SlideShare a Scribd company logo

Tools and Process for Streamlining Mac Deployment

Timothy Sutton
Timothy Sutton

This presentation was given at the MacSysAdmin 2016 conference in Gotebörg, Sweden. Session description follows: Apple’s popularity and their approach to selling hardware is revolutionizing how IT gets that hardware into the hands of its users. Every year’s new Macs and OS X bring new changes, which doesn’t leave much time for the repetitive setup tasks that are involved in getting machines ready for users (or our testing!). It’s easy to fall behind on OS support, but we have no choice but to support the latest. The Mac sysadmin community is blessed with so many great open-source tools at its disposal for deploying and managing Macs. We'll look at approaches and tools for automating these to bring speed, consistency and sanity to our deployment processes. By being more systematic, we can be more agile, and reclaim time to work on more important problems. This session will focus on OS X hardware and tools, but the approaches discussed apply equally to iOS devices.

Technology
1 of 44
Download to read offline
Tools and Process for Streamlining Mac Deployment Tim Sutton Concordia University, Faculty of Fine Arts Montreal
Things change
Release cycle • Annual releases of macOS, iOS • Mid-cycle features added in iOS, Server (i.e. iOS 9.3 EDU features) • Testing betas in summer
Process Perspective Tools https://macops.ca/macsysadmin2016
OS X macOS builds
OS X macOS builds • macOS (multiple versions, and choose your format) • Techs with specific OS requirements, self service imaging • Open source tools where possible • Aim for repeatability, don’t repeat yourself
Products and ingredients • macOS (start from the Installer app) • Restore image • Installer package • NetBoot image (System Image Utility, DeployStudio, Imagr, etc.) • Bare minimum configuration (contained in packages) • Certs, basic config, binding • Local admin user, disabling setup assistant • Management tool / agent (Munki, Casper, etc.)
Single input, multiple outputs Munki createOSXInstallPkg DeployStudio / Imagr AutoDMG NetInstall / BSDPy AutoDSNBI
Jenkins • Master server connected to multiple build machines (different OS / environments) • Central configuration, credentials storage, role-based web access • Publishing and post-processing of builds • More in MacDevOps:YVR 2016 presentation: • http://www.macdevops.ca/presentations/
• pkgbuild and productbuild pkgbuild --identifier 'se.macsysadmin.DisableSetupAssistant' --root /path/to/payload/directory/root --version 2016.09.07 'DisableSetupAssistant.pkg' • Packaging tools / frameworks • munkipkg (CLI, Python script) - https://github.com/munki/munki-pkg • Luggage (CLI, make) - https://github.com/unixorn/luggage • Packages (Cocoa app and CLI) - http://s.sudre.free.fr
Product archive (distribution format)? productbuild --package component.pkg output.pkg
Signed packages? • Signed packages (pkgutil --sign or productbuild --sign) • Distribution outside your deployment tools • Installation via MDM + DEP (InstallApplication MDM command) • Possibly a requirement in the future?
ASR image, macOS package /Applications/AutoDMG.app/Contents/MacOS/AutoDMG build 
 --output ~/somewhere 
 '/path/to/Install macOS.app' 
 disable_setup.pkg 
 create_user.pkg createOSXInstallPkg 
 --source '/path/to/Install macOS.app' 
 --pkg disable_setup.pkg 
 --pkg munkitools.pkg 
 --pkg munki_config.pkg
NetBoot • AutoNBI (creates a vanilla or custom NetInstall): • AutoNBI.py -a -s /path/to/InstallESD.dmg -d . -n MyNBI • Imagr (vanilla NetInstall with Imagr and dependencies): • make nbi • DeployStudio NBI: • https://github.com/MagerValp/AutoDSNBI (autodsnbi.sh)
Keep the code • Keep the source together in a source repository (Git, etc.) • Version your packages • Share common logic across different scripts/projects • Remove manual setup steps wherever possible (downloading, copying large required files, etc.)
Keep the code ➜ tree -L 2 . . "## jobs $   "## common.sh $   "## create_ds_nbi $   "## create_osx_install_pkg $   %## create_restore_image %## pkgs "## build_all_pkgs.sh "## create-itadmin "## disable-diagnostics "## disable-icloud-welcome "## disable-setupassistant %## munki-kickstart #!/bin/sh -e # common.sh # exports: CACHED_INSTALLOSX_DMG_PATH # PROPFILE export CACHE_DIR="$HOME/Library/Caches/OSXBuilds" if [ ! -d "${CACHE_DIR}" ]; then echo "Cache dir doesn't exist, creating at ${CACHE_DIR}" mkdir -p "${CACHE_DIR}" fi if [ -n "${OSX_VERS}" ] && [ -n "${OSX_BUILD}" ]; then # cache the installer app echo "Caching OS X installer app ${OSX_VERS} build ${OSX_BUILD}" mkdir -p "${CACHE_DIR}/InstallOSX" export CACHED_INSTALLOSX_DMG_PATH="${CACHE_DIR}/InstallOSX/${OSX_VERS}-${OSX_BUILD}.dmg" if [ ! -e "${CACHED_INSTALLOSX_DMG_PATH}" ]; then curl --location --output "${CACHED_INSTALLOSX_DMG_PATH}" "http://macsysadmin.se/macos/${OSX_VERS}-${OSX_BUILD}.dmg" fi fi export PROPFILE="${WORKSPACE}/job.properties"
