Deploying Firmware Updates During Imaging

Hey all, this is something we’ve been thinking about internally and, after Allister Banks’ afp548 blog post, there’s possibly a workflow to let you have your cake and eat it.

First a caveat:

This is not something supported by Apple and may well break with future updates or in certain workflows.

Background

So first, some background. For a while now, Apple has no longer provided some (all?) Firmware updates as separate update packages, instead baking them into macOS installers, updaters and security updates. As a result, if you are deploying your copies of macOS using a disk image, your client devices may not be getting these updates. This includes OSes deployed using AutoDMG / InstaDMG built images, as well as the more traditional Monolithic / ‘Golden Master’ images.

Why is this important?

Well, as with most updates, Firmware updates include bug fixes and miscellaneous new features. As we’re talking about low-level hardware-software interactions, these bug fixes can offer solutions to lots of random issues.

Not enough? How about patches to security issues, like the ‘Thunderstrike 2’ vulnerability?

What do you mean a security issue is still not enough?!? Ok, what about system compatibility? On Thursday, I gave a brief presentation for London Apple Admins on some new Knowledge Base articles Apple released for macOS High Sierra. This KB article talks about the importance of not using monolithic system imaging to update or upgrade an OS. The reason? The device(s) will be missing required firmware updates and this “…causes the Mac to operate in an unsupported and unstable state.”

So, in summary:

firmware updates == required

But how do I Firmware?

The fully supported solution to this issue is detailed in the same Apple KB article, namely:

An (unsupported) Alternative

We work with a fair amount of education institutions where the above workflows are arguably either impractical or labour intensive, especially for their lab devices. Still, these devices are gonna need these Firmware updates, so how do we do it?

Second shout out to Allister Banks’ blog which provides instructions on extracting the High Sierra Beta Firmware update package from the ‘Install macOS’ application. I’ve based my below guide on that.

Note: This guide uses the `munkipkg` command line packaging tool, which can be downloaded from here

1) Grab your copy of ‘Install macOS Sierra.app’ that you’ve used to build your AutoDMG image with.

Note: This should be the exact same version (OS and build number) as your deployed image.

2) Run the following command to mount the InstallESD disk image inside the application

/usr/bin/hdiutil mount /Applications/Install\ macOS\ Sierra.app/Contents/SharedSupport/InstallESD.dmg

3) Run the following command to expand the Firmware update package

/usr/sbin/pkgutil --expand /Volumes/OS\ X\ Install\ ESD/Packages/FirmwareUpdate.pkg /tmp/FirmwareUpdate

4) Run the following command to create the directory to build our package

munkipkg --create /tmp/FirmwareUpdateStandalone

5) Run the following command to copy the post-install update script from the Firmware Update to the package build directory

/bin/cp /tmp/FirmwareUpdate/Scripts/postinstall_actions/update /tmp/FirmwareUpdateStandalone/scripts/postinstall

6) Run the following command to copy the tools from the Firmware Update to the package build directory

/bin/cp -R /tmp/FirmwareUpdate/Scripts/Tools /tmp/FirmwareUpdateStandalone/scripts/

7) Run the following command to create the firmware update package

munkipkg /tmp/FirmwareUpdateStandalone

8) Grab your new package from `/tmp/FirmwareUpdateStandalone/build/`. Personal preference but I renamed mine to include the OS version and build, pulled from the ‘Install macOS Sierra’ application.

9) Upload this into your deployment solution of choice:

  1. If using Imagr, set your `first_boot` key to `true` – More Info
  2. If using DeployStudio, tick the `Postponed installation (packages will be installed on first boot)` option – More Info Page 66
  3. If using Jamf Pro with Casper Imaging, tick the `Install on boot drive after Imaging` box – More Info
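Steps 2 to 8 above are a single procedure that you will repeat for every new OS build you deploy, so it is worth scripting. The script below is an added example, not code from the original post or from Apple or munkipkg; it assumes the Sierra-era installer layout the guide describes (InstallESD.dmg mounting as ‘OS X Install ESD’, FirmwareUpdate.pkg carrying `Scripts/postinstall_actions/update` and `Scripts/Tools`) and that `munkipkg` is on your PATH. The `check_firmware_payload` function is the part to note: later installers have been seen without the `postinstall_actions` folder, and without this check the build quietly produces a package that does nothing. The package name format, the `check_firmware_payload` and `firmware_pkg_name` function names, and the environment-variable overrides are my assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): automates the mount / expand /
# munkipkg steps and refuses to build a package whose payload is missing.
# All paths and names below are assumptions that match the guide's defaults.

INSTALLER_APP="${INSTALLER_APP:-/Applications/Install macOS Sierra.app}"
ESD_VOLUME="${ESD_VOLUME:-/Volumes/OS X Install ESD}"
EXPANDED_PKG="${EXPANDED_PKG:-/tmp/FirmwareUpdate}"
BUILD_DIR="${BUILD_DIR:-/tmp/FirmwareUpdateStandalone}"

# Confirm the expanded FirmwareUpdate.pkg carries the script and tools the
# standalone package depends on. Returns 1 (and says why) if either is absent,
# which is exactly the case where the built package would silently do nothing.
check_firmware_payload() {
    dir="$1"
    if [ ! -f "$dir/Scripts/postinstall_actions/update" ]; then
        echo "missing $dir/Scripts/postinstall_actions/update" >&2
        return 1
    fi
    if [ ! -d "$dir/Scripts/Tools" ]; then
        echo "missing $dir/Scripts/Tools" >&2
        return 1
    fi
    return 0
}

# Package file name carrying the OS version and build (step 8 of the guide);
# the format itself is an assumption, pick whatever your deployment tool likes.
firmware_pkg_name() {
    printf 'FirmwareUpdate-%s-%s.pkg\n' "$1" "$2"
}

# Steps 2-8 as one procedure. Every external command is checked so a failed
# mount or expand stops the build instead of producing an empty package.
build_firmware_pkg() {
    os_version="$1"
    os_build="$2"

    /usr/bin/hdiutil mount "$INSTALLER_APP/Contents/SharedSupport/InstallESD.dmg" || return 1

    # pkgutil --expand refuses to write into an existing directory
    rm -rf "$EXPANDED_PKG"
    /usr/sbin/pkgutil --expand "$ESD_VOLUME/Packages/FirmwareUpdate.pkg" "$EXPANDED_PKG" || return 1
    check_firmware_payload "$EXPANDED_PKG" || return 1

    rm -rf "$BUILD_DIR"
    munkipkg --create "$BUILD_DIR" || return 1
    cp "$EXPANDED_PKG/Scripts/postinstall_actions/update" "$BUILD_DIR/scripts/postinstall" || return 1
    cp -R "$EXPANDED_PKG/Scripts/Tools" "$BUILD_DIR/scripts/" || return 1
    munkipkg "$BUILD_DIR" || return 1

    # munkipkg writes <name>-<version>.pkg into build/; rename it to carry
    # the OS version and build so you can tell updaters apart later.
    for built in "$BUILD_DIR"/build/*.pkg; do
        [ -f "$built" ] || continue
        mv "$built" "$BUILD_DIR/build/$(firmware_pkg_name "$os_version" "$os_build")" || return 1
    done

    /usr/bin/hdiutil detach "$ESD_VOLUME" || true
    return 0
}

# Usage: ./build_firmware_pkg.sh <os_version> <os_build>
if [ "$#" -eq 2 ]; then
    build_firmware_pkg "$1" "$2"
fi
```

Run it with the OS version and build of the image you deploy (for example `./build_firmware_pkg.sh 10.12.6 16G29`, constructed values for illustration); if it exits non-zero, read the message on stderr before uploading anything.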

That should be it. Don’t forget:

  • If you start deploying a newer OS, you’ll need to repeat these steps and edit your workflows as required to deploy the updated Firmware updater.
  • If the Mac doesn’t need the Firmware Update, the tools in the package are smart enough to know not to run it.
  • This is not an Apple officially sanctioned workflow, so you’re on your own with it!

Summary

And there we go, hopefully that’ll help some of you out, or at least give you some ideas for poking your nose into how and why Apple performs these updates, and how they expect you to deploy Macs. As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

9 Replies to "Deploying Firmware Updates During Imaging"

  • Dan

    Can we do normal imaging using this method with an APFS base system? I’m using JAMF Pro Imaging and am trying to figure out if I can build an APFS base system, add this package at reboot and image like normal?

    • Darren Wallace

      Hi Dan,

      I’m afraid that deploying a firmware update alone will not affect imaging with an APFS system. It’ll surely be needed from the High Sierra installer but there are more ‘moving parts’ for this.

      I’ve not yet tested deployment methods for High Sierra so my suggestion would be to reach out to other Mac Admins via Slack or JamfNation, or contact your Jamf Buddy.

      Good luck!
      Darren

  • Darren,

    Thank you for this writeup. However, I do have a question. Yesterday I downloaded the official release of High Sierra. But the thing is, is that I can’t find SharedSupport/InstallESD.dmg anywhere in the app bundle.

    Any advice?

    Sincerely,

    Andrew

    ——-

    Andrew W. Johnson
    Sr Macintosh Systems Administrator
    Desktop and Systems Engineering
    Division of Information Technology
    Stony Brook University
    Computing Center Room 115
    Stony Brook, NY 11794-2400

  • Hey Darren, Thanks for this post! I’ve been thinking a lot about different ways to roll out High Sierra to a collection of mbps I currently help manage using Jamf etc. Unfortunately for me – the company I work for conveniently blocks all network traffic to and from apple server IP addresses (amongst a long list of others) because of security/data loss paranoia. Essentially, we run a tightly controlled, air-gapped desktop environment.

    This being the case – do you think forcing the ‘FirmwareUpdateStandalone-1.0.pkg’ to all mbps in the company device collection via Jamf policy before forcing a further set of ‘Install macOS Sierra.app’ cache and ‘Install macOS Sierra.app’ install Jamf policies would work?

    I’m going to test this over the next couple of days regardless. But interested to hear other mac admins approaches!

    Thanks, Chris

    • Darren Wallace

      Hey Chris,

      Thanks for your comment. With High Sierra and APFS it’s a little different as you’ll almost certainly need the firmware installed before the device reboots to the new OS. This is part-documented on the Imagr wiki which you may be able to translate the information into DeployStudio-speak.

      You mention Air-gapped Macs, with the High Sierra changes to UAKEL your devices will (at minimum) need to be enrolled in an MDM to be able to load third party kernel extensions (such as for AV and Data Loss Prevention (DLP) solutions – to name a few) without prompting the user.
      Secondly, based off these Open Radars, you’re really really gonna wanna have devices enrolled via DEP to be able to manage the newer security areas of macOS. Rumour has it, Apple may move some of the more sensitive MDM payloads behind the UAMDM ‘wall’ – think a Supervision-mode for macOS. It’ll provide greater control and protections for your Macs, but you’ll need to use Apple’s systems for it.

      And Finally, if you’re air-gapping your Macs, you’ll need to make allowances for the requirement to download firmware updates from the Internet, as detailed here:

      …You must be connected to the Internet when you upgrade your macOS. After your Mac confirms your connection, the Installer uses the model number of your Mac to locate and download a firmware update specific to only that Mac.
      Only the macOS Installer can download and install the firmware update. Firmware updates can’t be done on external devices, like those connected via Target Disk Mode, Thunderbolt, USB, or Firewire….

      I hope that helps out, and is certainly worth discussing with your security team to find out what is more important to them short and long term.

      Feel free to jump on the Mac Admins Slack to discuss these items. There’s now over 13,000 of us all with opinions and thoughts 😉

      Darren

  • Andrew, with the latest 10.13.6 installer, when I expand FirmwareUpdate.pkg, there is no postinstall_actions folder anymore. /update doesn’t exist, is not copied to the new package as postinstall, and therefore the resulting package creation creates a package that does nothing.
    Any ideas?

  • Andrew, I was able to download the 10.13.2 update installer and pull out the Firmware Update package from that to get the postinstall_actions folder and its scripts. I think just incorporating this will resolve my issue.
