How To Create An Never Booted OS.dmg Using Casper Admin

Standard
UPDATE: AutoDMG makes this process, "stupid easy" so I'm going to move away from the below to using that tool. Also, if you're master distribution point is a JDS you cannot compile configurations. Again AutoDMG to the rescue.

Ever since Casper Admin has allowed for compiling configurations way back in the 10.5/6 days I have been successfully creating an OS.dmg via Casper Admin. I still use this method today & since 10.7 this DMG also includes the Restore Partition.

The end result is an DMG of the OS that has never been booted & is an asr image. Much like DMG’s created by InstaDMG & AutoDMG.

I’m not sure why I seem to be the only one doing this, but below is the how;

NOTE: The below example is when using Casper Admin v9.x & the "Install Mac OS Mavericks.app." The steps will be similar when using one of the new OS's delivered via the App Store. If using an older OS the method will be a little different... But I've sadly forgotten those steps.
Also, the install app needs to support the Hardware/OS you'll be creating the OS.DMG on (so if the Build mac is on 10.9, then 10.8 will not install).
It is advised that you perform the below actions on a Mac that is located on the same VLAN as the JSS, due to speed as you'll be installing the OS to a DMG across the network.
Lastly, I've only ever performed the below using Mac OSX hosted JSS & DP's, with the CasperShare mounted via AFP.
  1. On your chosen Build Mac, download Mavericks from the App Store.
  2. Once downloaded, open Casper Admin v9.x & drag the “Install Mac OS Mavericks.app” into the packages pane. With Casper Admin v9.x will copy over just the InstallESD.dmg within the .app bundle. When using older version or Casper & maybe pre-Mavericks app bundles you may need to locate & copy the InstallESD.dmg from within the app bundle instead.1
  3. Once copied, located the uploaded InstallESD.dmg & double click it to bring up the Information window.1a
  4. Once in the Information window, change the package priority to 1 & optionally rename the DMG. (I often rename the DMG something like: 001 10.9.2 InstallESD 260214.dmg. DO NOT tick requires restart.1b
  5. 1aCreate a standard configuration in Casper Admin.Untitled 3
  6. Next enter the Management account details, (these are required but the account is not created via this method).Untitled 4
  7. Drag the previously upload DMG into the Configuration. (If wanted, you could add other packages.. but i’d advise to create a Vanilla Base OS.dmg & to add the other packages to a configuration later).2
  8. Once the DMG is in the Configuration, click the Compile button to the lower left of the Casper Admin window.3
  9. At the “Create a compressed disk image?” prompt, read the wording & select the most prudent option for your deployment method.
    4
  10. Casper Admin will prompt you to enter Administrator credentials twice during this process, & one more time per additional package you add. This can be avoided by running Casper Admin as root.5
  11. Casper Admin will now start compiling the configuration. This will create a DMG under /CasperShare/CompiliedConfigurations/<configuration name.dmg>Untitled 9
  12. Once the compiling is completed, the image is then scanned for restore.Untitled 10
  13. When the compiling is completed, you should be returned to the packages pane. With Casper Admin open, navigate to /CasperShare/CompiliedConfigurations/ & drag the compiled dmg into the packages folder. You can also rename the DMG if wanted at this stage too.Screen Shot 2014-02-27 at 9.02.49 AM
  14. Quit Casper Admin & relaunch, the dmg should then appear in the packages pane as unknown.Untitled 14
  15. Double click the dmg, & in the information window change the package priority to 1.Screen Shot 2014-02-27 at 9.05.49 AM
  16. That’s it. The DMG is now ready to be used as your OS.dmg in your configurations as per your setup. For me, as you can see in the above screen shots, we have a 10.9 Base Standard Configuration & Smart Configurations under that. Whenever we create a new OS.dmg we replace the previous version with the newly created.

I hope someone else finds this useful. If you use the Casper Suite & only need an vanilla OS.dmg, i’d suggest giving this ago.

Of course, there is still nothing stopping you using InstaDMG & AutoDMG (& intact in a few situations they work better). But you can’t have too many options!

