reply. You jumped in with a sarcastic, and insulting remark to my comments, rather than just ignoring the thread or adding a discussion point. I responded in kind.

How is blindly accepting Apple's ruling not clear? Apple is ruling no imaging based on single, individual user bases and not companies with 500+ computers. And they wonder why Windows is still the dominant OS for business. It's because the flexibility is there to do either thin imaging or thick imaging. It also maintains the security integrity, which is why I also said above that the security argument isn't a thing. I actually like Apple machines, but in this single area in particular they are flat out wrong and everyone is just accepting it.

This isn't an evolution of a workflow, it's a step backwards because of the inherent, more time consuming, steps to get to the same place. If Apple had provided a first party solution alongside DEP that provided the same ACTUAL ZERO TOUCH workflow for labs, and schools. Then we wouldn't have a problem. But they didn't, and we do. It is NOT an efficient way of working.

Given the fact that I'm continuing examples, and you're just insulting and being sarcastic. Who's being the 'douche bag' again?

summoner2100
Contributor

@sdagley First, thanks for a decent discussion. I assume you're not doing many installs with the Adobe suite or Autodesk in this scenario then? As the installers for those take an hour to run. Even split up to individual apps. So splitting that between 30 computers in a lab is the time consuming part. But I was more curious on what was installing for your 20 minutes. I see your point. Thanks again for a decent response.

gachowski
Valued Contributor II

@summoner2100,

You are just wrong. Security is the main reason. This might help you.

https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf

C

wmehilos
Contributor

Old way:

Unbox lab machines, connect to network. Attempt to boot off Netboot server, find out the networks folks didn't move the room to the right private vlan. Call and wait an hour for them to do stuff. Finally NetBoot. 5 machines randomly fail, start over. Erasing the perfectly good OS to block copy a disk image of the same OS. Work smart. Been hanging out in this lab for half a day now. 1 gigabit/30 machines is not fast, machines totally unusable until workflow is complete. Finally done.

New Way:
Assign an order to my Jamf server with Apple. Check a box in the Prestage to scope to new computers. Install new Macs, connect to network, turn on, click next next next. Walk tf away.
Macs enroll, grab enough policies to let people login and print. Rest of software installs in the background.
Go have lunch.

Yeah, I sure do miss the old way of doing things.

Imaging is a lower-order task. I'm freed now to go spend my time in better, more productive ways, like any decent automation/technology should enable.

donmontalvo
Esteemed Contributor III

@summoner2100 asked:

@donmontalvo yes, did you have a comment?

Nope, nope, you're doing fine, carry on...

--
https://donmontalvo.com

Chris_Hafner
Valued Contributor II

Darn... no popcorn here. Guess I get to comment next. I fondly remember a few different dinners with "Apple and/or JAMF corporate folks" arguing just this same thing two years ago. I was saying the same things you were @summoner2100 as I too had a need to deploy hundreds of computers in a day. I'll leave only two observations.

•) Having done this both ways, I can know the different benefits each solution provided. I'm growing to actually like the DEP process even though it has some interesting snags... BUT those snags are less than the snags I would hit (was hitting) "fighting the machine". Also, I'd completely agree that Apple didn't/doesn't have all the tools in place for "us" to swap right from imaging to DEP and so I had to change many of our processes to move away from modular imaging but my new processes are cleaner and require less maintenance than when we were imaging. FYI My imaging infrastructure is still up and maintained. I can still image 10.13x TODAY. I actually used it today to quickly restore a user's old 2011 iMac that has nothing to do with our academy. However, Having shifted to DEP for our owned units and User Enabled Management for our BYOD users (roughly ~370 BYOD) I quite prefer it. Things will get easier moving this way. (Way less fighting with profiles, etc)

•) At this point, what's the fight worth? I mean, Apple makes the product and they've already jumped in that direction. Heck, they've put hardware/firmware behind this change, forget the OS. Let's get DEP, JAMF and the rest of the Apple configuration world running like the way you like your imaging setup. DEP has its issues no doubt, but let's be realistic. Apple's not going back. Besides, I haven't had to be part of a debate over what "imaging" is for over a year now!

summoner2100
Contributor

@gachowski If you're going to post a link, don't post it to the wrong OS platform. That is iOS... and completely different. Also wrong with regards to security. Suggest you do some more research.

@wmehilos Umm, wow. First question. Why are you changing VLANS at all? Set the network up properly and you just walk into a room and boot it. Second. You're making assumptions that the included OS is "perfectly good". I've had factory OS on Mac machines be pretty crap, actually. So I don't assume that. Third. Half a day? A properly setup GB network can do 3 labs of 30 machines, at once, and be done in 30 minutes (and my previous master had a size of 135GB). P.s. the machine is also unusable during Jamf thin image creation as it has to wait for programs to install.

