There are rumors that imaging will be dead

Lars_Leppert
New Contributor

Hello, based on a few articles there are rumors that imaging will be dead in the coming APFS file system. Over the last years I have done my administration with a smoothly running modular imaging workflow, based on vanilla images built with AutoDMG and the InstallESD.dmg from the Apple installer. Macs are installed with Casper Imaging based on those vanilla images. Applications and settings come with policies and configuration profiles scoped to the 50 different departments. I only have to set up the department and location for the Mac in the Casper inventory. After that, all needed applications, fonts, printers and settings are installed automatically. The needed volumes are automounted on the screen.

I administrate up to 400 Macs in a publishing company this way and we do not have the need to roll out each new system version to the Macs. I'm still happy with nearly 95% of my Macs running OS X 10.9.5. My plan was to replace the older Macs and begin to update the 10.9.5 systems to 10.12.x this year, to have a consistent environment again.

In this article (https://derflounder.wordpress.com/2017/01/10/imaging-will-be-dead-soon-ish/#comments) the author recommends installation based on thin imaging with DEP and MDM config profiles. But how can I downgrade Macs, if the hardware supports this, when imaging will not work anymore?

Is this a comprehensible way to have a consistent environment, or am I old school? I think, based on the hardware purchases over the last years, we will then have more than 4 system versions in the company at the same time if we do it with thin imaging.

What is the best way to do it, if imaging is dead?

regards Lars


bvrooman
Valued Contributor

Perhaps a prerequisite question is, are you actually entitled to downgrade computers to an operating system older than that with which they shipped?

I don't know the real, current, legal answer to that. I do know that a few years ago (2012-ish?), at an APS/ACN event, Apple took a fairly firm stance of "no, computers must use the OS that they shipped with or one for which an upgrade has been purchased (or obtained for free)." If that's still the case, then reimaging to downgrade may be a moot point.

As a general rule, we allow OSes in our environment as long as they're still receiving security patches. However, the past few times, we've made a mandatory-unless-you-have-a-reason upgrade to the current OS in early/mid-summer so that, once the next release becomes available, we're still only managing 2 major versions across the majority of our systems.

roiegat
Contributor III

I've had good luck downgrading Mac Minis. But with iMac and MacBook Pro I've never had luck downgrading the OS.

As far as imaging goes, as long as Casper still has it in the Suite then we'll use it as an option. At our company we use a user-enrollment method that doesn't use the imaging app. But we do have a backup plan that uses a netboot and imaging just in case something fails.

Lars_Leppert
New Contributor

@bvrooman I want to clarify - I only use the lower system installer as it is and do not work around anything. Sometimes I have luck and I can install the lower system on a new Mac with a higher version; this was, for example, on Macs coming with 10.10. I test this before I purchase a lot of Macs. Most times I get the bad sign that the software is not allowed. Last time we needed to purchase older, refurbished Macs to keep our system environment stable. It was not clear if 10.12 will work with older Adobe versions, because many users had posted problems with that combination.

blackholemac
Valued Contributor III

Downgrading is a tricky matter to address. Apple has had a firm policy against it long before even the debut of OS X... specifically on hardware compatibility grounds. That being said, it isn't always hopeless. If we discuss a Mac Mini (Late 2014) for purposes of this post. Right now it is a currently shipping model and would ship with Sierra. In general you could probably downgrade it to Yosemite given it was the originally shipping OS. It would take some work and probably require a thumb drive install but it would work. You would also have to consider turning SIP off first before a downgrade so as not to get snagged by such modern issues. I would not want to downgrade that but I bet it could be done.

That being said, it does not work that way on iOS. You can't downgrade at all if they aren't still signing the firmware. I'm betting the future does not look bright for downgrading on Macs either.