One oddity to mention, is that is you use this method & FSTAB. The Restore Partition still works, but is located as a after the OS partition & not the last partition on the disk as per the below;

Screen Shot 2014-03-06 at 22.20.04

This doesn’t affect the ability to use the Recovery Partition to boot into, nor does it affect the MDM lock or wipe functions. Also, Casper Imaging resizes the DMG when imaging as appropriate. But the Recovery Partition stays at 650MB.

However, I’ve not attempted FileVault2 with multiple partitions as I understand this will only encrypt the OS partition & as our Users data is on a second partition.. there is little point to me using it.

23 thoughts on “How To Create An Never Booted OS.dmg Using Casper Admin

  1. As far as I know, FV2 in Mav can encrypt multiple partitions. I could be very wrong here though, as we keep things simple with the one partition.

    • WordPress.com Support

      I’ll have a nose then when it have the time. Just something I’ve not done… YET…

  2. You can have multiple encrypted partitions. However, if your user folder is stored on a non-boot encrypted partition, the tricky bit is getting the non-boot partition unlocked in time for you to log in at the login window. I’ve heard that some folks accomplish this by putting the unlock credentials in the System keychain.

    That said, I have not tested this and cannot attest to how well it works. Apple’s design model for FileVault 2 is where the user folders are stored on the encrypted boot partition.

  3. Jonathan

    Hi I tried again to follow all the instruction but when I deploy the image it simply reboots in the recovery portion and not the OS. In fact it doesn’t seem that the OS is deployed at all…no partition is created. I’m working with 10.9.2 and Casper admin 9.3

    • Hi Jonathan,

      Just to make sure, you’re wiping the HD.. then installing the OS.dmg via Casper Imaging.. (this should be being block copied when running imaging not after).

      Once run, the mac is then being restarted? If it boots again to recovery, can you select the local startup disk as the one you’ve installed 10.9.2 on?

  4. Todd

    I’ve tested this out using an OS.dmg created with AutoDMG and deploying using Casper Imaging 9.3. All works fine except anything deployed under the ‘Prepare First Run script’ does not seem to be getting run. So no scripts, user accounts or Directory binding is being run on first boot.

    • WordPress.com Support

      Odd, have you any packages that are set to install at boot volume during imaging?

      Also, post imaging.. What does the jamf.log say?

      • Todd

        Jamf.log indicates that everything has run correctly. When testing, any packages set to install during imaging would not install, nothing showed in the log why.

        I’ve been working the issue from home all weekend and think I’ve figured it out. If there is no local account, the First run script doesn’t run – or fails – I can’t tell because there is no account to log in with to see what has and hasn’t run. It’s quite annoying that the first run script isn’t logged anywhere. I think this is the only reason our manually built images were having more success.

        What I have now runs like: OS.dmg deployed > First run script to create temp local account, call a few jamf triggers (calls policies for settings/create desired admin support account/install additional minor software) and run the jamfhelper to lock the screen > larger software installs deployed on boot drive after imaging > logs into temp local account where the called jamf triggers finish > local temp account gets deleted > final reboot.

        I’ll recreate this at work tomorrow with added steps to pull any available updates off our NetSUS and bind to AD – if this works then that makes our entire imaging process modular and updating images becomes a 10 minute process as opposed to having to build images and then spend days testing to make sure we haven’t forgotten something.

          • Todd

            We are – however in testing:

            * Imaging that was just the OS, the management account was created and you could log in with it
            * Imaging that was OS plus software installed during imaging, software would not get installed and management account wouldn’t get created
            * Imaging that was just the OS and AD binding, no binding, no management account.

            • WordPress.com Support

              Are you using the same version of Casper Imaging as your JSS? I.e 9.31 JSS & Casper Imaging 9.31?

  5. Todd

    Yes, same version of Casper Imaging as the JSS so it wasn’t that. Have since created a new OS.dmg and the management account is being created every time now. Odd but I’m not going to question it.

    Have made a bit of progress but I’m hitting a few new walls which stem from not having a local account already baked into a manually built image.