Jenkins pre-build screen
Save yourself the effort • Details aren’t complicated but there are a lot of them – this is its own complexity • We can rebuild any piece at any macOS version, with the latest config components • Go on vacation – someone else can click “build”
Making changes
Lab user environment • Desktop Macs • Domain users • Not administrators • Usually getting a “fresh” profile after logging in
User Template rm -rf /System/Library/User Template/English.lproj/* cp -R /Users/it_admin/* /System/Library/User Template/English.lproj/ chown -R root:wheel /System/Library/User Template/English.lproj rm -f /System/Library/User Template/English.lproj/Library/Keychains/login.keychain
# Author: Tim S # Created: 2011/04/23 include /usr/local/share/luggage/luggage.make TITLE=Cyberduck REVERSE_DOMAIN=ca.concordia.cda PACKAGE_VERSION=4.0.2 CD_FILE=Cyberduck-${PACKAGE_VERSION}.zip CD_URL=http://cyberduck.ch/${CD_FILE} CD_PREF=ch.sudo.cyberduck.plist PAYLOAD= unpack-cd pack-cd pack-user-template-plist-${CD_PREF} pack-user-template-appsupport-cd-bookmarks unpack-cd: l_Applications curl -L ${CD_URL} -o ${CD_FILE} pack-cd: l_Applications @sudo ${DITTO} -x -k --noqtn ${CD_FILE} ${WORK_D}/Applications/ pack-user-template-appsupport-cd-bookmarks: l_System_Library_User_Template_Application_Support_Cyberduck_Bookmarks # each .duck file is a bookmark - login user and UUID keys can be left # empty, login user will use the logged-in user's shortname and UUID will # self-generate and rename the .duck file in the user's profile @sudo ${CP} cdaftp-bookmark.duck ${USER_TEMPLATE_APPLICATION_SUPPORT}/Cyberduck/Bookmarks
Date: Fri, 06 May 2011 09:40:23 From: Rob Middleton To: munki-dev@googlegroups.com Subject: Re: [munki-dev] User Filler Postflight Script […], The generic way this is solved for all possibilities is the use of a custom LaunchAgent (with plist at /Library/LaunchAgents/). When any user logs in to the local system their home directory is first mounted then LaunchAgents run as configured in the security context of the logged in user with their home directory accessible. In this way you can script initial install of items or repair of missing items in the user context. I no longer use methods which do not work in all circumstances. Rob.
“In all circumstances” • Context of one device: does it matter whether… • A user is already logged in? • The system or component you’re managing has been run before, or is running currently? • The user or device needs to also have some license / entitlement? • (iOS): Restrictions are set? Devices is supervised and/or DEP?
“In all circumstances” • Context of the fleet of devices: • What do you know about how things worked up to now? • What change would be backwards compatible with every other element on the system which could be affected? • Allows for smaller but more frequent, and less invasive, changes • A change can be not perfect, but still an improvement and with a way forward
Admin user • Packaged using CreateUserPkg (Per Olofsson, packaged user technique by Greg Neagle) • …not all our systems had this user created by the package, though • UID 501, 502, 503…
Admin user • Problem #1: The user package seems like the best way to deploy and/or update the user, but it depends on the user having a consistent UID on all machines, which for us it wasn’t. • Solution: Customize the package script so it can also handle the situation of the user existing already.
Admin user #!/bin/bash # preinstall USER_SHORTNAME=itadmin uid_stored="$3/private/tmp/.create_user_uid" user_plist="$3/private/var/db/dslocal/nodes/Default/users/$USER_SHORTNAME.plist" if [ -e "$user_plist" ]; then DISCOVERED_UID=$(/usr/libexec/PlistBuddy -c 'Print :uid:0' "$user_plist") echo "Discovered existing user $USER_SHORTNAME, uid $DISCOVERED_UID" echo "Storing uid in $uid_stored.." echo "$DISCOVERED_UID" > "$uid_stored" fi
