Imaging. We used to say that we imaged computers. But then came Apple File System (APFS) and the need for Macs to have specific firmware installed to support APFS’s capabilities. These days, preparing a device to go into the hands of an end user is more about provisioning the Mac for use by installing an OS and then configuring it for a person’s use than it is about creating a disk image and applying it to a Mac to prepare it for someone to use.
When we say “imaging” a Mac, we typically think of erasing a device and putting new bits on the device so the device has everything a user needs to get their work done. At first, this was done by creating a “monolithic” image, where the disk image was taken from a Mac which had been set up with everything needed. That monolithic image was then applied to other Macs to make them exact clones of that first Mac. But that lacked flexibility, so we moved from monolithic imaging to package-based imaging, where we installed an image just containing the OS and then applied a series of installer packages to set up the Mac. Then we moved from package-based imaging to restoring a “thin” image, or one with just the operating system and an agent, where the agent would set up the Mac using settings and software pulled down from a management server. Then Apple gave us the Automated Device Enrollment program (or ADE for short), formerly known as the Device Enrollment Program (DEP), and we skipped doing any predelivery setup work altogether and started just providing a fresh-out-of-the-box Mac to our non-IT colleagues. Once they started the Mac for the first time, Apple’s Setup Assistant and the follow-up configuration workflows enabled our colleagues to set up their own Macs without anyone else’s assistance. This saves many large organizations the $20–$40 per device cost that they used to pay to have Macs set up prior to delivering them. ADE automatically enrolls the device into a Mobile Device Management (MDM) solution, puts apps on the device, and puts the agent on the device through MDM. There are fewer options, but the process has never been so streamlined with such a small amount of work.
Shipping devices directly to a user makes them feel like they’re getting the new device they were always getting. Once, administrators had everything necessary to provision a device out of the box. However, with the release and general adoption of Apple’s Apple File System (APFS) filesystem, traditional imaging became much more difficult. In its place, Apple has recommended installing the operating system and using MDM profiles, scripts, and installer packages to configure the operating system for use. These changes introduced a learning curve for many Mac admins, but ultimately this change is one for the better.
macOS Startup Modifier Keys
To aid with provisioning and other functions, Apple has always allowed you to boot a computer while holding down a given keystroke in order to invoke a specific startup sequence.
With the introduction of Apple Silicon Macs in addition to Macs with Intel processors, those keystrokes (otherwise known as Startup Modifiers) are going to be different between Apple Silicon and Intel Macs.
Startup modifier | What it does
Power key (hold down for ten or more seconds) | Boots into the Startup Options screen, which allows you to select which volume you want to boot to, choose to boot into Safe Mode, or choose to boot into the Recovery environment.
Alt or Option key | Boots into the Startup Manager, which allows you to select a wireless network and then choose which volume you want to boot to.
C key | Boots into volumes on a CD, DVD, or USB drive.
Command-Option-P-R keys | Resets the parameter RAM (or PRAM for short).
Command-R keys | Boots into the macOS recovery mode, useful when doing an Internet restore or using Disk Utility to repair a volume.
Command-Option-R keys | Boots into Apple’s cloud-hosted recovery mode.
Command-S keys | Boots into single-user mode.
Command-V keys | Boots into verbose mode, so you see a log of everything during the startup process.
D key | Boots into diagnostics, used for checking the hardware of your system. Depending on Mac model, this will load either Apple Hardware Test (for Mac models introduced before June 2013) or Apple Diagnostics (for Mac models introduced in June 2013 or later).
Option-D keys | Boots into Apple’s cloud-hosted Diagnostics.
Eject key, F12 key, or mouse/trackpad button | Ejects any removable media inserted into the Mac.
N key | On NetBoot-capable Macs, boots to a NetBoot volume. (Macs equipped with T2 chips are not capable of NetBooting.)
Option-N keys | On NetBoot-capable Macs, boots to the default NetBoot volume on a particular network.
Shift key | Boots into Safe Boot mode. Safe Boot verifies the startup disk and repairs directory issues, disables user fonts and clears their cache, loads only required kernel extensions and clears their cache, clears system caches, and disables startup and login items.
T key | Boots into Target Disk Mode (TDM). TDM sets the system as a disk which can be mounted on another system as an external drive.
X key | Boots to a macOS startup disk when otherwise booting to a Windows partition or startup manager.
macOS Provisioning with ADE
1. You must have an Apple School Manager (ASM) or Apple Business Manager (ABM) instance set up for your company, school, or institution.
   If you're a school or other educational institution, you will be using Apple School Manager.
   If you're not a school or other educational institution, you will be using Apple Business Manager.
2. You must have a Mobile Device Management (MDM) solution, and that MDM solution must be capable of working with ASM/ABM.
3. The Mac being set up must be registered with your company, school, or institution's ASM/ABM instance.
Once these prerequisites are fulfilled, you can use ADE to set up your Macs. In your ASM/ABM instance, you can set your registered Macs to be automatically enrolled with your MDM. This automated enrollment means that the Macs will automatically check in with your MDM when the Mac is going through the initial setup process for macOS. The MDM can in turn provide an automated setup workflow for that Mac to run through.
1. Assign a Mac’s serial number to a particular MDM server.
2. Install a fresh copy of macOS onto the Mac.
3. On boot, the Mac will be automatically enrolled in the MDM server, and Apple’s Setup Assistant can be managed to set up the Mac with a desired configuration.
4. If desired, the MDM can also install software and profiles to further configure the Mac.
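A provisioning workflow should end by confirming that the Mac really did come through Setup Assistant enrolled via ADE, rather than assuming it did. The script below is an added example (not from the book or from any MDM vendor) that parses the output of macOS’s `profiles status -type enrollment` command and gates on the expected state. The two sample outputs embedded in it are constructed for the example, and the state names it prints are the script’s own.

```shell
#!/bin/sh
# Added example (not from the book): confirm that a Mac that has just come
# through Setup Assistant is enrolled via ADE and that the MDM enrollment
# is user approved, by parsing `profiles status -type enrollment`.
# The parser takes the command's text as an argument so that it can be
# exercised on constructed sample output where the command does not exist.

# Constructed sample: what the command reports on an ADE-enrolled Mac
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Constructed sample: a Mac set up without ADE and never enrolled
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'

# enrollment_state TEXT
# Prints one of: ade-approved, ade-unapproved, ade-no-mdm, mdm-only, none
enrollment_state() {
    text="$1"
    # Pull the value after each label; sed sees one line at a time
    dep=$(printf '%s\n' "$text" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$text" | sed -n 's/^MDM enrollment: *//p')
    case "$dep" in
        Yes)
            case "$mdm" in
                'Yes (User Approved)') echo ade-approved ;;
                Yes*)                  echo ade-unapproved ;;
                *)                     echo ade-no-mdm ;;
            esac ;;
        *)
            case "$mdm" in
                Yes*) echo mdm-only ;;
                *)    echo none ;;
            esac ;;
    esac
}

# check_enrollment TEXT
# Exit status 0 only for the state a completed ADE workflow should leave
# behind; suitable as the last step of a provisioning script.
check_enrollment() {
    state=$(enrollment_state "$1")
    echo "enrollment state: $state"
    [ "$state" = ade-approved ]
}

# On a Mac, read the live status (the command may need sudo for full
# output); elsewhere, run the check over the constructed sample.
if [ "$(uname -s)" = Darwin ] && command -v profiles >/dev/null 2>&1; then
    check_enrollment "$(profiles status -type enrollment 2>/dev/null)"
else
    check_enrollment "$SAMPLE_ENROLLED"
fi
```

A Mac that reports `mdm-only` was enrolled by hand (or by a non-ADE tool) and will not be supervised the way an ADE-enrolled Mac is, so a workflow that expects ADE should treat anything other than `ade-approved` as a failure to investigate.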
- That the Mac is being set up.
- Status information about where the Mac is in the setup process.
- Any additional information that the system administrator may choose to provide as part of the setup process.
The other important function provided by this tool is that it prevents the user from making any changes to the Mac before the setup workflow has completed its task of setting up the Mac with its required set of software and settings.
A commercial tool with similar functionality is Octory from Amaris Consulting. This tool provides a user-facing interface that allows the new Mac’s user to see the same kind of information.
DEPNotify
Octory
Site: www.octory.io
macOS Provisioning Without ADE
ADE is a great deployment solution, but being able to use it requires Apple School Manager (ASM) or Apple Business Manager (ABM), an MDM solution, and also having the Mac registered with the appropriate ASM or ABM instance. For some environments, one or more of those components aren’t available, but Macs still need to be set up and configured.
One solution to this problem is a tool called Mac Deploy Stick (MDS) from Twocanoes Software. MDS makes it easy to wipe and reinstall a Mac quickly the same way you can with Apple Configurator for iOS and iPadOS. The reason you need a tool like Mac Deploy Stick is that Apple gives users the ability to reinstall the operating system from the recovery partition, but that installer has to get downloaded during a very manual process. MDS creates those resources locally (e.g., on a USB stick or other external media) instead and organizes them into workflows, which can be deployed more quickly – and come with a simple setup so Macs can be set up faster. An optional Arduino can become a Mac Deploy Stick Automation, which inserts keystrokes during boot time so administrators don’t have to hold down Command-R during the boot process (see more on Startup Modifier Keys in the next section of this chapter).
Installation
To get started, download MDS from http://twocanoes.com/products/mac/mac-deploy-stick/. Then run the installer package. Once installed, open the MDS app from your Applications directory, and provided it opens, it’s time to create your first workflow.
Create a Workflow
This will set up the Mac with the applications, tools, and settings needed to operate properly at the company, school, or institution in question.
There are a lot more workflows than just this one, so to learn more about MDS, go to https://twocanoes.com/knowledge-base/mds-4-guide/.
One of the important components of MDS when used on Intel Macs is an open source project known as Imagr, developed by Graham Gilbert. Imagr is a community project that runs not only on macOS but on Linux as well. While Imagr was originally developed for use with NetInstall and a web server, Twocanoes built on the existing Imagr project to provide MDS’s ability to provision Macs.
Imagr
Site: https://github.com/grahamgilbert/imagr/
Purpose: Imaging and deployment for Mac systems
For Apple Silicon Macs, Twocanoes has developed a counterpart solution called MDS Deploy. MDS will detect which kind of processor the Mac is using and automatically use Imagr or MDS Deploy as needed.
Upgrades and Installations
Running the OS installer on an individual Mac requires administrator rights, but otherwise is an easy experience where you double-click to launch the installer application and follow the prompts.
In the preceding command, we’ve already loaded the “Install macOS Ventura.app” on a machine. While you’d expect it to find the application path based on its own name, we went ahead and supplied it, as that seems to be the convention. Basically, --agreetolicense keeps us from having to run some expect scripts to accept a license agreement, --nointeraction suppresses as many of the screens as possible, and --volume allows us to install to any volume we’d like. This isn’t fully automated, but I have been able to layer in some more logic to quit apps before the script fires and then expect out other items from the script to automate a restart, watching for osinstallersetupd as a key.
--license: Prints the user license agreement only.
--agreetolicense: Agrees to the license you printed with --license.
--rebootdelay: How long to delay the reboot at the end of preparing. This delay is in seconds and has a maximum of 300 (5 minutes).
--pidtosignal: Specifies a PID to which to send SIGUSR1 upon completion of the prepare phase. To bypass “rebootdelay,” send SIGUSR1 back to startosinstall.
--installpackage: The path of a package (built with productbuild(1)) to install after the OS installation is complete; this option can be specified multiple times.
--eraseinstall: (Requires APFS) Erases all volumes and installs to a new one. Optionally specify the name of the new volume with --newvolumename.
--newvolumename: The name of the volume to be created with --eraseinstall.
--preservecontainer: Preserves other volumes in your APFS container when using --eraseinstall.
--usage: Provides the list of startosinstall options.
--nointeraction: Suppresses a number of screens where a human would be asked to make choices.
--volume: Allows startosinstall to run the installation process on a drive other than the boot drive.
One particularly useful function is the --installpackage function, which allows one or more packages stored on the Mac in question to be installed following the upgrade. Something to be aware of is that if you want to add any additional packages, they must all be signed or unsigned distribution-style flat packages. This is a requirement that Apple first introduced for the OS X Yosemite installer, and it still applies to the latest versions of macOS.
This is all a bit bulkier than just using something like createOSXinstallPkg, a tool for building OS installers which was compatible with Mac OS X Lion through macOS Sierra, but it’s important to mention that a number of system components permitted by System Integrity Protection (SIP) rely on osinstallersetupd, and so this blessed mechanism is likely the future until you can trigger an OS upgrade (and update, I suppose) using an MDM command.
Reprovisioning a Mac
Most organizations will take an iOS device out of service, erase the device, and hand it to the next user. Administrators of Macs have long wanted a similar feature, and it arrived as of macOS Monterey with the Erase All Content and Settings feature for Apple Silicon Macs and Intel Macs equipped with the T2 security chip.
Selecting the Transfer or Reset preference will provide access to the Erase All Content and Settings button.
Clicking Continue will wipe the encryption keys used to protect the data on the Mac, along with all other data which is not part of the operating system. The end result will be that the Mac will be returned to a factory-default configuration with an unconfigured macOS installation.
Once the Mac is back to having only an unconfigured copy of macOS installed, it can now be set up for use with whatever provisioning tool works best for the Mac admin in question.
Virtual Machines
- Anything involving having an Apple-registered hardware serial number/sending hardware serial number back to Apple: This includes iCloud services like Find My Mac and Messages. It also applies to getting hardware-specific OS installers via Recovery HD.
Depending on the virtual machine software being used, it may be possible to get around some of the limitations by assigning an actual Mac’s model and serial number to the virtual machine.
- Most things involving EFI: Functions like Apple Internet Recovery or holding down the Option key to get a list of bootable volumes will not work. However, some things involving EFI work specifically because VMware made them work. For example, both NetBoot and FileVault 2 work fine in a VMware VM.
- Wireless connections: Virtual machines don’t have a Wi-Fi card, though they may talk to a network via your Mac’s Wi-Fi connection. You can test in a VM to make sure that your Wi-Fi settings apply; you can’t test to verify that they work.
There are a number of virtualization solutions available which support running macOS virtual machines. Several well-known ones are listed as follows.
Parallels
UTM
Site: https://mac.getutm.app
Summary
Imaging’s death has been widely reported, but workflows for restoring devices, provisioning, and reinstalling operating systems are all very much alive. With ADE, it’s now possible to provide a user-centric setup experience for both macOS and iOS where it’s possible that IT’s only involvement is making sure that the device was delivered to the right person. On macOS in particular, tools like DEPNotify or Octory allow IT to enable a great user experience by providing a guided setup process for a Mac.
Meanwhile, for those companies, schools, or institutions that can’t yet take advantage of ADE, tools like Mac Deploy Stick enable automated provisioning workflows which demand the bare minimum of IT intervention.
In the end, Mac admins need to choose the setup and provisioning workflows which work best for them, but wise use of these tools will help conserve the most precious resource a Mac admin has: time.