An issue was opened recently for AutoCasperNBI, where the 10.11.2 NBIs it generated were not accessible over ARD or VNC.
Some digging revealed that this only affected NBIs with the “Reduce Image Size” option selected.
NBIs for 10.7.x – 10.11.1 work fine over ARD or VNC with that option selected, so some investigation was needed. Below is the investigative work, but you can also skip straight to the resolution.
Boot.sh
Both AutoCasperNBI & AutoImagrNBI run a script on boot which is triggered by a LaunchDaemon.
These can be found at
/Library/Application Support/AutoCasperNBI/Scripts/boot.sh
/Library/Application Support/AutoImagrNBI/Scripts/boot.sh
These scripts do the following:
- Set the NBI’s Time using a specified time server & zone (if wanted)
- Create the ARD user (if wanted)
- Enable Screen Sharing (if wanted, this can be either/or ARD & VNC)
- AutoCasperNBI: Install the JSS SCEP Certificate into the System.keychain (for trusting JDS connections)
- Disable Gatekeeper
- Set the Energy Saver settings.
AutoCasperNBI’s can be found here.
After creating a 10.11.2 NBI with the “Reduce Image Size” option selected, I manually ran the Boot.sh script & this gave the below error:
Whereas on a 10.11.2 NBI without the “Reduce Image Size” option selected, the script ran without error.
So what does the “Reduce Image Size” option do?
It reduces the overall NBI size by deleting items. This is for people who want a smaller NBI to send to multiple servers, or who, if using a USB etc., might want a restorable NBI that’s less than 8GB.
The items & actions performed when an NBI is created with the “Reduce Image Size” option selected are shown below:
- Deletes all items from /Applications/ except LaunchPad.app, Safari.app, System Preferences.app, TextEdit.app & the Utilities folder.
- Deletes all items from /Applications/Utilities/ except Activity Monitor.app, Console.app, Disk Utility.app, Grab.app, Keychain Access.app, System Information.app & Terminal.app.
- Deletes all items in /System/Library/PreferencePanes/ except DateAndTime.prefpane, Displays.prefpane, Network.prefpane & StartupDisk.prefpane.
- Empties /Library/Application Support/
- Empties /Library/Audio/
- Empties /Library/Caches/
- Empties /Library/Desktop Pictures/
- Empties /Library/Dictionaries/
- Empties /Library/Fonts/
- Empties /Library/Logs/
- Empties /Library/Modem Scripts/
- Empties /Library/Printers/
- Empties /Library/Screen Savers/
- Empties /Library/User Pictures/
- Empties /Library/WebServer/
- Empties /System/Library/Address Book Plug-Ins/
- Empties /System/Library/Automator/
- Empties /System/Library/Caches/
- Empties /System/Library/Compositions/
- Deletes /System/Library/CoreServices/DefaultDesktop.jpg
- Empties /System/Library/LinguisticData/
- Empties /System/Library/Printers/
- Empties /System/Library/Screen Savers/
- Empties /System/Library/Speech/
This takes a 10.11 NBI from a little under 11GB to around 6.5GB, but it’s this reduction that caused the issue.
Tracking It Down
It was a relatively simple process: from the above list I guessed that item 4 was the issue & lo & behold, it was!
I took a working 10.11.2 NBI built without the “Reduce Image Size” option selected, renamed the NetBoot.dmg to NetBoot.sparseimage (as per this) & emptied the /Library/Application Support/ folder. Then renamed the NetBoot.sparseimage to NetBoot.dmg.
Once done I netbooted a client, & the client was not accessible over ARD & VNC. Also, running the Boot.sh resulted in the same error as shown above.
SIP?
I know that some people might jump to this being a SIP issue. It’s not, because:
- SIP does not come into play with NBI creation. SIP protects bootable 10.11.x disks, a DMG mounted within a user session will not fall under SIP.
- The directory /Library/Application Support/ is not a SIP protected directory as per the SIP definitions in /System/Library/Sandbox/rootless.conf. As shown here.
The Resolution
10.11.2 seems to require some directories within /Library/Application Support/ for ARD & VNC to be enabled,
whereas 10.7.x through to 10.11.1 would recreate them if missing.
The directory structure needed is:
/Library/Application Support/Apple/Remote Desktop/
Once that directory is created, Boot.sh no longer errors & ARD &/or VNC can be enabled via Boot.sh or System Preferences.
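The fix described above, as an added example that is not AutoCasperNBI's own code: it mimics the step that empties /Library/Application Support/, then recreates the directory 10.11.2 needs before screen sharing is enabled. The function names, the NBI_ROOT variable and the 755 mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and NBI_ROOT are hypothetical.
# ROOT is the mount point of the NBI volume ("/" when run on the booted NBI).

ARD_SUPPORT_DIR="Library/Application Support/Apple/Remote Desktop"

# Mimic the "Reduce Image Size" step that empties /Library/Application Support/.
empty_application_support() {
    root="$1"
    dir="${root%/}/Library/Application Support"
    [ -d "$dir" ] || return 0
    # Remove the contents (dotfiles included) but keep the folder itself.
    find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
}

# True when the directory 10.11.2 expects is present.
ard_support_dir_present() {
    [ -d "${1%/}/$ARD_SUPPORT_DIR" ]
}

# Recreate the directory; fail loudly instead of enabling ARD/VNC blind.
ensure_ard_support_dir() {
    root="$1"
    target="${root%/}/$ARD_SUPPORT_DIR"
    if [ -e "$target" ] && [ ! -d "$target" ]; then
        echo "error: $target exists but is not a directory" >&2
        return 1
    fi
    mkdir -p "$target" || return 1
    # Assumption: 755, matching the usual mode of folders under /Library.
    chmod 755 "$target"
}

# Only acts when NBI_ROOT is set, e.g. NBI_ROOT=/Volumes/NetBoot sh thisfile.sh
if [ -n "${NBI_ROOT:-}" ]; then
    if ensure_ard_support_dir "$NBI_ROOT"; then
        echo "ok: $NBI_ROOT/$ARD_SUPPORT_DIR is in place"
    else
        echo "not enabling screen sharing: support directory missing" >&2
        exit 1
    fi
fi
```
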
AutoCasperNBI will have a 1.3.3 release later today, & AutoImagrNBI is a few releases behind, but I’ll update when able.
I’ve also opened a bug for this, & that can be found here.
Ah, the old “what’s behind door number 4?” trick.. nice sleuthing!
Thank you for the information, I was trying to get SSH and VNC working again on the latest DeployStudio, and had only managed to get ssh fixed. This was the missing bit to get remote desktop back, at least for view and control. (I don’t really need the other advanced ARD bells)
No problem!