[Tennberg]

Hello everyone,

I have taken on the task of creating a standard desktop/laptop image for my company's Macintoshes based on Mac OS 10.2.4. This image will be used by approximately 50-100 people worldwide. Although I have created standard images based on OS 9 before (for previous companies), I don't have much experience doing it with OS X. In addition, OS X presents more issues for a standard image thatn OS 9 did.

My initial questions include the following. I apologize in advance if it's a long list:

1. Could I create 1 image to use across a variety of PMG4s and PBG4s, or would I need to create 2 separate images, one for desktops and one for laptops?

2. We want the users to be able to use their machines as much as possible, but want to prevent unwanted software installation, deleting necessary system files, etc. If the users are just given regular user accounts, what parts of the system will they need full r/w access to beyond their home directory?

3. Most of the users will be graphic designers who use such programs as Photoshop, Illustrator, Acrobat, etc. When I install these on the image, should I do so with an admin account or with a regular user account? Do I need to give the users full r/w access to each of these application's folders or not?

4. Since users will have full r/w access to their own home directory, does this mean they can install *and* run applications from their home directory? This is something I would like to prevent.

5. Our company uses Notes 6.0.x for e-mail/scheduling. How should I install this on the image? Does the data folder go in the Notes folder in Applications, or does it go in the user's home directory folder?

I appreciate any and all help you can provide. Once I get these initial questions answered, I am sure I will have more.

Thanks!

[sandsl]

1. Depends on the image. Images are automatically scaled up or stretched to fill the screen.

2. None (I think)

3. Install in the applications folder using an admin account. All users will by default be able to use any applications in the 'Application' folder. Users may need read/write access on some folders eg. Photoshop plugins folder if they need to modify it.

4. Yes they can download and install *some* apps in any directory (including home directory) they have read/write access. This can't be prevented.

5. You'll have to contact the developer and ask. I don't have any experience with that app.

[macmike42]

sandsl, you kinda missed the boat on point 1, or made a really bad joke. The original poster is talking about disk images, not desktop images. Other than that you are right on.

Mac OS X installs all needed drivers for all the basic hardware it supports. A disk image of a complete 10.2.4 install will boot any Mac that supports it. One thing you might want to keep in mind, if the users will be prevented from installing software of any kind, is to install the newest versions of any available print drivers they might need to use. Apple provides drivers for Epson, HP, and Lexmark printers, but I recommend against installing them, and just grabbing the latest drivers straight from those comanies. Also check out Gimp-Print for maximum flexibility. This combination will allow your PowerBooks to print to pretty much anything, hassle-free.

Other than that, 10.2.4 contains pretty much every driver needed for all built in hardware and lots of common business add-ons. Don't worry about removing anything, since OS X only loads the drivers it needs.

As for permissions, regular user accounts are as secure as you can get without hindering workflow. If a user really wants to change something they shouldn't, they will undoubtedly just get ahold of a Jaguar install CD and change the admin password, so don't go crazy trying to secure everything.

[Mithras]

I trust you've encountered Carbon Copy Cloner. If not, check it out.

In any case, read Mike's very useful page about deploying cloned disks.

You'll also find useful:
* The Bombich forums
* macosxlabs.org
* The Maine Learning Technology Initiative, the project that deployed 36,000 iBooks to students and teachers

Note that you *could* set the users to have 'limited capabilities' - check out the Capabilities button in the Account preference pane. This would allow you to restrict them to launching only pre-defined applications, rather than any app they feel like installing in their home folder.

Another option was used by the Maine program: they installed a script that searches the user's home folder for applications and mp3 files. The script turns off the executable bit of any applications, and turns off the read bit of any mp3s, so they can be deleted, but not used. You would add your script with the -loginHook option in /etc/ttys (see this PDF for more).

However, as macmike42 says, if you restrict them too much, your users will just get mad and flail around to circumvent your restrictions. So I think normal users is a happy medium.

[Alex Duffield]

I just finnished doing this for an install of 12 new G4 systems.

I set up on system just as I wanted it, with all the apps, printers etc...

Then I used Carbon Copy Cloner to make a Disk image of that system

I also built one system with a very minimal install of OSX and and cloned that system to a firewire drive.

Then I muved the image of the compleat install to that firewire drive aswell.

Now I just plug my FW drive into a G4, and boot holding down "option" I select the FW drive to boot from. Once booted,I format the internal drive, mount the full install disk image then use CCC to clone the image to the internal drive.

Then reboot and Im done.

It takes 30 minutes for my setup to nuke and reset up a system.

I would personaly make different images for different types of work stations, for example the laptops have far less drive space then a desktop, so it would be a waist of space to have iDVD on those systems...

So far I have installed an image created on a new 1GHZ system to 12 other G4s ranging from a 400MHZ up to a dual 1GHZ with no problems on any of them.

[Tennberg]

Thanks for all the input so far.

I have approached my manager about purchasing a PMG4 and a PBG4 for creating these images. I can then set them up side by side and for every change I make on the PMG4 image, I can make sure to do it in the PBG4 image.

As for imaging, the previous method I used at other companies for OS 9 imaging was to use Retrospect and create an image file, copy it to a bootable FireWire HD, and then take that from computer to computer.

Now, however, a method that was mentioned that I've used before is Carbon Copy Cloner. Now, whenever a new machine comes in (since it's new it will have FireWire), I just put the new machine into target mode and copy it over that way. One question: If the image is in HFS+, will the new machine also be HFS+?

Second question, should I install *all* software as root and then just make the necessary changes for each user account? My thinking was when I build the image, to make sure the ONLY account on the machine is root. Then, once EVERYTHING is installed and changed, I can create a user account, and make the necessary permission changes.

Thanks for all your help.

[Phoenix1701]

There is no reason I can think of to make different images for a laptop than a desktop; the Mac OS X installation on one is exactly the same as it is on the other. Creating one image for both should work just fine.

There is a way to prevent users from running applications that aren't pre-installed on the machine. Go into the Accounts pane in System Preferences, click the account your user will be using, and then click the "Capabilities" button. In that sheet you will find, among many other useful options, the ability to specify an exclusive list of applications that can be used. Any new applications that are installed will not be on that list, so they will not be runnable.

Hope that's helpful...