Admin user #!/bin/bash # postinstall USER_SHORTNAME=itadmin uid_stored="$3/private/tmp/.create_user_uid" user_plist="$3/private/var/db/dslocal/nodes/Default/users/$USER_SHORTNAME.plist" # (most of postinstall script generated by CreateUserPkg goes here) # Check for our temporary uid that was created if the user already existed if [ -e "$uid_stored" ]; then preexisting_uid=$(cat $uid_stored) /usr/libexec/PlistBuddy -c 'Delete :uid' "$user_plist" PlistArrayAdd "$user_plist" uid "$preexisting_uid" rm "$uid_stored" fi # (service restart section of postinstall script)
Admin user • Problem #2: We don’t want Munki to install this user on every single machine, but we want to manage the user pkg if it is installed. How could Munki know when to install our user package? • Solution: Give Munki the ability to know about local users so we can determine whether to install this package.
Admin user <plist version="1.0"> <dict> [………] <key>user_local_list</key> <array> <string>com.apple.calendarserver</string> <string>daemon</string> <string>Guest</string> <string>nobody</string> <string>root</string> <string>itadmin</string> <string>tim</string> </array> [………] </dict> </plist> ConditionalItems.plist <plist version="1.0"> <dict> <key>conditional_items</key> <array> <dict> <key>condition</key> <string>'itadmin' IN user_local_list</string> <key>managed_installs</key> <array> <string>itadmin_user</string> </array> </dict> </array> </dict> </plist> Munki manifest
Reality
Toyota Production System (TPS) • Jidoka (Autonomation) • “Automation with a human touch” • Do not allow for defects to make it into the finished product • The cost and effort to go out and fix a problem in a “product” (i.e. a change, update, etc.) is higher than that spent on improving quality control Taiichi Ohno
Expecting failure • Automation can help almost any process by communicating between different systems and databases • Internal: LDAP/AD/identity, inventory, JSS, Code42, Zentral • External: Creative Cloud user licenses, cloud-based ticket / support tracker
Expecting failure • Great power, great responsibility • External dependencies • Internal edge cases • Also, bugs
AutoPkg Recipe Repos ➜ ~ autopkg search malware Name Repo Path ---- ---- ---- KnockKnock.munki.recipe andrewvalentine-recipes KnockKnock/KnockKnock.munki.recipe MalwarebytesAntiMalware.munki.recipe aysiu-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.munki.r VirusBarrier2013.munki.recipe dankeller-recipes VirusBarrier2013/VirusBarrier2013.munki.recipe VirusBarrierX6.munki.recipe dankeller-recipes VirusBarrierX6/VirusBarrierX6.munki.recipe KnockKnock.munki.recipe jps3-recipes Objective-See/KnockKnock.munki.recipe KnockKnock.download.recipe jps3-recipes Objective-See/KnockKnock.download.recipe RansomWhere.munki.recipe jps3-recipes Objective-See/RansomWhere.munki.recipe BlockBlock.munki.recipe jps3-recipes Objective-See/BlockBlock.munki.recipe MalwarebytesAntiMalware.jss.recipe rtrouton-recipes JSS/MalwarebytesAntiMalware.jss.recipe MalwarebytesAntiMalware.install.recipe rtrouton-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.install MalwarebytesAntiMalware.download.recipe rtrouton-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.downloa MalwarebytesAntiMalware.pkg.recipe rtrouton-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.pkg.rec DetectX.jss.recipe rtrouton-recipes JSS/DetectX.jss.recipe
AutoPkg Recipe Repos ➜ ~ ./setup_new_recipe_repo.py timsutton/autopkg-recipes https://github.com/autopkg/autopkg/blob/master/Scripts/setup_new_recipe_repo.py Here's what's going to happen: the repo at 'timsutton/autopkg-recipes' will be be cloned and pushed to a new repo at 'autopkg/timsutton-recipes'. A new team, 'timsutton-recipes', will be created with access to this repo, and the GitHub user 'timsutton' will be added to it with 'admin' rights. Type 'yes' to proceed:
AutoPkg Recipe Repos • Script options, GitHub token validity • Additional user option required if submitting repo is owned by an org and not a user • Existence of GitHub user given • Existence of source GitHub repo • Existence of proposed new GitHub repo • Existence of proposed new team • Check API call to create the repo • Check API call to create new team • Check API call to modify default team user assignment, add new team member • Bare git clone the source repo, mirror push it to the new destination
Script errors • Bash scripting? • set -u: exit if any $variables are not set • set -e: exit shell on any non-zero exit • set -o pipefail: non-zero exits within pipes return that exit code as well • Python / Ruby / Swift / Go / etc? • Anticipate and handle errors
Tack! @timsutton @tvsutton https://macops.ca/macsysadmin2016

