Announcement

[2017.09.08] DeployStudio build v1.7.8 (checksum, release note).
[2016.08.26] DeployStudio build v1.6.19 (release note).
[2013.02.23] DeployStudio last universal build v1.5.17 (release note).

#1 2019-10-08 17:08:24

jelockwood
Member
Registered: 2009-11-11

DeployStudio, Mojave and Catalina

Firstly an update on my own experiences with Mojave.

1. It is not possible to NetBoot new T2 Macs under any circumstances; we can be confident Apple are not going to restore this capability, so Macs from roughly 2018 onwards cannot be netbooted - basically any Macs with a T2 chip.
2. With the current out-of-date DeployStudio it is not possible to build a DeployStudio Runtime boot drive that matches Mojave, let alone Catalina. The newest DeployStudio Runtime drive you can make is High Sierra 10.13.6; this can still be useful.
3. You can make a USB-based Mojave boot drive which contains the full Mojave installation and then put a copy of the DeployStudio Runtime app on that. You can then run that app and connect to the DeployStudio repository, which lets you run workflows.

Based on the above, for pre-T2 Macs we netboot, then erase the drive, then run a workflow which runs a script which runs the standard 'startosinstall' command. For T2 Macs we boot from a USB drive containing a full Mojave installation, run the DeployStudio Runtime app and then do the same thing. After Mojave is installed we immediately reboot before completing the Apple Wizard - booting in the same pre/post-T2 method - and then run another DeployStudio workflow which does settings, pkg installations etc.

Note: This means turning off SecureBoot on T2 Macs - at least whilst doing this.


For Catalina as one might expect things have changed and more things are broken.

I have managed to create a Catalina installer and script; this can be run on pre-T2 Macs via netboot like Mojave as above. For T2 Macs - which I have not yet tried - I would expect to need to boot from a USB drive with a full Mojave or Catalina OS, depending on the model of Mac. However, I did find one major Catalina issue. Before I cover that: I have been able to netboot a 2017 model MacBook Pro, run a script and install Catalina.

What I have now found with Catalina is that running my main DeployStudio workflow, which would do settings and pkg installs etc., fails. It fails right at the beginning. This is because the NetBoot image is a High Sierra based image and, whilst the MacBook Pro in question will happily boot from this, High Sierra cannot access important parts of the Catalina drive. Remember Catalina makes significant changes to the drive structure, and it seems this includes issues above and beyond the fact that the data (user) space is now on a separate volume.

It turns out that High Sierra and Mojave cannot see the content of /private on a Catalina boot drive. As a result the initial DeployStudio runtime script immediately fails, because it is trying to check the content of directories inside /private.

To progress further my plan is to make a new Catalina based USB boot drive and again put a copy of the DeployStudio Runtime app on that. If that runs successfully I will then try running my main workflow again.

I have confirmed that Terminal in Mojave cannot see the Catalina contents of /private and that Terminal in the Catalina recovery partition _can_ see the contents of the Catalina /private directory. I therefore see no reason why the DeployStudio runtime script should not be able to, as long as it otherwise works in Catalina, which is going to be my next task once I get and build a new USB drive.


Note: I have long given up on restoring 'fat' images. I have also given up on using AutoDMG images, although I believe this would be possible for Mojave at least.

#2 2019-10-10 20:07:55

sebus
Member
Registered: 2011-07-19

Re: DeployStudio, Mojave and Catalina

Do we at any point capture a Mojave image (to be able to just do a restore on another machine)?

#3 2019-10-10 20:30:11

jelockwood
Member
Registered: 2009-11-11

Re: DeployStudio, Mojave and Catalina

> sebus wrote:

> Do we at any point capture a Mojave image (to be able to just do a restore on another machine)?

As I mentioned, I long ago gave up on restoring 'fat' images. For Mojave I have successfully used AutoDMG, but these days I use either a bootable macOS install disk or run a script which in turn runs the startosinstall command.

It may be possible to do a fat image restore, but this approach does not run any firmware updates and also does not correctly add and name network interfaces. Since almost every update to Mojave has included firmware updates, this is an important issue and a major factor as to why Apple actively disavow the use of imaging any more.

I have ordered a new, bigger USB drive which I will therefore use to build a full Catalina operating system on, along with the DeployStudio Runtime app, and hopefully this approach will still work to run the script which runs startosinstall and then the main DeployStudio workflow to configure things.

#4 2019-10-11 22:23:01

sebus
Member
Registered: 2011-07-19

Re: DeployStudio, Mojave and Catalina

Sure, I can boot with a USB-C SSD (which is almost as fast as the internal drive on a MBP 15,4) to a full install of Mojave (actually a clone of the internal drive at some point, before I blew it away a few times).
I can run DS Runtime, so I suppose I can run the few bits that I need (rename, a few little package installs etc.)

What I miss from my "fat" image is the pre-configured default user folder.

AutoDMG images work perfectly fine for asr restore in Mojave, in which case there is no need to reboot to carry on with DS settings etc.

Last edited by sebus (2019-10-11 22:28:47)

#5 2019-10-12 09:15:54

jelockwood
Member
Registered: 2009-11-11

Re: DeployStudio, Mojave and Catalina

The way I preconfigure the default user folder is a combination of a script running 'defaults write' commands and also copying some pre-configured files into the appropriate places.

Also, some things that would be configured this way might be configurable via MDM settings.

#6 2019-10-12 15:19:22

sebus
Member
Registered: 2011-07-19

Re: DeployStudio, Mojave and Catalina

I am sure it can be configured with MDM; I still like the simplicity of DS to do things.
I see no reason why DS cannot be used together with MDM.

#7 2019-10-14 12:31:05

jelockwood
Member
Registered: 2009-11-11

Re: DeployStudio, Mojave and Catalina

Ok, I got my new USB drive and have made some tests trying to use DeployStudio with Catalina.

As already mentioned, I can have a Catalina boot disk with the DeployStudio Runtime on it and via that log in to the DeployStudio repo. I can also run a workflow which runs a script which does nothing except run the standard Apple startosinstall command, and this successfully triggers the install, in this case of Catalina.

What I was then trying to do was run the rest of my normal configuration workflow. This time, because I am running DeployStudio Runtime from within a Catalina version of the operating system, it does see the contents of /private and hence can see /private/var, /private/var/db and /private/etc, amongst others.

However, I now hit new problems with DeployStudio Runtime trying to run a workflow. These basically boil down to the new brutally vicious settings in Security & Privacy, and specifically what apps are allowed to modify folders.

I have tried adding Terminal, DeployStudio Runtime and even ditto to the list of apps allowed Full Disk Access, but this still does not seem sufficient. I get errors like the following.

2019-10-14 12:11:19.397 DeployStudio Runtime.bin[4102:45231] /usr/bin/ditto --rsrc "/tmp/DSNetworkRepository/Packages/Catalina Touch-1.0.pkg" "/Volumes/Macintosh HD/etc/deploystudio/ds_packages/Catalina Touch-1.0.pkg" 2>&1
2019-10-14 12:11:19.405 DeployStudio Runtime.bin[4102:45231] ditto: /private/tmp/DSNetworkRepository/Packages/./Catalina Touch-1.0.pkg: Operation not permitted

The above is when a DeployStudio workflow tries to copy an installer package configured as a postponed execution. Because it cannot be ditto'd, it then of course cannot be chmod configured, because it does not exist in the destination folder.

Similarly, if I try running a workflow command to copy a file, these also fail.

2019-10-14 10:15:19.547 DeployStudio Runtime.bin[4102:20017] /usr/bin/ditto --rsrc /tmp/DSNetworkRepository/Files/Preferences "/Volumes/Macintosh HD/System/Library/User Template/English.lproj/Library/Preferences" 2>&1
2019-10-14 10:15:19.553 DeployStudio Runtime.bin[4102:20017] ditto: /private/tmp/DSNetworkRepository/Files/Preferences/.: Operation not permitted

I would say most of these issues boil down to ditto being blocked and this causing subsequent errors. I shall have to try some alternatives to ditto, such as mounting a disk image from a network share containing the installer pkg, or the cat-eof script commands.

Note: All 'postponed' scripts and pkgs require using the ditto command and hence are currently blocked. :(

Last edited by jelockwood (2019-10-14 13:13:36)

#8 2019-10-14 13:30:59

jelockwood
Member
Registered: 2009-11-11

Re: DeployStudio, Mojave and Catalina

Ok some progress.

If I give /bin/sh Full Disk Access, this lets DeployStudio successfully run shell scripts which will cause the creation of files. Based on this, a similar process may apply for file copy and install packages, but I have to find which process is involved.

Whilst this might sound like it is significantly reducing the security, this should only apply to the special Catalina boot drive being used to run DeployStudio Runtime and not the one being built and configured.

#9 2019-10-14 13:33:48

jelockwood
Member
Registered: 2009-11-11

Re: DeployStudio, Mojave and Catalina

Looking promising: it looks like /bin/sh is the parent process for all the DeployStudio tasks, i.e. copy, install, scripts etc.

#10 2019-10-14 14:02:20

jelockwood
Member
Registered: 2009-11-11

Re: DeployStudio, Mojave and Catalina

Ok, shell scripts and copy commands seem to work now that /bin/sh is given Full Disk Access; however, postponed installer packages seem busted still.

Very few installer packages can be run as non-postponed due to their structure.

(It would be helpful for others to jump in and contribute.)
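The failures in posts #7 to #10 come down to Catalina's privacy protection (TCC) denying file access to whichever process actually touches the files, which is why granting Full Disk Access to Terminal or ditto did nothing while granting it to the parent process /bin/sh helped. Before widening Full Disk Access on the runtime boot drive it is worth knowing exactly which tool and which path were blocked. The script below is an added example written for this thread, not DeployStudio's own code: it scans a DeployStudio Runtime log for "Operation not permitted" lines of the shape quoted above and reports the blocked tool and source path. The sample log is constructed inline from the two denial lines quoted in post #7 plus one harmless line, so it runs offline on any POSIX shell; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of DeployStudio: summarise TCC denials from a
# DeployStudio Runtime log so an admin can see which tool and which path were
# blocked before deciding whether Full Disk Access for the parent process
# (/bin/sh, as found in the thread) is justified on the runtime boot drive.

# Constructed sample log: the two denial lines quoted in the thread plus one
# unrelated line, written to a temp file so the example runs offline.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
2019-10-14 12:11:19.397 DeployStudio Runtime.bin[4102:45231] /usr/bin/ditto --rsrc "/tmp/DSNetworkRepository/Packages/Catalina Touch-1.0.pkg" "/Volumes/Macintosh HD/etc/deploystudio/ds_packages/Catalina Touch-1.0.pkg" 2>&1
2019-10-14 12:11:19.405 DeployStudio Runtime.bin[4102:45231] ditto: /private/tmp/DSNetworkRepository/Packages/./Catalina Touch-1.0.pkg: Operation not permitted
2019-10-14 12:11:20.001 DeployStudio Runtime.bin[4102:45231] ditto: copied ok
2019-10-14 10:15:19.553 DeployStudio Runtime.bin[4102:20017] ditto: /private/tmp/DSNetworkRepository/Files/Preferences/.: Operation not permitted
EOF
  printf '%s\n' "$f"
}

# Print one "tool<TAB>path" record per denial line. Denial lines look like:
#   <timestamp> <process>[pid:tid] <tool>: <path>: Operation not permitted
tcc_denials() {
  awk '/: Operation not permitted$/ {
    # drop everything up to and including the "] " that closes [pid:tid]
    sub(/^.*\] /, "")
    # drop the trailing reason, leaving "<tool>: <path>"
    sub(/: Operation not permitted$/, "")
    # the tool is the text before the first ": "; the remainder is the path
    i = index($0, ": ")
    printf "%s\t%s\n", substr($0, 1, i - 1), substr($0, i + 2)
  }' "$1"
}

# Number of denial records in the log.
count_denials() {
  tcc_denials "$1" | wc -l | tr -d ' '
}

# Distinct tools that were denied, one per line.
denied_tools() {
  tcc_denials "$1" | cut -f1 | sort -u
}

# Stand-alone run: build the sample, print the report, clean up.
if [ "${1:-}" = "--demo" ]; then
  log=$(make_sample_log)
  echo "denials: $(count_denials "$log")"
  echo "blocked tools:"; denied_tools "$log"
  echo "records:"; tcc_denials "$log"
  rm -f "$log"
fi
```

Run with `sh tcc_denials.sh --demo` to see the report for the constructed sample, or point `tcc_denials` at a real runtime log. Both sample denials come from ditto reading under /private/tmp, which matches the thread's finding that the access check is applied to the invoking process tree rather than to the destination volume.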
