Update: 10.11 "El Capitan" finally patched against code injection with the introduction of System Integrity Protection (SIM). Consequently, deleting/replacing User Template files will result in quite a few irreparable permissions issues when deploying an image. I would recommend using a tool like Outset (free) or utilizing OS X Server user profile configuration payloads to modify profile settings in 10.11.

An article I wrote for the Dell KACE monthly inKpad newsletter addressed preparing an instance of OS X as a gold master image. The article is a little dated but the information is still accurate (at the time of this writing). However, there have been a few additions to my process with the latest versions of OS X that I would like to include. Without further ado, here is the "sysprep" process for OS X that I use with 10.9:

Although Macs are not nearly as finicky when it comes to capturing images and redeploying to other Mac hardware, that doesn’t mean we shouldn’t prepare our systems so that we are capturing the cleanest image possible. For the purposes of this guide we will use the term “sysprep" for Mac, although it is not actually a tool such as Microsoft Sysprep utility. Instead, it is a set of steps that will closely resemble the same thing Sysprep.exe does on a Windows system.

In Windows there’s a set of tools available that lets you build a reference computer with all the latest updates, pre-installed drivers, software, and your own configurations. Using sysprep.exe you can strip out all the bits that make it a uniquely identified computer, such as user profiles and associated passwords, unique computer SIDs and tokens, etcetera. At the end of this process you end up with a clean install of Windows that you can take an image of and deploy to other computers. The first time you boot a computer after sysprep.exe has been executed, the system goes through some basic setup routines and away you go. We’ve got several articles at www.kace.com on that process, but let’s take a look at the “Sysprep for Mac” process:

Create a default install of Mac OS X

When you get to the login screen for OS X, set up an account called ADMIN. If you already have a local admin account on the system, login with that account now and do the following:

  1. Install System Updates
  2. Install Company Required Software
  3. Create a new User account if a customized default account template is desired.
    1. Add a new user called DEFAULT. Make sure this is defined as an Administrator account. Set a simple password for this user, as this account will later be removed before capturing the system image.
  4. Log out and log in to the new DEFAULT account.
  5. Go through System Preferences and set everything the way you want it to be in your image after deployment.
  6. Start each app at least once, particularly if it has been downloaded from the Internet, and make sure they startup normally and with no warnings.

Profile Cleanup

  • Using Finder go to /Users/DEFAULT/Library/Caches and delete the contents. Make sure you empty the Trash. User Terminal for this portion if Finder doesn't let you delete the Caches:
    rm -Rvf /Users/DEFAULT/Library/Caches/
  • Run Keychain Access (Applications/Utilities), select “login” and delete the keychain (right click > Delete keychain "login").
  • Clear file histories (Apple menu -> Recent Items -> Clear Menu).

Optional: Shell Scripting Examples

#Set Machine Name Back to Generic
/usr/sbin/scutil --set ComputerName "Master_Image“
/usr/sbin/scutil --set LocalHostName "Master_Image“ #Delete Swapfiles
rm /private/var/vm/swapfile* #Clean Up Global Caches and Temp Data
rm -rf /Library/Caches/*
rm -rf /System/Library/Caches/*
rm -rf /Users/Shared/*
rm -f /private/etc/ssh_host* #Resolves Duplicate Computer Name When Binding to Open Directory or Active Directory
#This portion no longer works in 10.9. I will check for filename changes and update this script.
/usr/sbin/systemkeychain -k /Library/Keychains/System.keychain -C –f rm -rf /var/db/krb5kdc
/usr/bin/defaults delete
/System/Library/LaunchDaemons/com.apple.configureLocalKDC Disabled #Cleanup Root Home Dir
rm -rf /private/var/root/Desktop/*
rm -rf /private/var/root/Documents/*
rm -rf /private/var/root/Downloads/*
rm -rf /private/var/root/Library/Caches/*
rm -rf /private/var/root/Library/Recent\ Servers/*
rm -rf /private/var/root/Library/Logs/*
rm -rf /private/var/root/Library/Keychains/*
rm -rf /private/var/root/Library/Preferences/ByHost/*
rm -f /private/var/root/Library/Preferences/com.apple.recentitems.plist
rm -rf /private/var/root/Public/Drop\ Box/*


