Sysprep techniques for OS X machines

OS X can be deployed with different tools. For larger over-the-network deployments it is preferable to use DeployStudio or Apple's NetInstall software. DeployStudio is the preferable option because it gives you a truckload of customization options. In a future blog post I want to discuss these options. For now I want to look at some OS X sysprep techniques you can use for small-scale sneakernet deployments.

The first thing you want to do is choose an OS X machine that will function as the image builder. Keep in mind when choosing your hardware that you cannot deploy the created image on a newer generation of hardware. An image built on a 2009 iMac cannot be used on a 2012 iMac. This will most likely not work at all, and if the system does boot it will be unstable or some features will be unusable. Conversely, if you use a 2012 iMac to build the image, you will be able to deploy it on 2009 iMacs.

When you have chosen a machine, make a clean OS X installation. After the installation, apply updates and install all the software you want to include in the image. When you are ready to create the image, there are some sysprep techniques that can be used.

The first technique is not really a sysprep one, but it can still be very useful!

Making a hidden admin account:

sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add %user%

Before applying the command you need to create the admin account in OS X. With this command the user sees his own account at login, where he only needs to enter his password. Next to the user's account a separate login window is displayed where both the username and password need to be entered.

Reactivate the startup wizard at reboot:

sudo rm -rf /var/db/.AppleSetupDone

With this command the first-time wizard will reappear after rebooting the machine. When you have deployed the image and the system is rebooted, it will show the wizard, where the user can enter his own password, information and settings.

Delete swapfiles:

rm /private/var/vm/swapfile*

This says it all: it deletes the swapfiles.

Clean up caches and temp data:

rm -rf /Library/Caches/*
rm -rf /System/Library/Caches/*
rm -rf /Users/Shared/*
rm -f /private/etc/ssh_host*

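With these commands you clean up the system caches and temporary data. The last command also removes the SSH host keys, so the deployed machines do not all share the image builder's host keys.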

Clean up log files:

rm /private/var/log/%specifylog%
touch /private/var/log/%specifylog%

There are a lot of different log files in OS X. I will give you some examples, relative to /private/var/log:

  • /alf.log
  • /cups/access_log
  • /cups/error_log
  • /cups/page_log
  • /ftp.log*
  • /httpd/*
  • /lastlog
  • /mail.log*
  • /secure.log
  • /system.log*

It is important to use the touch command after each removal because syslog will not recreate a missing log on its own.

After you have used the above commands to prepare a clean image, the system can be rebooted. You can now start from an external disk and use Disk Utility to create an image of the system disk.
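The cleanup steps above can be verified before the disk is imaged. The following is an added example, not part of the original post: a POSIX shell function that audits a volume for what those commands should have removed or emptied. The ROOT argument, the function names and the selection of logs checked are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a volume after the cleanup steps, before imaging it.
# ROOT is an assumption of this example: "/" on the image builder, or the
# mount point of its system disk when booted from an external disk.

# Single-file logs from the post's list, relative to /private/var/log.
AUDIT_LOGS="alf.log cups/access_log cups/error_log cups/page_log lastlog secure.log system.log"

finding() { echo "FINDING: $1"; FINDINGS=$((FINDINGS + 1)); }

# Report every given path that still exists on the volume.
check_absent() {
    label=$1; shift
    for entry in "$@"; do
        # An unmatched glob stays literal, so test for existence.
        if [ -e "$entry" ]; then finding "$label: ${entry#"$ROOT"}"; fi
    done
}

audit_image_root() {
    ROOT=${1%/}; FINDINGS=0
    check_absent "setup marker (wizard will not run)" "$ROOT/var/db/.AppleSetupDone"
    check_absent "swap file" "$ROOT"/private/var/vm/swapfile*
    check_absent "SSH host key shared by every clone" "$ROOT"/private/etc/ssh_host*
    check_absent "cache entry" "$ROOT"/Library/Caches/* "$ROOT"/System/Library/Caches/*
    check_absent "shared user data" "$ROOT"/Users/Shared/*
    for log in $AUDIT_LOGS; do
        file="$ROOT/private/var/log/$log"
        if [ ! -e "$file" ]; then
            # The post notes that syslog will not recreate a missing log.
            finding "log missing, touch it: /private/var/log/$log"
        elif [ -s "$file" ]; then
            finding "log not emptied: /private/var/log/$log"
        fi
    done
    echo "$FINDINGS finding(s) under ${ROOT:-/}"
    # Exit status 0 only when the volume is clean.
    [ "$FINDINGS" -eq 0 ]
}
```

Booted from the external disk, pass the mount point of the system disk as the argument; a non-zero exit status means something from the steps above is still on the volume.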


I want to tell you briefly about the keychain system in OS X. Keychains are used to store sensitive, critical data. You can think of:

  • Resource passwords (only if allowed to save)
  • Wireless passwords
  • Kerberos items
  • Certificates
  • Keys
  • Website forms
  • Secure notes

Only the account password is not stored in the keychains.

The keychains are files encrypted with the Triple DES algorithm and are stored in different locations.

  • /Users/%username%/Library/Keychains/login.keychain

The login.keychain is automatically created for every user and is unlocked when the user successfully logs in. This keychain contains user specific items.

  • /Library/Keychains/System.keychain

Non-user-specific items are stored in the System.keychain. Here you can find wireless passwords, network passwords and Kerberos items. Only administrators can make changes in this keychain.

  • /Library/Keychains/FileVaultMaster.keychain

This keychain can only be opened with the FileVault master password. I will make a future blog post about FileVault where this is explained.

  • /System/Library/Keychains

This is also a keychain where only administrators can make changes. It is used to store root certificates.

With the Keychain Access application found in /Applications/Utilities you can open and edit the keychain. You can add, delete and modify entries. It is also possible to repair keychains. The Keychain Access application opens with the user's login.keychain by default. Here you see the different entries and you can reveal passwords. If you want to show a password, you will be prompted for the user account password.

As mentioned earlier, the login.keychain password is the same as the user account password. When a user changes his password, the login.keychain password is also changed, but if the password is reset by an administrator the login.keychain password is not changed. When the user logs in after a reset by an administrator there will be the following prompt:


The user can choose to update the keychain password, but for this the user needs to remember his forgotten password. So normally the user needs to create a new keychain. This new keychain is then created with the new user password. Because there is a new keychain, the saved passwords etc. from the old locked keychain are not present anymore.

The old keychain is saved in the user's ~/Library/Keychains folder. It can still be unlocked with the Keychain Access application when the user remembers the old password. If OS X can't open the keychain and it is corrupted, you can repair it with the Keychain Access application. In the Keychain Access menu you can choose Keychain First Aid. Here you need to enter a username and password, select the repair option and click on the Start button.

Nice little extra: if you travel a lot and want to take notes etc. securely with you, you can save them in a keychain file. With the Triple DES encryption the keychain file is securely encrypted and you can only open the keychain again with the password you used to create the keychain.