hyper-efficient mac deployment

Post on 18-Jul-2015


Hyper-Efficient Mac Deployment

Light-touch tools to automate Mac management

Nick McSpadden, Client Systems Manager, Schools of the Sacred Heart, San Francisco

Old and Busted: "Golden Master imaging"

Golden Master: create one perfect Mac, clone it to all machines.

Sometimes unexpected problems occur with different hardware.

ByHost preferences, correct boot cache, hardware-specific OS builds - these are all issues with golden master imaging.

The second a new update comes out, the image is outdated - and so are all the devices cloned from it.

This requires fully rebuilding the image every time you want to update anything.

Golden master imaging has no good method for ongoing management or updates.

How do you update end nodes? Re-imaging them every time an update comes out?

New Hotness: "Thin imaging"

Thin imaging: Lay down a never-booted base OS layer, and then granularly install software on top of it.

Base Mac OS

OS Software Updates

3rd-Party Software: Office, Adobe

iLife/iWork, etc.

Profiles, config. mgmt

Highly modular and adaptable to any configuration.

Easily updated, as only the individual piece of software has to be touched.

Base Mac OS

OS Software Updates

3rd-Party Software: Office only

Profiles, config. mgmt

Base Mac OS

OS Software Updates

3rd-Party Software: Office, Adobe

Profiles, config. mgmt

Hotter Hotness: "No imaging"

No imaging: For new Macs out of the box, the OS is already installed. Don't remove and reattach the wheel.

OS Software Updates

3rd-Party Software: Office, Adobe

iLife/iWork, etc.

Profiles, config. mgmt

Thin Imaging Workflow: Preparation

1. Create the base OS layer - never-booted OS X install. createOSXInstallPkg

2. Set up initial install mechanism - NetBoot server. DeployStudio

3. Set up Apple software updates - local update server. Reposado

4. Set up software deployment mechanism - something to install packages. Munki

Building A Never-Booted OS X Install

CreateOSXInstallPkg: https://github.com/munki/createOSXinstallPkg

• Creates a standard Apple pkg that installs OS X.

• Can be installed with any tool or mechanism that supports installing standard Apple packages.

• Supports adding other .pkgs to install process.

• We use this to install the OS.

Setting up DeployStudio

DeployStudio: http://www.deploystudio.com/Home.html

• With OS X Server, can boot up Macs over the network via NetBoot.

• Set up workflows to install packages.

• Use this to install OS X + Munki + initial setup configuration on client machines.

Setting up OS X Software Updates

Reposado: https://github.com/wdas/reposado

• Can run on any server platform - Windows, OS X, Linux.

• Hosts a local copy of Apple's software update catalog.

• Requires about 200 GB of disk space.

Setting up Software Deployment Mechanism

Munki: https://github.com/munki/munki

• Can run on any web server platform - Windows, OS X, Linux.

• Requires software installed on clients, which pull from the server periodically.

• Installs packages, disk images, and Apple software updates from local server.

Munki - Quick primer

Munki will install/update all software on first boot (and every ~2 hours).

Each client machine has a manifest, which specifies what software should be installed.

The latest version of the imported software is always installed.
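The manifest-to-install resolution described on this slide, as an added example (not from the talk and not Munki's own code). The manifest and catalog contents are constructed sample data, `resolve` and `version_key` are hypothetical helper names, and the version comparison is a simplification of what Munki actually does.

```python
import plistlib

# Constructed sample data: one client manifest and one catalog (XML plists).
MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>catalogs</key><array><string>production</string></array>
  <key>managed_installs</key>
  <array><string>Firefox</string><string>Office2011</string></array>
</dict></plist>"""

CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict><key>name</key><string>Firefox</string><key>version</key><string>38.0.5</string></dict>
  <dict><key>name</key><string>Firefox</string><key>version</key><string>39.0</string></dict>
  <dict><key>name</key><string>Firefox</string><key>version</key><string>9.0.1</string></dict>
  <dict><key>name</key><string>Office2011</string><key>version</key><string>14.5.2</string></dict>
  <dict><key>name</key><string>AdobeReader</string><key>version</key><string>11.0.11</string></dict>
</array></plist>"""


def version_key(version):
    """Compare dotted versions numerically, so 39.0 beats 9.0.1 (a string sort would not)."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 39.0 and 39 as equal
        parts.pop()
    return parts


def resolve(manifest_bytes, catalog_bytes):
    """Return ({name: newest catalog version}, [names missing from the catalog]).

    Simplification: a single catalog is passed in directly; the manifest's
    'catalogs' list is not used to select it.
    """
    manifest = plistlib.loads(manifest_bytes)
    catalog = plistlib.loads(catalog_bytes)
    plan, missing = {}, []
    for name in manifest.get("managed_installs", []):
        candidates = [item["version"] for item in catalog if item.get("name") == name]
        if not candidates:
            missing.append(name)  # a manifest entry nobody imported: worth alerting on
            continue
        plan[name] = max(candidates, key=version_key)
    return plan, missing


if __name__ == "__main__":
    print(resolve(MANIFEST, CATALOG))
```

Software present in the catalog but absent from the manifest (AdobeReader here) is never installed on this client, which is what lets one catalog serve differently configured machines.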

Thin Imaging Workflow: Deployment

1. Use NetBoot to boot to DeployStudio.

2. Install the base Mac OS 10.10.3 installer package - createOSXInstallPkg.

3. Install Munki client software package.

4. Install local admin account, bypass initial setup screens.

5. On boot, Munki triggers and installs all software & updates from Reposado.

DeployStudio in action

29 minutes later...

On first boot, Munki triggers

We installed 10.10.3. What happens when 10.10.4 comes out in a month or two?

What happens when OS X 10.11 comes out in November?

Modularity of Thin Imaging

Only individual pieces require updating. Total time to update the workflow for new items:

• If a new OS comes out: Run CreateOSXInstallPkg again. Total time: ~7 minutes.

• If a new Firefox or Chrome comes out: Import new version into Munki. Total time: ~30 seconds.

Monolithic aspect of Golden Master Imaging

Total time to update the workflow if a new OS comes out:

1. Install image on fresh machine. Time dependent on transfer speed - at gigabit, with SSD: Estimated time: ~20 minutes for a 15 GB image.

2. Install new OS. Estimated time: ~30 minutes.

3. Capture new image. Estimated time: ~40-60 minutes.

Modularity of Software Deployment with Munki:

Use AutoPkg (https://github.com/autopkg/autopkg) to get common updates.

Total admin effort for me to update Firefox on all machines:

autopkg run Firefox.munki MakeCatalogs.munki

or:

munkiimport ~/Downloads/Firefox.dmg

Munki will ensure all clients will receive the update.

Within 24 hours, 80% of my fleet will have the new update of Firefox.

Within 48 hours, 99+% of my fleet will have it.

Total admin time involved: 5 seconds

Why Use Munki for Deployment?

Scenario: New Firefox update comes out. Admin imports into Munki.

Machines that will receive update:

• All new machines that are deployed from now on.

• All existing machines with Munki.

Scenario: New Firefox update comes out. Admin recreates golden master.

Machines that will receive update:

• All new machines that are deployed from now on.

• ????

Total cost of all of these tools?

$0

One method, one command, to update all existing and new machines.

No need to reinvent the wheel.

Thin imaging gives you unlimited flexibility and control.

Thin imaging gives you, the admin, your time back.

Where do I go from here?

• Consider adding some kind of MDM / Configuration Management tool.

• Profiles for configuring OS X settings (Profile Manager not required).

• Find/Write/Share AutoPkg recipes for your common installs.

• Join the OS X Admin community!

Resources

• Going MAD - Munki, AutoPkg, and DeployStudio by Steve Yuroff, PSU Mac 2014: https://youtu.be/UG84nedo4ag

• You Oughta Check Out AutoPkg by Greg Neagle, PSU Mac 2014: https://youtu.be/mqK-MAEZekI

• What's New With Munki? by Greg Neagle, MacSysAdmin 2014: http://docs.macsysadmin.se/2014/pdf/What_is_new_with_Munki.pdf and http://docs.macsysadmin.se/2014/video/Day2Session3.mp4

• Setting Up Munki with OS X Yosemite Server, by Nick McSpadden: https://osxdominion.wordpress.com/2015/02/26/setting-up-munki-with-os-x-yosemite-server/

More Advanced Resources

• Munki-In-A-Box: https://github.com/tbridge/munki-in-a-box - Helpful setup script for Munki & AutoPkg

• AutoNBI: https://bitbucket.org/bruienne/autonbi - Generate DeployStudio NetBoot images automatically

• BSDPy: https://bitbucket.org/bruienne/bsdpy - Python-based NetBoot server (cross-platform)

More Resources

• MacBrained.org - Local Mac admin user group, meeting monthly in the Bay Area - join now!

• IRC channel for OS X admins: ##osx-server on FreeNode

• Mac Enterprise mailing list, hosted by PSU: http://www.macenterprise.org/mailing-list

• AFP548, a site for Mac admins: http://www.afp548.com/