Imaging is dead. Hello modular deployment. And yes, an MDM is still required.

November 15, 2019 by Chris Morris.

*Has only been tested on 10.13 & 10.14

I work in a specialized post-secondary department that manages its own technical infrastructure. For me this includes a 35-workstation Apple iMac lab for teaching Music Theory, Music Production, and Audio Software Development. While the workstation configuration is complex, the size of the lab does not justify the cost of a popular MDM. To make this deployment as pain-free as possible I got creative with the cheap and open-source tools available to me.

A managed network user environment (Active Directory) and the deployment of specialized, custom-configured software proved to be a challenge: license servers, hardware licensing (iLok & Steinberg), USB peripherals, and user-based pre-configured application preferences. I formerly tackled this situation with strategic editing of the default user template, but traditional imaging is dead. It’s time to move on.

Hello modular deployment. And yes, an MDM is still required.

The Tools

My new tactic is to use installr to package a fresh copy of macOS together with a variety of pre-configured pkgs for deployment. These pkgs contain applications captured with Jamf Composer, plus pkgs containing scripts to run at first boot. These scripts take care of things like skipping the Apple Setup Assistant, creating a local administrator, naming the workstation, configuring Apple Remote Desktop, enabling SSH, and enabling the root user. That is a good chunk of work completed before the workstation has even finished its first boot.

Below is the script I use to configure ARD, enable SSH, and enable the root user, assuming the administrator account is named “admin”. I used munki-pkg to build the script as a payload-free pkg so it could be included with the installr build. Note: always build your pkgs as “distribution style”; installr will fail otherwise.

```bash
#!/bin/bash

## Turn on Remote Desktop Sharing and restrict access to specified users only:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers

## Grant the admin account ARD access with all privileges:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users admin -access -on -privs -all

## Turn on Remote Login (SSH):
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

## Enable the root user (adminPassword and rootPassword stand for the real values):
dsenableroot -u admin -p adminPassword -r rootPassword
exit 0
```
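The script above bakes both passwords into a pkg that is archived with the installr build and served from the deployment dmg, so anyone who can read the dmg can read them. The following is an added example, not code from the original post or from munki-pkg: it scaffolds a munki-pkg project for the same payload-free, distribution-style first-boot package, but the postinstall reads the two passwords from a root-only file and destroys it after use. The admin account name “admin” comes from the post; the secrets path /private/var/root/firstboot.secrets is a hypothetical location that would be staged separately (for example pushed once over ARD, never placed in the dmg), the identifier edu.example.firstboot is a placeholder, and the build-info.plist keys follow munki-pkg's documented format.

```shell
#!/bin/bash
# Added example, not code from the original post. Scaffolds a munki-pkg
# project for a payload-free, distribution-style first-boot package whose
# postinstall configures ARD and SSH and enables root, reading the two
# passwords from a root-only file instead of literals in the script.
# Assumptions: the admin account is "admin"; /private/var/root/firstboot.secrets
# is a hypothetical path that is staged separately (never in the deployment
# dmg); build-info.plist keys follow munki-pkg; edu.example.* is a placeholder.
set -eu

# build-info.plist for munki-pkg. distribution_style must be true because
# installr rejects component-style packages.
write_build_info() {
    local dir=$1 name=$2 identifier=$3 version=$4
    cat > "$dir/build-info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>distribution_style</key>
    <true/>
    <key>identifier</key>
    <string>${identifier}</string>
    <key>install_location</key>
    <string>/</string>
    <key>name</key>
    <string>${name}-${version}.pkg</string>
    <key>ownership</key>
    <string>recommended</string>
    <key>postinstall_action</key>
    <string>none</string>
    <key>suppress_bundle_relocation</key>
    <true/>
    <key>version</key>
    <string>${version}</string>
</dict>
</plist>
EOF
}

# The postinstall script. The heredoc delimiter is quoted so nothing expands
# now; the script runs as root on the target during first boot.
write_postinstall() {
    local dir=$1
    mkdir -p "$dir/scripts"
    cat > "$dir/scripts/postinstall" <<'EOF'
#!/bin/bash
set -eu
[ "$(id -u)" -eq 0 ] || { echo "postinstall must run as root" >&2; exit 1; }
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
SECRETS=/private/var/root/firstboot.secrets   # hypothetical staged path, expected mode 0600

## Turn on Remote Desktop for admin only, with all privileges, and restart the agent
"$KICKSTART" -activate -configure -access -on -users admin -privs -all -restart -agent

## Turn on Remote Login (SSH)
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

## Enable the root user from the staged credentials, then destroy the file
[ "$(find "$SECRETS" -type f -perm 0600 2>/dev/null)" = "$SECRETS" ] \
    || { echo "secrets file missing or not mode 0600" >&2; exit 1; }
admin_pw=$(sed -n 's/^ADMIN_PW=//p' "$SECRETS")
root_pw=$(sed -n 's/^ROOT_PW=//p' "$SECRETS")
dsenableroot -u admin -p "$admin_pw" -r "$root_pw"
rm -P "$SECRETS"
exit 0
EOF
    chmod 755 "$dir/scripts/postinstall"
}

# Create the project tree; `munkipkg <dir>` then produces the pkg.
scaffold_firstboot_pkg() {
    local dir=$1
    mkdir -p "$dir/payload"    # empty payload directory = payload-free package
    write_build_info "$dir" "firstboot-config" "edu.example.firstboot" "1.0"
    write_postinstall "$dir"
}

# Pre-build check: distribution style on, postinstall executable, and none of
# the literal placeholder passwords from the hand-written script left behind.
check_project() {
    local dir=$1
    awk '/<key>distribution_style<\/key>/ { getline; if ($0 ~ /<true\/>/) ok = 1 }
         END { exit ok ? 0 : 1 }' "$dir/build-info.plist" || return 1
    [ -x "$dir/scripts/postinstall" ] || return 1
    ! grep -qE 'adminPassword|rootPassword' "$dir/scripts/postinstall"
}
```

Running scaffold_firstboot_pkg on a directory and then check_project on it gives a project that munkipkg turns into the pkg; the secrets file is the only thing left to deliver out of band, and the postinstall refuses to proceed if it is missing or readable by anyone but root.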

I use Jamf Composer to capture application installations and compile them as a .pkg. Jamf Composer is also great at identifying the important plists, authorization files, and Application Support files that live in the user Library instead of the system Library. These files are collected, deployed to each workstation during the initial boot phase, and stored in a staging directory (/usr/local/plists). Outset then copies these user-specific preferences into each new user's home upon their first login.

Below is an example of a script I would use to copy pre-configured plists to the user's Preferences folder (/Users/$USER/Library/Preferences). This would be placed in Outset's “login-once” directory.

```bash
#!/bin/bash
## Copy PLIST files from /usr/local/plists to the current user's ~/Library/Preferences/ directory.
## Lives in Outset's login-once directory, so it runs once per user at first login.

## Get the current console user from SystemConfiguration (ignores the login window itself)
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )

## Abort rather than copy into /Users//Library/Preferences when no user was found
[ -n "$loggedInUser" ] || exit 1

## Copy PLIST files (path is quoted in case the user name contains spaces)
cp -r /usr/local/plists/. "/Users/$loggedInUser/Library/Preferences/"
```
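A more defensive version of that login-once copy, as an added example that is not part of the original post: it aborts instead of copying into /Users//Library/Preferences when the console user cannot be resolved, quotes the destination path, and skips any preference file the user already has, so a re-run never clobbers a user's own changes. The source and destination directories are parameters so the copy logic can be exercised outside macOS; /usr/local/plists is the staging directory from the post, and the function names console_user, stage_prefs and main are mine.

```shell
#!/bin/bash
# Added example, not code from the original post or from Outset.
# Copies staged *.plist files into the console user's Preferences folder
# without overwriting files that already exist, and refuses to run when the
# console user cannot be determined. /usr/local/plists is the staging
# directory from the post; function names are this example's own.
set -eu

# Resolve the console user. On macOS use the SystemConfiguration lookup from
# the post (ignoring "loginwindow"); elsewhere, or if that yields nothing,
# fall back to the invoking user, which is what Outset runs login-once as.
console_user() {
    local u=""
    if command -v scutil >/dev/null 2>&1; then
        u=$(echo "show State:/Users/ConsoleUser" | scutil \
            | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ($2 != "loginwindow") print $2 }')
    fi
    [ -n "$u" ] || u=$(id -un)
    printf '%s\n' "$u"
}

# Copy every *.plist from $1 into $2, keeping any file the user already has.
# Prints the number of files copied; returns 1 when the staging dir is absent.
stage_prefs() {
    local src=$1 dst=$2 f base copied=0
    [ -d "$src" ] || { echo "staging dir $src missing" >&2; return 1; }
    mkdir -p "$dst"
    for f in "$src"/*.plist; do
        [ -f "$f" ] || continue            # glob matched nothing
        base=$(basename "$f")
        if [ -e "$dst/$base" ]; then
            continue                       # keep the user's existing preference
        fi
        cp "$f" "$dst/$base"
        chmod 600 "$dst/$base"             # preferences are private to the user
        copied=$((copied + 1))
    done
    echo "$copied"
}

main() {
    local user
    user=$(console_user)
    [ -n "$user" ] && [ "$user" != "loginwindow" ] \
        || { echo "no console user; aborting" >&2; exit 1; }
    [ -d "/Users/$user" ] || { echo "/Users/$user does not exist" >&2; exit 1; }
    stage_prefs /usr/local/plists "/Users/$user/Library/Preferences"
}

# Only perform the copy on macOS; on other systems the functions are merely
# defined so the logic can be tested.
case $(uname) in
    Darwin) main ;;
esac
```

Because the copy skips files that already exist, the same script is safe to leave in Outset's login-every directory as well, where it would top up any preference that was deleted without touching ones the user has changed.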

A few other scripts I run at boot compiled by some amazing people:

macOS Server is simply leveraged to host the dmg compiled by installr for deployment. Profile Manager is used to manage the minutiae such as binding to AD, login window text, login items, printing, restrictions, OS updates, and kernel extension whitelists. And yes, I know Profile Manager is awful, but it works just enough.

This process usually means I only need to touch each workstation twice: once to initialize the startosinstall process, and a second time to approve the Configuration Profiles, which must be done manually. I deploy the Configuration Profiles with the installr build to a staging directory and run the command below via Apple Remote Desktop to install them:

```bash
profiles -I -F [.mobileconfig filepath]
```
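Installing the whole staging directory in one pass, as an added example that is not the post's own command: it loops over every .mobileconfig, rejects any file that does not carry a PayloadIdentifier (both plain and signed profiles carry it in cleartext, so a truncated or wrong file is what gets caught), runs profiles -I -F on the rest, and records each success in a marker file so the ARD command can be re-sent without re-installing. The staging directory /usr/local/profiles and the marker path are hypothetical (the post does not name its staging directory); PROFILES_BIN defaults to /usr/bin/profiles and can be pointed at a stub for testing.

```shell
#!/bin/bash
# Added example, not code from the original post. Installs every staged
# .mobileconfig with `profiles -I -F`, skipping files that are not profiles
# and files already recorded as installed. /usr/local/profiles and the marker
# file path are hypothetical; PROFILES_BIN is overridable for testing.
set -eu

PROFILES_BIN=${PROFILES_BIN:-/usr/bin/profiles}

# Install each profile in $1 that is not yet listed in marker file $2.
# Prints the number installed this run; returns 1 if the directory is absent.
install_staged_profiles() {
    local dir=$1 state=$2 f base installed=0
    [ -d "$dir" ] || { echo "no staging dir $dir" >&2; return 1; }
    touch "$state"
    for f in "$dir"/*.mobileconfig; do
        [ -f "$f" ] || continue                       # glob matched nothing
        base=$(basename "$f")
        if grep -qxF "$base" "$state"; then
            echo "skip $base (already installed)" >&2
            continue
        fi
        # -a treats signed (binary CMS) profiles as text so the check works for both
        if ! grep -aq '<key>PayloadIdentifier</key>' "$f"; then
            echo "skip $base (not a configuration profile)" >&2
            continue
        fi
        if "$PROFILES_BIN" -I -F "$f"; then
            echo "$base" >> "$state"
            installed=$((installed + 1))
        else
            echo "install failed for $base" >&2   # keep going; ARD shows the log
        fi
    done
    echo "$installed"
}

# Only run for real on macOS (as root, via ARD); elsewhere just define the function.
case $(uname) in
    Darwin) install_staged_profiles /usr/local/profiles /var/db/.staged-profiles-installed ;;
esac
```

The per-file check stops a half-copied profile from being handed to profiles at all, and the marker file keeps the one-line ARD command idempotent, which matters when the same Unix command is sent to all 35 machines and a few time out.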

There are likely many better ways to do what I’ve outlined above, and I’d love to hear about them. This process worked for me only because of the small number of workstations in a fixed environment.
