MDS 6 Administrator Guide

Overview

MDS is a macOS application for running workflows to add required software and setup to any Mac. With Apple Silicon Macs, MDS can be used to install users, software, and configuration after the device has been reset using DFU mode. For Intel Macs, MDS can erase the drive, reinstall macOS and install required software and setup to the Mac.

Why MDS?

MDS is based on the idea that you should be able to wipe and reinstall a Mac quickly and easily, i.e., in an automated way. Apple provides the ability to reinstall macOS from the recovery partition, but the installer must be downloaded during the install process; many manual steps must be taken in the installer screens. This is not difficult for an individual user but, for larger organizations or deployments, it can be cost prohibitive due to the setup time. Apple also provides the Deployment Enrollment Program (DEP) for initial setup and enrollment in an MDM service. However, using DEP requires both that an organization be enrolled in DEP and that all Macs be purchased and enrolled in DEP. Older machines can only be enrolled in DEP if they were purchased via the correct channel. Finally, even if a Mac is enrolled in DEP, if it needs to be reset and is not able to contact the MDM server, the OS must be manually reinstalled. This can be a labor-intensive process.

MDS works great with both DEP and MDM by preloading content. This way, your Mac is usable from the moment your new user receives it. DEP kicks off the software installation process, though this can take a long time; using MDS with DEP allows an administrator to preload all applications and settings, allowing users to skip setup at first login.

How MDS Works

MDS creates all the resources required to install macOS and install software packages for enrolling in MDM. The resources are organized into workflows, which can be selected as you set up the Mac. The resources and workflows are saved to an external drive or to a disk image for copying to a web server. Once saved, the target Macs are booted to the recovery partition and a script is run from the disk image on the web server or directly from the external drive. To further automate the process, MDS can flash an Arduino to turn it into an MDS Automaton, which gives the keystrokes for automatically selecting the recovery partition and running the script.

The methodology for using MDS depends on the hardware (Apple Silicon or Intel).

Apple Silicon Macs

Apple Silicon Macs must be erased using “Erase All Contents and Settings” or using DFU restores. We recommend that you use DFU Blaster Pro to install the version of macOS you require. After the device has been reset, an MDS workflow can be run from the recovery partition of the target Mac. On reboot, the resources will be installed. This results in a fast, scalable, and repeatable way to set up an Apple Silicon Mac.

Intel Macs

On Intel Macs, MDS is used in macOS recovery (either Internet Recovery or booting to the recovery partition) to wipe the drive, install macOS, and install software, users, and configuration.

Time Savings

The goal of MDS is to provide a way to quickly wipe and restore any Mac to a state where it can be immediately deployed. MDS is most useful in environments where the state of the Mac must be known prior to deployment.

MDS can be used with other tools to increase automation and efficiency. Using the Automaton and the resources created by MDS, a workflow can be run with minimal user intervention. In terms of time for technician interaction with the Mac, it takes just a few seconds to plug in the Automaton and the external drive, boot into recovery to start the startup selector, and then return a few minutes later to disconnect the Automaton and external volume. This can dramatically reduce setup time and result in large savings in both time and labor costs. This same process can be used for Macs that need to be re-setup either onsite or offsite.

Main Interface

MDS is organized into a side navigation panel and a main work area. The side panel has sections for Preferences, Deployment, Services, and Tools.

Under Deployment, the Workflows panel is the core of MDS. When opening MDS, the Workflows panel is automatically selected. This panel is used to set the majority of options for organizing and creating the resources to deploy your Macs. A workflow is the collection of steps that are done to erase the volume, install macOS, specify which packages and profiles to install, and specify which scripts to run before or after installation.

