Last updated 2008/03/18
We repair and set up hundreds of machines each year at Suffield Academy. To help us with this process, we have set up several pre-made system images that we use to reformat computers. Each image contains an operating system and common applications.
This document describes how to build a new image for computers running Mac OS X. It is intended for someone who has experience installing applications on Macs, and who has a general familiarity with the applications used at Suffield. No system administration experience is necessary.
Note: this document describes how to create images that will be installed on user machines (erasing and replacing whatever is there). We also use a special rescue image for booting machines and running diagnostics. If you need to know how to create a rescue image, please see our NetBoot documentation on rescue image creation.
When building an image, always start with a clean machine. If possible, restore the computer using the restore CDs (or DVD) that came with it. Otherwise, erase the hard drive and perform a full install of the operating system from installation media.
Use the newest model of computer available when you build your image. Try to find one with as many "extra" features in it (such as DVD burners, large screens, etc). Images built on the best machines tend to work well on all other machines. Images built on "average" machines, however, do not tend to work well on better machines.
Try to build images for "classes" of machines. For example, if you're building an image that will primarily be used for laptop computers, build it on the best laptop you can find. If you're building an image for a group of machines in a lab that are all the same, choose the best machine from the lab. And if you're building an image for desktop machines, choose the best desktop machine available.
We're assuming that you're starting with a machine that has a fresh install of the OS on it. The Apple Registration program should launch on start, and ask you the basic configuration questions.
Register the computer to Suffield Academy, and provide the school's
address and phone number for the registration form.
When asked to create a user account, use Suffield Academy
as the name, and suffieldacademy as the short name. Use 1833 as
the password if this is a personal machine (e.g., a laptop), or
the proper master password for shared machines. If you do not know
which password to use, consult the Network Administrator.
Continue through the rest of the setup program, setting up the network, date and time, and other settings.
When you're done with the registration program, the computer should boot to a default desktop, and be ready to use.
Suffield uses a custom background picture so we can tell which computers have been restored with our system image. These images reside on our file server. To get them, connect to the fileserver and mount the Groups partition. Then, open the Tech Repair folder. There is a folder called Boot Images that contains the pictures we need.
The Desktop folder contains a series of background images for use
on the machines. Choose the one for the type of machine you're
setting up. In general, Laptop Aqua Blue.jpg is used for personal
machines, and Suffield Aqua Blue.jpg is used for machines that the
school owns (such as office machines). Select the correct image and
copy it to your desktop.
This copies the default background (when prompted, enter your administrative password):
cd "/System/Library/CoreServices/"
sudo cp "DefaultDesktop.jpg" "DefaultDesktop_original.jpg"
sudo cp ~/Desktop/"Laptop Aqua Blue.jpg" "DefaultDesktop.jpg"
When you're done, you may quit Terminal.app and remove the images
from your desktop.
Run Software Updates on the computer until there are no updates left to run. This may require multiple installations and reboots.
Now enter the System Preferences application. For each preference pane listed below, follow the instructions given.
For Power Adapter set the computer to Never sleep, and set the display to sleep after 30 minutes. For Battery Power, leave the defaults.
In the Computer Name field at the top of the screen, enter
unregistered.
Find the Set Date & Time Automatically checkbox, and make sure it
is selected. In the input box, type ntp.suffieldacademy.org.
Click on the Time Zone tab and confirm that the computer's time zone is set to an appropriate time zone (e.g., Boston).
We need to teach the laptop about the wireless networks available on campus. Click on the AirPort icon, and then click on the Advanced button.
Under Preferred Networks, click the plus sign to add a network. Choose "Suffield Guest" as the first network. Click the plus sign again, and choose "Suffield Auth" as the network. Do not enter any name or password; just add the network.
Drag the network names so that "Suffield Auth" appears at the top of the list. Click OK, and then click Apply at the main Network screen.
When prompted to join the network, enter a testing name and password, and select the "Only use this password once" option. When presented with the certificate information, be sure to choose Always trust this certificate.
Open Keychain Access and unlock the System keychain. Find the Suffield Academy Self-Signed certificate and edit its trust settings to Always Trust. Save your changes and exit.
Suffield has licenses for several commonly-used applications. You must install these applications before building the image so that they are immediately available when a computer is re-imaged.
The applications in this section should be installed on all computers at Suffield Academy. We have unlimited licenses for them, and they are used by nearly everyone on campus.
Install the FirstClass 9 client from the file server (you can find it in the Suffield Installers folder).
Once installed, FirstClass automatically launches. Quit the program immediately.
Move into the user Library/FirstClass/Settings folder and
delete the entire FirstClass folder.
Copy the home.fc file on the server into the global
/Library/FirstClass/Settings folder.
Re-start FirstClass and ensure that the settings are now correct
(e.g., the server listed is fc.suffieldacademy.org).
Add the FirstClass client to the dock.
Run the Sophos Anti-Virus Installer off of the file server (you can find it in the Suffield Installers folder).
Run the Microsoft Office installer from the file server (you can find
it in the Suffield Installers folder). When prompted to register
the program, use Suffield Academy as the name, and leave all
other fields blank.
On the package selection screen, choose Select All. Complete the installation.
After installation, Office will run its auto-update tool. Install any pending updates before quitting.
Install from the server, and register with the given serial number.
Run the Adobe installer from the file server (you can find it in the Suffield Installers folder). Perform a default install of the application, but skip the "Version Cue" server.
When installation is complete, launch Photoshop and complete the product registration process (enter the serial number if necessary).
Run the Adobe Updater and all updates (may need to run multiple times to get all updates).
Also, download and install the Canon CanoScan drivers for our scanners.
Also, download and install the Wacom Intuos3 drivers.
Install from the Network folder on the server.
Download from smarttech.com and install.
Download the latest off the web and install.
On the file server, in the Multimedia folder, find and open the folder called Video.
Install ffmpegX, VLC, and Perian.
On the file server, in the Multimedia folder, find and open the
folder called Fonts. Copy the contents of this folder
into the /Library/Fonts/ folder on the computer's hard drive.
The following software should be installed on machines that are owned by Suffield (network workstations).
In the Network folder, install the Suffield Remote Desktop 3 package. This allows us to connect to computers and remotely manage them.
Networked machines should force the user to authenticate before they can use the machine.
Open System Preferences and click on Accounts.
Click the lock to make changes (if necessary) and authenticate.
Click the Login Options button.
In the preference pane that appears, make sure Automatically log in as: is deselected. Also, make sure Display login window as: is set to Name and password. Finally, make sure Enable fast user switching is deselected.
The following applications should only be installed on computers for Faculty and Staff.
Open the Faculty and Staff folder on the file server. Then find and open the FileMaker folder.
Run the FileMaker Pro 8.5 installer. If asked to register, choose Already Registered.
Once installation is complete, you'll need to copy a few more files
onto the computer. Copy one or more of the FileMaker launch scripts
(e.g., Open-o-Rama or Portal) onto the desktop.
Open the Faculty and Staff folder on the file server. Then find and open the Gradekeeper folder.
Run the installer with the default options. When the installer is done, launch the application.
The application will prompt you to register the product. Click the Enter Code button. The registration information is contained in a text file in the same folder as the application.
Once the application is registered, you can quit it.
Before building an image out of this computer, we need to "tidy up" any other aspects of the system.
Make sure the dock has all of our standard applications on it. You may wish to remove unused applications (such as Mail and Address Book) to create more space.
Look at the root level of the hard drive and delete any temporary log files left over from the installation of software.
Any changes we've made to the User's desktop must now be saved so that when the computer is re-registered the user gets the same settings.
Open Terminal.app (in /Applications/Utilities) and type the
following:
sudo -s
You will be asked for the administrator's password. Once you have
correctly authenticated, your prompt will begin with a hash (#).
If you changed the background image and want that to stick for new users, copy the background preferences to the global prefs:
cp "/Users/suffieldacademy/Library/Preferences/com.apple.desktop.plist" \
"/Library/Preferences/"
We need to provide some default settings for new user accounts:
cd "/System/Library/User Template"
That moves you to the folder where the user settings are kept. Before we do anything else, make a copy of the existing settings:
cp -pR Non_localized Original_Non_localized
Now we're ready to copy settings from our current user into the default settings for the machine. Each of the commands below has been split into two lines. You may enter each command on two lines (as shown), hitting the return key after the backslash. Alternately, you may omit the backslash entirely and type the commands all on a single line.
Since we modified the dock to hold our new applications, we'll move that over as well:
cp "/Users/suffieldacademy/Library/Preferences/com.apple.dock.plist" \
"Non_localized/Library/Preferences/"
Copy any custom Sophos settings:
cp -R "/Users/suffieldacademy/Library/Preferences/Sophos" \
"Non_localized/Library/Preferences/"
We'll copy the modified FirstClass settings:
cp -R "/Users/suffieldacademy/Library/firstclass" \
"Non_localized/Library/"
If you've installed Gradekeeper on this computer, you'll need to copy the registration preferences over:
cp "/Users/suffieldacademy/Library/Preferences/Gradekeeper.plist" \
"Non_localized/Library/Preferences/"
If you've installed FileMaker on this computer, and you've copied the Suffield Opener script to the desktop, you'll also want to add those files to the default. Note that the scripts must be on the user's desktop for this line to work:
cp "/Users/suffieldacademy/Desktop/"*.fp? \
"Non_localized/Desktop/"
If you wish to return the computer to a "factory default" state, where
the user must register the machine and create a new admin user, you
can do so. We recommend copying the machine to a disk image, and then
opening the disk image and making the changes. In the example below,
the disk image has been mounted at /Volumes/Macintosh HD.
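# Remove the user record from the image's local directory node
sudo dscl -f \
/Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default \
localonly -delete /Local/Target/Users/suffieldacademy
# The loop below must run from the image's groups folder so that *.plist
# matches the group records (use a root shell if the folder is not readable)
cd /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/groups
for g in *.plist; do group=${g%.plist}; echo "$group"
    sudo dscl -f \
    /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default \
    localonly -delete \
    "/Local/Target/Groups/$group" GroupMembership suffieldacademy
done
# Drop the share points created for the user
sudo rm \
/Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/config/SharePoints/Suffield*.plist
# Remove the setup flag so the machine asks for registration again
sudo rm /Volumes/Macintosh\ HD/var/db/.AppleSetupDone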
Those lines remove the user from the directory, remove it from all the groups, drop any shares associated with the user, and finally, remove the AppleSetup flag (which forces re-registration).
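As an added example (not part of Suffield's original procedure), the following script checks a mounted image for the leftovers that the cleanup above is meant to remove, so an image with the build account still in place is caught before it is deployed. The function names and the constructed sample tree are assumptions; the paths are the ones used in the commands above, plus the users and groups record folders of the local directory node. Run it as root against the real image.

```shell
#!/bin/sh
# Added example: audit a mounted image after the factory-default cleanup.
# audit_image VOLUME USER prints one line per leftover; returns 1 if any.
audit_image() {
    vol=$1; user=$2; dirty=0
    node="$vol/var/db/dslocal/nodes/Default"

    # The local user record must be gone.
    if [ -e "$node/users/$user.plist" ]; then
        echo "user record present: users/$user.plist"; dirty=1
    fi
    # No group record may still name the user (fixed-string match, so it
    # works on XML and binary plists but can also match a longer name).
    for g in "$node"/groups/*.plist; do
        [ -e "$g" ] || continue
        if grep -qF -- "$user" "$g"; then
            echo "group still lists $user: $(basename "$g" .plist)"; dirty=1
        fi
    done
    # Share points created for the build account must be removed.
    for s in "$node"/config/SharePoints/Suffield*.plist; do
        [ -e "$s" ] || continue
        echo "share point present: $(basename "$s")"; dirty=1
    done
    # The setup flag must be absent so the registration assistant runs again.
    if [ -e "$vol/var/db/.AppleSetupDone" ]; then
        echo "setup flag present: var/db/.AppleSetupDone"; dirty=1
    fi
    return $dirty
}

# make_sample_image DIR builds a constructed (fake) image tree with one
# leftover: the admin group still lists the build account.
make_sample_image() {
    n="$1/var/db/dslocal/nodes/Default"
    mkdir -p "$n/users" "$n/groups" "$n/config/SharePoints"
    printf '<string>root</string>\n<string>suffieldacademy</string>\n' > "$n/groups/admin.plist"
    printf '<string>root</string>\n' > "$n/groups/wheel.plist"
}

# Usage: sh audit_image.sh "/Volumes/Macintosh HD" suffieldacademy
if [ $# -ge 1 ]; then
    audit_image "$1" "${2:-suffieldacademy}"
else
    demo=$(mktemp -d)
    make_sample_image "$demo"
    audit_image "$demo" suffieldacademy || echo "image is not clean"
    rm -rf "$demo"
fi
```

An exit status of 0 with no output means none of the four leftovers were found.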
For networked workstations (not laptops), we add a special group so that we can easily administrate the computers with our own usernames and passwords.
In the terminal, type the following:
dscl /Search -read /Groups/helpdesk GeneratedUID
That will give you the UID of the group you'd like to nest (use something else instead of "helpdesk" for your group name).
Now:
dscl . -append /Groups/admin NestedGroups GENERATED-UID-OF-NETWORK-GROUP
Substitute the UID you got from the first step.
That adds our OpenDirectory "helpdesk" group to the local administrators group, granting us the rights to make administrative changes on the machine.
To actually build the image, you'll need to use another method of booting the computer (you can't build an image of a hard drive that contains the booted OS). Perhaps the easiest way to do this is to boot the computer into Target Disk Mode and use another computer to build the image.
Alternately, you could boot the computer using NetBoot, and build the image out to an externally-connected FireWire drive. We do not recommend building the image directly over the network to a file server.
We use Carbon Copy Cloner to create our disk images. The program is freely available, and requires OS X 10.4 to run.
You will need this program on the machine that will build the image (or on your NetBoot image).
You are now ready to build the image. Click on the lock icon and enter your administrator password. Then, click Clone to begin building the image.
Building the image takes some time, depending on the speed of the computer and the amount of data in the image. It may take several hours, so be patient.
If you selected Prompt to remove users (for forced registration),
CCC will prompt you during the image process to select usernames to
remove from the computer. You should have only created one user,
suffieldacademy, so select that username and click OK. The
imaging process will continue.
When the image is complete, a new file with the name of your hard
drive (and the word asr) will appear on your target drive. This
is the image file, which should now be copied to the NetBoot server
for use.
Once you've built a NetRestore image, you have to make NetRestore aware that it exists. A quick configuration file change allows NetRestore to "see" the new image and make it available for restoring.
Note: The reader is assumed to have some general experience with NetRestore; we do not provide an in-depth discussion of what NetRestore is or how it works. For more information on NetRestore (including documentation), please see the NetRestore web site.
If you're building an image that replaces an existing one, you simply need to copy the new image onto the NetBoot server and replace the existing image. Currently, all images on the NetBoot server reside on the Images drive, filed away by image type.
You may wish to move the existing image to a temporary location before deleting it, in case the new image does not work as expected.
Once the image is copied, make sure it has the proper permissions. You can easily do this from the command line by running the following commands:
sudo chown netrestore_access:netrestore_admin ImageFile.dmg
sudo chmod 464 ImageFile.dmg
Replace ImageFile.dmg with the full path to the image file you
copied.
Once this is done, the change should take effect immediately. NetRestore should begin using the new image without needing any further configuration.
In some cases, you may want to add a new image type to NetRestore. First, follow the instructions above for adding an image to the server and setting its permissions. In this case, however, do not replace an existing image; rather, pick a new name for the image that reflects what it does.
Next, you will need to update the netboot-configurations.plist file on
the server. Currently, that file lives on the Images volume, in
a folder called WebConfig. When our NetBoot image runs
NetRestore, it loads this folder over the network and reads the
configuration file found there.
The easiest way to add an image is to copy an existing stanza from this file and customize it for a new image. Here is a skeleton stanza you might want to use:
<key>Image Name</key>
<array>
<string>afp</string>
<string>veronica.suffieldacademy.org</string>
<string>Images</string>
<string>Path/To/ImageFile.dmg</string>
<string>netrestore_access</string>
<string>password</string>
<string>Description of Image</string>
</array>
Assuming you store the image on the Images volume, you only need
to customize the Image Name to give a short title to the image,
the Path/To/ImageFile.dmg field to include the relative
path to your image (relative to the Images volume), the
password line to include the password to the server (ask the
Network Administrator if you don't know it), and the Description
field to define what the image does.
Once this file has been saved, the changes take effect immediately for clients accessing the settings via the web. Launch NetRestore and verify that the information is correct.
Mike Bombich is the creator of Carbon Copy Cloner (to create disk images) and NetRestore (to reimage the machines). His main web site is www.bombich.com, and it contains a wealth of information on building images and managing large numbers of computers.