    My imaging workflow now runs as:

    1. Erase HD
    2. Deploy OS
    3. Reboot
    4. FirstRun script – this enrols the machine into the appropriate site and then fires off applied policies in the right order

    This builds the machine in the way I want but there is a few gotchas. If there is no local account created before step 4, the first run script does not run. If you add a single package set to install on boot after imaging it creates the Adobe installer account and everything runs beautifully, all applied policies fire off in the right order and it even reboots when it finishes so the first time you see a login prompt you know everything is good to go. This is the outcome I’m aiming for.

    However, I don’t want to have to deploy a package that installs on boot after imaging just to trigger that functionality, it feels hacky and adds an unnecessary link in the chain. I only want that FirstRun script running after reboot to keep everything as modular as possible so this is easy for other departments to adopt for their own needs.

    Where I am at as of today is I’m using ‘createuserpkg’ to add that user during the initial imaging. If I create the user with no autologin and everything fires off but it sits at the login screen with no indication anything is happening. You have to look at the policy logs for the machine to know when everything is completed. On reboot we’re at a ready to go state. If I create the user to auto login you see a bit of activity but again you have to check the logs to confirm everything is done. In both instances my script deletes this account.

    There’s two missing pieces that would make this complete:

    1 Reboot. No matter whether by policy set to run last or set as the last line in the script, the machine always reboots early and ends up getting stuck in a loop. It seems to call the reboot before all policies have finished running. If I could figure out how to get it to reboot only when everything is complete then I’d have everything working.

    It’s late but I’ve just thought that maybe a ‘while postinstall.sh exists do nothing else reboot’ statement in my scripts might do it?

    2. Lock the screen during imaging. I know things have changed in Mavericks and you can’t call the jamf helper app to lock the screen over the login window anymore. I’ve tried every suggestion I can find on jamf nation but I just can’t make this bit work, not even it is called as a LaunchDaemon. If I could get this happening then that’s everything. If I can’t get it to run then having the temp user autologin and then run the jamf helper is probably the next best thing.

  6. DJ

    I found this page as am having permission issues with the ‘built-in’ local admin account not having access to it’s home directory when trying to create a never booted OS X image using casper admin and AutoDMG.

    I though I’d attempt to follow you instructions on using casper admin to create my never booted OS.dmg as apposed to AotoDMG but the Compile button is greyed out for me once I’ve added the INSTALLESD.dmg to a base configuration.

    JSS version 9.32
    Casper Imaging version 9.32
    jamfds binary Version 9.21

    Upgrade of my jds binary version to match the JSS & casper suite perhaps? I will try and test this tomorrow but would be interested to know if anyone else has seen this behaviour?

  7. DJ

    Thanks for the quick reply and the link, good to know that it’s not supported!

    I’m still having issues with the permissions on the built in local account for my never booted os dmg. Basically it looks like the administrator account does’t have read or write permissions to it’s own home directory.

    I’m thinking of adding a script via casper admin into my configuration to apply the correct permissions to the administrator home directory after the administrator user has been created.

    Not sure if this is the best way to go about it though, I’ve been reading on this thread https://jamfnation.jamfsoftware.com/discussion.html?id=10587 about a similar issue and they mention about creating a payload free package to add to the configuration

  8. hunter99

    We’ll I tried twice to create the OS image and both times the test system to be imaged KP’d after imaging with it. I can create the image step-by-step just fine.

    Not really worried as I use AutoDMG but was testing an issue we found that AutoDMG images are taking a very long time to create the management account after imaging using Casper Imaging. I have been working with support and he mentioned he is also seeing issues as well. Anyway, I was trying the method above to do further testing as I don’t like the suggested method from JAMF to install a fresh copy onto a system, target mode it, and use Composer to capture it. We have found that it cases issues with software updates on hardware that is not the same as the original system. I don’t want to create an image for each type of system either.

    As an aside the info on your site is excellent. It is one of my main go to’s to check out along with Der Flounder and a couple of others.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.