Thin is in? Anyone thin imaging instead of standard?

robb1068
Contributor

As long as we've had JAMF, we've done standard imaging: reformat or partition the drive, install the base OS, software packages, settings, AD bind, etc. But ever since 10.8 came out and forked the OS, I've started to think that thin imaging might be the way to go and just overlay our settings, software, etc. on the target Mac right out of the box. No more reformatting, no more partitioning.

Has anyone else gone this route and wouldn't mind sharing their experiences? Thanks!


asims9
New Contributor

Thanks @stevewood for the firstboot script.

emily
Valued Contributor III

We're starting to experiment with enrollment-based "imaging" (more like installing/configuring) with new machines that are coming right out of the box. We just run the QuickAdd package off of a USB (or out of a mounted software/fileshare) and on enrollment all the basic software is installed on the machine and it's bound to AD. We then have some software assigned to specific LDAP user groups that gets pushed to the machine once the user profile is loaded.

We've only done very basic testing with this method but we're already loving it.

alan_trewartha
New Contributor III

I have started a super-thin imaging process of late, and I've been thinking about how to reduce the initial setup from a newly delivered machine. I've sort of gone off NetBoot with all the recent shenanigans (and am thinking of starting up a thread on this to canvass opinion), so I've got it down to:

1) run through first set up with a standard admin user (the jss management account)
2) set name of machine and check time is OK
3) go to jss/enroll, download and run QuickAdd
[4) until I can get the quickadd signed, confirm quickadd install in 'Security' pref pane ]

I'm basically trying to adopt the 'let Apple and JAMF do as much as possible' approach, reducing the customised scripts as much as possible. So I've got JSS MCX settings (yet to fully migrate to profiles) doing a lot of configuration.

It is still very tempting to do 1-3 via 'Casper imaging' at netboot. But I don't trust my scripts to emulate apple's first set up. My localisation script seems to lose UK keyboard setting for a lot of users, for one. Am I over-thinking this, or is anyone else dithering over this?

workdayitadmin
New Contributor

In the past, we've used a hybrid image.

We had a base OS X deployed and configured (UI settings and default user account). We then deployed packages on top of that including a recovery partition package that ran a post-install script to create said recovery partition. This method has worked well for us from OS X 10.7 - 10.9.

We are now in process of transitioning to a 100% thin imaging model with the following workflow:

NEW SYSTEMS
New systems get unboxed and we use Casper Imaging to deploy packages only. We configure our default local admin account using the CreateUserPkg app. All packages, with few exceptions, are pkg/mpkg files as provided by the vendor. Other apps that don't play nice with Casper Imaging (e.g. Microsoft Office 2011) are dropped into a temp folder on the target system and are called from a post-install script.

Package deployment takes roughly 3-5 minutes tops. Post-install takes about 3-5 minutes tops.

When post-install completes and the JAMF client wraps up its gyrations (policies, etc.) the system goes through a single reboot. The tech is hands on and authenticates for FileVault2 encryption.

The tech logs in via FileVault2 then logs out - it's not the user's turn to log in.

The tech adds the user to the FileVault2 group and the local admin group, configures Outlook, then steps away.

Total deployment time, about 15-20 minutes per box. Total technician touch time is about 5-10 minutes give or take (sans any special configuration requests).

EXISTING/REPURPOSED HARDWARE:
We leverage Apple's NetInstall feature to restore a system to factory settings using the latest OS. We can nuke and pave a Mac with the latest OS in 20 minutes give or take without calling out to the Internet, without using Thunderbolt/FireWire, without using USB drives, etc.

We then run through the same thin imaging process as we use for new systems. This adds about another 3-5 minutes of total touch time.

We can also nuke and pave several Macs simultaneously in this fashion and put them on a shelf without fear of an image going stale. We can also slipstream combo updates into the image if necessary, if our NetInstall image is a revision or two behind.

Our biggest forward-thinking challenge is how we get from the technician launching the Casper install and stepping away to them returning to a laptop that is fully ready for user delivery - FileVault encrypted, admin rights, etc. That's the holy grail for us; we're getting closer to that goal every day.

wmateo
Contributor

@stevewood Hi Steve,

Your firstboot is great. Do you have anything similar for 10.10? Anything that needs to change for it? I am in the middle of upgrading some Macs.

stevewood
Honored Contributor II

@wmateo for the most part the script is the same in 10.10. There really isn't much that needs to change. Now I took some of the items out of the script and started moving them to Configuration Profiles instead. I was just looking through my 10.10 version of the script, and found some more things I can clean up.

pblake
Contributor III

@stevewood Any chance you have examples of your config profiles posted on a GitHub or somewhere?

stevewood
Honored Contributor II

@pblake no, I do not, but I can. Give me a day or three and I'll see what I can do.

stevewood
Honored Contributor II

@pblake sorry it took a little longer to get to this than I expected. I've posted them up on my GitHub:

GitHub

Nothing special, just a few small profiles. Hope that helps.

rcastorani
New Contributor II

@stevewood Thanks so much for the script - it is cranking away on 40 laptops as we speak! (two stations doing 3 at a time btw).

Is there any way to see the script on the login screen as it's doing its work? I'm simply waiting for it to restart after shutting down the NetBoot, watching it sit at the login screen, and then waiting for it to restart again. I've missed the restart a couple of times as well as jumped the gun a couple of times. Wondering if there's a way to see the log running in real time. If not, no worries and thanks again.

stevewood
Honored Contributor II

@rcastorani Glad it's working out for you. It's been my go to method for a couple years now.

There is no way that I know of to display the output of the log file as the script is running. Of course, there may be and I'm just not aware of it.

I took a different route and simply lock the screen while the second part is happening. I grabbed a script that Mike (@mm2270) had posted and used that. The script was discussed in this post and is on his GitHub here: https://github.com/mm2270/CasperSuiteScripts/blob/master/selectable_SoftwareUpdate.sh

If you find the section in the script for placing a lock screen up, that's what I do. This is the way it looks in my script now:

################################################################################
##
##  The below section of code was "borrowed" from Mike Morales' software update
##  script.  This script can be found in the following JAMF Nation posting:
##
##  https://jamfnation.jamfsoftware.com/discussion.html?id=5404#respond
##
##  And on his GitHub page here:  https://github.com/mm2270/CasperSuiteScripts/blob/master/selectable_SoftwareUpdate.sh
##
##  Thanks Mike for some great code.
##
################################################################################

## Block the user from being able to see our trickery
## Define the name and path to the LaunchAgent plist
PLIST="/Library/LaunchAgents/com.LockLoginScreen.plist"

## Set the icon
swuIcon="/private/var/inte/helperimages/UnderConstruction.png"

## The LockScreen app that ships with Apple Remote Desktop's VNC server
LockScreenApp="/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app"

## Define the text for the xml plist file.  A quoted heredoc keeps the inner
## double quotes literally; a plain "..." assignment would strip them and
## produce an invalid XML declaration.
LAgentCore=$(cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.LockLoginScreen</string>
    <key>RunAtLoad</key>
    <true/>
    <key>LimitLoadToSessionType</key>
    <string>LoginWindow</string>
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen</string>
        <string>-session</string>
        <string>256</string>
    </array>
</dict>
</plist>
EOF
)

## Create the LaunchAgent file
echo "Creating the LockLoginScreen LaunchAgent..."
echo "$LAgentCore" > "$PLIST"

## Set the owner, group and permissions on the LaunchAgent plist
## (launchd refuses agents that are not root-owned and non-writable by others)
echo "Setting proper ownership and permissions on the LaunchAgent..."
chown root:wheel "$PLIST"
chmod 644 "$PLIST"

## Use SIPS to copy and convert the SWU icon to use as the LockScreen icon

## First, back up the original Lock.jpg image
echo "Backing up Lock.jpg image..."
mv "${LockScreenApp}/Contents/Resources/Lock.jpg" \
   "${LockScreenApp}/Contents/Resources/Lock.jpg.bak"

## Now, copy and convert the SWU icns file into a new Lock.jpg file
## Note: We are converting it to a png to preserve transparency, but saving it with the .jpg extension so LockScreen.app will recognize it.
## Also resize the image to 400 x 400 pixels so it's not so honkin' huge!
##echo "Creating SoftwareUpdate icon as png and converting to Lock.jpg..."
##sips -s format png "$swuIcon" --out "${LockScreenApp}/Contents/Resources/Lock.jpg" \
##    --resampleWidth 400 --resampleHeight 400

cp "$swuIcon" "${LockScreenApp}/Contents/Resources/Lock.jpg"

## Now, kill/restart the loginwindow process to load the LaunchAgent
echo "Ready to lock screen. Restarting loginwindow process..."
kill -9 $(ps axc | awk '/loginwindow/{print $1}')

For the image, I created a funny cartoon image with text indicating that the machine was being imaged and to come back later. Using this method, once the computer is back at a login window you know it is done.

loceee
Contributor

@rcastorani You could use a method like this... https://github.com/patchoo/patchoo/blob/master/0patchoo.sh#L1722t

That bootstrapHelper function is called by a LaunchAgent at the loginwindow. It:

- caffeinates so the Mac doesn't sleep
- locks the loginwindow
- waits until the network is up and the JSS is reachable
- then tails the jamf log, and changes the loginwindow lock message to the last entry.

The output looks something like this:

http://www.rehrehreh.com/files/pd_install_chrome.png
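Combining the two approaches in this thread (stevewood's LockScreen LaunchAgent and the bootstrapHelper behaviour loceee describes), here is an added example of a loginwindow helper that locks the screen, mirrors the latest jamf.log entry onto the login window banner, and cleans up after itself so the next login window is a normal one. It is not code from patchoo or from either poster. The JSS URL, the health-check path, the "done" marker file and the jamf.log line format used in the comments are assumptions; adjust them for your environment.

```shell
#!/bin/bash
# Added example: loginwindow bootstrap helper for a thin-imaging enrollment.
# Not code from patchoo or from the posters above. JSS_URL, the health-check
# path, DONE_MARKER and the jamf.log format assumed by jamf_message are assumptions.

JSS_URL="${JSS_URL:-https://jss.example.com:8443}"            # assumed; set to your JSS
JAMF_LOG="${JAMF_LOG:-/var/log/jamf.log}"
DONE_MARKER="/var/tmp/.provisioning_done"                       # assumed; written by your final enrollment policy
HELPER_AGENT="/Library/LaunchAgents/com.example.bootstraphelper.plist"   # assumed; the agent that runs this script
LOGINWINDOW_PREFS="/Library/Preferences/com.apple.loginwindow"
LOCKSCREEN_BIN="/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app/Contents/MacOS/LockScreen"

## Strip the "Day Mon DD HH:MM:SS host jamf[pid]: " prefix from one jamf.log
## line (assumed format); lines without that prefix are returned unchanged.
jamf_message() {
    printf '%s\n' "$1" | sed -E 's/^[A-Za-z]{3} [A-Za-z]{3} +[0-9]{1,2} [0-9:]{8} [^ ]+ jamf\[[0-9]+\]: //'
}

## Message of the last jamf.log entry; empty if the log is missing or empty.
last_jamf_entry() {
    local logfile="$1"
    if [ ! -r "$logfile" ]; then
        printf ''
        return 0
    fi
    jamf_message "$(tail -n 1 "$logfile")"
}

## The JSS health-check page answers once the web app is up (assumed path).
jss_reachable() {
    curl -sSf --max-time 5 "${JSS_URL}/healthCheck.html" >/dev/null 2>&1
}

wait_for_jss() {
    until jss_reachable; do
        sleep 5
    done
}

## LoginwindowText is the banner shown beneath the login fields.
set_loginwindow_message() {
    defaults write "$LOGINWINDOW_PREFS" LoginwindowText -string "$1"
}

clear_loginwindow_message() {
    defaults delete "$LOGINWINDOW_PREFS" LoginwindowText 2>/dev/null || true
}

## Lock the login window, mirror jamf.log onto the banner until the marker
## appears, then undo everything so the next login window is a normal one.
bootstrap_helper() {
    caffeinate -dimsu -w $$ &                      # stay awake for as long as this script lives
    "$LOCKSCREEN_BIN" -session 256 &               # same lock stevewood's LaunchAgent launches
    local lock_pid=$!
    local last="" cur
    wait_for_jss
    while [ ! -f "$DONE_MARKER" ]; do
        cur=$(last_jamf_entry "$JAMF_LOG")
        if [ -n "$cur" ] && [ "$cur" != "$last" ]; then
            set_loginwindow_message "Setting up this Mac, please wait: $cur"
            last="$cur"
        fi
        sleep 3
    done
    clear_loginwindow_message
    kill "$lock_pid" 2>/dev/null || true
    rm -f "$HELPER_AGENT" "$DONE_MARKER"           # one-shot: the agent must not fire on later login windows
    kill -9 "$(ps axc | awk '/loginwindow/{print $1}')"   # reload loginwindow without the agent
}

## Only the LaunchAgent (ProgramArguments: this script, --run) starts the helper.
if [ "${1:-}" = "--run" ] && [ "$(uname)" = "Darwin" ]; then
    bootstrap_helper
fi
```

The LaunchAgent that calls this script needs the same `LimitLoadToSessionType` = `LoginWindow` key as the plist in stevewood's snippet, so it only runs at the login window. Because the loop shows whatever jamf.log wrote last, a failing policy is visible on the banner too, which is the main reason to prefer this over a static "under construction" image.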