  1. To access the Workflows panel, select Deployment > Workflows in the Side Navigation.
  2. Add, Remove, and Edit Workflow: These buttons add, remove, and edit the above workflows. Double-clicking on a workflow will also open the editing sheet.
  3. Duplicate: Make a copy of the selected workflow(s).
  4. Import/Export Workflows: Select one or more workflows and click Export to save the workflow settings to a file. Click Import to add these workflows to MDS on another machine or after being removed from the workflow list.
  5. Activate/Deactivate Workflows: If a workflow is not active, it will not be included when the resources are saved. Uncheck a workflow to exclude it when saving to volume or disk image.
  6. Connect to Wi-Fi: This option will have the target Mac recovery partition connect to Wi-Fi before launching Imagr (or MDS Deploy) to run workflows.
  7. Check for network: This option will have the target Mac recovery partition check for a network connection when first launching Imagr (or MDS Deploy) to run workflows.
  8. Automatically run workflow: Choose a workflow to be run automatically after the specified delay period.
  9. Set target volume name: This is usually not needed as the default volume selected is “Macintosh HD,” but can be useful if a machine has multiple macOS installations. This will only run the automatic workflow if the specified alternate volume name is found.
  10. Override Workflow Options using Script: If you have a script that you’d like to use to override workflow options, you can select it here.
  11. Save to Disk Image: Prompts for a name and location to save a new disk image that will contain all the resources and workflows. The disk image can be copied to a web server for deploying Macs. (The disk image volume name can be configured in Preferences > General)
  12. Save to Volume: Prompts to select an external HFS+ volume. The resources and workflows will be copied to the selected volume for deployment. A script called “run” will also be created that is used to launch the workflow selector (Imagr or MDS Deploy).
  13. When installed, the DFU Blaster Pro button opens the DFU Blaster Pro app, which lets you put an Apple Silicon Mac into DFU mode with a button.
  14. The MIST button opens the MIST app when installed. MIST is used to download macOS installers or IPSW.
  15. The Automaton button opens the Automaton app when installed, allowing you to update and create new workflows for Automaton 2.

Apple Silicon Restore

Apple Silicon Macs can be restored using Apple Configurator, but only once they have been put into DFU mode. MDS makes it easy to put a Mac in DFU mode. Connect a USB-C cable supporting charging and data to the DFU port on each Mac, then click DFU mode. The target Mac will instantly go into DFU mode. The target Mac can be restored by clicking Restore With Apple Configurator 2. Alternatively, Apple Configurator 2 can be opened and the Mac restored directly from it.

To automate the process, click start. MDS will then detect any device plugged into the DFU port, put the Mac into DFU mode, erase and restore macOS.

Acroname Hub

To fully automate restoration, a full featured USB-C hub can be purchased and used with MDS. Plug the included USB-C cable from any USB-C port on the Mac running MDS and plug into port 0 of the Acroname for MDS hub. Plug up to 5 Macs into the USB-C ports 1-5 on the Acroname hub, making sure to select the DFU port on the target Macs. Click Refresh, and the attached Macs will show up for putting into DFU mode and restoring with Apple Configurator 2.

Additional Options

Additional options can be specified by clicking the Options button:

  1. Remove Apple Configurator temporary cache before each restore: When a Mac is restored, macOS is unzipped to the local drive by Apple Configurator 2. This results in very large cache files. Select this option to erase the cache before each restore. You can also click Empty Now to erase the cache now.
  2. Use Custom IPSW: Select a specific version of macOS to restore by selecting an IPSW downloaded from Apple or from Download macOS in MDS.

Workflow Creation and Editing Sheet

Workflow Description

When the workflow is created or edited, a sheet will be shown to edit the workflow.

  1. Workflow Name: A name for the workflow. This will be shown in the recovery partition when selecting a workflow.
  2. Workflow Description: A description for the workflow. This will be shown in the recovery partition when selecting a workflow.
  3. Only show workflow if model identifier contains: When the checkbox is checked, use this field to specify for which models this workflow will appear. For example, entering “MacBook” will have the workflow appear on all computers containing “MacBook” in their model identifier, i.e., all MacBooks and not iMacs.

Workflow macOS Settings

  1. Install macOS: Select a standard macOS installer downloaded from Apple (.app or .sparseimage), select a disk image (.dmg) with the macOS installer inside it, or provide a URL where such a file is hosted.
  2. Erase and Install macOS: If this is checked, the selected macOS partition will be erased and the macOS installer will be used to install macOS. Alternatively, to upgrade the current macOS installation without erasing, leave this option unselected.
  3. Rename volume: Change the volume name to a new value.
  4. Restart/Shutdown: Use this option if an additional restart is needed after the OS and package install process completes or to shut down the machine after the install process.
  5. Do not install macOS: Use this option to only install packages and other content. The current OS will be left on the target volume. This is ideal if you have a new Mac that has the most up-to-date macOS on it and you just want to install packages.

