Channel: rtrouton – Der Flounder

Session videos and slides now available from MacSysAdmin 2016


The documentation from MacSysAdmin 2016 is now available, with the session slides and videos being accessible from the link below:

http://documentation.macsysadmin.se

The videos of my sessions are available for download from here:

I’d also like to thank Tycho Sjögren and Apoio AB again for inviting me to speak at this year’s MacSysAdmin.



Documentation session at JAMF Nation User Conference 2016


I’ll be speaking about various ways to document your Casper Suite and other IT needs at JAMF Nation User Conference 2016, which is being held from October 18th – 20th, 2016 in Minneapolis, MN. For those interested, my talk will be on Thursday, October 20th.

For a description of what I’ll be talking about, please see the Preparing for the Road Ahead: Documenting Your Casper Suite Setup session description. You can see the whole list of JNUC sessions here on the Sessions page.


Using Disk Utility on macOS Sierra to unlock FileVault 2-encrypted boot drives


Starting in OS X El Capitan, Apple overhauled Disk Utility’s various functions to add new features and remove others. As of macOS Sierra, it appeared at first that the abilities to unlock or decrypt a FileVault 2-encrypted drive had both been removed from Disk Utility. After some investigation though, it looks like the ability to decrypt has been removed, but you can still unlock using Sierra’s Disk Utility. For more details, see below the jump.

1. Boot your Mac and hold down ⌘-R (Command –R) to boot from the Mac’s Recovery HD partition.

Note: You can also boot from and use any other 10.12.x-booting drive. As long as you have macOS Sierra’s Disk Utility, the process below should work.

2. Open Disk Utility.


3. Select your locked FileVault 2-encrypted boot drive.


4. Under the File menu, select Mount to mount the drive. The mount attempt should generate a password prompt to unlock the encrypted drive.


5. When prompted for a password, you can enter the password of any FileVault 2-enabled account on the drive.


6. Once you have unlocked the drive, you should then be able to use Disk Utility’s repair tools to hopefully fix whatever problem your Mac is having.



Enabling automatic download and installation of Microsoft Office 2016 updates


As part of releasing Microsoft Office 2016 15.27, Microsoft has also updated Microsoft AutoUpdate (MAU) to include an interesting new feature: Automatically Download and Install. In MAU 3.8 and later, this feature will automatically download updates for Office 2016 applications and do the following:

  • If an Office application is not running – Automatically install and update the application
  • If an Office application is running – Prompt the customer and give them the option of updating later or restarting the application. If the customer chooses to restart their application, the application will be closed, updated and then re-opened


To enable the automated download and install option, open the Microsoft AutoUpdate application and set the Automatically Download and Install option.


For more information on this new feature, please see the following link:

What’s New in Microsoft AutoUpdate 3.8
http://macadmins.software/docs/MAU_38.pdf

To enable the automated download and install option via the command line for Microsoft AutoUpdate 3.8, the following defaults command can be run by the logged-in user:

defaults write com.microsoft.autoupdate2 HowToCheck AutomaticDownload

Microsoft is planning to move the MAU preferences to /Library/Preferences as part of an upcoming Microsoft AutoUpdate release, so the following defaults command can be run with root privileges to enable the automated download and install option for those future versions of Microsoft AutoUpdate:

defaults write /Library/Preferences/com.microsoft.autoupdate2 HowToCheck AutomaticDownload

For those who want to enable the automated download and install option using management profiles, I’ve created a .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/EnableAutomaticDownloadandInstallofOffice2016Updates


Apple filesystem session at MacTech Conference 2016

Using vfuse to create NetBoot-ready VMware VMs


When building virtual machines for testing, my preferred method is to leverage VMware Fusion’s NetBoot support to NetBoot to a DeployStudio server and run workflows. The process to build a NetBoot-ready VM through VMware Fusion looks like this:

1. Open VMware Fusion

2. In the Select the Installation Method window, choose Create a custom virtual machine and then click the Continue button.

Create custom virtual machine

3. In the Choose Operating System window, set OS as appropriate then click the Continue button.

Os selection

4. In the Finish window, select Customize Settings.

Customize settings

5. Save the VM file in a convenient location.

6. In your VM settings, select Network Adapter.

Vm settings network adapter

7. In the Network Adapter settings, select Autodetect under Bridged Networking.

Configure bridged network settings

At that point, you can also adjust your RAM and processor settings but that’s up to you.

The VM is now configured to be NetBoot-ready, where it’s set up to run a particular macOS version but has a formatted and completely empty boot drive.

Vmware netboot screen

This setup process has been a largely manual process involving a lot of clicking in the VMware Fusion user interface and I’ve wanted to automate this for a while. Thanks to some recent changes which my colleague Joe Chilcote made to his vfuse VM creation tool, it’s now possible to automate the setup of a NetBoot-ready VM in Fusion with the following configurable options:

  • OS version
  • VM boot drive size

For more details, see below the jump.

vfuse normally requires the use of an AutoDMG-generated disk image to help build VMs, but Joe has updated the template options for vfuse to include the following new template settings:

When these NetBoot-related values are referenced in a template, it sets up a VM with the following characteristics:

  • Formatted and empty boot drive of the specified size
  • VM’s OS setting is set to the specified OS version
  • VM’s Network Adapter setting is automatically set to Bridged Networking

To run vfuse, have it reference a template and output the new VM to a specific directory, you can run the command shown below with root privileges:

vfuse -t /path/to/vfuse_templates/template_name_here.json -o /path/to/VMware_VM_directory

Vfuse generating vm

Once finished, the new VM should be in the specified output directory.

Vfuse generated netboot ready vm

To give an idea what the templates for various versions of OS X and macOS would look like, please see below for 10.7.x – 10.12.x templates:

vfuse template for NetBoot-ready 10.7.x virtual machine

vfuse template for NetBoot-ready 10.8.x virtual machine

vfuse template for NetBoot-ready 10.9.x virtual machine

vfuse template for NetBoot-ready 10.10.x virtual machine

vfuse template for NetBoot-ready 10.11.x virtual machine

vfuse template for NetBoot-ready 10.12.x virtual machine


Slides from the documentation session at JAMF Nation User Conference 2016

Fixing server connection issues by changing network interface order


I had one of my customers report a problem today after applying software updates to his Mac. His Mac had been able to automount certain network shares via NFS before the updates, but was unable to access those shares following the updates.

I connected remotely to the Mac and verified that I was unable to manually mount the NFS mounts.

When I tried to run the showmount command to get a list of the available NFS mounts on the server, I also received a timeout message:

I was about to send this on to the team that handled our NFS shares, when I remembered I hadn’t verified that I could access the server. Sure enough, I couldn’t:

I could ping Yahoo however, so I could contact the internet.

So I couldn’t access an internal network resource, but I could access the internet. What made this puzzling was that I was connecting remotely to the Mac via the IP address associated with this person’s Ethernet address. This IP address should not have had issues accessing internal network resources. What had happened? For more, see below the jump.

When I checked the network interfaces, I noticed that something weird had happened. Normally, the Ethernet interfaces were set to be the first in the network service order. However at some point, the Wi-Fi network interface had become the first network interface in the network service order.

When I checked the Wi-Fi interface, it was set to connect to our guest WiFi network. This is a network used by guests visiting our facility which allows access to the Internet but doesn’t allow access to our internal network.

At that point, the problem became clear. The Mac was trying to access the NFS network shares via Wi-Fi and was not succeeding because the Wi-Fi network didn’t have access to the server. Rather than trying another network interface, the NFS mount attempt just timed out.

The fix was to re-order the network interface order. Since I was working remotely, I ran the command shown below to display the existing network service order:

networksetup -listallnetworkservices

I then ran the command shown below with root privileges to re-arrange the network service order:

networksetup -ordernetworkservices "Ethernet 1" "Ethernet 2" "Wi-Fi" "Bluetooth PAN" "Bluetooth DUN" "FireWire"

Once the new network service order was in place, I checked to make sure the Ethernet interfaces were showing up before WiFi in the service order:

Once the network search order was correct, I verified that I could now connect to the NFS mount that my customer was trying to access.

For those who want to change the network service order via the GUI, see the procedure below:

1. Open System Preferences

2. Select the Network preferences


3. Click the Action pop-up menu.


4. Choose Set Service Order… from the menu.


5. Drag a network service, such as Ethernet, to the top of the list.


6. When finished setting the service order, click the OK button.


7. To apply the changes, click the Apply button to make the new settings active.




Enabling the “Remove items from the Trash after 30 days” setting on macOS Sierra


A new feature in macOS Sierra is the ability to put items in the Trash and have those items automatically be deleted after 30 days. This option can be set in the Finder preferences using the process shown below:

1. Open the Finder preferences


2. Select the Advanced options


3. Check the Remove items from the Trash after 30 days checkbox.


It’s also possible to enable or disable this setting from the command line. To enable the Remove items from the Trash after 30 days setting, the following defaults command can be run by the logged-in user:

defaults write com.apple.finder FXRemoveOldTrashItems -bool true


To disable it, the following defaults command can be run by the logged-in user:

defaults write com.apple.finder FXRemoveOldTrashItems -bool false


For those who want to enable the Remove items from the Trash after 30 days setting using management profiles, I’ve created a .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/RemoveTrashAfter30Days


Not all installed fonts may be displayed in some applications’ font menu lists


Recently, one of my customers had a problem with the font he needed not showing up in all applications. In this particular case, he wanted to use the Symbol font as part of a Keynote presentation he was preparing but it did not appear in Keynote’s font list.


Meanwhile, the Symbol font did appear in PowerPoint 2016’s font list.


Meanwhile, it was possible to copy and paste text using that font from PowerPoint and into Keynote, but then the font list in Keynote showed a blank entry in place of the name of the font.


What was going on? For more details, see below the jump.

After some research, I found an answer. It appears that applications which display this behavior try to display the font’s name using the font. If that’s not possible using Latin alphabet characters, the font is left off of the font list.

Symbol uses Greek alphabet characters instead of Latin alphabet characters, so affected applications may not be able to display the font’s name.


In my testing, I found that both Apple’s Keynote and TextEdit applications were affected by this behavior. This character difference explains why the Symbol font showed up as a blank entry in Keynote and was otherwise not selectable from the Keynote font list.

The workaround for affected applications is to use the Fonts palette window to select the affected fonts:

1. Open the application in question.
2. Select the Format menu.
3. Under the Format menu, select Font then Show Fonts


4. The Fonts palette window should appear. All fonts should be displayed and be selectable via the Fonts palette.



Session videos from JAMF Nation User Conference 2016 now available

Race condition vulnerability fixed in CasperCheck


Recently, I was alerted by Todd Houle that his infosec folks had identified a vulnerability with CasperCheck that should be addressed.

The problem:

CasperCheck downloads a QuickAdd installer from a web server inside a .zip file and initially stores it in the /tmp directory. All users on the system have access to /tmp, so it was possible for a malicious unprivileged user to leverage a race condition to replace the downloaded .zip file with another .zip file with the same name.

Assuming that the replaced .zip file was valid and passed the check for being a valid .zip file, CasperCheck would then expand the contents of the replaced .zip file into the /var/root/quickadd directory. Assuming that the malicious unprivileged user had their own installer package stored inside the replaced .zip file, the next time that CasperCheck would determine that it needs to install the Casper agent via its cached QuickAdd installer, it would instead install that installer package in place of the expected QuickAdd package.

The fix:

The vulnerability assumes that the QuickAdd package is being downloaded to a place where an unprivileged user can access it, so the implemented fix to this problem is to download it to a place where only root has access. Todd fixed the issue by changing the designated download location to the following:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd

Moving the download location to /var/root/quickadd means that the download is going to a location inside the root account’s home directory. Only root has write access to its home directory, which stops an account which doesn’t have root privileges from being able to swap out the .zip file.

Changes to CasperCheck:

Fortunately, the changes needed to implement this fix are minor and are in two places:

The quickadd_zip variable has changed:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd


The update_quickadd function has been updated, to move the following actions to be first:

  • The creation of the /var/root/quickadd directory, if that directory is not already present
  • The removal of existing files from the /var/root/quickadd directory
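
The pattern behind this fix, as an added example that is not the CasperCheck code: a staging routine that refuses any directory other accounts can write to, and that creates and empties its private directory before anything is downloaded. The function names and sandbox paths are hypothetical, and a local copy stands in for the download so the example runs offline.

```sh
#!/bin/sh
# Added example (not CasperCheck code): stage a downloaded archive only in a
# directory that no other account can write to. All names are hypothetical.

# True only if $1 is a real directory (not a symlink), owned by the current
# user, and not writable by group or other.
dir_is_private() {
    local dir="${1%/}"    # a trailing slash would make find resolve a symlink
    [ -n "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -type d -user "$(id -u)" \
        ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Create the staging directory if it is missing, verify it, then empty it.
# This mirrors the order described for update_quickadd: directory first,
# cleanup second, download last.
prepare_staging_dir() {
    local dir="$1"
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        ( umask 077 && mkdir -p "$dir" ) || return 1
    fi
    dir_is_private "$dir" || return 1
    # Remove leftovers from earlier runs, dotfiles included.
    find "$dir" -mindepth 1 -delete
}

# The cp stands in for the download step; the point is the destination.
# Nothing is written unless the destination directory is private.
stage_archive() {
    local src="$1" dir="$2" name="$3"
    prepare_staging_dir "$dir" || {
        echo "refusing to stage in $dir" >&2
        return 1
    }
    cp "$src" "$dir/$name"
}

# Constructed sandbox: shared_tmp imitates /tmp (mode 1777), and
# private/quickadd imitates a directory inside root's home.
run_demo() {
    local sandbox shared private archive
    sandbox="$(mktemp -d)" || return 1
    shared="$sandbox/shared_tmp"
    private="$sandbox/private/quickadd"
    archive="$sandbox/source.zip"
    mkdir "$shared" && chmod 1777 "$shared"
    printf 'constructed sample payload\n' > "$archive"

    stage_archive "$archive" "$shared" quickadd.zip 2>/dev/null \
        && echo "shared: staged" || echo "shared: refused"
    stage_archive "$archive" "$private" quickadd.zip \
        && echo "private: staged" || echo "private: refused"
    rm -rf "$sandbox"
}

run_demo
```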
 
 

I’ve posted an updated CasperCheck script with the described changes to the following location:

https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh

If you’re a CasperCheck user, I recommend updating to the latest version at your earliest convenience.

The changes to the script can be seen here:

https://github.com/rtrouton/CasperCheck/commit/35e4e1d6ba9f363b894b36535b151637eb70602e

 

Hat tip: Thanks to Todd for alerting me to this issue and providing help to fix it.


Providing website links via Casper Self Service policies


It’s often useful to provide a way for everyone in your shop to be able to look up commonly used websites. Methods I’ve seen of doing this include:

  • Wiki pages
  • Bookmarks deployed to browsers
  • Browser extensions

Another method is to use Casper’s Self Service plug-ins feature.


This makes it easy to set up website bookmarks, which then appear in a sidebar of Self Service.

Self Service URL plug in

The main drawback to this method is you can’t scope these bookmarks to appear only to certain users or computers. These will appear on all managed computers and to all users. If you need to have one set of bookmarks available to Group A in your organization, and a different set of bookmarks appearing to Group B, the Self Service plug-ins feature may not be the best solution.

Fortunately, you can solve this scoping issue using Casper policies and Self Service. For more details, see below the jump.

To help address this issue in my own shop, I wanted to be able to do the following:

  1. Provide a way to open a website page from Self Service
  2. Open the website using the logged-in user’s default web browser
  3. Open the browser using the logged-in user’s privileges, even if the script itself is being run as root.

To accomplish this, I wrote a script which uses launchctl to open the browser using the logged-in user’s privileges, and uses the best launchctl method for the customer’s version of OS X or macOS. It also is designed to use Casper’s Parameter 4 ($4) value for the website address, which allows the script to be used by multiple policies to open the policy’s desired website.

The script is available below, and is also available from my GitHub repo:

From there, I uploaded the script to Casper:


As part of adding the script to Casper, I set the script’s parameter label for Parameter 4 to the following:

Website address


Once the script has been added to Casper, you can set up a Self Service policy in Casper to use the script and provide the appropriate website address:


Once the policies are built, the policy should be available in Self Service for your customers to access.



Preparing EndNote X8 for deployment using AutoPkg


As previously discussed here, one of the software packages used in my shop is Clarivate Analytics’ EndNote bibliography software.

Recently, EndNote X8 was released. When the new version’s installer was downloaded, it was discovered to be an installer application, which can pose problems for deployment.


By itself, the change to an installer application may not have been a huge problem as long as it had options for running the installation process from the command line. However, when I checked with EndNote support about the new installer, I was told that there was no option for installing EndNote X8 on a Mac using the command line.

Since the EndNote X8 installer does not have the option of command line installation, the only real option I thought I had was to install EndNote X8, then re-package it as either a drag-and-drop install or an installer package. However, when I dug deeper into the installer, I discovered a .zip file buried inside the installer.


When expanded, this .zip file proved to be a complete install of EndNote X8.


When I ran the EndNote X8 installer, it appeared to be performing the following functions:

1. Checking for EndNote updates
2. Extracting the .zip file into a new EndNote X8 folder


3. Moving the new EndNote X8 folder into /Applications


4. Launching the EndNote X8 application, which automatically loads the EndNote X8 Customizer screen if EndNote hasn’t been configured.


For more details, see below the jump.

Since the majority of the work appears to be unzipping the embedded .zip file into a new EndNote X8 folder, then moving that folder into /Applications, I decided to write AutoPkg recipes to create an installer package for me. The AutoPkg recipe model I used looks like this:

1. Download the installer application from the vendor.
2. As part of the AutoPkg .pkg recipe, take the following actions:

  • Copy the zip file from the EndNote X8 installer application.
  • Create a package-building directory structure that installs into /Applications
  • Uncompress and move the EndNote X8 application directory into the proper location inside the package-building directory structure.
  • Set the EndNote X8 application directory with the following permissions:
    • Owner: root – read/write permissions
    • Group: admin – read-only permissions
    • Everyone: read-only permissions
  • Build an installer package which installs the EndNote X8 application directory into /Applications.


The recipes are available on GitHub via the link below:

https://github.com/autopkg/rtrouton-recipes/tree/master/EndNote


Slides from the “Storing our digital lives: Mac filesystems from MFS to APFS” session at MacTech Conference 2016


Apple filesystem session at Mac Admin & Developer Conference UK 2017

Upgrading from ESXi 6.0 to ESXi 6.5 via SSH and esxcli


In the wake of VMware’s release of ESXi 6.5, I was able to upgrade my ESXi 6.0 Update 2 server to ESXi 6.5 using SSH and esxcli. For those interested in doing likewise, please see below the jump for the details of the process I used.


To upgrade from ESXi 6.0 to 6.5 using esxcli

1. Shut down all VMs running on your ESXi host machine.

2. Connect to your ESXi server via SSH.


3. Once logged in, run the following command to enter maintenance mode:

vim-cmd /hostsvc/maintenance_mode_enter


4. After putting ESXi into maintenance mode, run the following command to set the correct firewall rules for the httpClient:

esxcli network firewall ruleset set -e true -r httpClient


5. Next, run the following command to list the ESXi 6.5 updates available. You want the latest one that ends in “-standard” for your version of VMware.

esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep ESXi-6.5


6. Once you’ve identified the correct version of VMware (as of 11-22-2016, this is ESXi-6.5.0-4564106-standard), run the following command to download and install the update.

esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.5.0-4564106-standard


Note: It is very important that you run esxcli software profile update here. Running esxcli software profile install may overwrite drivers that your ESXi host needs.

7. Once the update has been installed and prompts you to reboot, run the following command to restart:

reboot


8. After your ESXi host restarts, connect via SSH and run the following command to exit maintenance mode:

vim-cmd /hostsvc/maintenance_mode_exit


At this point, your ESXi host should be upgraded to ESXi 6.5.



Deploying and licensing EndNote X8


As previously discussed, a number of folks in my shop use Clarivate Analytics’s EndNote bibliography software. Clarivate Analytics provides EndNote X8 with an installer application, but I need an installer package in order to easily deploy it to my customers. EndNote X8 was initially problematic in that regard, but I was able to write AutoPkg recipes for EndNote X8 to handle converting Clarivate Analytics’s installer application into a deployable installer package, including a recipe that would automate uploading the latest EndNote installers to my Casper server.


Once AutoPkg was able to provide an EndNote X8 installer package for deployment, the remaining hurdle was that the EndNote X8 installer from AutoPkg installs an unlicensed copy of EndNote and I needed to have installed copies of EndNote automatically use my shop’s EndNote site license.


Fortunately, EndNote X8’s volume license can be deployed just like EndNote X7’s volume license. The volume license is stored as an invisible file named .license.dat in /Applications/EndNote X8 and it has a format that looks like this:

Company Name
1234567890
V2ZMQT6556P8WMH38MTQ6YSM8UXCCRYQ5MDS4WJGLKMP7RGSWECBCMT77556P8WCE8KMTQ6YSMNXJCCRYQ59MD9WJGLKMCSESSWECBCMB76556P8WCU3NMTQ6YSMLUYCCRYQ5MET8WJGLKMPSMJSWECBCM57F556P8WCU3CMTQ6YSM9DECCRYQ59XSCWJGLKMPNE9SWECBCMB79556P8WCH8KMTQ6YSMDXECCRYQ5MTSMWJGLKMPYRMSWECBCB7W7556P8W

Note: The Company Name part may show up twice in your .license.dat file.

With some additional testing, I found that I could remove an existing .license.dat file (if one was present) and replace it with my shop’s site license’s .license.dat file. That allowed me to use the EndNote X8 installer produced by AutoPkg by having Casper install it, then apply our site license file as a post-installation action. For more details, see below the jump.

For my post-installation licensing, I’ve developed a script that does the following:

  1. Checks for the presence of an existing .license.dat file in /Applications/EndNote X8.
  2. If an existing .license.dat file is found, it is removed from /Applications/EndNote X8.
  3. A new .license.dat file is created with the data from my shop’s .license.dat file and stored in /Applications/EndNote X8.
  4. The permissions on the new .license.dat file are changed so that it is read-write only by the license file’s owner. If this script is run with root privileges, the owner will be root.

The script is available below.

The script is also available on Github at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/set_endnote_volume_license/set_endnote_8_volume_license


Providing access to Mac App Store applications via Self Service policies


In my shop, we’re not currently using Apple’s VPP program for purchasing applications from the Mac App Store (MAS). However, we do want to make it convenient for our users to be able to access and install some commonly used applications which are available from the App Store. Casper 9.4 and later natively supports providing access to MAS applications, but this approach is more focused on VPP-purchased applications. In my shop’s case, our customers are more likely to purchase apps from the MAS using Apple’s consumer payment model and then get reimbursed.

To help with this, I originally used a process similar to this one developed by Bryson Tyrell. I wanted to make the process more modular though, where I only needed to supply a URL from the MAS and have a scripted solution handle the rest. For more details, see below the jump.

To help address this issue in my own shop, I wanted to be able to do the following:

  1. Provide a way to open the Mac App Store application from Self Service
  2. Open the Mac App Store application using the logged-in user’s privileges, even if the script itself is being run as root
  3. Go to a specified application’s page in the Mac App Store

To accomplish this, I wrote the following script. It uses launchctl to open the Mac App Store application using the logged-in user’s privileges, and uses the best launchctl method for the customer’s version of OS X or macOS. It also is designed to use Casper’s Parameter 4 ($4) value for the address of a specified application’s page in the Mac App Store, which allows the script to be used by multiple policies to open the policy’s desired application page in the MAS.

The script is also available on GitHub via the link below:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/open_macappstore_address_via_self_service

From there, I uploaded the script to Casper and set the parameter label for Parameter 4 to the following:

Mac App Store address


When setting up a policy using the script, the first thing you need is the URL of the application’s page in the Mac App Store. You can get the URL using the following method:

1. Open the Mac App Store
2. Click the disclosure triangle next to the app’s price


3. Select Copy link


After clicking the Copy link option, the URL for that Mac App Store page is copied to the clipboard and can be pasted where needed.

Note: For more information on this process, please see the following Apple developer documentation:

Technical Q&A QA1633: Creating easy-to-read short links to the App Store for your apps and company
https://developer.apple.com/library/content/qa/qa1633/_index.html

Once you have the URL, a Self Service policy in Casper can be set up to use the script to open the Mac App Store and display the specified application’s page in the MAS. For the Parameter 4 ($4) value, use the URL taken from the application’s page in the Mac App Store. It will be automatically translated to use the correct macappstore:// address.

For example, to access the Slack application page on the Mac App Store, enter the following URL:

https://itunes.apple.com/us/app/slack/id803453959?mt=12

The script will translate it to the following URL, which will trigger the Mac App Store application to open the URL instead of the user’s default web browser:

macappstore://itunes.apple.com/us/app/slack/id803453959?mt=12

From there, you can build a Self Service policy which uses the script and the Mac App Store application’s URL. Here’s an example policy that installs the Slack application from the Mac App Store.


Once built, the policy should be available in Self Service for your users to access.


Please see below for what the process looks like from the customer’s perspective.

Open macappstore address via self service


MacAdmin 101: Using createOSXinstallPkg to build OS X and macOS installer packages


Providing new installs of macOS, or upgrading to newer versions, can be a challenge in many Mac environments. Apple’s OS distribution model is focused around the Mac App Store (MAS), which may not be an option for a number of managed Mac environments. The MAS-distributed OS installer also does not include the option of adding additional third-party packages to the OS installation process; it only installs the software that Apple itself includes in the OS installer.

To address these needs, an open-source tool named createOSXinstallPkg is available. createOSXinstallPkg allows you to create an Apple installer package from an “Install macOS.app”. You can use this package for the following:

The advantage of using this tool is that a number of system deployment tools for Macs can deploy the installers it creates, allowing OS installations or upgrades to be performed by the system management tool already in use by a particular IT shop. createOSXinstallPkg can create an installer package that installs a stock copy of OS X or macOS, or you can add additional packages to the stock OS install.

When adding packages, there are a couple of guidelines to keep in mind:

  1. There is about 350 megabytes of free space available in the OS installer. This is sufficient space for configuration or bootstrapping packages, but it’s not a good idea to add Microsoft Office or similar large installers.
  2. The limitations of the OS install environment mean that there are a number of installers that won’t install correctly.

In particular, packages that use pre-installation or post-installation scripts may fail to run properly when those packages are run as part of the OS installation process. To help work around this limitation, I’ve developed a solution which I’ll be discussing later in the post. For more details, see below the jump.

Building a stock macOS installer package using createOSXinstallPkg

  1. If needed, download the latest version of createOSXinstallPkg.
  2. Consult the createOSXinstallPkg documentation on how to create a new installer package that only installs macOS Sierra.

As an example of how I’m doing it, I’m running the following commands:

A. Change to the createOSXinstallPkg application directory

cd /path/to/createOSXinstallPkg


B. Create a stock macOS Sierra installer:

computername:createOSXinstallPkg username$ sudo ./createOSXinstallPkg --source "/Applications/Install macOS Sierra.app"


Here’s what the output of the example process above looks like:

C. Once you have your macOS installer built, you can use it as-is or use your system management tool to deploy it.


Building a modified macOS installer package using createOSXinstallPkg

createOSXinstallPkg also has options for adding third-party packages to the OS installation, but as mentioned previously, the limitations of the OS install environment mean some packages won’t install correctly. In particular, packages that use preinstall or postinstall scripts as part of their normal installation process may fail to run properly in the OS install environment.

To help work around this limitation, I’ve developed First Boot Package Install Generator.app, an application that generates installer packages that enable other packages to be installed during the Mac’s first boot following the OS installation. This solves the issue because the installers are no longer running in the OS install environment and can run any associated preinstall or postinstall scripts. For information about building a firstboot package using First Boot Package Install Generator.app, please see the link below:

https://derflounder.wordpress.com/2014/10/19/first-boot-package-install-generator-app/

Another option for building firstboot packages is Graham Gilbert’s first-boot-pkg tool, which is designed to create a flat package that will install a series of packages when a Mac boots for the first time. It has configuration options which are not available in First Boot Package Install Generator.app, so if First Boot Package Install Generator.app does not meet all of your needs, please take a look at first-boot-pkg:

https://github.com/grahamgilbert/first-boot-pkg

Once you have your third-party package(s) available, see below for how to create a new installer package that installs macOS Sierra and includes an additional third-party installer package.

  1. If needed, download the latest version of createOSXinstallPkg.
  2. Consult the createOSXinstallPkg documentation on how to create a new installer package that installs macOS Sierra and includes additional installer packages.

As an example of how I’m doing it, I’m running the following commands:

A. Change to the createOSXinstallPkg application directory

cd /path/to/createOSXinstallPkg


B. Create a macOS Sierra installer with the following options:

  • Use the --pkg option to include one installer package named Sierra First Boot Package Install.pkg, which is stored in /Users/username/createOSXinstallPkg/first_boot
  • Use the --output option to set the Sierra installer package’s name to be Sierra 10.12.1 Installer.pkg.

sudo ./createOSXinstallPkg --source "/Applications/Install macOS Sierra.app" --pkg "/Users/username/createOSXinstallPkg/first_boot/Sierra First Boot Package Install.pkg" --output "Sierra 10.12.1 Installer.pkg"


Here’s what the output of the example process above looks like:

C. Once you have your modified macOS installer built, you can use it as-is or use your system management tool to deploy it.