@Chris_Hafner Thanks for the polite response. I've also had the debate with an Apple rep here back and forth. The discussion was interesting. I've got my DEP workflow setup for mostly the same as what the full master does. I've been the one building ours. The headaches, and workarounds, are a pain. I'm sure once it's fully in place it will be fine. But the biggest problem is the many many machines that aren't in DEP (and can't be) due to purchase time. So I need to do two processes for deployment until all the machines not in DEP are replaced.

donmontalvo
Esteemed Contributor III

gachowski
Valued Contributor II

@summoner2100

I posted that link on purpose. I am upset that Apple hasn't secured the macOS like iOS yet... six years come on. Anybody can see that they are going to copy as much as they can from iOS to macOS.

You said "security is not a reason. There are many ways to apply security without restricting imaging" and that iOS doc explains in a simple way why security is the reason and why it affects imaging.

C

jerdill
New Contributor III

I've been imaging machines to 10.14.6 without an issue using the method described here:
http://deploystudio.com/Forums/viewtopic.php?id=8139

Catalina throws a wrench in it by dividing the System and Data partitions though and using Volume Groups, so not sure if it will work for Catalina yet.

jerdill
New Contributor III

I got an image to work on 10.15 Catalina. It looks like the ASR command does support copying a DMG file to disk and it copies the volume group intact and bootable.

taugust04
Valued Contributor

I apologize for re-hashing anything already said, but I'm feeling especially sentimental after reading through this thread that's been ongoing for the last year or so...

I've been imaging Macs since the days of RevRDist and the original GUI version of Apple Software Restore in Mac OS 7/8/9, so I'm also reading this thread with a large bucket of Orville Redenbacher close by. I can understand the level of frustration like @summoner2100 has, and I've written out a couple of rants myself in this very community on many of the limitations of DEP in comparison to previous deployment workflows. My current job no longer has Mac deployment as a primary responsibility, but I still have a vested interest in the topic and it's a secondary responsibility as needed.

Since my primary task is now network management and information security, I can confidently say that security is the primary reason that we now have to go through hoops to "image" a cluster of workstations that don't belong to an end-user. It's easy to connect the dots between what we used to be able to do unabated to the operating system with deploying a Mac system and how it could easily be taken advantage of in today's information technology security landscape.

Apple originally provided customers the ability to use the exact same tools they used to "image" systems at their factories. That's simply no longer the case. The level of security Apple has at its factories can't be guaranteed for the rest of its customers once the sale is made, especially since the majority of those sales are consumers or businesses/schools that focus on one-to-one deployments. In macOS Catalina, System Image Utility isn't even included anymore. I imagine that ASR still exists because Apple still needs to get some sort of image onto these systems at the factory. However, I wouldn't put any effort or research into continuing to use it for any sort of deployment workflow. Apple has clearly stated that imaging is no longer a supported workflow across their product lines, and asr could break at any time.

The security team at Apple definitely has the ear of key software managers and the executive management team much more than the deployment team. In addition, the environment in which Macs are purchased and installed has drastically changed as well in the last 25 years. While I don't have actual numbers, I feel (anecdotally) that when I started out with Casper Suite back in the late version 6.x days, the largest number of customers were education - managing large numbers of labs, classrooms, and clusters, with a secondary focus on faculty and staff deployments. Within a few years, that changed, and I think Jamf gained a ton of business customers from many companies that started offering Macs as options to their employees. When iOS management started being offered, that educational lab/classroom/cluster percentage of customers shrunk even more.

In 2019, I would imagine that for both Jamf and Apple, the percentage of sales of hardware (or management licenses of said hardware) for labs, classrooms, and clusters is less than 1% of total sales. And as annoying as it is for those of us who still have to maintain these unassigned types of labs, I can't blame either Apple or Jamf for focusing engineering resources on where the majority of their sales are going.

While I hate dealing with it, I fully understand and accept the concepts and realities of Apple's DEP deployment workflow. And I expect that Apple will continue to add more features into DEP/MDM based workflows as the deployment team catches up to the initiatives of the security team at Apple. At some point these teams will converge and feel confident enough to have a fully automated workflow similar to the old days of NetBoot/NetRestore/ASR, when they feel that the security of such a workflow is resilient to any compromise.

I would love to say it's just Apple causing these problems to their customers, but the same is happening on the Microsoft Windows platform, as Microsoft continues to modernize SCCM, and move users towards Intune and Autopilot for "imaging" and deploying Windows hardware. Microsoft MDT is essentially an afterthought now as well for the same reasons Apple abandoned their own imaging tools.

Apple has never been a company focused on the past. If you're managing their systems, it can be a challenge to keep up, but if you pay attention to their hints and their deprecation warnings, you can reduce the pain when they take action on the warnings.

Personally, I have successfully abandoned imaging for both my employers. NetBoot hasn't been used in two years. Using the provided tools in the OS Installers, Recovery, and Internet Recovery for factory resets, along with documentation for techs, has gotten past the deprecation of imaging on macOS. Having caching servers in strategic locations with your labs/classrooms/clusters helps immensely as well, as they cache the Apple installers used for Internet Recovery and can really speed up the deployment process.

The positive I take from this is that for the majority of Apple's customers, it is now much easier to deploy a Mac to a customer, with little intervention from IT staff. Unfortunately for the rest of us still dealing with unassigned workstations, it got more complicated.