Recommended

Harmonious Development: Standardizing The Deployment Process via Vagrant and ...
Harmonious Development: Standardizing The Deployment Process via Vagrant and ...Harmonious Development: Standardizing The Deployment Process via Vagrant and ...
Harmonious Development: Standardizing The Deployment Process via Vagrant and ...Acquia
 
yocto_scale_handout-with-notes
yocto_scale_handout-with-notesyocto_scale_handout-with-notes
yocto_scale_handout-with-notesSteve Arnold
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Eurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologiesEurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologiesAngelo Dell'Aera
 
[Gstar 2013] Unity Security
[Gstar 2013] Unity Security[Gstar 2013] Unity Security
[Gstar 2013] Unity SecuritySeungmin Shin
 
Software Defined Datacenter
Software Defined DatacenterSoftware Defined Datacenter
Software Defined DatacenterNETWAYS
 
jQuery-3-UI
jQuery-3-UIjQuery-3-UI
jQuery-3-UIguestcf600a
 
Introducing Docker
Introducing DockerIntroducing Docker
Introducing DockerFrancesco Pantano
 

Recommended

Harmonious Development: Standardizing The Deployment Process via Vagrant and ...
Harmonious Development: Standardizing The Deployment Process via Vagrant and ...Harmonious Development: Standardizing The Deployment Process via Vagrant and ...
Harmonious Development: Standardizing The Deployment Process via Vagrant and ...Acquia
 
yocto_scale_handout-with-notes
yocto_scale_handout-with-notesyocto_scale_handout-with-notes
yocto_scale_handout-with-notesSteve Arnold
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Eurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologiesEurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologiesAngelo Dell'Aera
 
[Gstar 2013] Unity Security
[Gstar 2013] Unity Security[Gstar 2013] Unity Security
[Gstar 2013] Unity SecuritySeungmin Shin
 
Software Defined Datacenter
Software Defined DatacenterSoftware Defined Datacenter
Software Defined DatacenterNETWAYS
 
jQuery-3-UI
jQuery-3-UIjQuery-3-UI
jQuery-3-UIguestcf600a
 
Introducing Docker
Introducing DockerIntroducing Docker
Introducing DockerFrancesco Pantano
 
Yocto and IoT - a retrospective
Yocto and IoT - a retrospectiveYocto and IoT - a retrospective
Yocto and IoT - a retrospectiveOpen-RnD
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
PyCon 2011: IronPython Command Line
PyCon 2011: IronPython Command LinePyCon 2011: IronPython Command Line
PyCon 2011: IronPython Command LineLecturer UC Davis & Northwestern
 
Continuous Integration with Hackintosh
Continuous Integration with HackintoshContinuous Integration with Hackintosh
Continuous Integration with HackintoshDavid Ventura, M.E.T.
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTenpit GmbH & Co. KG
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortanaWill Schroeder
 
Building Android games using LibGDX
Building Android games using LibGDXBuilding Android games using LibGDX
Building Android games using LibGDXJussi Pohjolainen
 
How to Install, Use, and Customize Drush
How to Install, Use, and Customize DrushHow to Install, Use, and Customize Drush
How to Install, Use, and Customize DrushAcquia
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Dance for the puppet master: G6 Tech Talk
Dance for the puppet master: G6 Tech TalkDance for the puppet master: G6 Tech Talk
Dance for the puppet master: G6 Tech TalkMichael Peacock
 
ITT 2015 - Simon Stewart - Building Android Apps at Speed and Scale
ITT 2015 - Simon Stewart - Building Android Apps at Speed and ScaleITT 2015 - Simon Stewart - Building Android Apps at Speed and Scale
ITT 2015 - Simon Stewart - Building Android Apps at Speed and ScaleIstanbul Tech Talks
 
MacSysAdmin Tools Smörgåsbord
MacSysAdmin Tools SmörgåsbordMacSysAdmin Tools Smörgåsbord
MacSysAdmin Tools SmörgåsbordTimothy Sutton
 
IzPack at LyonJUG'11
IzPack at LyonJUG'11IzPack at LyonJUG'11
IzPack at LyonJUG'11julien.ponge
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
Serving Moodle Presentation
Serving Moodle PresentationServing Moodle Presentation
Serving Moodle Presentationwebhostingguy
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014biicode
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-wayRobert Lujo
 
A "Box" Full of Tools and Distros
A "Box" Full of Tools and DistrosA "Box" Full of Tools and Distros
A "Box" Full of Tools and DistrosDario Faggioli
 
Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Drupalcon Paris
 
Provisioning with Puppet
Provisioning with PuppetProvisioning with Puppet
Provisioning with PuppetJoe Ray
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectYen-Chin Lee
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 

More Related Content

What's hot

Yocto and IoT - a retrospective
Yocto and IoT - a retrospectiveYocto and IoT - a retrospective
Yocto and IoT - a retrospectiveOpen-RnD
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Continuous Integration with Hackintosh
Continuous Integration with HackintoshContinuous Integration with Hackintosh
Continuous Integration with HackintoshDavid Ventura, M.E.T.
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTenpit GmbH & Co. KG
 
Building Android games using LibGDX
Building Android games using LibGDXBuilding Android games using LibGDX
Building Android games using LibGDXJussi Pohjolainen
 
How to Install, Use, and Customize Drush
How to Install, Use, and Customize DrushHow to Install, Use, and Customize Drush
How to Install, Use, and Customize DrushAcquia
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Dance for the puppet master: G6 Tech Talk
Dance for the puppet master: G6 Tech TalkDance for the puppet master: G6 Tech Talk
Dance for the puppet master: G6 Tech TalkMichael Peacock
 
ITT 2015 - Simon Stewart - Building Android Apps at Speed and Scale
ITT 2015 - Simon Stewart - Building Android Apps at Speed and ScaleITT 2015 - Simon Stewart - Building Android Apps at Speed and Scale
ITT 2015 - Simon Stewart - Building Android Apps at Speed and ScaleIstanbul Tech Talks
 

What's hot (11)

Yocto and IoT - a retrospective
Yocto and IoT - a retrospectiveYocto and IoT - a retrospective
Yocto and IoT - a retrospective
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
PyCon 2011: IronPython Command Line
PyCon 2011: IronPython Command LinePyCon 2011: IronPython Command Line
PyCon 2011: IronPython Command Line
 
