My Casper Imaging Workflow


For a number of years I have used the same Imaging workflow, during which time I thought the process was fairly common (with FSTAB being an exception).

However, after speaking to a few fellow Casper Admins it has become clear that my workflow isn’t as common as I thought. So the post below outlines what we do.

Base Configuration

In Casper Admin we create a “Standard Configuration”, often naming it “<OS Version> Base”, as per the below:

[Screenshot: the “<OS Version> Base” Standard Configuration in Casper Admin]

Under the “Management” tab, we specify the details of the management account:

Partitioning

Then, because we use FSTAB to split the Mac’s HD into 33% Macintosh HD & 67% Users HD, we specify the creation of the Users HD partition under the “Partitions” tab as a Journaled HFS+ volume with 67%, or up to 670GB, of the target drive.

[Screenshot: the “Partitions” tab of the configuration]

The nice thing about partitioning within your configuration is that when you load up Casper Imaging on a non-partitioned Mac, the first step will show the partitioning:

[Screenshot: Casper Imaging showing the partitioning step]

Whereas if the Mac has already been partitioned (as when re-imaging), Casper Imaging will see this & this step will be skipped:

[Screenshot: Casper Imaging with the partitioning step skipped]

This preservation of partitions is great if you use FSTAB to partition your Macs’ HDs so that the user data is on a separate partition, as the data on that partition is then preserved.

Recovery HD

When deploying an OS.dmg created either by AutoDMG or Casper Admin, the “Recovery HD” that is contained is also deployed & “Casper Imaging” will partition as needed.

This includes when partitioning as per the above, but when doing so the “Recovery HD” is not the last partition as you may expect.

/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            85.0 GB    disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:                  Apple_HFS Users HD                165.0 GB   disk0s4

The above is taken from my Mac; as you can see, the “Recovery HD” is the middle of the 3 partitions. Whilst this still works to boot into & to send lock or wipe commands to the Mac, it’s worth noting that FileVault2 will only encrypt the OS volume, so the separate Users HD partition is not covered by it.

Smart Configurations

With the “Base Standard Configuration” created, it is then used as the parent for others, as shown below:

[Screenshot: the configurations list in Casper Admin]

In the configurations above, you can see we have various “Smart Configurations” with the “Base Standard Configuration” that we created earlier being the parent, & the “Smart Configurations” being split depending on what version of CS6 is to be installed.

The content of these “Smart Configurations” is only 2 items, with all other items coming from the “Base Standard Configuration.”

[Screenshot: the contents of a “Smart Configuration”]

Adding Items

Next we populate the “Base Standard Configuration” with the items wanted within it. As we’re using “Smart Configurations”, the “Base Standard Configuration” should hold all items that are wanted except for the items that differentiate the “Smart Configuration”.

As with anything within the JSS, timing is important. When creating configurations it’s important to set the correct priorities of items in Casper Admin, as trying to install updates for an application without it being installed will fail.

The first item is normally the OS.dmg created either via Casper Admin or AutoDMG. This DMG will have a priority of 1 set within Casper Admin.

Below is an example of what we follow for items; note we also prefix the items with their priority.

[Screenshot: items prefixed with their priority]

Generally we follow the below; this is a loose guide:

  1. Priority 1: OS.dmg’s
  2. Priority 2: OS updates (this was used more pre-App Store OS delivery, now we create a new OS.dmg with the latest “Install Mac OSX.app” using AutoDMG).
  3. Priority 3-9: OS updates, such as printer drivers as well as items affecting the User environment.
  4. Priority 10: Application installs.
  5. Priority 12: Application updates &/or settings.
  6. Priority 14: Application plugins (Adobe Creative Suite plugins for example).
  7. Priority 20: Imaging post flight triggers.

So, as mentioned, that’s a rough outline, & with Casper Admin having priorities of 1-20 we leave some free just in case.

Adding DMGs & PKGs to a configuration

The way Casper Imaging block copies DMGs means that we usually deploy DMGs to the target drive during imaging.

However, PKGs can have pre or post flight scripts, as well as dependencies on whether or not they are being installed from the boot volume &/or have an active user session running.

So another rule of thumb we follow is to set each PKG to “Install on boot drive after imaging”.

[Screenshot: the “Install on boot drive after imaging” setting]

Casper Imaging will then cache these PKGs onto the target Mac’s HD. Once restarted, the target Mac will auto-login to an account called “Adobe Install” (this is a legacy account name).

Once logged into the “Adobe Install” account, you should see the below on the Mac’s screen:

[Screenshot: the screen shown while logged in as “Adobe Install”]

The Mac will now be installing all the cached PKGs, whilst logged in as a user account with no conflicting processes.

Postflight Policy

The last part of the workflow is the “Postflight script” as shown in the “Smart Configurations” above. The reasoning behind putting this script in the “Smart Configuration” instead of the “Standard Configuration” is that it allows us to create other “Smart Configurations” that install all the items from the “Standard Configuration” with a different “Postflight script”.

The “Postflight script” is set to run “At Reboot” & triggers a policy with the trigger “OSXPostflightConfig”:

jamf policy -trigger OSXPostflightConfig

In the JSS the policy looks like the below, & the policy is set to “Ongoing” and triggered via the above custom trigger:

[Screenshot: the policy in the JSS]

Any needed “Software Updates” are installed from the Network Segment defined software update server for the imaged Mac.

[Screenshot: the policy’s software update settings]

Next we run a collection of scripts:

[Screenshot: the policy’s scripts]

These are set to “Before” or “After” depending on what the script is. For example, you could have a “Before” script that sets the Mac’s time to your NTP, then an “After” script that does the “AD Binding”.

The only script of note is the below:

sudo touch /.JSS-Managed

We report back that “Dummy Receipt” (it’s not really a dummy receipt, but close enough) as a “Management Level” Extension Attribute. All policies are then scoped on the value of that Extension Attribute as a base value for the policy’s “Smart Group”. The “Management Level” Extension Attribute is below:

As you can see we use a number of “Dummy Receipts” for various things, but in the context of this post the “Management Level” values are:

  1. Managed (for clients)
  2. Supervised (for clients with special use cases, such as meeting room Macs)
  3. Sedna (for our Macs running Sedna Presenter digital signage).
  4. Server (for our Mac servers, this includes our Casper DP’s & JSS box)

The benefit of doing this is that no policies are run on the newly imaged Mac until this file is in place & the Mac has run an inventory update.
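
One way to write such a “Management Level” Extension Attribute, as an added example rather than the script from the original post. Only /.JSS-Managed appears in the post, so the other marker file names, their precedence and the “Unmanaged” fallback are assumptions. Because every policy is scoped on this value, the example only trusts a marker that is a regular file owned by root and not writable by group or others.

```shell
#!/bin/sh
# Added example: Jamf extension attribute (EA) reporting "Management Level".
# Only /.JSS-Managed appears in the post; the other marker names, their
# precedence and the "Unmanaged" fallback are assumptions.

# UID that must own a marker file: root in production, overridable in tests.
EA_OWNER_UID="${EA_OWNER_UID:-0}"

# marker_trusted PATH -> 0 if PATH is a regular file (not a symlink) owned by
# EA_OWNER_UID with the group-write and other-write bits clear.
marker_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ldn prints e.g. "-rw-r--r--  1 0  0  0 Dec 20 23:28 /.JSS-Managed"
    meta=$(ls -ldn "$1") || return 1
    mode=${meta%% *}
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    [ "$owner" = "$EA_OWNER_UID" ] || return 1
    case "$mode" in
        -????-??-?*) return 0 ;;   # regular file, not group/other writable
        *)           return 1 ;;
    esac
}

# management_level ROOT -> prints the level for the volume mounted at ROOT
# ("" means the boot volume). The first trusted marker in the list wins.
management_level() {
    root="${1:-}"
    for pair in Server:.JSS-Server Sedna:.JSS-Sedna \
                Supervised:.JSS-Supervised Managed:.JSS-Managed; do
        if marker_trusted "$root/${pair#*:}"; then
            echo "${pair%%:*}"
            return 0
        fi
    done
    echo "Unmanaged"
}

# Jamf reads an EA's value from a <result> tag on standard output.
echo "<result>$(management_level "")</result>"
```

A Mac whose marker is missing, symlinked or loosely permissioned reports “Unmanaged” and so falls outside every Smart Group built on the other values.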

After the scripts have run we bind to our Active Directory:

[Screenshot: the policy’s Active Directory binding settings]

Lastly, we perform some maintenance tasks:

[Screenshot: the policy’s maintenance tasks]

Managed Preferences & Profiles

The Mac then restarts & pulls down the required “Managed Preferences” & “Configuration Profiles”.

As mentioned above, we create a “Dummy Receipt” & scope Smart Groups for policies using the value returned via an EA as a base for the group. We use the same method when scoping “Managed Preferences” & “Configuration Profiles”, with the exception that we also scope via OS version.

No Imaging

The above workflow can also be easily tailored for when you wish to preserve the Mac’s shipped OS; this can happen if the Mac’s build is a bespoke “fork” of OSX.

In order to use the above when “No Imaging” do the following:

  1. Boot up the Mac & run through the setup assistant creating an administrator account.
  2. Once logged in, enable root & login as root (this stops you being prompted every 5 minutes for administrative credentials).
  3. Download & launch Casper Imaging.
  4. Select the wanted configuration.
  5. Press “Show Custom”
  6. Remove the OS.dmg & any OS updates you have added.
  7. Select your normal options in “Casper Imaging” except “Erase”.
  8. Once “Casper Imaging” has installed all items, login as the administrator account created at step 1 & disable the root account. (Of course, if this is a workflow you wish to employ regularly you could add a script to the “Post flight policy” that disables root).

Summary

I hope you’ve found the above of some use. This workflow has remained largely unchanged since 10.6.x, but with people querying how I do it & some potential changes coming with Yosemite, I thought it was about time I blogged it.

4 thoughts on “My Casper Imaging Workflow”

  1. Hey Ben, hope you are well. So if you set up the HD into 2 partitions, how do you set up the workflow not to format the User HD partition, only the OS drive? And do you need to run a script to reset the User permission? I remember doing that at Pentland.

  2. Tab nawaz

    Hi Ben

    I wonder if you could help me with this issue

    When I use Casper Remote and select the iMac to which I want to push the Office 365 app, I receive the following error message:
    Sending wake on LAN command
    Opening SHH connection to [IP ADDRESS]
    Authenticating…
    Authenticating…
    Authenticating…

    I have also checked to make sure that my username and password are correct
