Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Creating a Minimal Base OS Image


A minimal base OS image can be used to build a NetBoot image and smart configurations for imaging.
Creating a minimal base OS image involves the following steps:

  1. Install a clean copy of macOS.
  2. Configure the OS.
  3. Build a package of the OS.

Products Affected

Casper Suite, Imaging Suite, Composer


Step 1: Install a Clean Copy of macOS

See the following Knowledge Base article from Apple for instructions on how to install a clean copy of macOS:

Step 2: Configure the OS

Before building a package of the OS, you need to ensure that the OS is completely configured to your environment. The way that you decide to configure the OS depends on how you plan to use the minimal base OS image.

If you plan to image computers using the minimal base OS image, consider performing the following tasks:

  1. Create the main administrator's account.
  2. Name the computer in the Sharing pane in System Preferences. For example, "BaseImage".
  3. Name the booted partition in the Startup Disk pane in System Preferences. For example, "Macintosh HD".
  4. Activate Remote Login (SSH) and Remote Management (Apple Remote Desktop). a. Navigate to the Sharing pane in System Preferences. b. Select the Remote Login checkbox in the sidebar to enable SSH. c. Select the Only these users option in the Allow Access For pane. d. Click the Add (+) button and select the main administrator's account and any other accounts you would like to have remote access, and then click Select. e. Select the Remote Management checkbox to enable Apple Remote Desktop. f. Select the Only these users option in the Allow Access For pane. d. Click the Add (+) button and select the main administrator's account and any other accounts you would like to have remote access, and then click Select.

  5. Configure Automatic Login and Login Window settings. a. Navigate to the Accounts or Users & Groups pane in System Preferences. b. Select Login Options in the sidebar. c. If System Preferences does not allow you to make changes, click the lock icon, and then authenticate locally when prompted. d. Select "Off" from the Automatic login pop-up menu. e. Select the Name and password option.

  6. Perform any other system security fortification.

  7. Configure miscellaneous settings, such as:
    a. Energy Saver settings
    b. Keyboard and mouse settings
    c. Network settings
    d. Sharing settings
    e. Name and password or list of users

  8. Run all available software updates.

  9. Turn off automatic software updates.
  10. Confirm Accessibility settings.
  11. Confirm Network Account settings.
  12. Make sure the Trash is empty.

Note: LDAPv3 bindings can often be built into your image.
Note: Active Directory bindings should not be built into the image. Each computer must join the domain.

Step 3: Build a Package of the OS

For instructions on how to build an OS package, see "Building OS Packages" in the Casper Suite Administrator's Guide.

Additional Information

For instructions on how to use a minimal base OS image to create a NetBoot image, see "Creating NetBoot Images for Use with the Casper Suite".

Like Comment
Order by:
SOLVED Posted: by gregneagle

This is not a good practice, and hasn't been for several years. Consider instead using one of the several methods of building "modular" installation images that have never been booted and therefore contain no machine-specifc cruft.

"Monolithic" imaging leads to all sorts of hard to diagnose and fix problems, but more importantly, it's very difficult to repeat accurately. When Apple release the next OS, good luck manually replicating you did with OS-1.

SOLVED Posted: by gregneagle

<deleted accidental double post>

SOLVED Posted: by bheitzig

What's your workflow like for your form of "modular" installation images?

SOLVED Posted: by donmontalvo

@bheitzig Search for "thin imaging" threads, lots of good stuff posted by Steve Wood (et al). Greg is right in that the better method is to not bother touching the OS when deploying new Macs. He has presented on this subject, so he is considered a subject matter expert.

However, in cases where you need to use a Base OS, Composer handles this for you. For the record, we've successfully deployed Composer created Base OS images to 1,000+ Macs in a very high profile multimedia company. Since I left that firm, we've been doing "thin imaging" and have never looked back.

Many ways to surf a wave (since we can't skin cats anymore). :)


SOLVED Posted: by alan.trewartha

I remain very confused on good practice for making a NBI that will let me run Imaging "headlessly", or is the thin-imaging advice these days not to bother with NBI-ing?

SOLVED Posted: by donmontalvo

As @gregneagle][/url][/url hinted, take a look at AutoDMG for looking at never-booted-so-no-cruft images. There's a fairly active community using this tool, you may want to tap into it to get hints on how to take care of all the settings that this JAMF Software KB article steps you other words, while there may be other methods for creating Base OS'es, they come with a learning curve and more work (packages/scripts to do the steps this KB takes care of).


SOLVED Posted: by stevewood

It's understandable how it can get a bit confusing @alan.trewartha. I'm assuming when you say "headlessly", you simply mean being able to plug in a new machine, NetBoot, and have Casper Imaging start automatically and image the machine. This is how I have things setup here at the office. To do this here are the rough steps I use:

\- install an OS on an external drive from the newest machine I have (make sure the OS on the external drive and internal drive are same)
\- boot from the external drive and run all software updates from Apple
\- enable the root user and set the machine to automatically login as the root user
\- install Casper Imaging and any other tools you want on the system
\- open Casper Imaging and set the JSS server address
\- set Casper Imaging to open at login for the root user
\- restart the machine off of the internal drive
\- remove sleepimage and swap files from external drive (/var/vm/)
\- remove all Applications and Utilities I will not need
\- open System Image Utility and create the NBI set of the external drive from the internal drive

Those are the basic steps. You can find more info about removing the sleepimage from this article:

And more about reducing the NBI size from this article:

Once I have the NBI created and uploaded to the NetBoot server, I verify that it works by booting several different machines of different ages and models. I'm then ready to start imaging machines.

