My First Successful Modular Imaging Workflow

After being inspired by the PSU Mac Admins conference to really take a deep dive into modular imaging, I'm pleased to be able to say that on Friday, I ran my first fully successful modular imaging workflow. Granted, it was only a test, but it was very similar in fashion to what I'll be doing for the fall images and included most of the same software.

Tools I Used

- InstaDMG / InstaUp2Date
- The Luggage
- A wee tiny bit of knowledge about bash scripting
- DeployStudio
- Munki
- Managed Client for Mac OS X (MCX)

The Actual Workflow

Using InstaDMG, I built a 10.6.7 base "vanilla" image called BareBonesMac.dmg. It included Mac OS X, iLife, munki, the InstaUp2Date createUser pkg to make an admin user account, the afp548.com clearReg pkg to ensure the Apple setup assistant wouldn't show at boot, and a pkg I made using The Luggage to install the ManagedInstalls preference file for Munki. The whole point of InstaUp2Date (which is part of InstaDMG) is to be able to build a fresh, never-booted image that already has all of the latest Apple software updates baked into it. So, of course, my catalog files included all of the latest updates for both Mac OS X and iLife.

Using DeployStudio I then restored the BareBonesMac.dmg image down to a test client machine. I made a workflow in DeployStudio admin that, after restoration, would prompt me to enter the computer information, apply it, and then reboot and run my initalsetup.sh first boot script. The first boot script is small and applies some preferences in the /Library/Preferences domain. For most preferences I'll be using MCX, but certain preferences should be set locally on each machine -- that is the purpose of the first boot script. It also prepares Munki to run on startup by putting it into bootstrap mode by touching a file at /Users/Shared/.com.googlecode.munki.checkandinstallatstartup.
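A first boot script along the lines described above, as an added example that is not the author's initalsetup.sh. The `--run` switch, the optional scratch-root argument, the function names and the loginwindow preference are assumptions made for illustration; the trigger file path is the one from the post.

```shell
#!/bin/sh
# Added example, not the author's initalsetup.sh. Run as root on first boot
# with "--run"; pass a scratch directory as $2 to dry-run it off-target.

# Trigger file named in the post; Munki removes it when bootstrap finishes.
FLAG_REL="Users/Shared/.com.googlecode.munki.checkandinstallatstartup"

# Write one machine-local preference under <root>/Library/Preferences.
# The loginwindow key is a constructed sample, not a setting from the post.
set_local_prefs() {
    command -v defaults >/dev/null 2>&1 || return 0   # not macOS: skip
    defaults write "$1/Library/Preferences/com.apple.loginwindow" \
        SHOWFULLNAME -bool true
}

# Put Munki into bootstrap mode by creating the trigger file.
# Returns 0 on success, 1 if the directory is missing, 2 if the path is
# already a symlink, 3 if the file could not be created.
enable_munki_bootstrap() {
    flag="$1/$FLAG_REL"
    [ -d "$(dirname "$flag")" ] || return 1
    # /Users/Shared is writable by every local user, so never follow a
    # pre-existing symlink at this path while running as root.
    [ -L "$flag" ] && return 2
    touch "$flag" || return 3
    chmod 644 "$flag"
}

# True while a bootstrap run is still pending for the given root.
bootstrap_pending() {
    [ -f "$1/$FLAG_REL" ] && [ ! -L "$1/$FLAG_REL" ]
}

if [ "${1:-}" = "--run" ]; then
    root="${2:-}"
    set_local_prefs "$root" && enable_munki_bootstrap "$root"
fi
```
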

Upon first boot, within seconds of the login window appearing, because I put Munki into bootstrap mode, it appeared on the screen and began checking its manifest on the webserver to see what software it needed to install. On Friday, I had it installing Flash Player, Omnigraffle, Processing, Chrome, Firefox, and more. It worked beautifully. In bootstrap mode, if a restart is required, Munki will do it and keep running until everything is done installing. At that point, it removes /Users/Shared/.com.googlecode.munki.checkandinstallatstartup and the login window is displayed. It worked as expected. It was incredibly awesome to watch the test iMac installing software on its own.

At that point, the only items which were left were the managed preferences. MCX settings were applied properly (all but Bluetooth disabling -- see my previous post) and the test iMac essentially configured itself exactly how I would have done it in a golden master style workflow.

Next Steps

I need to talk with our software vendors about which files are touched for licensing and how, if at all, I can go about making licensing packages using The Luggage. Fortunately, products like Adobe Creative Suite and Microsoft Office both are volume licensed. Creative Suite can be prelicensed using Adobe's AAMEE tool, and Microsoft Office is prelicensed upon download.

My goal is also to try and figure out a way to use Kerberos authentication with Munki when accessing the web repository. We have a small group of users who will be running Managed Software Update, and I want to figure out a way to have the HTTP requests come from their account rather than "root." If I can get it working, I can make a group in OD called Munki Admins and use a kerberized web realm to secure the repository. If I can't figure that out, I'll end up using the HTTP Basic Auth functionality which is documented on the Munki wiki. There's also an SSL option, but dealing with certificates is far more complex than I'd like to make our Munki installation.

I'll make fresh posts for progress on the Kerberos auth idea.
