Monday, 11 November 2019

macOS Catalina - How to use imaging even though Apple don't want you to

With each new version of macOS Apple have tightened security, and in general this is clearly a good thing.

Apple have also removed a number of historically available functions - including ones used in the past by many Mac administrators. This arguably is a mixture of good and bad.

The latest casualty in macOS Catalina is the loss of the --volume option in startosinstall.

Losing the --volume option means you can no longer boot from an external drive and automate the installation on to the internal drive, optionally with flags to erase the internal drive and install packages. Now you can only do this by booting from the internal drive itself and then running the startosinstall command, which in turn means going through the Apple Setup Assistant at least once. This could be workable for wiping and reusing an existing Mac, but only if you have a valid login when the Mac is returned by the previous user.

This seems an extremely petty change since the GUI macOS installer still does let you boot from an external drive, run the installer and specify a different drive to install on to. Clearly there cannot be any technical reasons for this change. 😕

Ironically the 'solution' to the loss of the --volume option is to go back in time and return to using AutoDMG and an image restoration process, e.g. DeployStudio (run locally).

It should be noted that, due to the now extremely aggressive implementation of Security & Privacy in Catalina, one can no longer run normal DeployStudio workflows to configure a Mac unless you also install DeployStudio Runtime on the target Mac and give it and Terminal/bash/scripts Full Disk Access permission. Clearly you would not do this on a Mac you are configuring.

It is however possible to do the following.

  1. Use MagerValp's AutoDMG (currently a beta version for Catalina compatibility) to build a Catalina image
    1. The source macOS Installer must be inside a disk image. I happen to use Greg Neagle's installinstallmacos.py script to download the macOS Installer, and this automatically puts it in a disk image
    2. Make sure you have no other volumes called 'Macintosh HD' mounted, as otherwise AutoDMG gets 'confused' as to which to use
    3. This includes the normally invisible 'Macintosh HD - Data' now included with Catalina; I therefore have my USB boot drive named differently
  2. Use Richard Trouton's old first-boot-package tool to run scripts and installers during the first boot of the restored image
  3. Use a DeployStudio server to host the AutoDMG image
  4. Use a USB boot stick with a full install of Catalina and use Disk Utility to erase the target (internal) drive if needed
  5. Use DeployStudio Runtime to restore the AutoDMG created image
  6. On first boot the restored Mac will then run the scripts/installers provided by Richard Trouton's tool. In my case I run an installer created using Greg Neagle's pycreateuserpkg to create an initial local admin account, MagerValp's SkipAppleSetupAssistant pkg, my own script to set initial preferences, and then Greg Neagle's munkitools installer. I also run another of my own scripts to replace the DeployStudio function to automatically name restored computers.
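
The checks in step 1 (installer inside a disk image, no mounted volume that AutoDMG could mistake for 'Macintosh HD') can be scripted before starting a build. This is an added example, not part of the original post or of AutoDMG; it assumes volumes are mounted under /Volumes and that the installer image ends in .dmg or .sparseimage, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: preflight checks before an AutoDMG build.
# Assumptions: volumes mount under /Volumes; the installer image file ends
# in .dmg or .sparseimage; all function names here are hypothetical.

# Succeeds only if the installer source is a disk image file.
installer_is_disk_image() {
    case "$1" in
        *.dmg|*.sparseimage) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Prints mounted volume names that clash with the build target, including
# 'Macintosh HD - Data' and duplicate mount points such as 'Macintosh HD 1'.
conflicting_volumes() {
    local root="${1:-/Volumes}" path name
    for path in "$root"/*; do
        [ -e "$path" ] || continue
        name="${path##*/}"
        case "$name" in
            "Macintosh HD"|"Macintosh HD - Data"|"Macintosh HD "[0-9]*)
                printf '%s\n' "$name" ;;
        esac
    done
}

# Runs both checks, reports every failure, returns non-zero if any failed.
preflight() {
    local image="$1" root="${2:-/Volumes}" found status=0
    if ! installer_is_disk_image "$image"; then
        echo "FAIL: installer source is not a disk image file: $image" >&2
        status=1
    fi
    found="$(conflicting_volumes "$root")"
    if [ -n "$found" ]; then
        echo "FAIL: unmount or rename these volumes before building:" >&2
        printf '%s\n' "$found" | sed 's/^/  /' >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: safe to start the AutoDMG build"
    return "$status"
}

# Usage: preflight.sh /path/to/installer.dmg [volumes-dir]
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```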

I could have included an installer to enrol in to our MDM, e.g. a Jamf QuickAdd.pkg; however, I intend to use DEP for Catalina.

The above therefore pretty much restores past 'imaging' capabilities.