Continuous Integration with Hackintosh
Continuous Integration with HackintoshContinuous Integration with Hackintosh
Continuous Integration with Hackintosh
 
WebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLSTWebLogic Administration und Deployment mit WLST
WebLogic Administration und Deployment mit WLST
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Building Android games using LibGDX
Building Android games using LibGDXBuilding Android games using LibGDX
Building Android games using LibGDX
 
How to Install, Use, and Customize Drush
How to Install, Use, and Customize DrushHow to Install, Use, and Customize Drush
How to Install, Use, and Customize Drush
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Dance for the puppet master: G6 Tech Talk
Dance for the puppet master: G6 Tech TalkDance for the puppet master: G6 Tech Talk
Dance for the puppet master: G6 Tech Talk
 
ITT 2015 - Simon Stewart - Building Android Apps at Speed and Scale
ITT 2015 - Simon Stewart - Building Android Apps at Speed and ScaleITT 2015 - Simon Stewart - Building Android Apps at Speed and Scale
ITT 2015 - Simon Stewart - Building Android Apps at Speed and Scale
 

Similar to Tools and Process for Streamlining Mac Deployment

MacSysAdmin Tools Smörgåsbord
MacSysAdmin Tools SmörgåsbordMacSysAdmin Tools Smörgåsbord
MacSysAdmin Tools SmörgåsbordTimothy Sutton
 
IzPack at LyonJUG'11
IzPack at LyonJUG'11IzPack at LyonJUG'11
IzPack at LyonJUG'11julien.ponge
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
Serving Moodle Presentation
Serving Moodle PresentationServing Moodle Presentation
Serving Moodle Presentationwebhostingguy
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014biicode
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-wayRobert Lujo
 
A "Box" Full of Tools and Distros
A "Box" Full of Tools and DistrosA "Box" Full of Tools and Distros
A "Box" Full of Tools and DistrosDario Faggioli
 
Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Drupalcon Paris
 
Provisioning with Puppet
Provisioning with PuppetProvisioning with Puppet
Provisioning with PuppetJoe Ray
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectYen-Chin Lee
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Ideal Deployment In .NET World
Ideal Deployment In .NET WorldIdeal Deployment In .NET World
Ideal Deployment In .NET WorldDima Pasko
 
Тарас Кирилюк та Олена Пустовойт — CI workflow у веб-студії
Тарас Кирилюк та Олена Пустовойт — CI workflow у веб-студіїТарас Кирилюк та Олена Пустовойт — CI workflow у веб-студії
Тарас Кирилюк та Олена Пустовойт — CI workflow у веб-студіїLEDC 2016
 
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...Concentrated Technology
 
OpenNMS - My Notes
OpenNMS - My NotesOpenNMS - My Notes
OpenNMS - My Notesashrawi92
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxFrom pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxQAware GmbH
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Php on the Web and Desktop
Php on the Web and DesktopPhp on the Web and Desktop
Php on the Web and DesktopElizabeth Smith
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
 

Similar to Tools and Process for Streamlining Mac Deployment (20)

MacSysAdmin Tools Smörgåsbord
MacSysAdmin Tools SmörgåsbordMacSysAdmin Tools Smörgåsbord
MacSysAdmin Tools Smörgåsbord
 
IzPack at LyonJUG'11
IzPack at LyonJUG'11IzPack at LyonJUG'11
IzPack at LyonJUG'11
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Serving Moodle Presentation
Serving Moodle PresentationServing Moodle Presentation
Serving Moodle Presentation
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-way
 
A "Box" Full of Tools and Distros
A "Box" Full of Tools and DistrosA "Box" Full of Tools and Distros
A "Box" Full of Tools and Distros
 
Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3
 
Provisioning with Puppet
Provisioning with PuppetProvisioning with Puppet
Provisioning with Puppet
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Ideal Deployment In .NET World
Ideal Deployment In .NET WorldIdeal Deployment In .NET World
Ideal Deployment In .NET World
 
Тарас Кирилюк та Олена Пустовойт — CI workflow у веб-студії
Тарас Кирилюк та Олена Пустовойт — CI workflow у веб-студіїТарас Кирилюк та Олена Пустовойт — CI workflow у веб-студії
Тарас Кирилюк та Олена Пустовойт — CI workflow у веб-студії
 
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
 
OpenNMS - My Notes
OpenNMS - My NotesOpenNMS - My Notes
OpenNMS - My Notes
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxFrom pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Php on the Web and Desktop
Php on the Web and DesktopPhp on the Web and Desktop
Php on the Web and Desktop
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 

More from Timothy Sutton

Jenkins CI for MacDevOps
Jenkins CI for MacDevOpsJenkins CI for MacDevOps
Jenkins CI for MacDevOpsTimothy Sutton
 
Advanced Mac Software Deployment and Configuration: Just Make It Work!
Advanced Mac Software Deployment and Configuration: Just Make It Work!Advanced Mac Software Deployment and Configuration: Just Make It Work!
Advanced Mac Software Deployment and Configuration: Just Make It Work!Timothy Sutton
 
