May Las Vegas, NV. Mirage Resort

Session ID # Mac Provisioning Best Practices Mike Stahulak – Development Engineer Bennett Norton – Pre-sales blog: UEMB160

New OS X Provisioning Actions  Core Storage  Fusion Drive  Recovery Partition  Device Name Prompter  Mapped Software  Agent Settings  Configure Agent

Demo Click to Watch the Example Video

GitHub Script Repository 5

The Big 5 Architecture Pieces LDMS 2016, SU3 & OS X Agent 1081 NetBoot Image NetBoot Listener or NBI USB Preferred Package Server AFP or SMB Image Share

Understanding the LANDESK NBI 77 System Image Utility Step 1 Apple NBI Step 2 Apple NBI OS X Startup Scripts LANDESK Agent LANDESK Disk Stamper Utility LANDESK NBI

LANDESK NBI Build Tips  Always use the latest OS installer from Apple, paying attention to the dot release  Ensure you have the most up-to-date LANDESK Mac agent  Compress the NBI when transferring to a Windows machine and extract on the machine itself 88 Click to Watch the Example Video

Configure the NetBoot Service OS X Server NetInstall LANDESK PXE Representative

System Integrity Protection & NetBoot  You cannot remotely reboot to NetBoot on an El Capitan machine unless you have whitelisted the NetBoot server  Boot to the machine’s recovery disk, OS Installer or NetBoot environment and run ‘csrutil netboot add ipaddress’  This requires a physical touch to every machine  Resetting the NVRAM removes this setting  Script provided in the notes to add to a whitelist specific NetBoot image. See the video for details.  1010 Click to Watch the Example Video

Preferred Package Server & Image Share Preferred Package Server SMB or AFP File Share Click to Watch the Example Video

Creating Your Gold Image  Use the open source tool AutoDMG – it builds an image directly from the OS X installer making the image completely hardware independent  As part of the image creation process, AutoDMG will also create everything needed to deploy the Recovery partition  Leverage additional tools/scripts with AutoDMG such as CreateUserPkg, Skip Apple Setup Assistant and Disable iCloud and Diagnostics Pop  Shout out to Per Olofsson and Rich Trouton for the scripts/utilities  Links to the scripts/utilities available in the speaker notes  1212 Click to Watch the Example Video

Discovering the Correct Partition Identifier for Templates  Open Terminal on the you’ll either be capturing or deploying to  Make note of the Identifier for the partition(s). You’ll need the proper Identifier when creating the capture template or when disabling Core Storage on your deployment template.  Typically the correct identifier for OS X will be disk0s2 unless Core Storage has been enabled and then the logical volume of disk1 may be the correct choice. §Open Terminal on your machine you want to capture the image from, run the command Diskutil List and make note of the Identifier for the partition to be imaged. You’ll need the proper Identifier when creating the capture template. In this example, disk1 is the proper Identifier.

Provisioning Template Chooser  Only templates in the Public Folder will be displayed  When prompted for credentials, make sure the user provided is a LANDESK user.  A valid Windows account will grant you access to select a template, but it will fail to create a scheduled task on the core.  If your LANDESK user is tied to a domain account, make sure you enter your username as a domain\user.  1414

Provisioning Template Chooser – Detailed View  To watch the provisioning actions being executed from within a terminal window during the provisioning process, prior to booting into the NBI session, open up a Terminal window and run the command:  sudo nvram ldosdterm=1  Note: This is a permanent flag that would need to be removed if you want the template picker to automatically show the next time you image the machine. To so do, from within a terminal window, type: sudo nvram –d ldosdterm  Boot to the LANDESK NBI  When the NBI loads, you’ll be presented with a terminal prompt instead of the Template Choooser  Within the terminal window, type: /Library/Application\ Support/LANDesk/bin/ldpprovision  Select your desired template and authenticate  1515

Deploy Template Best Practice

The Five Steps of a Deployment Template System Migration All actions take place within the pre-OS boot environment or within the OS currently installed Use this step to mount shares, copy files off, collect user data and reboot the device to NetBoot Pre-OS Installation All actions take place within the NetBoot environment This phase is destructive to any existing data Use this step to create the partition structure, typically a the OS partition and a Recovery partition OS Installation All actions take place within the NetBoot environment Use this step to deploy your Mac image, Recovery partition image and Windows image if desired Post-OS Installation All actions take place within the NetBoot environment Use this step to rename the machine, deploy the LANDESK agent and reboot into the newly deployed operating system System Configuration All actions take place within the newly deployed operating system Use this step to deploy software, change agent settings (configuration profiles with LDAP bindings, security settings, WiFi), install mapped software and restore previously copied off profile information