Workflow Resources Settings

  1. Wait for network access before installing resources: This is only needed when a given resource installation requires network access to proceed.
  2. Package & Apps Folder: Specify a path to a folder with packages to be installed when the workflow is run. The packages should be in standard macOS package format, regardless of the type of package (flat, bundle, etc.); MDS will convert them when the resources are copied. Any “.app” bundles found will also be converted and installed.
  3. Choose when to run each Package or App: You can select from running packages and apps on first boot, when running the workflow, or when the user first logs in.
  4. Scripts Folder: Specify a folder containing scripts to run on the target Mac.
  5. Choose when to run each script: You can select from running scripts after first boot packages are installed, before packages are installed when running the workflow, or when running the workflow.
  6. Reboot after first boot: Choose if the Mac should restart after applying the resources that are marked to be installed or run after the first time that macOS finishes booting. Additionally, you can wait for the Setup Assistant to complete before rebooting.
  7. After running workflow: When a workflow does not reinstall macOS, choose to either restart or shut down the machine when the workflow finishes.

Workflow User Account Settings

MDS can create multiple user accounts. Click the “+” button on the User Account panel to add one.

  1. Full Name, Short Name, and Password: Enter this information to create a new user account on the target Mac.
  2. Set the UID.
  3. Set the photo.
  4. Set an SSH key.
  5. Set the Password Hint.
  6. Choose between /bin/zsh and /bin/bash for the default shell.
  7. Select if the new user account is an administrator.
  8. Hide the user account from other users when logging in: This may be useful for creating admin management accounts that should not be visible to other users.
  9. Automatic login: The selected user will be automatically logged in when macOS is started.

Workflow Options Settings

  1. Join Wi-Fi: The target Mac will be configured to join Wi-Fi when a user logs in. Enter the SSID and Password below the checkbox.
  2. Set Computer Name: When this option is selected, either the admin is prompted for a computer name when the workflow is run, or the computer name is set to the value entered. Include the machine’s serial number if desired by adding {{serial_number}} to the name expression. This is useful when using MDS to deploy a cluster of Macs and identifying them for remote access or when sending logging information while the MDS workflow is run on a cluster of Macs.
  3. Trust Server Certificate in System Keychain: This will use the certificate from “Preferences > Security” so that after the workflow is run, the target machine will be able to use secure Web Services created in MDS.
  4. Skip Setup Assistant: Choose to skip some of the options usually presented during the initial setup of the target Mac.
  5. Skip User Privacy and Location Setup Assistant: Skip only these components of Setup Assistant.
  6. Enable SSH: Enable remote login preferences for administrators.
  7. Disable SIP NVRAM: Turn off macOS System Integrity Protection. This works on Intel Macs only.
  8. Set Target as Startup Disk
  9. Skip installing Rosetta

Workflow Variables Settings

  1. Set Variables: Check to activate the script variables option.
  2. Edit: Click to configure the settings for each variable that will be used.

Editing variables will prompt the user running the workflow to enter values. The values entered will then be available to scripts added to the Resources section of the workflow. Scripts can reference these values as “mds_var1”, “mds_var2”, etc.

Variables can be set to prompt either for text or provide a pop-up with multiple choice. When desired, multiple choice can include an “Other…” option to enter an answer not provided in the list.

Preferences

General Preferences

Preferences are split into multiple sections; the first section is the General tab.

  1. Imagr Download URL: Set the URL for downloading the current version of Imagr (usually leave as default).
  2. Temporary Folder: A local file path that MDS will use to store temporary files.
  3. Clear Files: Clicking will clear the temporary files location.
  4. Disk Image Volume Name: Change the volume name used when saving workflows to a disk image.
  5. Alternate Run Command: When saving workflows to a volume or disk image, MDS will usually create a run script to begin the process to run workflows. If any part of this needs to be customized, the user can write a custom run script and add it here.
  6. Restore Ignore Prompts: Reset calls for system permissions.
  7. Restore All Defaults: Reset original values for all General and Security Preferences.

Security Preferences

The Security Preferences tab manages the certificates used to secure communication for the web services that MDS can run.

  1. Hostname: Set the hostname that will be used for the certificate.
  2. Create Self Signed Certificate…: This button will create an X.509 certificate at the selected location. The DNS name on the certificate should match the DNS name that is used to initiate the connection.
  3. SSL Certificate Folder: The “Create Self Signed Certificate…” button above will automatically populate the Certificate and Key values required, but if an existing certificate and key is to be used, they can be selected here.
  4. The current file paths for the certificate and private key are shown.

Packages

The Packages Preferences tab manages how MDS can sign packages with a signing identity.

  1. Sign Packages: Select an item from the macOS keychain to sign packages.
  2. Skip signing if package is already signed: If some packages added to workflows will already be signed, click the second checkbox to leave signed packages as-is and only sign unsigned packages.