Managing the User Experience
Managing the User ExperienceManaging the User Experience
Managing the User ExperienceTimothy Sutton
 
Why Mac Sysadmins Love Python
Why Mac Sysadmins Love PythonWhy Mac Sysadmins Love Python
Why Mac Sysadmins Love PythonTimothy Sutton
 
AutoPkg: Crowd-sourcing Mac packaging and deployment
AutoPkg: Crowd-sourcing Mac packaging and deploymentAutoPkg: Crowd-sourcing Mac packaging and deployment
AutoPkg: Crowd-sourcing Mac packaging and deploymentTimothy Sutton
 

More from Timothy Sutton (7)

Jenkins CI for MacDevOps
Jenkins CI for MacDevOpsJenkins CI for MacDevOps
Jenkins CI for MacDevOps
 
Advanced Mac Software Deployment and Configuration: Just Make It Work!
Advanced Mac Software Deployment and Configuration: Just Make It Work!Advanced Mac Software Deployment and Configuration: Just Make It Work!
Advanced Mac Software Deployment and Configuration: Just Make It Work!
 
Managing the User Experience
Managing the User ExperienceManaging the User Experience
Managing the User Experience
 
Python for Mac Admins
Python for Mac AdminsPython for Mac Admins
Python for Mac Admins
 
How Do I Contribute?
How Do I Contribute?How Do I Contribute?
How Do I Contribute?
 
Why Mac Sysadmins Love Python
Why Mac Sysadmins Love PythonWhy Mac Sysadmins Love Python
Why Mac Sysadmins Love Python
 
AutoPkg: Crowd-sourcing Mac packaging and deployment
AutoPkg: Crowd-sourcing Mac packaging and deploymentAutoPkg: Crowd-sourcing Mac packaging and deployment
AutoPkg: Crowd-sourcing Mac packaging and deployment
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Tools and Process for Streamlining Mac Deployment

