Sysprep techniques for OS X machines

It is possible to deploy OS X with different tools, for larger over the network deployments it is preferable to use DeployStudio or Apple’s NetInstall software. DeployStudio is the most preferable option because you have a truckload of customization option. In a future blogpost I want to discuss these options. For now I want to look at some OS X sysprep techniques you can use for small scale sneakernet deployments.

The first thing you want to do is choosing an OS X machine that will function as image builder. Keep in mind when you choose your hardware you cannot deploy the created image on a newer generation of hardware. So when you have an image build on a 2009 iMac you cannot use this image on a 2012 iMac. This will most likely not work at all and if the system boots it will be unstable or you cannot use some features. In contrary, if you use an 2012 iMac for building the image you will be able to deploy this image on 2009 iMacs.

When you have chosen a machine you make a clean OS X installation. After the installation you apply updates and install all software you want to include in the image. When you are ready to create the image there are some sysprep techniques that can be used.

The first technique is not really a sysprep one but this can still be very useful!

Making an hidden admin account:

sudo defaults write /Library/Preferences/ HiddenUsersList -array-add %user%

Before applying the command you need the create the admin account in OS X. With this command the user sees his own account at login where he only needs the enter his password. Next to the users account a separate login window is displayed where both the username and password needs to be entered.

Reactivate the startup wizard at reboot:

sudo rm -rf /var/db/.AppleSetupDone

With this command the first time wizard will reappear after rebooting the machine. When you have deployed the image and the system is rebooted it will show the wizard where the user can enter his own password, information and settings.

Delete swapfiles: 

rm /private/var/vm/swapfile*

This says it all, it deletes the swapfile.

Clean up caches and temp data:

rm -rf /Library/Caches/*
rm -rf /System/Library/Caches/*
rm -rf /Users/Shared/*
rm -f /private/etc/ssh_host*

With these commands you clean-up the system caches and temporary data.

Clean up log files:

rm /private/var/log/%specifylog%
touch /private/var/log/%specifylog%

There are a lot of different log files in OS X. I will give you some examples:

  • /alf.log
  • /cups/access_log
  • /cups/error_log
  • /cups/page_log
  • /ftp.log*
  • /httpd/*
  • /lastlog
  • /mail.log*
  • /secure.log
  • /system.log*

It is important to use the touch command after each removal because syslog will not recreate a missing log on his own.

After you have used the above commands to create a clean image the system can be rebooted. You can now start from an external disk and use the disk utility to create an image from the system disk.


I want to tell you briefly about the keychain system in OS X. Keychains are used to store sensitive critical data. You can think of:

  • Resource passwords (only if allowed to save)
  • Wireless passwords
  • Kerberos items
  • Certificates
  • Keys
  • Website forms
  • Secure notes

Only the account password is not stored in the keychains.

The keychains are files encrypted with the Triple DES algorithm and located in different locations.

  • /Users/%username%/Library/Keychain/login.keychain

The login.keychain is automatically created for every user and is unlocked when the user successfully logs in. This keychain contains user specific items.

  • /Library/keychain/System.keychain

Non user specific items are stored in the System.keychain. Here you can find wireless passwords, network passwords and Kerberos items. Only administrators can make changes in this keychain.

  • /Library/Keychain/FileVaultMaster.Keychain

This keychain can only be opened with the File Vault master password. I will make a future blog post about File Vault where this is explained.

  • /System/Library/Keychains

This is also a keychain where only administrators can make changes. It is used to store root certificates.

With the Keychain Access application found in /Applications/Utilities you can open and edit the keychain. You can add, delete and modify entries. It is also possible to repair keychains. The keychain Access application opens with the user’s login.keychain as a default. Here you see different entries and you can resolve passwords. If you want to show a password you will be prompted for the user account password.

As mentioned earlier the login.keychain password is the same as the user account password. When a user changes his password the login.keychain password is also changed but if the password is reset by an administrator the login.keychain password is not changed. When the user logs in after a reset by an administrator there will be the following prompt:


The user can choose to update the keychain password but fore this the user needs to remember his forgotten password. So normally the user needs to create a new keychain. This new keychain is then created with the new user password. Because there is a new keychain the saved password etc. from the old locked keychain are not present anymore.

The old keychain is saved in the user’s  ~/Library/Keychains folder. It can still be unlocked with the Keychain Access application when the user remembers the old password. If OS X can’t open the keychain and it is corrupted you can repair it with the Keychain Access application. In the Keychain Access menu you can choose Keychain First Aid. Here you need to enter a username and password, select the repair option and click on the Start button.

Nice little extra: If you travel a lot and want to take notes etc. securely with you, you can safe them in a keychain file. With the Triple DES encryption the keychain file is securely encrypted and you can only open the keychain again with the password you used to create the keychain.

Apple XProtect

In the past couple of months Apple has blocked unsafe versions of Java and Flash for OS X systems. Because of this, older Java and Flash versions are suddenly not working anymore. Sometimes the software developer needs to develop a bugfix or the user needs to update to the latest version of the used software.

So how can Apple remotely block software on your system? The answer is: XProtect. I will give you a short overview of this protection mechanism in this blogpost.

Since OS X v10.6 the XProtect framework checks every download for malicious code. The XProtect definitions where updated with the normal OS X software update. Recently Apple released an update for the XProtect framework so it can check for updates on itself. This way Apple can react faster on potential threads.

This mechanism is controlled with the XProtect.plist file. This file can be found in the following location:

System -> Library -> CoreServices -> CoreType.bundle -> Contents -> Resources

Here you can also see the XProtect.meta.plist file. In this file you can find the version number, this is used to check if an update is needed. Here you can also find software that is blocked.


When you open the XProtect.meta.plist file with an texteditor it is possible to change the string value of blocked software so that older versions of the software are usable. Keep in mind that it is blocked with a reason.

It is possible to turn the automatic update feature of XProtect off. You can do this by going to the following location:

Preferences -> Security -> General -> Advanced

Here you can choose to turn the automatic update feature off. If you want to force a manual update of the definitions you can run the following command in a terminal.

sudo launchctl start

It is nice to have a build in solution to protect users. But you always need to remember the fact that XProtect is not a antivirus replacement. The on-access scanning from known antivirus products reacts a lot faster than the XProtect mechanism. To be as safe as possible I would suggest using XProtect in combination with a known antivirus product.