Running the Workflow

To run the workflow, you must first boot into recovery (instructions for booting into recovery are separated below between Intel Macs and Apple Silicon Macs). After booting into recovery, start the workflow selector, either Imagr or MDS Deploy, and run the workflow.

Booting Into Recovery

Intel Macs

On the Intel Mac that is to be set up, hold Command-R (⌘R) when starting up the Mac. Once the Mac is booted (to the recovery partition), open the Terminal by selecting Terminal from the Utilities menu. Then, start Imagr from an external volume, a file server, or a web server using the instructions above.

Apple Silicon Macs

On Apple Silicon Macs, this process is slightly different, but still largely similar. To boot into recovery, press and hold the power button until the drive and “Options” are showing; then, select Options. You will now boot into One True Recovery (1TR).

Running Imagr/MDS Deploy

External Volume

Plug in the external volume and enter the following command:

/Volumes/<Volume Name>/run

For instance, if the volume name is “MacDeployStick”, enter:

/Volumes/MacDeployStick/run

Web Server

If the resources were saved to a Disk Image, copy the disk image to the web server and locate the URL to the disk image. To mount the disk image and open Imagr, enter the commands in this format:

hdiutil mount <URL to Disk Image>
/Volumes/mdsresources/run

For example:

hdiutil mount http://192.168.168.50:8088/images/mds.dmg
/Volumes/mdsresources/run

File Server

If the disk image is hosted on an SMB file server, mount the file server and mount the image directly from the file server. The mount point must be created first, then the file server mounted, and the image then mounted in this format:

mkdir <mountpoint>
mount_smbfs smb://<username>@hostname/<sharedfolderpath> <mountpoint>
hdiutil mount <mountpoint>/<path/to/disk/image.dmg>
/Volumes/<Disk Image Volume Name>/run

For example:

mkdir /tmp/mnt
mount_smbfs smb://guest@imac.local/Shared /tmp/mnt
hdiutil mount /tmp/mnt/mds/MDSDiskImage.dmg
/Volumes/MacDeployStickResources/run

Running the Workflow in the Workflow Selector

Intel Macs

When Imagr starts, select the Target and Workflow and click Run Workflow.

Apple Silicon Macs

Once the Mac is booted to the recovery partition, open the Terminal by selecting Terminal from the Utilities menu.

After selecting a Workflow and Partition, click “Run Workflow”. If you need to cancel the workflow, the button will turn into a “Cancel” button after starting to run the workflow.

Web Service

MDS can run several web services. However, it can also create additional services for making files available from a URL. This can be useful when building workflows or running workflows from a disk image instead of saving them to a flash drive.

  1. Click the + button to add a new web service.
  2. View the list of existing web services and click the checkbox to turn individual services on or off.
  3. After configuring Security Preferences in MDS, check “Use TLS” to make the web service secure.
  4. Click the arrow button for each service to load its URL in a browser.
  5. Click the toggle button to turn all current web services on or off.

Adding a Web Service

  1. Select Folder: Select a folder for the web service, such as a location where one has saved workflows to the disk image.
  2. Port: Change the port for the web service or leave the auto-selected value.
  3. Use TLS: Check this box if needed to make the web service secure.
  4. Allow Directory Listings: Check if relevant to allow or disable a directory listing to show a list of all content in the selected folder.

All web services will remain running even after quitting MDS or logging out the current user from macOS. Use the toggle switch to turn off web services when desired.

Automatons

The Create Mac Automaton function programs an Arduino ItsyBitsy to act as a keyboard when plugged into a USB port. The Automaton should be inserted at the boot selector screen. To enter the boot selector screen, press the power button and immediately hold the option key down. The Mac will show bootable volumes. The Automaton should then be plugged into a USB port. The Automaton will issue a ⌘R keyboard command, which will boot the Mac into the recovery partition. The Automaton will then wait for an adjustable delay period and then issue commands to open the Terminal and launch the workflow selector (Imagr or MDS Deploy). 

After connecting an Automaton device, click Create to program it or update its software version. Devices previously flashed with Automaton software do not require pressing the device’s programming button; devices not previously flashed with Automaton software do.

Once the Arduino has been flashed, a success message will be displayed.

Once programming is complete, disconnect the Automaton. If left connected, it will begin sending keystrokes.

Configure Automaton

Click “Configure Mac Automaton” to change options.

The Automaton will press the Command-R keyboard shortcut (⌘R) a few seconds after it has been plugged in. It will then wait for a defined startup delay before issuing the commands for opening Terminal and running the specified command. These values can be adjusted using the Configure Mac Automaton sheet.