  • 1. Tools and Process for Streamlining Mac Deployment Tim Sutton Concordia University, Faculty of Fine Arts Montreal
  • 2.
  • 4.
  • 5. Release cycle • Annual releases of macOS, iOS • Mid-cycle features added in iOS, Server (i.e. iOS 9.3 EDU features) • Testing betas in summer
  • 7. OS X macOS builds
  • 8. OS X macOS builds • macOS (multiple versions, and choose your format) • Techs with specific OS requirements, self service imaging • Open source tools where possible • Aim for repeatability, don’t repeat yourself
  • 9. Products and ingredients • macOS (start from the Installer app) • Restore image • Installer package • NetBoot image (System Image Utility, DeployStudio, Imagr, etc.) • Bare minimum configuration (contained in packages) • Certs, basic config, binding • Local admin user, disabling setup assistant • Management tool / agent (Munki, Casper, etc.)
  • 10. Single input, multiple outputs Munki createOSXInstallPkg DeployStudio / Imagr AutoDMG NetInstall / BSDPy AutoDSNBI
  • 11. Jenkins • Master server connected to multiple build machines (different OS / environments) • Central configuration, credentials storage, role-based web access • Publishing and post-processing of builds • More in MacDevOps:YVR 2016 presentation: • http://www.macdevops.ca/presentations/
  • 12. • pkgbuild and productbuild pkgbuild --identifier 'se.macsysadmin.DisableSetupAssistant' --root /path/to/payload/directory/root --version 2016.09.07 'DisableSetupAssistant.pkg' • Packaging tools / frameworks • munkipkg (CLI, Python script) - https://github.com/munki/munki-pkg • Luggage (CLI, make) - https://github.com/unixorn/luggage • Packages (Cocoa app and CLI) - http://s.sudre.free.fr
  • 13. Product archive (distribution format)? productbuild --package component.pkg output.pkg
  • 14. Signed packages? • Signed packages (pkgutil --sign or productbuild --sign) • Distribution outside your deployment tools • Installation via MDM + DEP (InstallApplication MDM command) • Possibly a requirement in the future?
  • 15. ASR image, macOS package /Applications/AutoDMG.app/Contents/MacOS/AutoDMG build 
 --output ~/somewhere 
 '/path/to/Install macOS.app' 
 disable_setup.pkg 
 create_user.pkg createOSXInstallPkg 
 --source '/path/to/Install macOS.app' 
 --pkg disable_setup.pkg 
 --pkg munkitools.pkg 
 --pkg munki_config.pkg
  • 16. NetBoot • AutoNBI (creates a vanilla or custom NetInstall): • AutoNBI.py -a -s /path/to/InstallESD.dmg -d . -n MyNBI • Imagr (vanilla NetInstall with Imagr and dependencies): • make nbi • DeployStudio NBI: • https://github.com/MagerValp/AutoDSNBI (autodsnbi.sh)
  • 17. Keep the code • Keep the source together in a source repository (Git, etc.) • Version your packages • Share common logic across different scripts/projects • Remove manual setup steps wherever possible (downloading, copying large required files, etc.)
  • 18. Keep the code ➜ tree -L 2 . . "## jobs $   "## common.sh $   "## create_ds_nbi $   "## create_osx_install_pkg $   %## create_restore_image %## pkgs "## build_all_pkgs.sh "## create-itadmin "## disable-diagnostics "## disable-icloud-welcome "## disable-setupassistant %## munki-kickstart #!/bin/sh -e # common.sh # exports: CACHED_INSTALLOSX_DMG_PATH # PROPFILE export CACHE_DIR="$HOME/Library/Caches/OSXBuilds" if [ ! -d "${CACHE_DIR}" ]; then echo "Cache dir doesn't exist, creating at ${CACHE_DIR}" mkdir -p "${CACHE_DIR}" fi if [ -n "${OSX_VERS}" ] && [ -n "${OSX_BUILD}" ]; then # cache the installer app echo "Caching OS X installer app ${OSX_VERS} build ${OSX_BUILD}" mkdir -p "${CACHE_DIR}/InstallOSX" export CACHED_INSTALLOSX_DMG_PATH="${CACHE_DIR}/InstallOSX/${OSX_VERS}-${OSX_BUILD}.dmg" if [ ! -e "${CACHED_INSTALLOSX_DMG_PATH}" ]; then curl --location --output "${CACHED_INSTALLOSX_DMG_PATH}" "http://macsysadmin.se/macos/${OSX_VERS}-${OSX_BUILD}.dmg" fi fi export PROPFILE="${WORKSPACE}/job.properties"
  • 20. Save yourself the effort • Details aren’t complicated but there are a lot of them – this is its own complexity • We can rebuild any piece at any macOS version, with the latest config components • Go on vacation – someone else can click “build”
  • 21.
  • 23. Lab user environment • Desktop Macs • Domain users • Not administrators • Usually getting a “fresh” profile after logging in
  • 24. User Template rm -rf /System/Library/User Template/English.lproj/* cp -R /Users/it_admin/* /System/Library/User Template/English.lproj/ chown -R root:wheel /System/Library/User Template/English.lproj rm -f /System/Library/User Template/English.lproj/Library/Keychains/login.keychain
  • 25.
  • 26. # Author: Tim S # Created: 2011/04/23 include /usr/local/share/luggage/luggage.make TITLE=Cyberduck REVERSE_DOMAIN=ca.concordia.cda PACKAGE_VERSION=4.0.2 CD_FILE=Cyberduck-${PACKAGE_VERSION}.zip CD_URL=http://cyberduck.ch/${CD_FILE} CD_PREF=ch.sudo.cyberduck.plist PAYLOAD= unpack-cd pack-cd pack-user-template-plist-${CD_PREF} pack-user-template-appsupport-cd-bookmarks unpack-cd: l_Applications curl -L ${CD_URL} -o ${CD_FILE} pack-cd: l_Applications @sudo ${DITTO} -x -k --noqtn ${CD_FILE} ${WORK_D}/Applications/ pack-user-template-appsupport-cd-bookmarks: l_System_Library_User_Template_Application_Support_Cyberduck_Bookmarks # each .duck file is a bookmark - login user and UUID keys can be left # empty, login user will use the logged-in user's shortname and UUID will # self-generate and rename the .duck file in the user's profile @sudo ${CP} cdaftp-bookmark.duck ${USER_TEMPLATE_APPLICATION_SUPPORT}/Cyberduck/Bookmarks
  • 27. Date: Fri, 06 May 2011 09:40:23 From: Rob Middleton To: munki-dev@googlegroups.com Subject: Re: [munki-dev] User Filler Postflight Script […], The generic way this is solved for all possibilities is the use of a custom LaunchAgent (with plist at /Library/LaunchAgents/). When any user logs in to the local system their home directory is first mounted then LaunchAgents run as configured in the security context of the logged in user with their home directory accessible. In this way you can script initial install of items or repair of missing items in the user context. I no longer use methods which do not work in all circumstances. Rob.
