
Sysprep for Mac Images

Update: 10.11 "El Capitan" finally patched against code injection with the introduction of System Integrity Protection (SIP). Consequently, deleting/replacing User Template files will result in quite a few irreparable permissions issues when deploying an image. I would recommend using a tool like Outset (free) or utilizing OS X Server user profile configuration payloads to modify profile settings in 10.11 and beyond.

An article I wrote for the Dell KACE monthly inKpad newsletter addressed preparing an instance of OS X as a gold master image. The article is a little dated but the information is still accurate (at the time of this writing). However, there have been a few additions to my process with the latest versions of OS X that I would like to include. Without further ado, here is the "sysprep" process for OS X that I use with 10.9:

Although Macs are not nearly as finicky when it comes to capturing images and redeploying them to other Mac hardware, that doesn’t mean we shouldn’t prepare our systems so that we are capturing the cleanest image possible. For the purposes of this guide we will use the term “sysprep” for Mac, although it is not actually a tool like the Microsoft Sysprep utility. Instead, it is a set of steps that closely resembles what Sysprep.exe does on a Windows system.

In Windows there’s a set of tools available that lets you build a reference computer with all the latest updates, pre-installed drivers, software, and your own configurations. Using sysprep.exe you can strip out all the bits that make it a uniquely identified computer, such as user profiles and associated passwords, unique computer SIDs and tokens, etcetera. At the end of this process you end up with a clean install of Windows that you can take an image of and deploy to other computers. The first time you boot a computer after sysprep.exe has been executed, the system goes through some basic setup routines and away you go. We’ve got several articles at www.kace.com on that process, but let’s take a look at the “Sysprep for Mac” process:

Create a default install of Mac OS X

When you get to the login screen for OS X, set up an account called ADMIN. If you already have a local admin account on the system, log in with that account now and do the following:

  1. Install System Updates
  2. Install Company Required Software
  3. Create a new User account if a customized default account template is desired.
    1. Add a new user called DEFAULT. Make sure this is defined as an Administrator account. Set a simple password for this user, as this account will later be removed before capturing the system image.
  4. Log out and log in to the new DEFAULT account.
  5. Go through System Preferences and set everything the way you want it to be in your image after deployment.
  6. Start each app at least once, particularly if it has been downloaded from the Internet, and make sure they start up normally and with no warnings.

Profile Cleanup

  • Using Finder go to /Users/DEFAULT/Library/Caches and delete the contents. Make sure you empty the Trash. Use Terminal for this portion if Finder doesn't let you delete the Caches:
    rm -Rvf /Users/DEFAULT/Library/Caches/
  • Run Keychain Access (Applications/Utilities), select “login” and delete the keychain (right click > Delete keychain "login").
  • Clear file histories (Apple menu -> Recent Items -> Clear Menu).

Optional: Shell Scripting Examples

#!/bin/bash
#Run as root on the reference machine before capture.

#Set Machine Name Back to Generic
/usr/sbin/scutil --set ComputerName "Master_Image"
/usr/sbin/scutil --set LocalHostName "Master_Image"

#Delete Swapfiles
rm /private/var/vm/swapfile*

#Clean Up Global Caches and Temp Data
rm -rf /Library/Caches/*
rm -rf /System/Library/Caches/*
rm -rf /Users/Shared/*

#Remove SSH host keys so every deployed machine generates its own
rm -f /private/etc/ssh_host*

#Resolves Duplicate Computer Name When Binding to Open Directory or Active Directory
#This portion no longer works in 10.9. I will check for filename changes and update this script.
/usr/sbin/systemkeychain -k /Library/Keychains/System.keychain -C -f
rm -rf /var/db/krb5kdc
/usr/bin/defaults delete /System/Library/LaunchDaemons/com.apple.configureLocalKDC Disabled

#Cleanup Root Home Dir
rm -rf /private/var/root/Desktop/*
rm -rf /private/var/root/Documents/*
rm -rf /private/var/root/Downloads/*
rm -rf /private/var/root/Library/Caches/*
rm -rf /private/var/root/Library/Recent\ Servers/*
rm -rf /private/var/root/Library/Logs/*
rm -rf /private/var/root/Library/Keychains/*
rm -rf /private/var/root/Library/Preferences/ByHost/*
rm -f /private/var/root/Library/Preferences/com.apple.recentitems.plist
rm -rf /private/var/root/Public/Drop\ Box/*

 

Set Up System-wide Default User Account

  1. Restart the computer and log in as ADMIN.
  2. Run Terminal (Applications/Utilities) and type “sudo -s” and enter your password for ADMIN when prompted.
  3. Clear out the existing system-wide default account:
rm -rf /System/Library/User\ Template/English.lproj/*

Copy your new default account to the system default account:

cp -R /Users/DEFAULT/ /System/Library/User\ Template/English.lproj

NOTE: At this point, you’ve now got the start of a system-wide default user profile – this is what gets used every time a new user is created on the system, including the first user when you go through the Apple Welcome process on a new computer.

Type “exit” to get out of the root shell and then close Terminal and reboot the computer.

Log in again as ADMIN.
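The copy in step 3 above takes the DEFAULT home directory as-is, which is where the keychain and sidebar problems reported in the comments below come from (sarahmurray's fix removes and recreates the Keychains directory; brandnewhistory's deletes com.apple.sharedfilelist). The script below is an added example, not part of this guide or of anyone's posted comment: it performs the same template copy but prunes the directories that carry per-user secrets or per-machine history before they can land in the template, and then checks its own work. Function names and the prune list (Caches and Keychains from the Profile Cleanup section, sharedfilelist from the comments, the rest taken from the root-home cleanup script above) are my choices; the default paths are the guide's.

```shell
#!/bin/sh
# Added example: stage a cleaned copy of the reference profile into the
# system-wide User Template. SRC/DST are parameters so the functions can be
# exercised on a scratch tree; the real paths are the ones used in this guide.

# Relative paths pruned from the copy: per-user secrets (login keychain),
# per-machine history (recent items, ByHost, logs) and volatile data (caches).
TEMPLATE_PRUNE='
Library/Caches
Library/Keychains
Library/Application Support/com.apple.sharedfilelist
Library/Recent Servers
Library/Preferences/ByHost
Library/Preferences/com.apple.recentitems.plist
Library/Logs
'

# stage_user_template SRC DST
# Empties DST, copies SRC into it (dotfiles included), removes every path in
# TEMPLATE_PRUNE and recreates an empty Keychains directory (mode 700) so each
# new user gets a freshly generated login keychain instead of a copied one.
stage_user_template() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "source profile not found: $src" >&2; return 1; }
    mkdir -p "$dst"
    # Same effect as the guide's rm -rf .../English.lproj/*, but also removes
    # dotfiles and keeps the template directory itself (and its ownership).
    find "$dst" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
    cp -R "$src/." "$dst/"
    old_ifs=$IFS
    IFS='
'
    for rel in $TEMPLATE_PRUNE; do
        rm -rf "$dst/$rel"
    done
    IFS=$old_ifs
    mkdir -p "$dst/Library/Keychains"
    chmod 700 "$dst/Library/Keychains"
}

# template_leftovers DST
# Post-copy check: prints the number of pruned paths that still exist and are
# not empty directories (each is listed on stderr); returns non-zero if any.
template_leftovers() {
    dst=$1
    count=0
    old_ifs=$IFS
    IFS='
'
    for rel in $TEMPLATE_PRUNE; do
        p="$dst/$rel"
        [ -e "$p" ] || continue
        # The recreated, empty Keychains directory is expected.
        if [ -d "$p" ] && [ -z "$(ls -A "$p")" ]; then continue; fi
        echo "leftover: $p" >&2
        count=$((count + 1))
    done
    IFS=$old_ifs
    echo "$count"
    [ "$count" -eq 0 ]
}

# Run as root on the reference Mac, e.g.:
#   sh stage_template.sh /Users/DEFAULT "/System/Library/User Template/English.lproj"
if [ "$#" -eq 2 ]; then
    stage_user_template "$1" "$2" && template_leftovers "$2"
fi
```

Run it from the root shell in place of the rm/cp pair in step 3, then carry on with the Disk Utility permissions repair below; a non-zero exit from template_leftovers means something in the prune list survived the copy and the template should not be used.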


Disk Cleanup

Run Disk Utility (Applications/Utilities), select the hard drive and, under the First Aid tab, run “Repair Disk Permissions”. If you got things right to this point you’ll see a whole stack of information where this fixes permissions for the system-wide default user profile you’ve just copied. If you miss this step, permissions issues may get in the way when you create a new user later. Once you’re done, close Disk Utility.

You can now delete your DEFAULT account, as you won’t need it any further. From System Preferences -> Users and Groups, delete the DEFAULT account.

Enable Automatic Login

Configuring the admin account to automatically log in will assist in automating the PostInstall task phase after the image has been deployed. Use the following command in a postinstall shell script to disable automatic login once those tasks have run (thanks to Corey Serrins for this tip):

sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

Optional: Enable the root account

  1. From System Preferences choose Users & Groups.
  2. Click the lock to make changes and enter an admin password for the machine.
  3. Click Login Options.
  4. Click the Join button next to Network Account Server.
  5. Click the Open Directory Utility button.
  6. Click the lock to modify system configuration and enter an admin password for the machine.
  7. Click the Edit dropdown menu in the upper-left corner of the screen and select Enable Root User.
  8. Define the root account password and then click OK.
The root account has complete access to the entire system and should be used with caution. Read more about the root account here: http://www.linfo.org/root.html

Optional: Reseal Apple Setup Wizard

This will "reseal" the OS X installation. This will launch the interactive Apple Setup Wizard the next time the system is booted (read: when an image is deployed). Do not follow this step unless you want an interactive setup after you deploy the image.

Run Terminal (Applications/Utilities) and type “sudo -s” and enter your password for ADMIN when prompted.

rm -rf /var/db/.AppleSetupDone
shutdown -h now

Create Your Disk Image

At this point, you’ve got a computer that’s turned off and is ready to start as a new computer with no existing users but all your configurations and software installs ready to go. Now just NetBoot to your K2000 and capture your image using K-Image or Native (DMG) capture; we support both.
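Before capturing, it is worth confirming that the cleanup steps above actually took: the SSH host keys and swapfiles from the cleanup script, the root account's keychains, the DEFAULT home directory and the caches and keychains under the User Template are exactly the things that make an image host-specific or carry credentials into every deployed machine. The audit below is an added example, not part of this guide: it checks a list of paths under a given volume root and fails if any of the must-be-absent ones exist. The path list mirrors the commands in this guide; /etc/ssh/ssh_host_* is added because later OS X releases keep host keys there, and /etc/kcpassword (where OS X stores the obfuscated auto-login credential) and .AppleSetupDone are only reported for review, since this guide enables auto-login deliberately and the reseal is optional. Function names and the review/fail split are my choices.

```shell
#!/bin/sh
# Added example: audit a volume before capturing it as a gold image.
# ROOT is the mount point of the volume to check (defaults to /); point it at
# the target volume from the NetBoot environment so a running system cannot
# repopulate what you are checking.

# Globs (relative to ROOT) that must not exist: each is regenerated per
# machine or per user on first boot, so any survivor is a cleanup miss.
AUDIT_MUST_BE_ABSENT='
private/etc/ssh_host_*
private/etc/ssh/ssh_host_*
private/var/vm/swapfile*
private/var/root/Library/Keychains/*
private/var/root/Library/Preferences/com.apple.recentitems.plist
Users/DEFAULT
System/Library/User Template/English.lproj/Library/Caches/*
System/Library/User Template/English.lproj/Library/Keychains/*
'

# Globs that are legitimate only because of a deliberate choice elsewhere in
# this guide (auto-login for postinstall, optional reseal); reported, not counted.
AUDIT_REVIEW='
private/etc/kcpassword
private/var/db/.AppleSetupDone
'

# audit_paths ROOT LIST LABEL
# Expands each glob under ROOT, prints "LABEL: path" on stderr for every match
# that exists, and prints the match count on stdout.
audit_paths() {
    root=$1
    list=$2
    label=$3
    n=0
    old_ifs=$IFS
    IFS='
'
    for pat in $list; do
        # Unmatched globs stay literal and fail the existence test below.
        for p in "$root"/$pat; do
            [ -e "$p" ] || [ -L "$p" ] || continue
            echo "$label: $p" >&2
            n=$((n + 1))
        done
    done
    IFS=$old_ifs
    echo "$n"
}

# precapture_audit [ROOT]
# Prints the number of must-be-absent hits and returns non-zero if there are
# any, so it can gate the capture step in an imaging workflow.
precapture_audit() {
    root=${1:-/}
    root=${root%/}
    fails=$(audit_paths "$root" "$AUDIT_MUST_BE_ABSENT" "FAIL")
    audit_paths "$root" "$AUDIT_REVIEW" "REVIEW" >/dev/null
    echo "$fails"
    [ "$fails" -eq 0 ]
}

# Usage: sh precapture_audit.sh "/Volumes/Macintosh HD"
if [ "$#" -eq 1 ]; then
    precapture_audit "$1"
fi
```

A FAIL line means the image still carries something that should have been regenerated per machine; fix it on the reference Mac and re-run before capturing rather than deploying and cleaning up afterwards.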

Optional tasks for first boot after image deployment:

#Disable Time Machine prompt when plugging in an external drive
defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true

#Configure Finder to always open directories in Column view
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.finder "AlwaysOpenWindowsInColumnView" -bool true

#Place the Screen Sharing app in the Applications directory for easier access:
ln -s /System/Library/CoreServices/Screen\ Sharing.app /Applications/Utilities/Screen\ Sharing.app

#Display system info on the login screen when clicking on the time:
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

#Turn SSH on
systemsetup -setremotelogin on

#Remove iCloud login prompt when logging into the desktop
sw_vers=$(/usr/bin/sw_vers -productVersion)
for USER_TEMPLATE in "/System/Library/User Template"/*
  do
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
  done

For more excellent first boot scripting ideas, check out Rich Trouton's initialsetup script: https://github.com/rtrouton/rtrouton_scripts/blob/80536983b6bbb19eb9a9960290714408017bad01/rtrouton_scripts/first_boot/10.9/initialsetup.sh


Comments

  • Super! - MacDude 9 years ago
  • Thank you for sharing!!! I have a request, can you add a step to activate the root user and password prior to sealing the image? Thank you in advance! much appreciated. - eigger1202 9 years ago
    • Thanks for the suggestion. I have added the steps to enable root under the section "Optional: Enable the root account". - mpace 9 years ago
  • Thanks for making this guide, very handy! Ran into a bit of a problem though.

    I've been following the steps and everything works up until I "reseal" the computer and attempt making a new account. When I try to, it gets to "setting up your mac" and then just hangs (beachballs).

    When I reboot the computer, it shows the account name that I made and prompts me for the password I set. At that point, it lets me login normally and everything appears to function properly.

    Could you provide any insight? - overhauls 8 years ago
  • Thank you again for sharing this guide. I followed everything on this guide and deploy it using Casper Imaging as our base image. On our testing, users are presented with login keychain error. What could be causing this? - eigger1202 8 years ago
    • If you are creating your image from scratch you could try skipping the keychain deletion portion of the guide. Are users logging in with new accounts or an account included in the reference image? - mpace 8 years ago
      • This image is what we are going to use next school year for the teachers and students. They are network accounts. - eigger1202 8 years ago
      • We had similar issues with the keychain (university using domain/mobile accounts). When we duplicated our default profile to the User Template, the folder the keychains are created in was corrupting during the copy. I added 2 lines to our cleanup script deleting the corrupt folder and creating a new folder, and we've not had issues with the keychains since:

        rm -rf /System/Library/User\ Template/English.lproj/*
        cp -R /Users/default/* /System/Library/User\ Template/English.lproj/
        rm -R /System/Library/User\ Template/English.lproj/Library/Keychains/
        mkdir /System/Library/User\ Template/English.lproj/Library/Keychains/
        - sarahmurray 8 years ago
  • After much trial and error, I did the following to fix the permissions issues when using a modified user template in El Capitan.

    Follow this guide to create a DEFAULT user template. When copying the DEFAULT user account to the user template directory, use sarahmurray's suggestion to avoid the keychain issues.
    rm -rf /System/Library/User\ Template/English.lproj/*
    cp -R /Users/default/* /System/Library/User\ Template/English.lproj/
    rm -R /System/Library/User\ Template/English.lproj/Library/Keychains/
    mkdir /System/Library/User\ Template/English.lproj/Library/Keychains/

    After you copy the profile, to fix the sidebar permission issue:
    Delete the folder /System/Library/User\ Template/English.lproj/Library/Application\ Support/com.apple.sharedfilelist/

    To fix the downloads icon in the dock issue:
    Use a plist editor to open the com.apple.dock.plist file found at /System/Library/User\ Template/English.lproj/Library/Preferences
    Delete the key "_CFURLString" line from the Downloads section.
    Delete the string line listing the path to the user DEFAULT's Downloads folder, which is right under the "_CFURLString" key line.

    At this point, you can create a new local user to test. This is working in my 10.11.3 environment. This isn't officially supported by Apple of course, and if you're only modifying the default template to set simple settings like screensaver, desktop wallpaper, Finder preferences, you really are better off using Profile Manager. - brandnewhistory 8 years ago
    • Until now, as much as I like modular imaging, I still like to use this Golden Master Image because of bandwidth issues and limited scripting knowledge. That's why I'm so bummed out about this El Capitan SIP. I saw this article:
      http://osxdaily.com/2015/10/05/disable-rootless-system-integrity-protection-mac-os-x/
      and I wonder if you can disable SIP, then perform the so-called Mac sysprep, then re-enable it again? I haven't tested it but I wonder if you tried it before? - eigger1202 8 years ago
      • I haven't tried this either, but never felt I needed to for this task. If you dig into the rootless.conf, you can see the exceptions Apple has put in place, including the "/System/Library/User Template" directory. I don't think SIP is the true culprit when it comes to sysprepping an El Capitan image. What specific issues are you having while going through this process? - brandnewhistory 8 years ago
  • Thanks so much for this help. Everything has worked perfectly except for Microsoft Office. (Go figure.) When Office launches it pops up a window asking to grant access to the custom dictionary that was copied from the DEFAULT user. It's down in /System/Library/User Template/English.lproj/library/Group Containers/

    Any ideas would be appreciated. - shawnwwjd 7 years ago
    • That's a permissions issue in your base image. Go to the file (or folder) and grant access. You can do this via the GUI or command line (Google "macos change permissions"). - mpace 6 years ago