  1. Version: View the current Automaton firmware version. MDS will prompt to update the Automaton if it has older firmware than what is provided in the current MDS version.
  2. Delay time after initial startup before running commands.
  3. Command: Listed is the command that will run in Terminal in the recovery partition. It should be adjusted to match the name of the external volume (replace “mds” with the name of the volume that contains the MDS resources). Depending on where the resources are located, the command will be different. See below for examples:


External Volume

/Volumes/mds/run

Web Server

hdiutil mount http://imac.local/mds/MDSDiskImage.dmg && /Volumes/mdsresources/run

SMB Server

mkdir /tmp/mnt && mount_smbfs smb://guest@imac.local/Shared /tmp/mnt && hdiutil mount /tmp/mnt/mds/MDSDiskImage.dmg && /Volumes/mdsresources/run

  1. Delay before opening Terminal: The number of seconds between pressing ⌘R and issuing the commands to open Terminal to run the command.
  2. Delay before running command in Terminal: Additional time before the command is executed.

Intel Configuration

  1. Firmware Password: Use only if the target Mac has been configured to use a firmware password. This setting will enter the required firmware password before booting to the recovery partition.
  2. Boot into recovery: Usually this should be left checked. Unchecking this option will disable the Automaton’s normal function of immediately issuing keyboard commands to boot to the recovery partition. Instead the Automaton will wait to receive commands later using its command line interface. This option can also be configured to boot to the different recovery partition options available (Note: some of these may not be available for older macOS versions):
    1. Latest macOS that was installed on your Mac (⌘R)
    2. Latest macOS that is compatible with your Mac (⌥⌘R)
    3. macOS that came with your Mac, or the closest version still available (⇧⌥⌘R)
  3. Open Disk Utility and erase first volume: This is for use with volumes that have FileVault enabled. To avoid being prompted for a password when running the workflow, this option will instead have the Automaton open Disk Utility and delete the first volume in the recovery partition prior to running Imagr. A volume with the same name will be created so that Imagr can then proceed normally.

Apple Silicon Configuration

  1. Boot into recovery: in Apple Silicon, the Automaton can boot into recovery for you to run the workflow. If the Erase Mac option is checked, the Automaton will select the “Erase Mac…” menu option to erase the Mac prior to installing macOS and resources.
  2. Connect to Wi-Fi for activation: here, you can enter the SSID and password of the Wi-Fi needed for activation, skipping manually entering in the information during the workflow itself.

Create Bootable Installer

The Create macOS Bootable Installer sheet provides an easy way to create a bootable macOS installation on an external drive.

  1. Select macOS Installer: Click to select a macOS Installer app downloaded from Apple. (MDS provides a feature to do this if needed.)
  2. Target Volume: Select the target volume to install macOS (Note: this volume will be erased and formatted as HFS+).
  3. Click the icon to unlock if needed.
  4. Create: When the macOS Installer and Target Volume are selected, you can now create a Bootable Installer.

Note: this function is not required to restore macOS and packages. This is normally done by booting to the recovery partition. However, in some cases it is convenient to have a bootable external volume.

Running Workflows from External Volume

If you are saving an MDS workflow to a bootable external volume, be aware that the macOS installer presents the volume name as /Volumes/Image Volume rather than /Volumes/<name of volume>. This can cause issues with workflows, since the resources are accessed by the volume name. To resolve this, you can use one of two solutions:

  1. Create two HFS+ partitions on the external drive. Install the bootable macOS on one partition and save the MDS resources to the other partition. You can then run the command using /Volumes/<name of volume>/run
  2. After installing macOS to the external volume, rename it to “Image Volume”, then save the resources from MDS to that volume. The workflow resources will then be referenced by the correct name and you can run the workflow by running /Volumes/"Image Volume"/run

More Resources

If you need help configuring MDS Automatons, please visit MDS Automaton Setup.

MDS Keyboard Commands

  • ⇧⌘I: Import Workflows
  • ⇧⌘E: Export Selected Workflows…
  • ⇧⌘M: Save Master for Syncing…
  • ⇧⌘S: Sync Now
  • ⌘N: New Workflow…
  • ⌘D: Duplicate Workflow(s)
  • ⌘E: Edit Selected Workflow…
  • ⌫: Remove Selected Workflow(s)…
  • ⌘W: Close
  • ⌘R: Check For Resources…
  • ⌘K: Clear Resource Cache
  • ⌘L: Show Log