Hopefully things improve on that front for us, soon, as well.

donmontalvo
Esteemed Contributor III

@taugust04 wrote:

The positive I take from this is that for the majority of Apple's customers, it is now much easier to deploy a Mac to a customer, with little intervention from IT staff. Unfortunately for the rest of us still dealing with unassigned workstations, it got more complicated.

Yeap, it's a shame to see large, established companies, unable to align their workflows with industry best practices, usually due to incompetent/incapable profit driven mid level management getting in the way.

One day I'll hang up my keyboard, ride into the sunset and blog about all the shady stuff I've seen in the outsourcing business.

¯_(ツ)_/¯

It'll probably get more hits than my motorcycling blog. #seeWhatIDidThere

--
https://donmontalvo.com

thebrucecarter
Contributor II

I'm right in there with @taugust04 , anybody else remember Assimilator? We also had some home brew deploy things cobbled together before DeployStudio came along. I remember fondly (?) the convoluted stuff we had to go through to make pre-OS X systems pretend that they were multiuser...

d_mccullough
New Contributor III

There is a distinction between "industry best practices" and "people holding onto the past". At this point, with how long Apple telegraphed its move, these kind of complaints are moving towards the latter. I seem to recall them being the first to ditch disk drives, too. That is not to say there isn't a valid point there, but these changes have been a long time coming; organizations do have a responsibility to future proof themselves in this sense.

donmontalvo
Esteemed Contributor III

@d.mccullough nail hit squarely on head, Apple sets "industry best practices" with their DEP, VPP, ABM, etc.

Even if Apple missteps, feedback from their large customers gets them back on track (remember VPP 1.0?).

Jamf is Apple's biggest proponent, following their lead and providing a great tool, so why do outsource companies drop the ball?

Outsource companies' never ending chase for profit margin, cutting corners in a "damn Apple/Jamf's best practices" way...

--
https://donmontalvo.com

gabester
Contributor III

OK so riddle me this - what's the best way for me to get a 20GB creative app, a 65GB VM, and a 16GB bluray authoring tool onto over a dozen Macs, now that imaging is dead? Unbox, DEP enroll, and wait for everything to fly down over the network... without the benefit of block copy speed. It's simple, sure, and it's effective, and leaves us time to do other tasks, but it doesn't feel FAST.

It's a shame Apple's got these really fast SSDs now that are throttled by the bandwidth of a wifi network. I think there are those of us who imagine, starry-eyed, what it would be like to deploy a huge amount of content to such a fleet, if only there were an expeditious way to do it that didn't involve running everything through DEP and an available network connection.

FWIW Apple doesn't set the industry standards, they only set the supported solutions for their relatively limited ecosystem - Windows and Linux can still do the equivalent of netboot, although in some cases it may be pretty tricky to nearly impossible (I'm looking at you, Surface tablets!)

@donmontalvo I'm looking forward to your new blog!

d_mccullough
New Contributor III

Apple sets the standards for Apple products....regardless of what others are doing. So, the "industry standard" - in the case of Apple devices - is whatever they say it is. It's one of those things where it might or might not align with what you expect, but fighting it is quixotic and generally fruitless.

jerdill
New Contributor III

@Sterritt - I was able to get imaging to work still using ASR. It looks like Apple updated ASR to copy volume groups and restore those groups back intact and bootable. If you boot to an external USB device running 10.15 you should be able to ASR copy a drive to a .sparsebundle file and then restore that file to other disks also using ASR.

scerazy
New Contributor III

Imaging might be dead, but it still works fine. And I do not see a reason to change what works for the few non-T2 devices that I have to deal with. Apple's preferred method might be something else, but it is inefficient, as Sterritt above mentioned. Windows Intune/Autopilot also "prefers" this approach, but does not mean that MDT/SCCM task sequence imaging is suddenly dead & abandoned!

Apple has it all wrong, yet we stupid users clap each time they bring new device, and part with $$$$ for it!

summoner2100
Contributor

I think the biggest issue here with "imaging is dead" is that Apple killed it without really giving a viable replacement. Imaging used to be an all in one thing, now you have to wait for an MDM to deploy software to the machines. When doing a lab, this takes the lab out of action for longer. The best I've seen to reduce this is depnotify, because at least it pulls everything with a splash screen and you can have it log off right after.

Following that, for "block images", MDS from twocanoes is probably the best way to drop a dmg image as it uses ASR to do so. You just need usb "automatons" to automate

p.s.... I feel like when I posted my original comments in here, I was too harsh and argumentative. So I apologise for all that. I shouldn't have started in like that.

scottb
Honored Contributor

@summoner2100 - not harsh - Apple and Jamf have not given us a viable replacement, only parts of it. We now have to kluge together a bunch of things to do what imaging did. Sure, once setup it's more versatile, but really, Apple/Jamf should make these bits part of the MDM for us to use. As is, we're looking to see what other tools are used and have to decide on which method to go with and then figure out how to make them work in a viable fashion. With ASR, I needed Apple and Jamf and that was pretty much it.

summoner2100
Contributor

@scottb It will be interesting to see if Apple pull anything forward with the purchase of Fleetsmith recently.. and how they integrate it. I suspect bare minimum integration into ASM/ABM possibly.