  • 28. “In all circumstances” • Context of one device: does it matter whether… • A user is already logged in? • The system or component you’re managing has been run before, or is running currently? • The user or device needs to also have some license / entitlement? • (iOS): Restrictions are set? Devices is supervised and/or DEP?
  • 29. “In all circumstances” • Context of the fleet of devices: • What do you know about how things worked up to now? • What change would be backwards compatible with every other element on the system which could be affected? • Allows for smaller but more frequent, and less invasive, changes • A change can be not perfect, but still an improvement and with a way forward
  • 30. Admin user • Packaged using CreateUserPkg (Per Olofsson, packaged user technique by Greg Neagle) • …not all our systems had this user created by the package, though • UID 501, 502, 503…
  • 31. Admin user • Problem #1: The user package seems like the best way to deploy and/or update the user, but it depends on the user having a consistent UID on all machines, which for us it wasn’t. • Solution: Customize the package script so it can also handle the situation of the user existing already.
  • 32. Admin user #!/bin/bash # preinstall USER_SHORTNAME=itadmin uid_stored="$3/private/tmp/.create_user_uid" user_plist="$3/private/var/db/dslocal/nodes/Default/users/$USER_SHORTNAME.plist" if [ -e "$user_plist" ]; then DISCOVERED_UID=$(/usr/libexec/PlistBuddy -c 'Print :uid:0' "$user_plist") echo "Discovered existing user $USER_SHORTNAME, uid $DISCOVERED_UID" echo "Storing uid in $uid_stored.." echo "$DISCOVERED_UID" > "$uid_stored" fi
  • 33. Admin user #!/bin/bash # postinstall USER_SHORTNAME=itadmin uid_stored="$3/private/tmp/.create_user_uid" user_plist="$3/private/var/db/dslocal/nodes/Default/users/$USER_SHORTNAME.plist" # (most of postinstall script generated by CreateUserPkg goes here) # Check for our temporary uid that was created if the user already existed if [ -e "$uid_stored" ]; then preexisting_uid=$(cat $uid_stored) /usr/libexec/PlistBuddy -c 'Delete :uid' "$user_plist" PlistArrayAdd "$user_plist" uid "$preexisting_uid" rm "$uid_stored" fi # (service restart section of postinstall script)
  • 34. Admin user • Problem #2: We don’t want Munki to install this user on every single machine, but we want to manage the user pkg if it is installed. How could Munki know when to install our user package? • Solution: Give Munki the ability to know about local users so we can determine whether to install this package.
  • 35. Admin user <plist version="1.0"> <dict> [………] <key>user_local_list</key> <array> <string>com.apple.calendarserver</string> <string>daemon</string> <string>Guest</string> <string>nobody</string> <string>root</string> <string>itadmin</string> <string>tim</string> </array> [………] </dict> </plist> ConditionalItems.plist <plist version="1.0"> <dict> <key>conditional_items</key> <array> <dict> <key>condition</key> <string>'itadmin' IN user_local_list</string> <key>managed_installs</key> <array> <string>itadmin_user</string> </array> </dict> </array> </dict> </plist> Munki manifest
  • 37. Toyota Production System (TPS) • Jidoka (Autonomation) • “Automation with a human touch” • Do not allow for defects to make it into the finished product • The cost and effort to go out and fix a problem in a “product” (i.e. a change, update, etc.) is higher than that spent on improving quality control Taiichi Ohno
  • 38. Expecting failure • Automation can help almost any process by communicating between different systems and databases • Internal: LDAP/AD/identity, inventory, JSS, Code42, Zentral • External: Creative Cloud user licenses, cloud-based ticket / support tracker
  • 39. Expecting failure • Great power, great responsibility • External dependencies • Internal edge cases • Also, bugs
  • 40. AutoPkg Recipe Repos ➜ ~ autopkg search malware Name Repo Path ---- ---- ---- KnockKnock.munki.recipe andrewvalentine-recipes KnockKnock/KnockKnock.munki.recipe MalwarebytesAntiMalware.munki.recipe aysiu-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.munki.r VirusBarrier2013.munki.recipe dankeller-recipes VirusBarrier2013/VirusBarrier2013.munki.recipe VirusBarrierX6.munki.recipe dankeller-recipes VirusBarrierX6/VirusBarrierX6.munki.recipe KnockKnock.munki.recipe jps3-recipes Objective-See/KnockKnock.munki.recipe KnockKnock.download.recipe jps3-recipes Objective-See/KnockKnock.download.recipe RansomWhere.munki.recipe jps3-recipes Objective-See/RansomWhere.munki.recipe BlockBlock.munki.recipe jps3-recipes Objective-See/BlockBlock.munki.recipe MalwarebytesAntiMalware.jss.recipe rtrouton-recipes JSS/MalwarebytesAntiMalware.jss.recipe MalwarebytesAntiMalware.install.recipe rtrouton-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.install MalwarebytesAntiMalware.download.recipe rtrouton-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.downloa MalwarebytesAntiMalware.pkg.recipe rtrouton-recipes MalwarebytesAntiMalware/MalwarebytesAntiMalware.pkg.rec DetectX.jss.recipe rtrouton-recipes JSS/DetectX.jss.recipe
  • 41. AutoPkg Recipe Repos ➜ ~ ./setup_new_recipe_repo.py timsutton/autopkg-recipes https://github.com/autopkg/autopkg/blob/master/Scripts/setup_new_recipe_repo.py Here's what's going to happen: the repo at 'timsutton/autopkg-recipes' will be be cloned and pushed to a new repo at 'autopkg/timsutton-recipes'. A new team, 'timsutton-recipes', will be created with access to this repo, and the GitHub user 'timsutton' will be added to it with 'admin' rights. Type 'yes' to proceed:
  • 42. AutoPkg Recipe Repos • Script options, GitHub token validity • Additional user option required if submitting repo is owned by an org and not a user • Existence of GitHub user given • Existence of source GitHub repo • Existence of proposed new GitHub repo • Existence of proposed new team • Check API call to create the repo • Check API call to create new team • Check API call to modify default team user assignment, add new team member • Bare git clone the source repo, mirror push it to the new destination
  • 43. Script errors • Bash scripting? • set -u: exit if any $variables are not set • set -e: exit shell on any non-zero exit • set -o pipefail: non-zero exits within pipes return that exit code as well • Python / Ruby / Swift / Go / etc? • Anticipate and handle errors