
Testing “sideways” Jamf Pro enrollments with Tart

March 2024 Updates

Updated commands for macOS Sonoma 14.4.1 (23E224).

U of U Mac Admins, July 2022

Honored to co-present with Fedor Korotkov at the July 2022 U of U Mac Admins meeting.

Background

The Updates and Releases section of Armin Briegel’s Weekly News Summary for Admins included a reference to Tart with the following one-line description:

macOS VMs on Apple Silicon to use in CI and other automations

Hoping that someone had figured out a way to specify a VM’s Serial Number for Automated Device Enrollment testing using a Mac with Apple silicon as the host, I quickly installed Homebrew and Tart on my test M1 MacBook Air running macOS 13.1.

# Confirm "arm64" architecture of host Mac
arch

# Install Homebrew; see https://brew.sh
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Tart via Homebrew
brew install cirruslabs/cli/tart

# Confirm installed version of Tart
tart --version

# Review Tart's help
tart --help

TL;DR

Specifying a VM’s Serial Number with Tart is not possible.

Custom Serial Injection #59

First Impressions

Running a Tart VM on a Mac with Apple silicon worked precisely as advertised and — not counting download time — the monterey-base VM was running within minutes.

The anticipation increased as I entered tart set --help in Terminal, hoping to see a way to specify a VM’s Serial Number. Alas, only cpu, memory and display settings can be modified via the tart set command.

After poking around the OS for a few minutes, I gracefully shut down the VM, a tad deflated.

The “What if …” moment

Having read on MacAdmins Slack about others who were fine testing User-initiated Enrollment with VMs hosted on M1 Macs, the following occurred to me:

  • Computers enrolled via User-initiated Enrollment are most often used by C-level individuals who tend to “go around” normal purchasing channels — where we leverage Automated Device Enrollment — because they want the latest Apple hardware now!
  • Why not test User-initiated Enrollment with a VM?
  • Perhaps I could get an enrollment to go “sideways” (i.e., FileVault enabled pre-enrollment) and then make sure my auto-repair policies are working as expected

Creating from Scratch

The Creating from Scratch instructions also worked like a champ, although I opted to download the release candidate from Ryan’s Apple Silicon M1 Full macOS Restore IPSW Firmware Files Database.

# Create a "base" VM from the macOS 14.4.1 (23E224) IPSW in ~/Downloads
tart create --from-ipsw=/Users/`id -n -u`/Downloads/UniversalMac_14.4.1_23E224_Restore.ipsw 14.4.1_23E224-base

# List VMs
tart list

# Increase VM CPU cores to four
# tart set 14.4.1_23E224-base --cpu 4 # now default with Tart version 0.4.1

# Set VM display
tart set 14.4.1_23E224-base --display 2048x1000x72

# Run VM
tart run 14.4.1_23E224-base

# Configure macOS general settings as desired, then shut down gracefully via: Apple menu > Shut Down…

# Capture the current date / time for repeated use
timestamp=$(date '+%Y-%m-%d-%H%M%S')

# Create a timestamped-clone of "base" VM
tart clone 14.4.1_23E224-base 14.4.1_23E224-clone-$timestamp

# List VMs
tart list

# Reduce VM display
tart set 14.4.1_23E224-clone-$timestamp --display 1024x768x72

# Boot to macOS Recovery 
tart run 14.4.1_23E224-clone-$timestamp --recovery

Having tested Automated Device Enrollment almost exclusively for the last several years, it was a nice change to see all the Setup Assistant steps; I even enabled Choose your Look in our lower-lane PreStage Enrollments.

Apple’s Setup Assistant “Choose Your Look”

After you’ve completed the unfettered Setup Assistant, my recommended first modification is System Preferences > Dock & Menu Bar > Clock and at least enable Flash the time separators.

System Preferences > Dock & Menu Bar > Clock

(You might as well ensure the Time Zone is correct while you already have System Preferences opened.)

Before enabling these options, on multiple, multiple occasions, I wasn’t sure if the VM was hung or under-powered or something else. With these settings enabled, you can instantly know if you need to bounce your VM (either via the tart > Quit tart Menu Bar or via Control-C in Terminal).

I was initially convinced I caused the vast majority of OS hangs by rapid two-finger scrolling instead of clicking-and-dragging the scroll bar; looks like more cowbell will do the trick (i.e., --cpu 4)

VMs always freeze/lock up after a few minutes. #84

After poking around on the host, I discovered the VMs live inside of ~/.tart/vms (which doesn’t currently appear to be documented) and I deleted several of my failed attempts.

Next, ensure File Sharing is enabled on the host Mac; the first thing I copied was a text clipping of the FileVault Recovery Key.

User-initiated Enrollment

My first attempts at User-initiated Enrollment failed to reach my lower-lane server until I realized the host Mac had an active VPN connection; disconnecting the host’s VPN connection allowed the VM to reach the lower-lane server as expected.

I also discovered I had locked down UIE via Single Sign-on too far and having corrected the SSO settings, UIE worked as expected.

Watching the UIE workflow again was a good experience and motivated me to self-schedule time to update my internal documentation.

False Assumptions

Once the device was enrolled, I was excited to test our new Setup Your Mac workflow with a UIE device, but I purposely opted to not run it immediately post-enrollment.

I quickly learned that while our FileVault Recovery Key Reissue Self Service policy worked, it presumed all our client-side functions were already in-place as a result of the user having previously completed the Setup Your Mac process.

While Jamf Pro correctly reports the computer as having a Processor Type: Apple M1 (Virtual), the Disk Encryption information is lacking.

Jamf Pro Computer Record > Disk Encryption
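
One way to flag a “sideways” enrollment from the client side, as an added example that is not part of the original post: a Jamf Pro extension-attribute style script that classifies the output of fdesetup status. The function name and result strings are hypothetical, and it assumes the recovery key is escrowed with Apple's FDERecoveryKeyEscrow profile payload, which leaves the encrypted key at /var/db/FileVaultPRK.dat; the presence of that file is a client-side hint, not proof that the server holds a valid key.

```shell
#!/bin/sh
# Added example (not from the original post): classify FileVault state so a
# Mac that was encrypted before enrollment can be spotted and repaired.
# Assumption: key escrow uses Apple's FDERecoveryKeyEscrow payload, which
# writes the encrypted recovery key to /var/db/FileVaultPRK.dat.

# classify_filevault STATUS_TEXT PRK_PATH
#   STATUS_TEXT  text printed by `fdesetup status`
#   PRK_PATH     path of the escrowed-key file to look for
classify_filevault() {
    status_text=$1
    prk_path=$2
    case $status_text in
        *"in progress"*)
            # Encryption or decryption is still running; re-check later.
            echo "Conversion in progress" ;;
        *"FileVault is On."*)
            # -s: the file exists and is not empty
            if [ -s "$prk_path" ]; then
                echo "Encrypted, key escrowed"
            else
                echo "Sideways: encrypted, no escrowed key"
            fi ;;
        *"FileVault is Off."*)
            echo "Not encrypted" ;;
        *)
            # Unexpected output: report it rather than guess.
            echo "Unknown" ;;
    esac
}

# On a Mac, print the value in the <result> format Jamf Pro reads from an
# extension attribute. Skipped on hosts without fdesetup.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(classify_filevault "$(fdesetup status 2>&1)" /var/db/FileVaultPRK.dat)
    echo "<result>${state}</result>"
fi
```

A smart group on the “Sideways” value can then scope a key-reissue policy to exactly the computers that need it, independent of whether Setup Your Mac has run.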

Time Machine

You’ll most likely want to add a Time Machine exclusion for the ~/.tart directory.

# Exclude Tart from Time Machine backups (thanks, Nate Felton!)
tmutil addexclusion -p ~/.tart

Continuing Impressions

While authoring this post, I’ve had to bounce the VM more times than I can count; perhaps Tart isn’t designed for the use case of testing Jamf Pro User-initiated Enrollment and its related policies and instead sticks to CI integration.

Regardless, Tart is snappy and is certainly worth a look.

Update (16-May-2022)

Since I wrote this two days ago, there have already been multiple updates:

% brew update

% brew outdated
cirruslabs/cli/tart (0.2.4) < 0.3.1

% brew upgrade
==> Upgrading 1 outdated package:
cirruslabs/cli/tart 0.2.4 -> 0.3.1

Update (18-May-2022)

Evidently others are also observing VM freezes and the recommended approach is to increase the number of CPU cores; Tart 0.4.1 now defaults to four:

tart set 14.4.1_23E224-clone-$timestamp --cpu 8

Update (20-May-2022)

All my reported issues have already been resolved with 0.5.0:

And, can you say “macOS Recovery” ?

tart run 14.2_23C64-clone-$timestamp --recovery

Update (02-Jun-2022)

Probably the easiest way to interact with your Tart VM is via a VNC client (i.e., Apple Remote Desktop):

tart run 14.4.1_23E224-clone-$timestamp --no-graphics --vnc