Large-Scale Provisioning of Apple Silicon and Intel Macs

One of the challenges of updating a Mac fleet is processing the current deployed Macs or new Macs that need to be provisioned prior to deployment. Currently deployed Macs need to be processed to make sure there is no user data left on them, document any hardware issues, and prepare them for redeployment (either internally or sold off). New Macs may need to be upgraded to the most recent OS version before deployment.

Twocanoes Software provides tools focused on making this process as efficient as possible. Regardless of its state, any Mac can be wiped, tested and restored quickly and efficiently.

Scope

This article focuses on any Mac from 2013 to currently shipping Macs. This includes Intel Macs, Intel Macs with T1/T2 Co-processors, and Apple Silicon Macs. Apple Silicon Macs introduced a new way to wipe and restore Macs so this article will cover 2 different ways to process the Mac systems.

Tools

The following tools are used in this article:

MDS from Twocanoes Software: MDS is a macOS application to create workflows for installing macOS, macOS applications, scripts, users and configuration. MDS can also host workflows on a web server to make them available to be run over the local network.

DFU Blaster from Twocanoes Software: DFU Blaster is a macOS application to easily put an Apple Silicon Mac into DFU mode, wipe and restore macOS, and capture the serial number. DFU Blaster can automate this process and can integrate with the Acroname Hub3c for multiple Mac restores at one time.

Apple Configurator from Apple: Apple Configurator is a macOS application from Apple, Inc. It provides a command-line tool for restoring macOS to Apple Silicon Macs using by DFU Blaster.

Automaton from Twocanoes Software: The Automaton is a hardware device for typing automated keystrokes on a target Mac.

Hub3c from Acroname: This Hub3c is a fully managed USB-C hub from Acroname. Using the Acroname Hub, DFU Blaster can put a target Mac into restore mode and start restoring. The Acroname Hub3c supports up to 5 target devices and multiple hubs can be attached to a Mac running DFU Blaster to restore up to 10 Macs at one time.

Setup

Set up the system on an Apple Silicon Mac system running the most recent version of macOS.

1. Set the local hostname to mdscentral.local in Settings->General->Sharing.
2. Select Always from the dropdown for Allow Accessories to Connect in Settings->Privacy & Security.
3. Connect Admin device to power.
4. Install MDS.
5. Install DFU Blaster.
6. Install Apple Configurator from the Mac App Store.
7. Install Automaton App.
8. Install Mist from ninxsoft.

Mac Systems with Apple Silicon

To wipe and destroy any existing data on an Apple Silicon Mac, the Mac is put into DFU mode and the current OS is restored. All data on the SSD on Apple Silicon Macs is encrypted and restoring the OS using Apple tools in DFU mode destroys the keys to decrypt the data.

Restore Procedures

When restoring an Apple Silicon Mac system, two scenarios are covered. The first is for an individual restore, and the second is for restoring up to 5 Mac systems at a time per hub.

Procedure 1: Individual Restore

1. Plug the USB-C white power cable from the target Apple Silicon Mac DFU port to the DFU port on the Admin Mac.
2. Connect the target machine to power.
3. Open DFU Blaster and press the DFU Mode button.
4. Select the target Mac from the list at the bottom of the screen and select the “Restore button”.
   
   Note: To further automate this process, the “Auto DFU” and “Automatic Restore” switches can be set to put the target Macs into DFU mode and restore them automatically. Additionally, if a specific macOS version is required to be restored, it can be selected under Settings.

Procedure 2: Acroname Hub

To restore multiple Macs at one time, an Acroname Hub is used to connect to up to 5 systems at once. The Acroname Hub and DFU Blaster can be used to put all Mac systems into DFU mode and start the restore.

1. Plug the Acroname Hub into power from the USB port on the back of the hub.
2. Plug a USB-C white power cable into port 0 on the hub and into the Admin device DFU port.
3. Plug the multiple target Macs into the Acroname Hub Ports 1-5 using USB-C white power cables with the DFU Port.
4. Open DFU Blaster and click the Acroname Hub button in the upper right.
5. Select the target Macs and select the DFU mode button.
6. Once the target Macs are in DFU mode, select the target Macs at the bottom of the main screen of DFU Blaster and click Restore.

Target Mac Identification

Once the restore is complete, the Mac system will reboot into the Setup Assistant. The target Mac’s serial number will be shown, along with a QR code to identify it by serial number. Scan this value or use DFU Blaster’s webhook functionality to automatically populate external systems.

Mac Systems with Intel Processor

Mac systems with an Intel processor are restored by booting to recovery, destroying the APFS containers, and restoring the OS using the command-line installer. To automate the process, an Automaton is used to automate keystrokes to kick off a workflow. MDS is used to create the workflow resources and make them available to the target system when restoring.

Preparation

The process requires an MDS workflow that includes a script and the OS installer. The resources are provided on a local web server. The MDS automaton is used to start the restore with only minimal technical interaction.

Make Image Available via HTTP

1. Create the folder /Users/Shared/web in the Finder.
2. In MDS, click Web Service under Services. Unlock the lock in the lower left and provide the admin password.
3. Click “+” to create a new shared folder.
4. Select the following settings:
   1. Select Folder: /Users/Shared/web
   2. Port: 8088
   3. Allow Directory Listings

5. Start the web service by clicking the button in the upper right corner.
6. Click “Save to Disk Image…” and save the disk image to /Users/Shared/web with the name “mds.dmg”.
7. Verify the dmg is available by going to a browser and navigating to :
   http://<IP ADDRESS>:8088

Automaton

The Automaton app is a macOS app for creating automation routines on the Automaton 2. The Automaton 2 is a small device for automating the steps during startup to start the MDS workflow with minimal technician intervention.

1. Open the Automaton App
2. Select File, Import Workflows and import the MDS Automaton workflows. This will import 3 workflows:
   • MDS Automaton ARM: Automates running a workflow starting from recovery when Apple Silicon Mac is put into recovery with DFU Blaster.
   • MDS Automaton Intel: Boots to recovery, opens Terminal and runs MDS workflow on Intel Mac.
   • MDS Automaton Intel Fast: Opens Terminal and runs MDS workflow on Intel Mac. Assumes Mac is already booted into recovery.
3. Assign the MDS Automaton Arm workflow to button 1, MDS Automaton Intel to button 2, and MDS Automaton Intel Fast to button 3.
4. Plug in the MDS Automaton and click “Update Automaton” in the upper right corner.

Run the Workflow

To restore an Intel Mac system with the setup above, follow the steps below.

1. On the target Mac connect the device to power and ethernet.
2. On the target Mac, hold the option key and press the power button to power up the Intel Mac.
3. When the start disk selector appears, use Option-Command-R to boot to Internet Recovery.
4. When booted into Recovery plug the Automaton into any USB port and press button 3 to run MDS Automaton Intel Fast.

---