LANDESK Mac Management Part 10 : Provision a Non-Managed Machine

In the 10th and final part of the LANDESK Mac Management video series, I’ll show you how to add a “bare metal” record into the LANDESK console so that you can target your Provisioning Template created in the 9th video to a machine not currently being managed by LANDESK.  This is a good example of what you could do when you buy a new machine and want to deploy an image to it.

In my example template, I will deploy my latest El Capitan image built with AutoDMG, deploy TextWrangler, apply a configuration profile to adjust the Dock and to bind the machine to my domain, name the machine and enable Core Storage.  All of this is done with my template, which specifies the order in which the actions are applied.

Also, by way of note, the process to target a managed device inside of LANDESK is very similar to what is shown in this video; you simply need to drag the machine from your All Devices list as opposed to using the bare metal machine method.

LANDESK Mac Management Part 9: Creating an OS X Provisioning Template

In part 9 of the LANDESK Mac Management video series, we more or less get to bring together everything we’ve done up to this point: agent deployment, software deployment, configuration profile deployment (which can include binding the machine to the domain), patch deployment and even FileVault deployment, all in a chained template experience when we provision a new device.

I created slides for our Interchange event explaining each step of the provisioning template build process, available here, but for many of you, the video below may be more beneficial.

LANDESK Mac Management Part 8: Building a Gold Image using AutoDMG

In part 8 of the LANDESK Mac Management video series, we’ll download a couple of freeware utilities to assist us in creating a gold image for Provisioning.  The first tool we’ll use is AutoDMG.  This is an image builder tool created by Per Olofsson and can be downloaded from https://github.com/MagerValp/AutoDMG/releases.  AutoDMG builds an actual image file directly from an OS X installer, precluding the need to build out an actual machine and capture the image from it.  There are a lot of benefits in going with this approach, and it is our recommended approach at LANDESK.

Furthermore, AutoDMG, as part of the build process, allows you to bundle in deployment packages as well.  While LANDESK recommends that you exclude bundling software packages directly into your image in most scenarios, there are a couple of configuration packages you may want to bundle in order to make the provisioning process more streamlined.  One of those packages might be the creation of an admin account and setting it to auto-login.  CreateUserPkg, another utility written by Per Olofsson, is one I recommend.  The video walks you through creating an admin account and setting it to auto-login.  See http://magervalp.github.io/CreateUserPkg/ for the utility download.

You may also want to track down other configuration packages to assist you as well, such as Rich Trouton’s recommendations on disabling Apple’s Diagnostics and Usage utility (https://derflounder.wordpress.com/2014/11/21/controlling-the-diagnostics-usage-report-settings-on-yosemite/) or the iCloud confirmation window (https://derflounder.wordpress.com/2014/10/16/disabling-the-icloud-and-diagnostics-pop-up-windows-in-yosemite/).

LANDESK Mac Management Part 7: Building a NetBoot Image for OS Deployment

In part 7 of the LANDESK Mac Management video series, we’ll prepare for an operating system deployment by creating a NetBoot image, the equivalent of a WinPE image for the Windows world, to boot the OS X devices into a pre-boot environment.  The video will demonstrate how to use Apple’s System Image Utility and LANDESK’s Startup Disk Stamper to accomplish this task.

Deploying Your OS X Image with LANDESK Mac Provisioning

Image deployment, finally!

Hopefully, if you’ve arrived at this point, you’ve already built out the necessary preferred package server, built your NBI file, configured the LANDESK Core server with the NBI details, deployed the service to capture the NetBoot request, blessed your El Capitan clients, and created and captured your gold image.  Now it’s finally time to reap the benefits.

Watch the how-to video.

Creating an OS X Image Deploy Template

  1. From the LANDESK Console, open Tools > Provisioning > OS Provisioning
  2. From the menu tree, highlight All My Templates from the My Templates folder or the All Public Templates from the Public folder
  3. Click the New Template dropdown button from the Operating System provisioning toolbar and select the Mac Deploy Template
  4. Provide a name and description
  5. Specify the path to save your Mac and Windows image files.  The path should be smb://fqdn/share/filename.dmg for an OS X image or smb://fqdn/share/filename.image for a Windows image.  Just make sure your preferred server credentials have access to the shares.
      • Alternatively you can also use the afp protocol if you want to host it from an OS X server
  6. Add the path to store the profile, leveraging the same format in the previous step
  7. Push the Create button

Edit the Deploy Template

  1. Right click on the template created and select Edit
  2. Ensure the Netboot action has the Server variable set to your PXE rep or OS X server unless you’re using the USB NetBoot environment.  The server URL format should be bsdp://ipaddress to ensure compatibility with El Capitan’s SIP.
  3. If deploying a Mac and Windows image, adjust the partition sizes in the Create Partitions actions under Pre-OS Installation.  You can set the sizes in percentages so the template can work on any HD size.
  4. Set the correct partition identifier on the Deploy image action(s) under OS installation inside the Command-line parameters box.  Make sure you do this for all Deploy Image actions.
      • For convenience, the action can be renamed in the properties panel if you have multiple images being deployed.   
  5. Add any System Configuration actions desired, such as deploy software

Deploying a Provisioning Template

  1. Right click on the template created previously and select Schedule Template
  2. Drag the desired machine(s) to image onto the task created in Scheduled tasks
    • If deploying to an unmanaged machine(s), create a record for the new device(s) in the Network View > Configuration > Bare Metal Server tool.  See the help file for more info.
  3. Right click on the scheduled task created and select Start Now > All

Creating a LANDESK Preferred Package Server

Overview

In order to deploy an image with LANDESK Management Suite, at least one preferred package server must be created.  The Provisioning process within LDMS uses the user account and password supplied for the preferred server to access the share and to write the image files to the shares specified in your capture and deploy templates.

Watch the how-to video.

Create Web Share for Preferred Package Server

Note: This must be done on a server running web sharing services (such as IIS)

  1. Create a folder on the target preferred server that will host your images
  2. For our example we will create the following directory structure:
    C:\Distribution\Imaging
  3. Open IIS Manager, expand the navigation tree, right-click on Default Web Site and select “Add virtual directory”
  4. Enter “Imaging” for the share alias, and navigate to the C:\Distribution\Imaging directory created in Step 1.
  5. After creating the directory, right-click Imaging in the navigation tree and select “Edit Permissions”

    Permissions should be configured as follows:

    Everyone: List Folder Contents, Read
    IUSR: Read & Execute, List Folder Contents, Read
    NETWORK SERVICE: Full Control
    Administrators: Full Control

  6. Enable directory browsing by selecting the ExampleShare folder in the navigation frame and then clicking the “Directory Browsing” icon and clicking “Enable” in the right-hand pane.

Create UNC Share Distribution

  1. Navigate to the C:\Distribution\Imaging directory and right-click on the Imaging share.
  2. Right-click and go to “Advanced Sharing”
  3. Click “Share this folder”.
  4. Click “Permissions” and give a domain account Full Control access to the share.  This will be the account used when the provisioning process needs to access or write to the share.
  5. Ensure that the same account is also given Full Control on the Security tab.

Configure the Preferred Server in LANDesk Management Suite

  1. Within the LANDesk Management Suite Console click Configure > Preferred Server
  2. Right-click “Preferred Servers” and select “New Preferred Server”
  3. Enter Server Name and Credentials to the newly created Imaging share on the Preferred Server.  This needs to be the same account supplied in Step 4 in the UNC Share area.
  4. Enter the IP address ranges for the clients subnet(s) that this preferred server will serve.

Capturing Your Gold OS X Image for LANDESK Mac Provisioning

Imaging a device has changed dramatically over the years.  In the early 2000s one would load everything possible on the image in an effort to reduce the number of software requests the HelpDesk would receive post deployment.

The term bloated is often used for such corporate images.  Not only did it take forever to deploy the gargantuan images, conflicts between unnecessary and unused software applications were extremely prevalent.

LANDESK recommends the complete opposite approach in 2016.  When creating your corporate gold image, leave it as plain and as vanilla as possible.  Build all customizations into your provisioning templates and inject those customizations during the post-provisioning process.

Doing so will allow you to easily update and tweak your applications and customizations in real time, ensuring each device configured contains the latest and greatest.

Watch the how-to video.

Prepare Your Machine for Capture

  1. Obtain the latest and greatest machine you have
  2. Create as small of a partition as possible that’ll contain your OS and apps
  3. Install the desired operating system
  4. Install any desired apps
    • Again, best practice will be to keep the image as thin as possible.  Ideally, applications should be deployed
  5. Install the latest LANDESK agent (9.6 SP2 or greater).  Unlike the Windows process, a LANDESK agent is required to be on the gold image.
  6. Make note of the disk identifier for the partition you want to capture, as you’ll need it when creating the capture template.  Do this by launching Terminal and running the command below
    diskutil list

Create the LANDESK Provisioning Capture Template

  1. Within the LANDESK Console, open Tools > Provisioning > OS Provisioning
  2. Expand My Templates from the menu tree and highlight All My Templates 
  3. Click the New Template dropdown button from the Operating System Provisioning toolbar and then select the Empty Template
  4. Provide a template name
  5. Select Netboot from the Boot Environment dropdown list
  6. The target OS should automatically change to Mac OS X; if not, select it from the list
  7. Provide a description if desired
  8. Push the OK button to create
  9. Right click on the template created and select Edit
  10. Now, right click on System Migration and select Add Action
  11. Select the Reboot/shutdown action and select OK
  12. Highlight the Reboot/shutdown action generated and change the Action Properties option to NetBoot
  13. Set the Server option to your PXE representative using the format bsdp://ipaddress.  For convenience when NetBooting manually, you’ll likely want to deselect the checkbox for “Stop processing the template if this action fails.”
  14. Right click on the OS installation and select Add Action
  15. Select the Capture an Image action and select OK
  16. Provide the smb:// or afp:// url to where you would like to save the image.  It should be something similar to smb://servername/share/filename.dmg
  17. Hit the Validate button so the command line parameters are generated, and then replace /dev/disk0s2 with the appropriate identifier discovered from your capture machine.  It may be /dev/disk1 or something else entirely
  18. Right click on Post-OS installation and select Add Action
  19. Select the Reboot/shutdown action and select OK.  
  20. Select the radio button Shut down.  Like previously, you’ll likely want to deselect the checkbox for “Stop processing the template if this action fails” and hit OK to save the template

Schedule the Image Capture

  1. Right click on the template created and select Schedule Template
  2. From the Network View, find your machine from the Devices menu tree and drag it to the scheduled task created under your My Tasks folder
    • Remember, when capturing an OS X image, the machine must be a managed node with LANDESK Mac agent installed on it, so make sure you pull the machine from the inventory tree list
  3. Right click on the scheduled task and select Start Now > All

Blessing an El Capitan Device for NetBooting

In OS X 10.11 El Capitan, Apple has introduced their new System Integrity Protection feature which affects how you are able to NetBoot devices. If you think you’ll have the need to NetBoot a device anytime in the future, after it leaves your hands, you’re going to need to “bless” it with your sanctioned NetBoot servers prior to it going out the door.

Blessing a device with a NetBoot server is easy and only takes a couple of minutes per device.  However, it is very hands-on and will be extremely time consuming if you have a ton of devices, especially if they’re already in the field, so plan accordingly prior to upgrading to El Capitan.

Watch the how-to video here

  1. Turn on or restart the device to be “blessed”
  2. Press and hold the keys Command (⌘)-R immediately after you turn on your Mac and hear the startup sound. Keep holding until you see the progress bar.
  3. When the device boots into the Recovery Mode, you should see a Mac OS X Utilities toolbar.  If you end up back at your typical login screen, reboot and try hitting the Command (⌘)-R keys again.
  4. Navigate to the Utilities menu bar item and select Terminal
  5. Type the following command in Terminal to add a trusted server. Change address to the IP address of your NetBoot server (PXE representatives, preferred servers, core servers)
    csrutil netboot add address
  6. Repeat step 5 for any additional NetBoot servers (PXE representatives, preferred servers, core servers)
  7. To verify your NetBoot servers have been added, type the following command in Terminal in either the Recovery Mode session or after having booted back into the OS
    csrutil netboot list
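
A way to run the verification step across many machines, added here as an example and not taken from the original post or from LANDESK: it compares the addresses reported by csrutil netboot list against your approved NetBoot servers and flags any that are missing or unexpected. The approved addresses and the sample list output are constructed placeholders, and the script assumes only that the output contains the trusted IPv4 addresses.

```bash
#!/bin/bash
# Added example (not from the original post): audit a Mac's NetBoot trust list.
# Addresses below are constructed placeholders from documentation ranges.

# Constructed sample standing in for `csrutil netboot list` output; the real
# layout may differ, so only the IPv4 addresses in it are used.
SAMPLE_LIST='NetBoot allowed sources:
	192.0.2.10
	198.51.100.7'

# Read text on stdin, print each IPv4 address found, sorted and de-duplicated.
extract_ipv4() {
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# audit_netboot "<list output>" approved_addr...
# Prints one line per discrepancy; returns 0 only when both sets match.
audit_netboot() {
  list_output=$1; shift
  trusted=$(printf '%s\n' "$list_output" | extract_ipv4)
  approved=$(printf '%s\n' "$@" | sort -u)
  rc=0
  for addr in $approved; do
    if ! printf '%s\n' "$trusted" | grep -Fxq "$addr"; then
      echo "MISSING    $addr (approved server not yet blessed)"
      rc=1
    fi
  done
  for addr in $trusted; do
    if ! printf '%s\n' "$approved" | grep -Fxq "$addr"; then
      echo "UNEXPECTED $addr (trusted for NetBoot but not approved)"
      rc=1
    fi
  done
  return $rc
}

# On a Mac, audit the live list; elsewhere fall back to the constructed sample.
if command -v csrutil >/dev/null 2>&1; then
  current=$(csrutil netboot list)
else
  current=$SAMPLE_LIST
fi
audit_netboot "$current" 192.0.2.10 192.0.2.11 || echo "NetBoot trust list differs from the approved set"
```

An UNEXPECTED entry is worth investigating before the device leaves your hands, since any address on that list is a server the Mac will accept a NetBoot image from.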

How to Configure a LANDESK Core Server with a Mac NBI File

In order to image a Mac device, you need to boot it into a pre-boot environment that is capable of making system level changes to the hard drive.  To make these types of changes, the primary operating system cannot be mounted and therefore an alternative boot environment is required for the device.

The alternative boot environment for OS X is called NetBoot.  While you can take a NetBoot Image file, put it on a USB stick and plug that stick directly into a Mac, such a method requires physical access to the device and is therefore not as desirable.

Alternatively, to forgo the need to have physical access to a device, you can create a service on the network that will listen for a Mac client to make a NetBoot request and then tell the client where to download the NetBoot Image file.

LANDESK has built this service into its PXE Representative technology that is also used for booting Windows devices into its equivalent pre-boot environment WinPE.

The steps below will walk you through configuring your core server with the information regarding the location of the NBI file so when the PXE representative service is established, it will be able to appropriately respond with the information the Mac will need to boot the NetBoot Image file.

Watch the how-to video here

  1. Log on to the device from which you created the LANDESK NBI file outlined previously.
  2. Connect to the server hosting your HTTP share.  For information on how to create an appropriate HTTP share, see https://community.landesk.com/support/docs/DOC-6986
  3. Transfer the LANDESK NBI file to the HTTP share
  4. From the LANDESK Console, open Tools > Provisioning > OS Provisioning
  5. On the Operating System Provisioning toolbar, select the Preboot dropdown button and click on the Manage Netboot Image Mappings
  6. Supply the HTTP path to your Netboot image files and then click Browse to select your appropriate NBI.
    • Ensure your HTTP share has been properly enabled to support files with no extensions as outlined in the link in step 2.
  7. Configure any unique device models that will need an NBI file different from the default.  The list of device models will be automatically populated from the LANDESK inventory
  8. Click OK