Mac Management Group


Deployment Solution and Mac NetBoot


  • 1.  Deployment Solution and Mac NetBoot

    Posted Aug 21, 2014 12:28 PM

    I am in the process of standing up a CMS 7.5 SP1 validation environment, which will run alongside my production 7.1 environment. I am coming to the project pretty green, as far as Altiris background engineering, but I have already set up my NS, Off-box SQL and Site server. I was trying to test Deployment solution yesterday and seem to be having DHCP problems on the subnet with the DS Site server. 2 Questions:

     

    1) What, if any, DHCP options are needed for PXE booting?

     

    2) When the above failed, I tried getting NetBoot to work, but since the documentation assumes Windows only (and no reference to OSX support) I pulled up the CMS for Mac documentation to find out I was missing Role Services for NFS and Windows Services for Unix (SFU); not to mention that I don't remember Site server documentation mentioning needing IIS on DS sites, either, so that was a surprise while troubleshooting. The problem here is my site server is 2012 R2, as I was led to believe it was supported. Well, I don't see SFU anywhere and have read that they're deprecated. Where does that leave me? Do I have to go all the way back to 2008 R2, or can I get this to work with 2012 at least? To say the least, I'm a bit aggravated that there are specific engineering needs that aren't addressed, even with a hyperlink, in the main Documentation, to Macs Documentation.



  • 2.  RE: Deployment Solution and Mac NetBoot
    Best Answer

    Posted Aug 22, 2014 09:00 AM

    Hello SysAdmin_D,

    AFAIK, for PXE booting there are no special settings required.

    And for NetBooting, an NFS share is required.

    It can be done either through Server Roles or SFU.

    But Windows 2k12 R2 already has "Server for NFS" under Server Roles.

    The videos below will assist you in setting up the environment:

    https://www-secure.symantec.com/connect/videos/configuring-netboot-server-support-bsdp-mac-video

    https://www-secure.symantec.com/connect/videos/booting-mac-client-netboot-part-1

    https://www-secure.symantec.com/connect/videos/creating-netboot-images-os-x-109-using-mocu-video

    https://www-secure.symantec.com/connect/videos/creating-netboot-image-using-mocu-app-video

    Regards

    Anil



  • 3.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 25, 2014 12:17 PM

    Anil,

     

    Thanks for your time on the response. The videos didn't really help much, for now, but I expect them to help when I get as far as imaging and creating my real NetBoot set; I just ported one over I had made for testing on my OSX 10.9.3 server. It worked great, but without the Agent on it there, there wasn't much I could do. Do you know if anyone has imported other netboot sets, from other 3rd party apps? We are currently using DeployStudio for Mac imaging needs and it would be very beneficial to be able to use its custom NBI to boot my Mac clients until I can get the full Mac infrastructure ported over.

     

    After taking some cool down time, your response did help me get back up on the horse and try again. It also reminded me not to make entry level mistakes and check the firewall. There were some other issues where I had to get my Network Engineer to adjust some things on the subnet, but it all came down to the firewall at the end of the day. I saw that the installer put in application entries for the server (though maybe that's the agent?), so I assumed I was all set, but apparently not as everything (PXE/NBI) came online after turning it completely off. Obviously that's not going to be ideal, especially as I move into CEM/HTTPS communication configuration. I've read so many white pages that my brain is turning to goo (goo-ier?). Any ideas on where to find ports to open on NS and Site servers?

     

    Thanks again.



  • 4.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 25, 2014 02:30 PM

     

    Hi SysAdmin_D,

    I am a bit confused by the comments about CEM/https as they relate to netboot and PXE. These will both not work with CEM. In order for netboot to work, you either need to be on the same subnet as the netboot server, or have IP helper addresses to allow the target subnet to receive broadcast packets from the Netboot server. With PXE, I believe you can get around the need for helpers by adding a DHCP option to tell the machine where to look for a PXE server, but I have not ever seen that kind of a setup for NetBoot.

    Are you hoping to use DeployAnywhere with Altiris? Or are you just wanting to be able to import the Netboot sets? Since you need to use MOCU to 'prep' the machine to be turned into a NetBoot image, I don't think there will be any way around using it for creating your netboot image. If you are just wanting to use your netboot from DeployAnywhere as a starting place, could you just restore the netboot.dmg to a computer, then install the altiris agent and plugins, and then run MOCU to create the new netboot set?

    Joe

     

     

     

     



  • 5.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 25, 2014 06:13 PM

    Joe,

     

    Thanks for taking a look. Comments about CEM/https were in relation to the Windows built-in firewall, which was blocking both PXE and NetBoot processes/communications on my site server. Once I disabled the firewall, I was good to go, but don't want that risk hanging around forever either. As I get further along in validation I plan on moving to CEM and, in general, want SSL communication on the local clients too. So, I want to close down the firewall again and was just wondering which ports I need to be cognizant of, for all CMS if possible, and for OSX and Windows.

     

    I'm pretty sure I knew that Deployment (of images) was not an option over the internet, but a reminder while I am still new is always welcomed.

     

    Your comments about DeployAnywhere confused me a bit. As I understand it, that's simply a driver store for imaging? I do plan to leverage Hardware Independent Imaging down the road, for my Windows boxes, but I don't see how that would relate to OSX? Maybe you thought I mistyped with DeployStudio? DeployStudio is a common, 3rd party, open-source, Mac NetBooting solution. It's what I have been using for a year+ to get the job done as I wasn't experienced enough in Altiris to try and get some kind of Frankenstein DS 6.9 + OSX Server amalgamation to work.

     

    DeployStudio also creates its own NetBoot sets, for use with OSX Server. OSX Server hands out the NBI, which once loaded, gives you an SSL (if configured) connection to the DeployStudio Server for further workflows: scripting, imaging and software deployment. I was hoping to import the DeployStudio NBI's to altiris, such that I can turn off the NetInstall service on my OSX Server, have Altiris hand out the NBI's, then continue my current SOPs until such a time as I can move over workflows and decommission my OSX server. When I tried this, this morning, I encountered a mega crash. Maybe my NBI's got corrupted, or maybe I told Altiris to import the tools or something which ruined the custom NBI...don't know, but that's on me to test and confirm. Just wondering if it was possible.



  • 6.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 25, 2014 06:48 PM

    Sorry, I mis-spoke when I mentioned DeployAnywhere.  I meant DeployStudio....  I have used DeployStudio way back in the day before we started using DS 6.9 to image our macs (process I developed: https://www-secure.symantec.com/connect/downloads/mac-imaging-using-deployment-solution-unicast-multicast).  

    Now that I get what you are wanting to do with Deploy Studio, you can certainly do that. When you are adding a preboot, just select your DeployStudio nbi to upload. It's worth noting that you may want to copy it locally before you upload it as I have seen that page timeout before while attempting to upload. There is nothing unique about the nbi that is created using the MOCU app.

    Regarding CEM, I believe it's not recommended to have your CEM server be the same one that is also hosting PXE/netboot. I think in general, you would have a CEM server in your DMZ just for remote machines, and then another site server to handle internal connections. With that said, see the following link for port info. The title shows that it's for ITMS 7.1, but if you search for the deployment section, they have listed ports for BSDP (the netboot protocol) as well as the ports needed for PXE.

    Thanks,

    Joe



  • 7.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 26, 2014 11:52 AM

    Joe,

     

    Sounds like we're on the same page here, now. I knew I needed the CEM server on the DMZ, but I assumed that once you engineer for CEM, all communications (even internal) would be over HTTPS? I honestly haven't read a whole lot. I'm just trying to replicate our 7.1 production environment before running some tests on Patching and Software Management, since we have never used those functions as intended.

     

    Your Mac workflow looks intriguing. I'll definitely need more coffee before diving in. ;)

     

    Looks like you forgot to paste the link for ports?

     

    Finally, I'm sure I can find this on my own, but do you have some good links handy for MOCU? The videos above were helpful, and I learn best from vids, but supporting docs would be good too.

     

    Thanks again.



  • 8.  RE: Deployment Solution and Mac NetBoot
    Best Answer

    Posted Aug 26, 2014 02:09 PM

    I believe you are correct that all agent communication occurs over https. PXE and Netboot (and MTFTP and NFS) are exceptions to this because they are not communicating directly with the agent, but rather with the computer itself. Because of this, they will still communicate over their designated ports.

    As an FYI, if you look at mac patching, be aware that it is VERY different than the way Windows patching in Altiris works. Mac patching just utilizes the OS X command line utility 'softwareupdate' to get the list of needed packages as well as to install packages (which means you can still, or may want to, utilize an OS X SUS).

    Here is the URL for the ports:

    http://www.symantec.com/docs/HOWTO83503

    For MOCU, do these help?

    https://www-secure.symantec.com/connect/videos/installing-symantec-s-mocu-app-video

    https://www-secure.symantec.com/connect/videos/creating-netboot-image-using-mocu-app-video

    And as a final tidbit, here is a video to the process I created in 6.9, and should be easily ported to 7.5 (video production credit goes to my old boss Jesse):

    http://youtu.be/vtpa5eWHKWQ

     

    Joe
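
    Added example, not part of the original thread: a way to turn the Windows firewall on the 2012 R2 site server back on with scoped inbound rules for the services named above, instead of leaving it disabled. The port numbers are the standard protocol defaults (BSDP rides on DHCP) and are assumptions here; the rule names, group name and client subnet are placeholders, and the authoritative port list is the HOWTO83503 document linked in this post.

```powershell
# Added example: scoped inbound allow rules for PXE/NetBoot on a site server.
# Assumptions: ports are protocol defaults, not taken from the Altiris port list;
# $clientSubnet and $group are placeholders to replace with real values.
$clientSubnet = '192.0.2.0/24'          # placeholder (documentation range)
$group        = 'DS NetBoot (example)'  # hypothetical rule group name

$rules = @(
    # PXE DHCPDISCOVER arrives from 0.0.0.0 (or a relay address when IP helpers
    # are used), so UDP 67 cannot be limited to the client subnet.
    @{ Name = 'DHCP-BSDP';   Protocol = 'UDP'; Port = 67;   Remote = 'Any' },
    @{ Name = 'PXE proxy';   Protocol = 'UDP'; Port = 4011; Remote = $clientSubnet },
    @{ Name = 'TFTP';        Protocol = 'UDP'; Port = 69;   Remote = $clientSubnet },
    @{ Name = 'RPC portmap'; Protocol = 'TCP'; Port = 111;  Remote = $clientSubnet },
    @{ Name = 'NFS';         Protocol = 'TCP'; Port = 2049; Remote = $clientSubnet }
)

foreach ($r in $rules) {
    $display = "$group - $($r.Name) ($($r.Protocol) $($r.Port))"
    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $display -Group $group `
            -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port `
            -RemoteAddress $r.Remote | Out-Null
    }
}

# Re-enable the firewall on every profile, then confirm the resulting state.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Get-NetFirewallProfile | Select-Object Name, Enabled
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Action
```

    If a boot still fails with the firewall enabled, check the port list against HOWTO83503 for anything beyond these defaults (MTFTP, for example) before widening the rules.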



  • 9.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 26, 2014 05:28 PM

    Nice tips all around. Thanks a lot Joe.



  • 10.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 28, 2014 08:06 PM

    Am I reading the documentation right? Do I need to enable the root account? Also, do I have to have both the Deployment Plug-in and Automation folder installed in order to make NetBoot sets and Mac images? I hope it's just old documentation, or at least only on the one machine.



  • 11.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 28, 2014 08:43 PM

    If you are going to use your Deploy Studio netboot set with Altiris, then you don't need to enable root. If you use DS 7.5, then you DO need to enable the root user, and furthermore you actually need to log in as root to use MOCU. You do not need the automation folder if you are using Netboot. The automation folder option would be used if you were not using Netboot. It creates another partition on the computer that holds another OS that is bootable. Unfortunately it's 10GB's or so.



  • 12.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 29, 2014 11:50 AM

    Joe,

     

    I appreciate all the advice. Final clarification:

     

    If I decide to move to DS 7.5 for Mac Imaging, do I have to enable root on all Macs in the fleet, or just for the machine I am creating NetBoot sets and images on?



  • 13.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 29, 2014 01:17 PM

    Just the machines that will be used for creating the netboot image. There was a time that it was required for the NS to work (I think 7.1) but I believe that requirement is gone now. It isn't hard to enable and disable root remotely if ever needed (dsenableroot).



  • 14.  RE: Deployment Solution and Mac NetBoot

    Posted Aug 29, 2014 02:31 PM

    Perfect. I can live with that. Thanks again for all the guidance.