My Boss said... let's stop imaging, and start upgrading.

Eigger
Contributor III

I was tasked today to stop wiping out our student and teacher machines to lay down the new and tested OS and packages every summer to prepare them for the next school year. Instead, he would like us to do in-place OS upgrades and keep our apps up to date now, so we can save time by not imaging during our summer visit to our school sites. I like the idea; who wants to be the guy imaging hundreds of laptops, waiting for them to finish and putting them back in the cart? However, I think it is not all good. For teacher machines, yes, because they keep the same machine for the duration of their contract. But how about student machines? We image student machines every summer to roll out the new OS and to wipe out student data to prepare them for the next student that will use them next school year. Yes, we can do the in-place OS upgrade and upgrade packages for compatibility now, but how about cleaning the student data when the school year ends? We also have shared Macs that have multiple users. Is there a way to delete users and their files in a scheduled manner? Wipe them clean of user files and restore settings like a freshly imaged machine, without actually imaging it? Anybody out there doing this kind of system in their school district?


VT-Vincent
New Contributor III

I'm considering a similar strategy in our district; it should be perfectly doable assuming your images are relatively consistent, you don't rely heavily on any local accounts other than the one which was set up when the OS was first installed, and your students/staff don't have admin access on the student machines that would allow them to change settings or add/remove software and put them in an inconsistent state with the rest of the machines.

With regard to wiping out the student data, you should be able to script the removal of any accounts with a UID higher than 501, assuming your local admin account was created during the initial setup of the machine and you don't rely on any other local accounts. If you do, you'd need to know the UIDs of any other accounts and exclude them from that process. As far as settings go, what settings are you concerned about? Assuming your students are local, they should only have set user-specific settings and those would be wiped out with their accounts/home folders.

psliequ
Contributor III

Upgrades in place are a good idea for 1-to-1 distributed machines. For everything where you're considering a 'bare metal' re-imaging approach, I would adopt more of a wait-and-see attitude. While bare metal re-imaging will always be suitable for macOS up to Sierra (at least 10.12.4 anyway), with the introduction of APFS much of how a machine is 'imaged' is going to change (hopefully to all of our benefit).

Nix4Life
Valued Contributor

@Eigger Is your boss trying to save time? Just asking, because we're also in K-12 and we re-image every summer. Like you mentioned, teachers are responsible for upgrading their own machine if they want to, once our testing has concluded. You could automate a lot of the re-imaging, if you haven't already, to a one-touch setup. I have been doing a "soft" rollout of Sierra for the past 3 weeks, doing OS upgrades with createosxinstallpkg set to lowest priority (20) and install at reboot, plus an app upgrade on 2013 iMacs. Including upgrading the email client and the OS, it takes about 25-30 mins. A nuke and pave takes 30-35 mins; both include all updates and patches. @psliequ brings up a good point, but by then we may be looking at macOS 10.13.

alexjdale
Valued Contributor III

I wouldn't ever recommend that. You don't really know the complete state of the system and could be leaving user data (which would be a major privacy issue) or existing problems in place for the next user to find. It's not fun to try to troubleshoot systems that have gone through this sort of process if a user has problems.

It's just a bad idea. Yes, it saves time, but it's not the right approach. If we did that at my company we'd be in violation of our data security policies.

VT-Vincent
New Contributor III

@alexjdale Unless a user account was intentionally created below the 501 UID that contains sensitive information, that shouldn't be an issue. A strategy like that will depend entirely on the reliability of the state of the machines in question. A corporate environment is also a bit different than K-12 education.

Re-imaging is a faster process today (especially if retaining user data isn't a concern), but as was previously mentioned, APFS may put an end to disk-based imaging. An upgrade could be significantly faster than a network recovery, re-enrollment, and re-download of all district software, settings, profiles, etc.

alexjdale
Valued Contributor III

User data can exist outside of the user profile folder. Users can effect change outside of the user folder, even non-admins. Students are notorious for playing around with systems and finding ways around restrictions.

That's all, I just wouldn't feel comfortable without at least erasing the drive between deployments. I'm sure things will be fine most of the time, but it's cutting a corner.

Eigger
Contributor III

@LSinNY Yes, we are. Being here at the northernmost city, we always need to travel by plane just to visit our village schools, 7 of them. If we can save time by not imaging, we can do a lot more IT stuff in the schools during our summer visits.
@alexjdale I have the same concern as you. But I really have to make it work. When we were visited by our Apple rep, the first thing he told us was "Imaging will go away very soon". So I'd better start now and fix issues along the way.

jhuls
Contributor III

@alexjdale If you're going to mention data can exist outside of the user profile folder when they don't have admin privileges, it would be helpful and lend more credibility if you mentioned those locations.

jhuls
Contributor III

As for imaging or upgrading... I moved to upgrading a while back and only re-image if I absolutely have to. As far as data goes, we're moving to OneDrive as a storage solution, so re-imaging wouldn't be the worst thing in the world once we've migrated.

VT-Vincent
New Contributor III

@alexjdale I wouldn't call it cutting a corner; some might argue that imaging after the 1st deployment is cutting a corner in properly maintaining software updates. Assuming that your admin passwords haven't been compromised, there are very few other locations a standard user can write to. Those locations could easily be included in a cleanup script.
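As an added example (not code from the thread or any of its posters), here is the kind of end-of-term cleanup script VT-Vincent describes: remove local accounts with a UID above 501 while excluding named accounts that must survive, then empty the shared locations a standard user can write to outside a home folder. The account names, the /Users/Shared path and the dry-run default are assumptions; dscl and sysadminctl are macOS tools, but the selection logic is plain POSIX sh.

```shell
#!/bin/bash
# Added example, not code from the thread: end-of-term cleanup for a shared Mac
# along the lines VT-Vincent describes. dscl/sysadminctl are macOS tools; the
# account names and extra paths below are assumptions.
MIN_UID=501                        # 501 is normally the setup-time admin
KEEP_USERS="localadmin jamfmanage" # assumed names that must survive cleanup
EXTRA_DIRS="/Users/Shared"         # assumed shared, user-writable locations
DRY_RUN=${DRY_RUN:-1}              # default: only print the plan

# Emit "name uid" per local account from the Directory Service local node.
list_local_users() {
    dscl . -list /Users UniqueID
}

# Read "name uid" lines; print names with uid > MIN_UID not in KEEP_USERS.
# Non-numeric uids (the negative ones of system accounts) are skipped.
select_removable_users() {
    while read -r name uid; do
        [ -n "$name" ] || continue
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -gt "$MIN_UID" ] || continue
        keep=0
        for k in $KEEP_USERS; do
            [ "$name" = "$k" ] && keep=1
        done
        [ "$keep" -eq 1 ] || printf '%s\n' "$name"
    done
}

# Delete one account record together with its home folder.
remove_user() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would delete %s and /Users/%s\n' "$1" "$1"
        return 0
    fi
    sysadminctl -deleteUser "$1" >/dev/null 2>&1 \
        || { dscl . -delete "/Users/$1" && rm -rf "/Users/${1:?}"; }
}

# Run as root; set DRY_RUN=0 to apply instead of printing the plan.
main() {
    list_local_users | select_removable_users | while read -r u; do
        remove_user "$u"
    done
    for d in $EXTRA_DIRS; do
        [ "$DRY_RUN" = 1 ] && { echo "would empty $d"; continue; }
        find "$d" -mindepth 1 -delete
    done
}
```

Append a call to `main` and run it once with the default dry run to review the list of accounts and paths before letting it delete anything.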