krypted.com

Tiny Deathstars of Foulness

I love answering a question with a question. Is asr still in OS X? Is NetInstall still in OS X Server? Can OS X still NetBoot? Does System Image Utility still work? The answer to all of these is yes. Therefore, the answer to “Is imaging dead” is clearly no. Is it on its way out, maybe. Debatable. Is it changing? Of course. When does Apple not evolve?

What have we seen recently? Well, the rhetoric would point to the fact that imaging is dying. That seems clear. And this is slowly coming out of people at Apple. The word imaging is becoming a bad thing. But, as a customer recently asked me, “what do you do when a hard drive fails and you need to get a system back up?” My answer, which of course was another question, was “what do you do when that happens with an iPad?” The answer is that you Restore.

What is the difference between an Image and a Restore? Yes, I meant to capitalize both. Yes, I realize that’s not grammatically correct. No, I don’t care. It’s my prose, back off. But back to the point. What is the difference between the two? An Image can have things inserted into /Applications, /Library, and even /System (since it’s not booted, it’s not yet protected by SIP). An Image can have binaries and scripts that Apple didn’t bake into the factory OS fire automatically. On an iPad, when you Restore, you explode an .ipsw file onto disk that can’t be altered and acts as an operating system.

The difference here is that one is altered, the other isn’t. Additionally, iOS .ipsw files only contain drivers for the specific hardware for a given device (e.g. one for iPad Mini and another for iPhone 6). But, you have pre-flight and post-flight tasks you need to perform. Everyone understands that. Think about automation via profiles. You can run a script with a profile. You can apply a profile at first boot. You can install a package (the future of packages is IMHO more debatable than the future of images) and a .app with a profile. These might take a little more work than they do with a NetInstall and System Image Utility. But then, they might not. You’d be surprised what’s easier and what’s actually harder (for now) with this new workflow. Complexities are more logistical than technical.

So, Imaging is dead, long live Restoring? Arguably, any older workflows you have will be fine for some time. So any good article has a call to action somewhere. The call to action here is to try to subtly shift your deployment techniques. This involves implementing a DEP strategy where possible. This involves putting the final nails in the coffin of monolithic imaging. This involves moving to as thin an image as possible. This involves (I can’t believe I’m saying this) de-emphasizing scripting in your deployment process. This also involves completing the move that you’ve hopefully started already, from MCX to profile or MDM-based management.

What else do you think this involves? Insert running commentary below!

December 5th, 2015

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

  • Rich

    Part of what makes iPad Restore work on iOS is iCloud Backup. If I can get iCloud Backup for Mac, that would simplify a number of things in my deployment workflow.

  • Lopekal
  • Dave Hagan

    Apple still has a lot to improve when it comes to restoring OS X in this new world of the App Store and profiles. The Apple “ease of use” paradigm has gone away with MDMs and DEP. You’d think with all of Apple’s billions they would have this part licked.

    • Donnie

      What are your thoughts on Internet Recovery? I’ve never had trouble getting a fresh OS from Apple on a working yet blank hard drive.

      • Dave Hagan

        I don’t have a problem with Internet recovery from a consumer’s point of view. It works great. But for the enterprise, it’s not that efficient.

        • Donnie

          Yeah I understand that. I guess I haven’t really had a need to Restore machines en masse. Failed hard drive replacement and the occasional unfixable kernel panic are the few times I’ve had to use it.

          What would you want to see in an Enterprise solution? I was going to say Internet Recovery from a caching server but I’m interested to know what you would want to see.

          • Dave Hagan

            Apple should build an application in their cloud infrastructure that consolidates the VPP, DEP, and MDM and puts it into a single pane of glass that’s easy to use and inexpensive (or free!). When the enterprise buys a new Mac (or bunch of Macs, iPads, or iPhones), their serial #’s are already registered to the enterprise’s database of Macs and are therefore ready to deploy from the factory. The IT department should be able to set in motion when the computer is first turned on the connection to Wi-Fi, binding to Active Directory, and all of the settings that the enterprise needs to set. Now some of you will say this already exists and to a degree it does exist. But it’s messy. Needing to seek out a third party for a large scale MDM solution is obnoxious and costly. It would be fine if Apple’s profile manager worked in all circumstances but in my experience it’s fragile and does not scale well. I find the whole application of VPP codes and DEP to be a ginormous clusterfu¢k of sorts. Apple should be tying all of the pieces together. Right now it’s really embarrassing.

          • Chandler Wearer

            It sounds to me like you’ve been dealing with Macs in the enterprise with limited success. I think there are any number of MDM providers that may solve your precise “Single Pane of Glass” problem. I would urge you strongly to look into them. You’ll find some of them are free and others have license seat costs associated with them. But like any other thing in life, if you expect someone to do something well for you, there’s probably a premium associated with that.

          • Dave Hagan

            Yes, there are a number of MDM providers out there and I have looked at them, from Casper to Meraki (which is now no longer free by the way). My overall point is that I find Apple’s implementation half-hearted and clumsy.

          • Larry Towers

            You know what’s really embarrassing? Apple won’t even let my department enroll for DEP!
            I also really hate that anything we do to our computers has to roll through Apple’s infrastructure first. I want to manage all my computers locally if I feel like it!