Lars_Leppert
New Contributor

@blackholemac Yes, I think I could downgrade a few months after a new system release and if the Mac is not a new model. I cannot downgrade a new model with a new system. If Apple does not want a system to be installed on a Mac, they can easily restrict it, and they do that with incompatible system versions. Anyway, I must think about DEP and make more updates to keep the environment safe.

blackholemac
Valued Contributor III

They tend to use model identifiers to restrict that. That's why I gave the example above.

tnielsen
Valued Contributor

Switch to PC

Thin imaging is a pretty good way to go otherwise. Sure, you're going to have another troubleshooting step to identify when problems arise. (Is it the OS?) but Apple is forcing this path. "Upgrade or else!" attitude.

blackholemac
Valued Contributor III

I'll be honest...not thrilled if the thread is going in this direction of the above poster. @Lars's original post was quite a legit one considering the direction Apple is going. My posts above covered a technical nugget that really didn't answer the original poster's question but covered my experience in downgrading. I am sad to see someone above has decided to get on a soapbox and say "switch to PC" because that isn't what I feel this community is about. Jamf is supposed to be about "helping organizations succeed with Apple". That means if Apple is headed in a new direction it is worthy of discussion here, without someone saying "switch to PC."

To give a more dignified response to the original post rather than talk about downgrade technicalities above, there are new techniques where you can take a Mac straight out of the box from Apple and get it "up to spec" by using policies and packages deployed from Casper rather than traditional imaging techniques. Jamf has had this capability all along; however, in the past, admins didn't trust Apple to have the OS deployed consistently on new devices. That has changed greatly. I have tested that my "environment package" will customize the pre-shipped OS from Apple to my environment's liking. Basically you can use DEP to get a shiny new Mac enrolled in MDM and use policies to fire off all of your packages (including your environment transforms). That is the direction Apple seems to be going, in my opinion anyway.

This would help you get to an old school standardized config by simply using new tricks. That being said, I still like the old school imaging (modular style) myself and plan on using it as long as I can, but am studying the new methods for a switch when convenient. </getting off of my soapbox>

bvrooman
Valued Contributor

Unfortunately, in my case, it isn't the admins that don't trust Apple to deploy the OS consistently out-of-box, it's our InfoSec that doesn't trust anything that we don't block-level image ourselves. It's all a little silly, but until we get approval to not wipe machines as soon as we get them, we'll probably have to keep doing so.

Unless major changes happen in the OS or firmware, I don't see a compelling reason that Apple would need to restrict a block-level image deployment, wherein those blocks happen to consist of an APFS volume. That said, we don't know what we don't know, and I hope that WWDC this summer will give us a lot more insight into what we'll be working with.

JustDeWon
Contributor III

We also have to keep in mind that some companies are not ready for the OS that comes with a new Mac because the internal software being used isn't supported yet. So a downgraded image would suffice. This would be a legit issue, if it were indeed soon to be the case for some companies.

blackholemac
Valued Contributor III

In general I agree with @JustDeWon... in reality our best power is to push back at Apple and say that we still need to keep imaging around... I don't know how lucky we will be... I hope Apple leaves the provision for imaging in with the new filesystem (in some form). If they don't, luckily I think I can make their new methods work for at least my organization. I love reading thoughtful discussion on this topic specifically... as I hope to keep imaging around; knowing Apple, though, I'm not betting on it. MCX went the way of profiles... Real OS X Server went the way of what we have now... in general I'm not betting that imaging stays around either, but we can hope. For a real good discussion on the topic look up Alastair Banks on MacAdmins Slack...he and MagerValp likely have some strong views on the subject.

Lars_Leppert
New Contributor

I think I have all that I need to use the preinstalled OS or to use DEP. I have done my management with JamfPro policies or config profiles for a few years. If I use the preinstalled OS I have less work at the beginning, but more work afterwards with more system updates to keep the environment consistent.

(Time will tell - I hope that such rumors about imaging are not a bad sign that the system is going more and more towards a closed iOS system that is only manageable with config profiles. Don't get mad at me, then I'd like to switch to another operating system, after 15 years with Apple. Assuming there is another usable product left)

georgecm12
Contributor III

I too have some serious questions about a DEP no-imaging model and how it would fit into some use cases.

For one, I'm thinking of my labs and classrooms, particularly those located some distance from me. As it stands now, I do have to image the machines initially... but once installed into the classrooms, I can manage them entirely remotely, including telling them to netboot and reimage automatically. Will there be a way to send a command to do a "erase all data and settings" AND do a DEP enroll... all unattended?

