Better Optimizing MacOS Deployment

Hello. I work at a small-to-medium sized company where we handle leasing and computer refurbishment. We’ve had a sudden increase in the number of MacBook Pros we need to reset to factory, and it’s taking a very long time to use the traditional route of MacOS Recovery → Install Catalina (from Internet) → Upgrade to Ventura or Sonoma (dependent on model).

One very strict condition we have to deal with is that External USB Boot is Disabled, and the customers almost always delete the MacOS install before returning the MacBooks to us, meaning there’s no administrator account/password to access the MacOS Recovery setting necessary to re-enable USB Boot options.

This leaves us with strictly network based solutions.

Some things I have tested with limited success (please forgive my lack of Mac knowledge), but I did find how to download complete OS packages:

softwareupdate --fetch-full-installer --full-installer-version #.#.#

This enabled me to download the Install MacOS.app folder, which I placed on a network SMB share (most of our business is with Windows/PC).

Through MacOS Recovery I found the commands necessary to deploy Sonoma from local network SMB. I can:

  1. Format the SSD
  2. Make a folder under /Volumes
  3. Mount an SMB share to the folder
  4. Execute the osinstaller on SMB --accept-EULA --volume /Volumes/Macintosh\ HD

This “works” with Ventura/Sonoma with mixed results. MacOS Recovery HAS to be from Ventura or Sonoma. If MacOS Recovery is for Catalina, this process just stops at installos. Similarly, it does not always work unless I Internet install Ventura/Sonoma, then go back into MacOS Recovery and try again. It behaves like the customer didn’t completely wipe some security setting that prevents this type of deployment.

I do have access to SSH, and I can also run SCP, so I can copy folders off the SMB server directly to the Macintosh HD, though I haven’t had good results deploying with that method.

Another method I’ve tried is Internet installing Catalina, going through the initial setup to get to the desktop, then copying the Sonoma.app folder to /Applications from SMB in the hope it will let me upgrade without fully downloading it from Apple, but this also fails. First it was permissions, then it just threw error numbers with no explanation.

I tried installing Catalina, then running the deployment command for Sonoma directly off SMB, but this just resulted in a “Validating install macos sonoma.app” dialog box with no options, and it never goes anywhere. Left it overnight.

I am now contemplating whether it is possible to build a MacOS Network Cache, preferably something I can deploy from a Linux Container or VM: some sort of DNS that sits in between the PCs and the Internet, so when a client wants to download Catalina, Monterey, Big Sur, Ventura, or Sonoma, it’ll cache it, and all subsequent clients on the network will pull from the cache.

I will also mention that this deployment network is isolated and I have admin control over it, so we can freely try different options if there are solutions I’m not aware of that we could test.

Right now, as it stands, we waste a lot of time resetting these MacBooks, and we don’t even have much or any demand for them, so I’m pouring tons of time and effort into something that yields a poor turnaround. But the way the leasing works necessitates that I reset every one we get, so I feel there has to be a better way of going about this.

Continuing to experiment and research this problem, I’ve tried each version of Catalina, and in no version does startosinstall work in MacOS Recovery. I found /var/log/install.log and it reports missing library framework errors, but I suspect this might be due to the security settings I am unable to change.

From here I’m going to move on to an alternative solution: experimenting with lancache.net for DNS (I’ve never used it before). I’m unsure if it will work here for complete MacOS installs, but I won’t know unless I try. I’m hoping that the image/update server only uses HTTP, since I’m getting the impression lancache can’t work with HTTPS, but if this works it will be a much simpler solution to use.

For a proof-of-concept I was able to set up lancache and direct it to a list of Apple domains responsible for both oscdn and swcdn. With some mixed results, I was able to deploy Catalina and Sonoma extraordinarily faster: Catalina in 1.5 minutes, Sonoma in 3.5 minutes. Getting MacOS Recovery to cache is a little buggy, though. I had it working, then it stopped. It behaves as if it’s changing every time it’s downloaded, which is interesting, so we’ll just have to wait and see how it behaves when I move to a full scale test, but things are looking promising.
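The Recovery-side deployment steps 1–4 above, written out as a script (an added example, not the poster's own commands). It assumes a share at //deploy@fileserver.example/installers and a target disk of disk0, both hypothetical; it adds a codesign check of the installer bundle before trusting a copy pulled off the network share, and uses startosinstall's real --agreetolicense flag in place of the "--accept-EULA" spelling in the post. Nothing destructive runs unless DEPLOY_RUN=1 is set.

```shell
#!/bin/sh
# Assumed values (hypothetical); override via environment to match your share and disk.
SMB_URL="${SMB_URL:-//deploy@fileserver.example/installers}"
MOUNTPOINT="${MOUNTPOINT:-/Volumes/installers}"
INSTALLER="${INSTALLER:-Install macOS Sonoma.app}"
TARGET_VOLUME="${TARGET_VOLUME:-/Volumes/Macintosh HD}"
TARGET_DISK="${TARGET_DISK:-disk0}"

# Path of the startosinstall binary inside an installer bundle (usage: installer_binary <mount> <bundle>).
installer_binary() {
    printf '%s/%s/Contents/Resources/startosinstall\n' "$1" "$2"
}

# Refuse to run an installer whose code signature no longer verifies
# (e.g. a bundle that was damaged or altered while sitting on the share).
verify_installer() {
    codesign --verify --deep --strict "$1"
}

# Steps 1-4 from the post: erase, create mount point, mount SMB, run the installer.
run_deploy() {
    diskutil eraseDisk APFS "Macintosh HD" "$TARGET_DISK" || return 1
    mkdir -p "$MOUNTPOINT" || return 1
    mount_smbfs "$SMB_URL" "$MOUNTPOINT" || return 1
    if ! verify_installer "$MOUNTPOINT/$INSTALLER"; then
        echo "installer bundle failed signature check; not deploying" >&2
        return 1
    fi
    "$(installer_binary "$MOUNTPOINT" "$INSTALLER")" \
        --agreetolicense --nointeraction --volume "$TARGET_VOLUME"
}

if [ "${DEPLOY_RUN:-0}" = "1" ]; then
    run_deploy
fi
```

Run it from a Ventura/Sonoma Recovery Terminal with DEPLOY_RUN=1; the signature check is what stops a stale or partially copied bundle on the share from ever reaching startosinstall.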