Author: ab

Apple has included a tool to build a bootable external installer drive with the macOS Installer application for a while now. Apple actually has documentation for this tool.

The tool is called createinstallmedia and can be found in /Applications/Install macOS [[High ]Sierra | Mojave].app/Contents/Resources/.

When run, the tool requires a path to an external volume or partition, which will be erased and replaced with a bootable installer volume.

Note: Secure Boot Macs with the T2 chip cannot boot from external drives in the default configuration. As of this writing this affects the iMac Pro and the 2018 MacBook Pro. But it is expected that any new Macs released from now on (as in maybe at the Apple Event tomorrow?) will also have Secure Boot.
Nevertheless, having an bootable external installer is still every useful for ‘legacy’ (i.e. non-secure boot) Macs. Also, while it not a good general configuration, it can be very useful to enable external boot on machines that you frequently re-install for testing.

While the support article covers the basics, the tool gained a new feature in Mojave which is not documented in the article.

When you run the Mojave createinstallmedia tool without arguments you get the usage documentation:

$ /Applications/Install\ macOS\ Mojave.app/Contents/Resources/createinstallmedia 
Usage: createinstallmedia --volume <path to volume to convert>

Arguments
--volume, A path to a volume that can be unmounted and erased to create the install media.
--nointeraction, Erase the disk pointed to by volume without prompting for confirmation.
--downloadassets, Download on-demand assets that may be required for installation.

Example: createinstallmedia --volume /Volumes/Untitled

This tool must be run as root.

The new argument in the Mojave is called --downloadassets. The description is a bit sparse, but from what I gather this is download additional assets, like firmware installers and bundle them with the other installer files on the installer drive instead of downloading them on-demand during installation.

This will not remove the requirement for the Mac to be connected to the internet during the installation process but it should speed up the process quite a bit.

If you want to learn more about how to create external installers and how to use the macOS Installer app most effectively in your workflows, you can buy my book ‘macOS Installation for Apple Administrators’

Nick asked a question in the comments recently:

Now only if there was as simple a tool for setting the profile pic!

There is no simple tool, but it is not that hard really.

When an individual user wants to change their login picture, they open the Users & Groups preference pane. But if want to pre-set or change it for multiple Computers or Users, then we need to script.

Update 2019-09-20: Some of this seems to have changed since I wrote this. in 10.14.6 you will need to set the JPEGPhoto  attribute as well. Read Alan Siu’s post for details.

Where is it stored?

The data for the user picture is stored in the user record in the directory. If the user is stored locally the directory is just a bunch of property list files in /var/db/dslocal/nodes. However, we do not want to, nor should we manipulate them directly. The tool to interface with directory data is dscl (directory service command line, pronounced diskel)

You can get a user’s record data like this:

$ dscl . read /Users/username

This will dump a lot of data, some of it binary. When you look more closely at the data, you can see that the binary data is in an attribute JPEGPhoto. This is promising, but converting an image file into some binary code and writing it into the attribute does not sound fun.

When you look around the user record some more, you can find another attribute labeled Picture which contains a decent file path (it may be empty on your machine). When JPEGPhoto contains data, Picture will be ignored. But when we delete the JPEGPhoto attribute, then the system will use the file path set in the Picture attribute.

Let’s Change It!

Deleting the JPEGPhoto attribute is easy:

$ dscl . delete /Users/username JPEGPhoto

And so is setting the Picture attribute to a new value:

$ dscl . create /Users/username Picture "/Library/User Pictures/Flowers/Sunflower.tif"

With this you can create a script that resets all user pictures by looping through all the available pictures in the /Library/User Pictures folder.

(Since you are affecting other users’ records, this script needs to be run as root.)

Custom Images

Of course, you don’t have to use the pre-installed User Picture images, but can install your own.

To demonstrate how this would work, I conceived of a little fun exercise. I wanted to write a script that sets the user picture to an image from the ‘User Pictures’ folder which starts with the same letter as the username.

The set of images in the default cover 19 of the 26 letters in the latin alphabet. I created images for the seven missing letters (A, I, J, K, Q, U, and X).

To run the script at login, I created a LaunchAgent. And finally a script which will set the Picture to the appropriate path.

Since LaunchAgents run as the user, we need to be a bit more careful when changing the attributes. While a user has privileges to modify and delete the JPEGPhoto and Picture attribute, they cannot create the attributes, so our sledgehammer method to overwrite any existing value from the script above will not work.

The dscl . change verb, which modifies an attribute has a weird syntax which requires you to pass the previous value as well as the new value. To get the previous value, which may contain spaces, I use the same PlistBuddy trick from this post.

Finally, I built an installer package which installs all the parts (the additional images, the LaunchAgent plist and the script) in the right places. You can get the project here. Run the buildAlphabetUserPkg.sh script to build an installer package.

Since the LaunchAgent will trigger at a user’s login, you will have to logout and back in, before you can see any changes. You could add a postinstall script that loads the launchagent for the current user (when a user is logged in), but I will leave that as an exercise for the attentive student.

You can get all the pointers on how to build installer packages with postinstall scripts in my book: “Packaging for Apple Administrators”

The consulting team at Pro Warehouse has been working on an application. I mentioned this application in my talk at MacSysAdmin. The application is called ‘EraseInstall’ and provides a user interface which runs the startosinstall --eraseinstall command, which is part of the macOS Installer application.

Why?

The startosinstall --eraseinstall command with all its options is fairly accessible for an administrator. There have been some attempts to make the command more accessible to end users.

With Mojave, Apple is enforcing the requirement to have an active internet connection before you start the installation. The startosinstall command will fail if it cannot reach Apple’s servers. Also on Secure Boot Macs, you really want a user to have Find My Mac disabled before a system is wiped.

We chose to build an application with an interface that runs the necessary checks and displays a summary, before the startosinstall --eraseinstall is launched.

This will provide end users, techs and admins easy access to a tool which wipes the system. This will close the lifecycle loop of a Mac, from on-boarding to ‘off-boarding.’

Enter EraseInstall

EraseInstall will show three screens, the first will explain what the application does (wipe everything!) and then you will get a summary of the checks. In this initial version we check whether the system has APFS, if Find My Mac is enabled and if there is an internet connection.

EraseInstall also locates a suitable “Install macOS” application, either “Install macOS High Sierra” for 10.13.4 and higher or “Install macOS Mojave.” It is your responsibility to have the install app on the system before the EraseInstall is run. The app does not have to be installed in /Applications. (EraseInstall uses a spotlight query to locate available installer applications. It may take a few minutes after an installer app has been copied to a system for spotlight to pick it up.)

WARNING: the app as we have posted it is fully functional and will erase and install the system on which it is run. Please only run this on a test machine!

You can watch a video of the installation and workflow here:

How to get it

You can download an installer and the source code for the EraseInstall application here.

The installer will put the EraseInstall.app in /Applications/Utilities/.

You need to install, copy or download the “Install macOS” application (for 10.13.4 or higher) through your management system, VPP or manually.

• EraseInstall source and installer on BitBucket
• Pro Warehouse Press Release (Dutch)