When I get a batch of new machines in, I use a barcode reader to scan the serial numbers into a spreadsheet I keep (a receiving log of sorts). I then copy those serial numbers into a Pre-Stage Imaging workflow that I have setup. I then unbox the machines and NetBoot them from the NBI. The machines boot, run Casper Imaging, and then restart with my first boot script ready to kick off the rest of the installs.

Hope that helps you understand a little better. I'm sure there might be other ways to do some of this stuff. If you have any more questions be sure to post back on the list.


SOLVED Posted: by alan.trewartha

Thanks Don, I had already downloaded that as it happens and have been playing with it a little just to make a vanilla ASR-able DMG (I used to use InstaDMG back in the DeployStudio days here.)

Thanks Steve \- that's more or less what I do do already. perhaps I was misled by Greg's initial posting which seems to contradict this 'machine specific' and 'actual booting' approach to making an NBI

appreciate the replies, guys, ta

SOLVED Posted: by donmontalvo

Also be aware AutoDMG creates a DMG that has both Macintosh HD and Recovery HD. This might be an issue in environments that has a baseline requirement mandating removal/hardening. YMMV

PS, Until today, I had no idea a DMG can have multiple partitions, thanks to @jaharmi ( for schooling us on that point. :)


SOLVED Posted: by bentoms

@donmontalvo Well a Disk Image is merely an Image of a Disk, & Disk's can be partitioned... So why not?

We actually create a Configuration that we compile using the Install ESD & just an Admin account.

That's what we use as a clean never booted DMG.

SOLVED Posted: by donmontalvo

We've always created images of partitions, never the disk. Good to know. :)

SOLVED Posted: by johnboots

So I've run into an issue. I have a clean install of 10.10.3, If I boot the machine to Target Disk Mode and connect it to my workstation where I have Composer installed, I can't access the partition where the OS is installed - it shows up in Composer greyed-out. I feel like I'm missing something really obvious, but I don't do this often and I don't remember what to do next. Please advise?

SOLVED Posted: by nessts

Are you using Composer 9.7? 10.10.3 images are core-storage by default, so you either have to revert it back to non CS or use the newer composer which I believe I saw is able to handle this now. I do not use composer for my base images so I do not know for sure.

SOLVED Posted: by BVikse

We still use full imaging in our district to take care of the "To many hands have made to many changes" situations such as computer labs and when we re-purpose a computer.

Each year we image all of our computer labs so the kids have a fresh OS to use and abuse for the new school year.

SOLVED Posted: by FoxSports

I am also having issues creating a OSX image with composer 9.81
Wont let me select the Macintosh HD partition it is greyed out

SOLVED Posted: by donmontalvo

@haroulak won't work if you're booted into the OS.

Another reason to use AutoDMG, it doesn't have that limitation.

Nor does AutoDMG "lock you in"...Per outlines what AutoDMG does and how it does it).

From his Wiki:

# Mount the install media.
hdiutil attach -noverify -mountpoint /tmp/installesd /Applications/Install\ OS\ X\
# Create a sparse read/write disk image.
hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "Macintosh HD" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage
# Attach it.
hdiutil attach -noverify -mountpoint /tmp/os -owners on /tmp/output.sparseimage
# Install the OS.
installer -pkg /tmp/installesd/Packages/OSInstall.mpkg -target /tmp/os
# Detach the images.
hdiutil detach /tmp/os
hdiutil detach /tmp/installesd
# Convert the image to read only.
hdiutil convert -format UDZO /tmp/output.sparseimage -o output.dmg
# Scan the image for restore. (Not actually in!)
asr imagescan --source /tmp/output.dmg
SOLVED Posted: by eob455

Man I hate JAMF documentation, after a good hour of circling through the support site and the Admin Guide, I have my OS image, where do I put it? How do I get it into a new configuration? Do I literally drag it onto a new config and Casper Imaging will magically know to image the machine with that dmg?

SOLVED Posted: by bentoms

@eob455 upload it via Casper Admin, create a configuration with the OS set to priority 1.

Launch Casper Imaging & the configuration should be accessible.

SOLVED Posted: by wangl2

I am creating a minimal OS image using 10.11. It is not minimal at all and the size went over 15GB. All I want is to create a NetBoot image base on this minimal image so I can run Casper Imaging. Is there any way of reducing the size of the OS. I want something really basic and slim I guess. The smaller the size the better.

SOLVED Posted: by m.entholzner

@wangl2 , have you ever heard of AutoDMG and AutoCasperNBI?
They will solve all of your problems :)

SOLVED Posted: by wangl2

I actually just created a NetBoot image using AutoCapserNBI base on an image produced from AutoDMG. The NBI finally made is still 10GB.
@bentoms Can I copy this NBI folder directly to the NetBoot Server? I guess I don't need System Image Utility anymore as I used to.

SOLVED Posted: by wangl2

Actually guys, I cannot just copy the NBI folder to the NetBoot server due to some permission issues. The SIU used to create NetBoot Image and create NBI folders in that location. Should I just modify the permission and copy that NBI folder to /Library/NetBoot/NetBootSP0
or Should I use SIU to do it?

SOLVED Posted: by m.entholzner

You can copy the AutoCasperNBI Output to /Library/NetBoot/NetBootSP0. But please note that you copy the folder with the .nbi extension, not the whole output folder. You won't need SIU for that.

SOLVED Posted: by wangl2

Thanks @m.entholzner I will try that.


Jamf wants to hear your feedback around Jamf Pro: LDAP Servers and Reports!