Set Up System-wide Default User Account

  1. Restart the computer and log in as ADMIN.
  2. Run Terminal (Applications/Utilities) and type “sudo -s” and enter your password for ADMIN when prompted.
  3. Clear out the existing system-wide default account:
rm -rf /System/Library/User\ Template/English.lproj/*

Copy your new default account to the system default account:

cp -R /Users/DEFAULT/ /System/Library/User\ Template/English.lproj

NOTE: At this point, you’ve now got the start of a system-wide default user profile – this is what gets used every time a new user is created on the system, including the first user when you go through the Apple Welcome process on a new computer.

Type “exit” to get out of the root shell and then close Terminal and reboot the computer.

Log in again as ADMIN.

Disk Cleanup

Run Disk Utility (Applications/Utilities), select the hard drive and, under the First Aid tab, run “Repair Disk Permissions“. If you got things right to this point you’ll see a whole stack of information where this fixes permissions for the system-wide default user profile you’ve just copied. If you miss this step, permissions issues may get in the way when you create a new user later. Once you’re done, close Disk Utility.

You can now delete your DEFAULT account, as you won’t need it any further. From System Preferences -> Users and Groups, delete the DEFAULT account.

Enable Automatic Login

Configuring the admin account to automatically log in will assist in automating the PostInstall task phase after the image has been deployed. Use the following command as a postinstall shell script to disable the automatic login (thanks to Corey Serrins for this tip):

sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

Optional: Enable the root account

  1. From System Preferences choose Users & Groups.
  2. Click the lock to make changes and enter an admin password for the machine.
  3. Click Login Options.
  4. Click the Join button next to Network Account Server.
  5. Click the Open Directory Utility button.
  6. Click the lock to modify system configuration and enter an admin password for the machine.
  7. Click the Edit dropdown menu in the upper-left corner of the screen and select Enable Root User.
  8. Define the root account password and then click OK.
The root account has access complete global access for the entire system and should be used with caution. Read more about the root account here: http://www.linfo.org/root.html

Optional: Reseal Apple Setup Wizard

This will "reseal" the OS X installation. This will launch the interactive Apple Setup Wizard the next time the system is booted (read: when an image is deployed). Do not follow this step unless you want an interactive setup after you deploy the image.

Run Terminal (Applications/Utilities) and type “sudo -s” and enter your password for ADMIN when prompted.

rm -rf /var/db/.AppleSetupDone
shutdown -h now

Create Your Disk Image

At this point, you’ve got a computer that’s turned off and is ready to start as a new computer with no existing users but all your configurations and software installs ready to go. Now just NetBoot to your K2000 and capture your image using K-Image or Native (DMG) capture; we support both.

Optional tasks for first boot after image deployment:

#Disable Time Machine prompt when plugging in an external drive
defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true

#Configure Finder to always open directories in Column view
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.finder "AlwaysOpenWindowsInColumnView" -bool true

#Place the Screen Sharing app in the Applications directory for easier access:
ln -s /System/Library/CoreServices/Screen\ Sharing.app /Applications/Utilities/Screen\ Sharing.app

#Display system info on the login screen when clicking on the time:
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

#Turn SSH on
systemsetup -setremotelogin on

#Remove iCloud login prompt when logging into the desktop
for USER_TEMPLATE in "/System/Library/User Template"/*
defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"

For more excellent first boot scripting ideas, check out Rich Trouton's initialsetup script: https://github.com/rtrouton/rtrouton_scripts/blob/80536983b6bbb19eb9a9960290714408017bad01/rtrouton_scripts/first_boot/10.9/initialsetup.sh