What is DeployStudio?
DeployStudio is a robust tool used to deploy Macs which has had particular success in education as although it is not as agile as some other tools, it allows for easy replication of a core Apple image build and easy naming conventions.
DeployStudio relies on booting the target Mac up from a network shared disk via the NetBoot utility and deploying an image file (.dmg file) containing the new OS.
The main benefit of this system is that you can add settings and installers to the OS image file or deployment workflow. By NetBooting and deploying a “workflow”, the target Mac gets an OS, named sequentially and can be joined to AD and have any other apps and settings deployed as required.
In addition, this workflow is automated, meaning that the Mac is ready for use with minimal technical input.
What are the problems with using DeployStudio?
Although the above process sounds simple and efficient, in reality, there are a number of drawbacks of using DeployStudio.
- NetBooting onto a macOS 10.13 NetBoot image performs very poorly
NetBoot used to take circa 5 minutes to boot on a Mac running macOS 10.11. With the introduction of 10.12 this slowed considerably to circa 10 minutes. On 10.13, the NetBoot process has slowed further and it is not uncommon for the process to take up to 15 minutes, which in many cases causes the boot process times out.
- Image deployment will not be possible on macOS 10.14 onwards
The second and more major issue is Apple’s introduction of ‘secure boot’. The ‘secure boot’ feature has been introduced with the release of the iMac Pro. On these machines, you cannot boot from a network drive or deploy an OS image to the hard drive. The only way to get an OS on the Mac is by using Apple’s official installer.
- All changes to the core image had to be made to the “gold build” and then all the devices re-deployed or changes had to be made to each device individually.
- Critical security & patch updates also had to follow the above process greatly reducing security & stability
- DeployStudio itself doesn’t provide inventory information.
This ‘secure boot’ feature is expected to be rolled out to all Mac devices as part of the release of macOS 10.14. The impact of this is that the methods DeployStudio utilises to deploy a Mac will cease to function.Essentially, Apple have inhibited the ability to include any additional applications or settings in an OS build using this imaging method.
With secure boot, the only automated way to deploy settings & applications will be via Apple’s Device Enrolment Programme (DEP) in conjunction with a suitable MDM.
There is a way to avoid DEP using a traditional installer package, but this will require a ‘User approved MDM’ (UAMDM) whereby users must manually authorise any enrolment in an MDM solution. In addition to this, any third-party kernel extensions (generally drivers for external devices), will only load if the user approves them in System Preferences. This is at best impractical at worst impossible in an educational environment.
Further details on this can be found in this Moof IT blog
What would Moof IT propose?
To be able to deliver a centralised deployment & management solution, Moof IT would propose configuring & deploying Jamf Pro to manage Macs https://www.jamf.com/products/jamf-pro/
Jamf pro has a wide number of benefits that include:
- It is capable of delivering Apple device deployment and management that overcomes all the challenges as laid out above
- Application & OS patching
- Central application deployment (for new applications)
- Central policy/security management
- Detailed inventory
- One touch deployment of new devices
Why would Moof chose Jamf over other MDM’s?
There are a number of MDM solutions that can achieve basic Mac deployment & can work with DEP, but Jamf is especially strong around third party application deployments (Abode, Office etc), scripting (very important in educational environments) & day zero device compatibility.
Are there any other benefits?
Yes, many, including:
- The ability to deploy and enforce an IT security policy
- Ensure the Mac devices are GDPR compliant
- Manage the device centrally
- Deploy applications centrally
- Pull detailed inventories
- Simplify deployment
- Manage both macOS & iOS devices
- Scale this solution to cope with any number of Apple devices
If you are interested in finding out more, please contact Moof IT at hello@moof-it.co.uk or calling us on 0208 660 7750.
Unfortunately, Jamf won’t manage devices not purchased through our school district’s Apple rep, so it’s kind of useless for our current inventory. My only remaining strategy is to let these Macs die and make sure we don’t waste more public money on future Apple purchases.
BTW…we use JamF for iOS management, and it is one of the most bynantine interfaces I have ever worked with. That said, it’s still sooooo much better than Apple Configurator, which I’ve personally observed make grown librarians cry.