It's great to say "just let the users who use the system do it..." but that doesn't help when the faculty first shows up at the beginning of their class to teach and need a working computer, with the software they need to teach with, right away.

blackholemac
Valued Contributor III

That actually is why I still like to keep imaging around. I have two Adobe labs into Final Cut labs and one Logic Pro lab.

I have almost got the DEP based workflow to work for these guys but not quite.

So I assume System Image Utility is still going to be kept around in some form...I remotely use that to trigger a net install image that installs an Apple only OS stock... said computer then boots to the OS, enrolls using the DEP through the setup assistant without requiring a login to enroll, binds to AD with a policy and installs the apps through the policy... therein lies the problem... I still need boots on the ground to get through lightweight DEP enrollment (without a login).

If Apple could solve at least two problems with this workflow I could see using it even to do labs:

Problem 1: easier way needed to wipe and reinstall the stock OS after a year of multiple student usage...APFS gives me hope here...I'm hoping they will come up with a way to restore a factory snapshot to the Mac using some kind of an automated command or process.

Problem 2: user activity needed to get through a lightweight setup assistant...sure imaging requires someone being there to boot to an alternate volume, but some folks have managed to do that through Casper... we do that sneakernet anyway... though I wish we didn't. Having someone manually proceed through a setup assistant though is prone to introducing human error into the process.

Problem 3: @georgecm12 pointed it out there the best...The teaching staff in these labs count on everything being ready but the login on hour one of class. It would be awkward to tell these teachers "OK now...after first login you'll need to wait for three hours while smartly written policies install your software." I would get a shoe thrown at me.

I truly do want to make the new workflow work but like other folks on here still have some concerns such as public labs. I have made the new workflow work on single user laptops fairly well. I always remind the user when they are assigned a new laptop that software installs could take up to 12 hours time. Hopefully with APFS, we can get some help from Apple to address such concerns.

alexjdale
Valued Contributor III

I support both bare-metal imaging and thin imaging at my company (6500 Macs across 40 sites globally). When a new system arrives, we use thin imaging. If we need to redeploy a Mac, bare-metal imaging is by far the fastest and lowest-touch method of getting the system turned around (we are required to erase the drive between uses). I have a highly automated scripted process that takes 20 minutes from start to finish with very little interaction and spits out a deployment-ready system at the other end.

Sure, we could do away with bare-metal imaging, but we absolutely need a fast way to erase and restore a drive to factory defaults. Booting from a USB, erasing, and reinstalling takes a long time and a lot of interaction. Internet restore takes even longer.

I made sure I told our Apple rep about this when the topic came up during a recent discussion. If we have to add 30 minutes to the imaging process just to lay down the OS, it will be a huge impact on our support staff who are already stretched very thin.

AdamHWilliams
New Contributor

What about environments that can't use APNS? We have a fully automated build with manually delivered (offline) configuration profiles and some scripts to do the things configuration profiles can't do. We use Casper Imaging heavily to re-image Macs to our supported version of macOS (downgrading where required) and then lay down all the apps/configurations dynamically after imaging has completed. This is a mixture of profiles and some scripts. Some of this workflow will work as-is but Apple will need to dramatically improve configuration profile support in their next OS to allow us the level of flexibility we require in order to manage everything using configuration profiles only.

What about older machines that can't be enrolled in DEP? What about places where DEP isn't supported? Will internet recovery work behind a proxy server or will we have to open that up somehow? How many new Macs will we have to buy? How much will all this cost? How long will Apple give us to get all this done?

If imaging goes away but everything else stays roughly the same then I think places will find a way to support the new status quo with varying levels of pain. If more changes come in and the whole OS is locked down, can only be changed with configuration profiles and MDM then organisations will have some tough questions to answer such as is it worth it? However - everything at this point is guesswork and rumor. Our lives would be a lot easier if we knew ahead of time what the changes were and when they were coming.

barnesaw
Contributor III

Until DEP doesn't go down at least once a month, DEP is not a solution.