Creating a Mac Deploy Template  Go to Tools > Provisioning > OS Provisioning > New Template and select Mac Deploy Template  Provide a template name  Enter a template description if desired  Specify the SMB or AFP path for your captured OS X image, i.e. smb://ldserver.ldlab.org/Imaging/OSX.dmg  If also deploying a Windows image, check the Include Windows Image box  Provide the SMB or AFP path for your captured Windows image, i.e. smb://ldserver.ldlab.org/Imaging/Windows10.i mage  Ignore the profile path

NetBoot Reboot  If you do not plan to use the NetBoot feature (i.e. provisioning a brand new machine), remove this action completely. If you don’t remove it, when the device reboots into the System Configuration phase it will attempt to retry the failed NetBoot action at that point causing the whole process to start over.  If you are going to Netboot, edit the Netboot action in the System Migration step  Ensure the NetBoot radio button is selected  Enter the NetBoot server using the format ‘bdsp://ipaddress.’ This will be your PXE representative or OS X server

Disable Core Storage  You can’t erase a drive that is involved with core storage. So in order to partition the disk, Core Storage needs to be disabled.  Add the Partition action to the Pre-OS Installation step  Select Set Core Storage for the Action Type  Select the Disable radio button  Enter the disk identifier for the Logical Volume, likely disk1. Diskutil list will tell you for sure  Rename the action to something more identifiable, by right clicking on the action and selecting properties.

Create Partitions  Edit the Create Partitions action in the Pre-OS Installation step  Change the Disk ID from 0 to disk0. The template wizard does not automate this piece correctly.  If using the AutoDMG image, no additional partitions will need to be added. If you’ve captured your image from a machine, add in a second partition for the recovery partition. Name the volume Recovery HD and set the size to 860 with a Journaled HFS+ file system type  Add a MSDOS partition if deploying a Windows image as well. You can specify the size in a percentage of the drive if you desire.

Fusion Drive Partitions  If deploying to a Fusion Drive, edit the Create Partitions action in the Pre-OS Installation phase  Change the Action type to Create an OS X Fusion Drive  Set the partition identifiers, likely disk0s2 and disk1s2  Provide the desired volume name, the default is Macintosh HD, and set the file system type to Journaled HFS+  Rename the action to something more identifiable by right clicking on the action and selecting properties.  Note: Fusion drives do not need the enable core storage action

Deploy an Image  It’s likely you’ll not need to tweak the Deploy an Image action in the OS Installation step, the only item to pay attention to is the disk identifier (/dev/disk0s2) listed in the command line. Make sure this matches to what you’ve defined in the Create Partitions action.  If deploying to a Fusion drive, you may need to set the identifier to disk2 or other depending on the number of drives in the device.  If you want to enable Core Storage, perform that action after you’ve deployed your image and rebooted into the OS so you know exactly what identifiers to use

Deploy a Recovery Image  Again, if using the AutoDMG image, this step will not be required. It will take care of it automatically as part of the standard image deploy action.  If using your own image capture, add the Deploy an Image action to the OS Installation step  Provide the SMB or AFP file path and recovery image name ending with.dmg  Select the Mac Image radio button  Check the box for ‘This is a recovery partition’  Click the Validate button to build the command-line parameters  Change the disk0s2 to disk0s3 or whatever you set in the Create Recovery Partition action.  Rename the action to something more identifiable, by right clicking on the action and selecting properties.

Configure Agent  The Configure Agent action from the GUI, is only available in the System Configuration phase. However, in order to successfully move into the System Configuration phase, you’ll need to move your Configure Agent action into the Post-OS Installation area. So add your action in the System Configuration step, select your desired agent from the Configuration dropdown menu, apply it and then drag it up to the Post-OS Installation step.  Note: Make sure your agent you’re deploying does not include Mac AV at this point. The reboots caused by AV will mess up the provisioning process. If you want to add in AV, deploy it as your last action in the System Configuration phase.  In addition to moving the action into the Post-OS Installation step, there is a variable that needs to be added to tell the agent installer to what partition do you want to write to. Go to the properties of the action and add in the variable “volumename” and insert the name of the disk volume specified in your Create Partitions action, the default name for OS X being Macintosh HD * This action has some known issues in LDMS An update post SU3 will address them.

Reboot Action  In order to continue on the provisioning process, once the OS loads, we need to schedule a task to start provisioning again. Do this with a reboot action, specifying the correct partition.  Add the action Reboot/shutdown to the Post-OS Installation step as the last action in that section*  Select the Reboot radio button  Set a timeout value if desired  Set the partition identifier to disk0s2 or to whatever matches your Deploy Image action.  If you’ve enabled Core Storage the value may be disk1. Best practice would be to enable Core Storage in the System Configuration to avoid confusion  If you’re working with a Fusion drive, the value may be disk2, depending on the number of drives in the system. * This action has some known issues in LDMS An update post SU3 will address them.

