OS X Mountain Lion
Technical Training:
Deployment
Apple Inc.
© 2013 Apple Inc. All rights reserved.
Apple, the Apple logo, AirPort, Bonjour,
FileVault, Finder, FireWire, Mac, MacBook,
MacBook Air, Mac OS, Safari, and Spotlight are
trademarks of Apple Inc., registered in the U.S.
and other countries. Apple Remote Desktop is
a trademark of Apple Inc. Mac App Store is a
service mark of Apple Inc.
The absence of an Apple product or service
name or logo from this page does not
constitute a waiver of Apple's trademark or
other intellectual property rights concerning
that name or logo.
Intel is a trademark of Intel Corp. in the U.S.
and other countries.
IOS is a trademark or registered trademark of
Cisco in the U.S. and other countries and is
used under license.
Java is a registered trademark of Oracle and/or
its affiliates.
UNIX is a registered trademark of The Open
Group in the U.S. and other countries.
OS X version 10.8 is an Open Brand UNIX 03
Registered Product.
Other company and product names
mentioned herein are trademarks of their
respective companies. Mention of third-party
products is for informational purposes only
and constitutes neither an endorsement nor a
recommendation. Apple assumes no
responsibility with regard to the performance
or use of these products. All understandings,
agreements, or warranties, if any, take place
directly between the vendors and the
prospective users. Every effort has been made
to ensure that the information in this
document is accurate. Apple is not responsible
for printing or clerical errors.
06-16-2013
This document is intended for Apple internal and channel audiences, and is for training purposes only.
Table of Contents
Introduction ... 1
    About this series ... 1
1 Creating Installer Packages ... 2
    About installer packages ... 2
    Signing installer packages ... 3
    Obtaining a Developer ID certificate ... 3
    Creating packages from the command line ... 5
    Using receipts to track installer package installations ... 6
    Creating installer packages with third-party utilities ... 7
2 Creating System Images ... 8
    Hands-off deployment ... 8
    Creating images with Disk Utility and the command line ... 8
    Preparing a system for imaging ... 9
    Removing unneeded LKDC information ... 9
    Removing .DS_Store files ... 11
    Removing other system files ... 11
    Customizing the default User Template directory ... 12
    Self-removing scripts ... 12
    Creating images with Disk Utility ... 14
    Creating a disk image from the command line ... 16
    Creating images with System Image Utility ... 17
    NetInstall from Installer ... 17
    NetRestore from Installer ... 19
    Using NetRestore from a prepared volume ... 21
    Automations with System Image Utility ... 23
    Additional System Image Utility preferences ... 31
    Additional resources ... 31
3 Deployment ... 32
    Local deployment ... 32
    Creating a bootable disk or volume from a NetInstall image ... 32
    Deploying with Disk Utility ... 34
    Deploying with NetInstall ... 34
    NetInstall considerations ... 35
    Configuring a NetInstall server ... 35
    Custom source NetRestore ... 38
    Setting clients to boot from a network disk image using the bless command ... 39
    Using NetBoot DHCP helpers ... 39
    bootpd relay ... 40
    Restoring with Apple Software Restore ... 41
    Unicast Apple Software Restore (ASR) ... 41
© 2013 Apple Inc. Apple confidential: for internal and channel use only iii
    Multicast Apple Software Restore (mASR) ... 42
    Minimal-touch deployments ... 44
    Third-party deployment solutions ... 45
    Additional resources ... 45
4 Caching Software Downloads ... 46
    Requirements ... 46
    Managing the Caching service ... 47
    Comparing the Caching and Software Update services ... 49
    Client configuration ... 49
    Download management ... 49
    Software cached ... 49
    When software is cached ... 50
    Additional resources ... 50
Introduction
This guide is designed to introduce the basic concepts and techniques for deploying
OS X Mountain Lion in commercial and government organizations. It provides an introduction to
the following topics:
Installation packages
Imaging
Deployment
Caching service
Note that this guide is not comprehensive. Each section provides just enough information to get
you started. After you've become comfortable with the steps provided, you can refer to the
Additional resources sections of the guide for more in-depth reading.
About this series
This guide is one of a four-part series designed to help IT professionals who are evaluating and
deploying OS X Mountain Lion on Mac computers in commercial and government organizations.
The other guides in the series are:
OS X Technical Training: Integration
OS X Technical Training: Management
OS X Technical Training: Security
OS X Mountain Lion Technical Training: Deployment
1 Creating Installer Packages
A common method for installing software is drag and drop, where the application and associated
files are copied from the distribution media to the target volume. Although this method is easy
and works well when the application files only need to be copied to one or two places in the file
system, it's not the most flexible method of installing software on multiple computers.
In OS X, installer packages are a common means of delivering new software, software updates, or
collections of documents. Installer packages are, in effect, documents for the Installer application.
Each package includes the files to be installed, the target locations for each file, and the
information to be presented during the installation process.
An additional advantage to creating installer packages is that you can create customized images
with System Image Utility. In a later chapter, you'll learn how you can create an image with
preinstalled software by combining the OS X Installer with installer packages.
About installer packages
Imaging often includes packaging software for distribution. OS X has a number of tools for
creating installation packages and distributing those packages.
Most application installers place files on an operating system. An installer package is a file, or a
bundle of files, with a .pkg extension. The package bundle contains an archive of files to install,
referred to as the payload. It also can contain scripts that perform specified actions (these can run
before or after the archive of files is placed into the destination that they're bound for) and
information about how the operating system should interpret the installer. A package can also
include licensing documents and other information, as needed.
[Figure: An installer package]
Installer packages are very useful for installing and managing software. For example, application
developers often use packages to build installers for their software. Apple uses packages to
provide system or application upgrades using Software Update. Administrators often use
packages to deploy small changes to client systems, such as binding to a directory service.
[Figure: An installer metapackage]
A metapackage, which has a .mpkg file extension, is a set of packages that's distributed in one
structure. The metapackage typically provides a list of checkboxes that can be used to choose
which packages or components of a larger installation framework are installed.
To install a package, double-click its icon in the Finder. The Installer application opens and guides
you through the necessary steps of the installation. This approach is similar to any application or
installer that provides a dialog box interface in modern computing. You can also install packages
silently through the command line, with Apple Remote Desktop, or use third-party patch
management software solutions.
Many application installers come bundled as standard Apple packages. If an application installer
is already a package, you may not need to build your own packages. Vendors who distribute
packages often have a process for preparing a package for mass deployment (such as
instructions on embedding license keys). Contacting the vendor can often save valuable time,
minimize the amount of user input required to install a package, and avoid unintended
consequences.
Creating installers for different operating systems is a similar process. Therefore, if a member of
your team is already trained in creating installers for Microsoft Windows (that is, .msi or .mst
installers) or Linux, it should be easy for that person to quickly grasp the concepts needed to
build packages in OS X.
Signing installer packages
OS X Mountain Lion users have the option of turning on a security feature called Gatekeeper.
With Gatekeeper, users can choose to install software only from the Mac App Store and identified
developers. If your installer package isn't signed with a Developer ID certificate issued by Apple, it
won't open on systems that have Gatekeeper enabled.
To avoid this situation, you need to sign installer packages using a Developer ID certificate and
thoroughly test the end-user experience using a Gatekeeper-enabled system before you
distribute your installer package.
Obtaining a Developer ID certificate
Only Mac Developer Program members are eligible to request Developer ID certificates from
Apple and sign applications or installer packages using them.
When you enroll in the Mac Developer Program, you become the primary contact for Apple and
are asked to sign legal agreements. Regardless of whether you enroll as an individual or a company,
you're the team agent and responsible for creating Developer ID certificates. If you enroll as a
company, you can add individuals to your team, but only the team agent has permission to
create Developer ID certificates. Developer ID certificates are owned by the team and not by an
individual.
To enroll in the Mac Developer Program, go to Apple Developer Program Enrollment at
https://developer.apple.com/programs/start/standard/ where you'll be guided through the process of
enrolling. If you haven't registered as an Apple Developer yet, you can do so when enrolling in
the Mac Developer Program. When you're prompted to select a program, select the Mac
Developer Program.
To create a Developer ID certificate:
1. In a web browser, go to https://developer.apple.com/account.
If you haven't signed in already, you'll need to sign in using a Mac Developer account.
2. Under Mac Apps, click Certificates.
This will display any Mac Developer certificates that have been delivered or are in the
process of being fulfilled.
3. Click the Add (+) button to add a Mac certificate.
4. Download and install the Worldwide Developer Relations Certificate Authority and
Developer ID Certificate Authority certificates located near the bottom of the page.
5. In the Distribution section, select Developer ID and click Continue.
6. Select Developer ID Installer and click Continue.
7. In the Finder, open Keychain Access (/Applications/Utilities).
8. Choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate
Authority.
9. In the Certificate Assistant window, enter the following information:
Data Rate: This is the desired data rate in bytes per second. On average, the
stream will go slightly slower than this speed, but will never exceed it.
1. Set up the plist file. For these purposes, use a filename of asrsetup.plist in the folder
/asrconfig (which has been chosen arbitrarily). Create the directory using the following
command:
mkdir /asrconfig
2. Use the defaults command to populate the file with the settings that were planned
earlier:
defaults write /asrconfig/asrsetup.plist "Data Rate" -int 10000000
defaults write /asrconfig/asrsetup.plist "Multicast Address" 192.168.0.2
You can also provide other optional information in the asrsetup.plist configuration file. You
can define the Client Data Rate, which is the slowest rate a client can operate at without
running into errors. The DNS Service Discovery key is defined as a -bool (boolean), and
defines whether the ASR server should use Bonjour. Loop Suspend is an integer that limits
the number of times an image is streamed without any clients using it before stopping the
ASR server and waiting for new clients. You can customize Multicast TTL and port as well,
although it's rare for them to be changed from their default settings.
3. After you've set up your .plist file, take an image (in the form of a .dmg file) and move it into
the /asrconfig directory.
4. Start up the ASR server with the following command:
sudo asr -server /asrconfig/asrsetup.plist -source /asrconfig/myimage.dmg
5. Now that you have a functional ASR server, tell a client to look to the server for connectivity.
This is fairly straightforward in either Disk Utility or with the command line. In the following
example, the source computer is myasrserver.pretendco.com and the image is called
myimage:
sudo asr restore --source asr://myasrserver.pretendco.com/myimage.dmg --target /Volumes/Mac\ OS\ X/ -erase

Creating NetRestore NetBoot Sets
As mentioned earlier, you can use the NetBoot service in OS X Server to assist in restoring Mac
computers with ASR. This section describes how to create a minimal NetRestore image that
allows you to predefine, manually enter, or browse for source locations of ASR images (for
example, file, URL, and so on), when they're accessible with Bonjour.
To create a NetBoot set for NetRestore using System Image Utility:
1. Open System Image Utility (located in /System/Library/CoreServices).
2. Click the Add (+) button in the lower-left corner of the window.
3. Choose Create New Workflow.
4. Read the software license agreement, and click Agree.
5. In the window that shows the NetRestore options, click the Close (x) button for the Define
Image Source and Create Image steps to remove them and leave the area empty.
6. From the Automator Library, drag the Define NetRestore Source action to the workflow
screen.
7. Click the Add (+) button within the Define NetRestore Source action and enter the path
where the .dmg is located.
8. In the Enable browsing for section, select the ASR multicast streams checkbox if you want
to see a list of all available ASR multicast streams.
9. To search for other NetRestore sources from the network (such as http), select the Other
NetRestore sources checkbox.
10. To allow users to manually provide a path to a .dmg, select the Allow manual source entry
checkbox.
11. From the Automator Library, drag the Create Image action into the workflow, below the
Define NetRestore Source area.
12. Leave Type set to NetRestore, and enter the names for the image and the network disk.
13. Enter a description to help keep track of NetBoot sets, and an image index, which is a unique
identifier you haven't used for a NetBoot set.
14. Click Save, and save the workflow with a name that you can easily find later.
15. Click Run, and wait for the NetBoot set for NetRestore to complete. The time this process
requires depends on the size of the NetBoot set and speed of the volumes to which the
NetBoot set is being written.
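The asrsetup.plist prepared in the multicast ASR steps above, as an added example that is not part of Apple's training document: it builds the same keys with Python's plistlib instead of defaults, checks the values before asr -server is pointed at the file, and renders the equivalent defaults write commands. The multicast group, rates and loop count are constructed sample values; the check that the group lies in the IPv4 multicast range (224.0.0.0/4) is the one a practitioner would want before starting the server.

```python
"""Build, validate and write a multicast ASR server configuration plist."""
import ipaddress
import plistlib
import tempfile
from pathlib import Path

# Constructed sample settings using the key names the training text describes.
# 239.0.0.0/8 is the administratively scoped IPv4 multicast range.
SAMPLE_CONFIG = {
    "Data Rate": 10000000,            # bytes/second; the server never exceeds it
    "Client Data Rate": 5000000,      # slowest rate a client can sustain
    "Multicast Address": "239.192.0.2",
    "DNS Service Discovery": True,    # advertise the stream via Bonjour
    "Loop Suspend": 5,                # idle loops before the server stops
    "Multicast TTL": 1,               # keep the stream on the local subnet
}


def validate(config):
    """Return a list of problems; an empty list means the plist is usable."""
    problems = []
    rate = config.get("Data Rate")
    if not isinstance(rate, int) or isinstance(rate, bool) or rate <= 0:
        problems.append("Data Rate must be a positive integer (bytes/s)")
    client_rate = config.get("Client Data Rate")
    if client_rate is not None:
        if not isinstance(client_rate, int) or client_rate <= 0:
            problems.append("Client Data Rate must be a positive integer")
        elif isinstance(rate, int) and client_rate > rate:
            problems.append("Client Data Rate cannot exceed Data Rate")
    addr = config.get("Multicast Address")
    try:
        if not ipaddress.IPv4Address(addr).is_multicast:
            problems.append(f"{addr} is not an IPv4 multicast group")
    except ValueError:  # covers AddressValueError and non-string values
        problems.append("Multicast Address must be a dotted IPv4 string")
    dnssd = config.get("DNS Service Discovery")
    if dnssd is not None and not isinstance(dnssd, bool):
        problems.append("DNS Service Discovery must be a boolean")
    loops = config.get("Loop Suspend")
    if loops is not None and (not isinstance(loops, int) or loops < 0):
        problems.append("Loop Suspend must be a non-negative integer")
    ttl = config.get("Multicast TTL")
    if ttl is not None and not (isinstance(ttl, int) and 1 <= ttl <= 255):
        problems.append("Multicast TTL must be between 1 and 255")
    return problems


def as_defaults_commands(config, path="/asrconfig/asrsetup.plist"):
    """Render the equivalent `defaults write` lines for these settings."""
    flags = {bool: "-bool", int: "-int", str: "-string"}
    lines = []
    for key, value in config.items():
        text = str(value).lower() if isinstance(value, bool) else str(value)
        lines.append(f'defaults write {path} "{key}" {flags[type(value)]} {text}')
    return lines


def write_config(path, config):
    """Validate, then write an XML plist that `asr -server` can read."""
    problems = validate(config)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "wb") as fh:
        plistlib.dump(config, fh, fmt=plistlib.FMT_XML)


def load_config(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def roundtrip_demo():
    """Write SAMPLE_CONFIG to a scratch file and read it back."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "asrsetup.plist"
        write_config(target, SAMPLE_CONFIG)
        return load_config(target)


if __name__ == "__main__":
    print("\n".join(as_defaults_commands(SAMPLE_CONFIG)))
    print(roundtrip_demo())
```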
Minimal-touch deployments
By following Apple's best practices, you can achieve minimal-touch, or even zero-touch,
deployments with OS X. There are three main components to a minimal-touch deployment.
Deployment imaging. The first step of any deployment (and especially with a minimal-touch
deployment) is the development of a good deployment image. A deployment image should
contain as few customizations as possible to protect it from constant revisions and make it as
business-unit agnostic as possible. Ideally, it only contains OS X, local settings, and keystone
applications. Keystone applications are software packages installed on 100 percent of the Mac
computers in your organization.
Directory services. By fully utilizing directory services, you gain centralized control over user
identities and user data and provide for the delivery of a cohesive management policy
framework. You should build a script that binds the Mac to your directory service into your
deployment image.
Client management. Using a client management system completes the minimal-touch
deployment, and you should build this client management agent into your deployment
image. On initial startup, the Mac contacts the client management suite and uploads its
inventory information. At this point, any unit-specific software is provisioned, along with any
update deltas that exist for the current deployment image. With most client management
suites, optional applications are delivered to users' Mac computers via self-service software
tools.
When you use this type of workflow in conjunction with having systems imaged at the factory
(or by an Apple Authorized Reseller) before they arrive at your location, you can achieve a
zero-touch deployment.
Third-party deployment solutions
The following is a partial list of third-party solutions for OS X deployment:
DeployStudio: http://www.deploystudio.com
JAMF's Casper Suite: http://www.jamfsoftware.com
Absolute Manage: http://www.absolute.com
KACE: http://www.kace.com
LANDesk: http://www.landesk.com
FileWave: http://www.filewave.com
Additional resources
For more information about deploying Mac computers, refer to the following resources:
Other services section, OS X Server: Advanced Administration: http://help.apple.com/advancedserveradmin/mac/10.8/
OS X Education Deployment Guide: http://www.apple.com/education/resources/information-technology.html
4 Caching Software Downloads
The Caching service speeds up the download of software purchased through iTunes and the Mac
App Store. The software that's cached includes software updates, purchased apps, and books.
Without any configuration, OS X computers are able to take advantage of a Caching server. When
you set up a Caching server, the server registers its public IP address with Apple. When the Mac
App Store or iTunes apps on OS X computers that share the same public IP address make
download requests, the client computers are automatically redirected to the local Caching
server. When a client computer leaves the network, such as when a MacBook is taken home, it
reverts to getting software directly from Apple.
Requirements
The Caching server supports clients with OS X v10.8.2 or later and requires that clients share the
same public IP address behind a NAT. If you have more than one Caching server on your
network, clients automatically select the right server.
The following figure is an example of a single subnet with a Caching server:
If your network has multiple subnets that share the same public IP address, the subnets can take
advantage of the Caching server. For example, the following figure shows a network with two
subnets sharing a single Caching server:
You can get the best performance from your Caching server by connecting it to your network
using Ethernet. The Caching server can serve hundreds of clients concurrently, saturating a
Gigabit Ethernet port. Therefore, in most small- to medium-scale deployments, the performance
bottleneck is usually the bandwidth of your local network. To determine if your server hardware
is your performance bottleneck when a large number of clients are accessing the server
simultaneously, check the Processor Usage graph in the Stats pane. If the processor usage is
constantly at or near the maximum, you may want to add additional Caching servers to distribute
your clients' caching requests across multiple servers. Also, if your server is in an environment
where clients download a wide variety of large content, be sure to set the cache size
limit high enough. This prevents the Caching server from deleting cached data frequently, which
may cause the same content to be downloaded again at the expense of more Internet bandwidth
consumption.
Managing the Caching service
The default location for cached content is the boot volume. You can choose an alternate location
and specify how much of the volume is used by the service.
As the Caching server gets requests for content to be downloaded and cached, more of your disk
space is used to store the cached content. When the disk space used by the cached content reaches
the maximum you specified in the Caching pane, or when the available space on the volume
drops to 25GB, the Caching server deletes the least recently used cached content to make space
for the next request.
To start the Caching service:
1. Open the Server app (located in /Applications/).
2. From the Services list on the left, click Caching.
3. Click the on/off switch to turn on the Caching service.
At this point and without any additional configuration, the Caching service will start to cache the
Mac App Store and iTunes downloads.
To select a volume for caching:
1. In the Caching pane, click Edit.
2. Select a storage volume.
3. Click Use Selected Volume.
To delete all cached content:
1. If you want to delete all cached content, click Reset in the Caching pane.
2. If you're sure you want to proceed, click Reset again.
To set cache size:
In the Caching pane, use the slider to adjust the caching limit.
Comparing the Caching and Software Update services
The Software Update server and the Caching server both provide updates to software installed
on Mac clients. However, the following are key differences between these services:
The Software Update server caches only updates; the Caching server can cache both updates
and purchases from the Mac App Store.
With the Software Update server, you need to manually configure clients to only use a specific
software update server; with the Caching server, no client configuration is required. Clients
automatically access the available Caching server on the network they're currently on, making
it mobile-client friendly. For example, when a client is at work, it can use the Caching server at
work, and when the same client is at home, it can automatically use another Caching server at
home.
The Software Update server downloads and caches all available updates when it first starts up;
the Caching server downloads and caches software based on client requests.
The Software Update server provides client management functionality, such as the ability for
administrators to restrict which updates can be seen and downloaded by clients; the Caching
server doesn't provide any client management functionality.
If you need client management functionality, use the Software Update server. Also, if you
configure your client to use the Software Update server, it takes precedence and the client
cannot use the Caching server for software updates.
Important: The Caching server and Software Update server can coexist on the same server, but
they don't share cached content, which may result in additional disk space being used.
Client configuration
In order to access your Software Update server, the Software Update preferences on your client
computers need to be configured to direct them to the server. This is typically done through
managed preferences in Workgroup Manager or configuration profiles, but can also be done by
modifying the preferences directly.
No client configuration on your part is required with the Caching service. On a regular basis, a
Caching server registers itself and its public IP address with Apple's software servers. When client
devices attempt to access Apple's servers, the devices are automatically directed to the Caching
server associated with your public IP address.
Download management
With the Software Update service, you can select which updates are available to the client
computers. This is useful for organizations that want to restrict access to new software until it has
been tested for compatibility.
The Caching service doesn't provide any control over software availability.
Note that client computers that are configured to use your Software Update server don't access a
Caching server for software updates. They do, however, still use the Caching server for other
downloads, such as app purchases.
Software cached
Both services cache Apple-provided software updates; however, the Caching service also caches
other content downloaded using iTunes or the Mac App Store, such as apps and books.
Note that currently iOS doesn't access a Caching server. The server caches OS X apps and books
downloaded using iTunes on a Mac or Windows computer.
When software is cached
With the Software Update service, all updates are downloaded in advance of client computers
requesting them, usually when the Software Update service is turned on, and as additional
updates become available afterwards.
With the Caching service, software is downloaded and cached as client computers request it. The
first computer to request an app experiences a longer download time. All computers requesting
the same app afterwards experience faster downloading as they get the app from the Caching
server.
Additional resources
For more information about setting up and configuring the Caching service:
OS X Server: Advanced configuration of the Caching service: http://support.apple.com/kb/HT5590
Caching Content from Apple, OS X Server Essentials: Using and Supporting OS X Server on
Mountain Lion, Peachpit Press