Device Name Prompter  Add the action Device Name Prompter to the Post-OS Installation step  Select the desired radio button, LDHostName, Mapped HostName or Name Template.  If choosing Name Template, create your naming schema using sequences and machine variables

Distribute Software  Add the action Distribute Software to the System Configuration step  Select your desired package from your packages list  Rename the action in the Properties panel for the action to match the name of the software to deploy

Install Mapped Software  Add the Install Mapped Software action to the System Configuration phase  This action is only needed if performing an upgrade or a rebuild. If there are no machine mappings, this step will show as successful and just move on.  Make sure you’ve performed the software mappings under Provisioning > OS Provisioning > Tools > Product to Package Mappings

Change Agent Settings  You can easily tweak how the standard agent behaves or apply additional configuration profiles using the Change Agent Settings  Add the action Change Agent Settings to the System Configuration step  Select the Mac Configuration Profile agent setting that contains all of the desired configuration profiles  Adjust any other desired agent setting, such as the Reboot settings or Distribution and Patch settings  Rename the action to something more identifiable by right clicking on the action and selecting properties.

Active Directory Binding  To bind a Mac to AD, you’ll need to build a Configuration Profile in Profile Manager on an OS X server and import that profile into a Mac Configuration Profile agent setting  Add the action Change Agent Settings to the System Configuration step  From the Mac Configuration Profile type, select your agent setting that contains your AD binding profile  Rename the action to something more identifiable by right clicking on the action and selecting properties.

Enable Core Storage  Core Storage is enabled by default on all new Macs. It is a good idea to re-enable this option on your newly deployed Mac image. Unless you deployed to a Fusion Drive, you’ll need to create an action to do this.  In the OS Installation area, add a Provisioning Action.  Select Set Core Storage for the Action Type  Select the Enable radio button  Enter the disk identifier for the drive you deployed your image to, likely disk0s2.  Rename the action to something more identifiable, by right clicking on the action and selecting properties.  Now move the action to the System Configuration phase. If you leave it in the OS Installation step, it’ll be harder to know what identifier to use in your other actions.

LANDESK Actions as Package Scripts  Add the action Distribute Software to the System Configuration step  Select your package script from your list of Software Distribution packages  Rename the action to something more identifiable by right clicking on the action and selecting properties. From the Distribute Software

Capture Template Best Practice

Image Capture Decision  In most scenarios, using AutoDMG to create your image is going to be the most ideal as the image will be completely hardware independent.  However, if you want to capture a unique custom configuration, maybe with multiple partitions (Mac and Windows), you can leverage a Capture Mac Template

The Five Steps of a Capture Template System Migration All actions take place within the pre-OS boot or within the OS currently installed Use this step to reboot the fully configured device to NetBoot Pre-OS Installation All actions take place within the NetBoot environment This phase is destructive to any existing data so use caution It's likely that you will not need to perform any actions for a capture template OS Installation All actions take place within the NetBoot environment Use this step to capture your Mac image, Recovery partition image and Windows image if desired Post-OS Installation All actions take place within the NetBoot environment Use this step to reboot or shutdown the machine after the image capture System Configuration All actions take place within the newly deployed operating system This step is not needed for a capture tempalte

Creating a Capture Template  Go to Tools > Provisioning > OS Provisioning > New Template and select Empty Template  Provide a name for your capture template  Change the Boot Environment to NetBoot  Change the Target OS to Mac OS X  Add a description if desired

Netboot Reboot  Add the Reboot/shutdown action to the System Migration step  Select the NetBoot radio button  Enter the NetBoot server using the format ‘bdsp://ipaddress’  Deselect the box ’Stop processing the template if this action fails’

Capture an OS X Image  Add the Capture an Image action to the OS Installation phase  Provide the image capture path and file name appending with.dmg  Ensure the Mac Image radio button is selected  Hit the validate button  Change the partition identifier in the command based on your ‘diskutil list’ command; it’s likely disk0s2 is correct but verify on your machine

Capture an OS X Recovery Partition  Add the Capture an Image action to the OS Installation phase  Provide the image capture path and file name appending with.dmg  Ensure the Mac Image radio button is selected  Hit the validate button  Change the partition identifier in the command based on your ‘diskutil list’ command; it’s likely that it’ll be disk0s3 but verify on your machine

Capture a Windows Image  Add the Capture an Image action to the OS Installation phase  Provide the image capture path and file name appending with.image  Ensure the Windows Image radio button is selected  Hit the validate button  Change the partition identifier in the command based on your ‘diskutil list’ command; it’s likely that it’ll be disk0s3 or disk0s4 but verify on your machine

Reboot / Shutdown Action  Add the Reboot/shutdown action to the Post-OS Installation Phase  Select the Reboot or Shutdown radio button  If selecting Reboot, enter the desired Partition to reboot to, likely disk0s2

Troubleshooting

Thank you