September 2023 Updates
Updated commands for macOS Ventura
U of U Mac Admins, July 2022
macOS VMs on Apple Silicon to use in CI and other automations
Hoping that someone had figured out a way to specify a VM’s Serial Number for Automated Device Enrollment testing using a Mac with Apple silicon as the host, I quickly installed Homebrew and Tart on my test M1 MacBook Air running macOS 13.1.
```bash
# Confirm "arm64" architecture of host Mac
arch

# Install Homebrew; see https://brew.sh
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Tart via Homebrew
brew install cirruslabs/cli/tart

# Confirm installed version of Tart
tart --version

# Review Tart's help
tart --help
```
Running a Tart VM on a Mac with Apple silicon worked precisely as advertised and — not counting download time — the monterey-base VM was running within minutes.
The anticipation increased as I entered tart set --help in Terminal, hoping to see a way to specify a VM’s Serial Number. Alas, only display settings can be modified via the tart set command.
After poking around the OS for a few minutes, I gracefully shut down the VM, a tad deflated.
The “What if …” moment
- Computers enrolled via User-initiated Enrollment are most often used by C-level individuals who tend to “go around” normal purchasing channels — where we leverage Automated Device Enrollment — because they want the latest Apple hardware now!
- Why not test User-initiated Enrollment with a VM?
- Perhaps I could get an enrollment to go “sideways” (i.e., FileVault enabled pre-enrollment) and then make sure my auto-repair policies are working as expected
Creating from Scratch
The Creating from Scratch instructions also worked like a champ, although I opted to download the release candidate from Ryan’s Apple Silicon M1 Full macOS Restore IPSW Firmware Files Database.
```bash
# Create a "base" VM from the macOS 14.0 (23A344) IPSW in ~/Downloads
tart create --from-ipsw=/Users/`id -n -u`/Downloads/UniversalMac_14.0_23A344_Restore.ipsw 14.0_23A344-base

# List VMs
tart list

# Increase VM CPU cores to four
# tart set 14.0_23A344-base --cpu 4 # now default with Tart version 0.4.1

# Set VM display
tart set 14.0_23A344-base --display 2048x1000x72

# Run VM
tart run 14.0_23A344-base

# Configure macOS general settings as desired, then shutdown gracefully via: > Shutdown…

# Capture the current date / time for repeated use
timestamp=$(date '+%Y-%m-%d-%H%M%S')

# Create a timestamped-clone of "base" VM
tart clone 14.0_23A344-base 14.0_23A344-clone-$timestamp

# List VMs
tart list

# Reduce VM display
tart set 14.0_23A344-clone-$timestamp --display 1024x768x72

# Boot to macOS Recovery
tart run 14.0_23A344-clone-$timestamp --recovery
```
Having tested Automated Device Enrollment almost exclusively for the last several years, it was a nice change to see all the Setup Assistant steps; I even enabled Choose your Look in our lower-lane PreStage Enrollments.
After you’ve completed the unfettered Setup Assistant, my recommended first modification is System Preferences > Dock & Menu Bar > Clock and at least enable Flash the time separators.
(You might as well ensure the Time Zone is correct while you already have System Preferences opened.)
Before enabling these options, on multiple, multiple occasions, I wasn’t sure if the VM was hung or under-powered or something else. With these settings enabled, you can instantly know if you need to bounce your VM (either via the tart > Quit tart Menu Bar or via Control-C in Terminal).
I was initially convinced I caused the vast majority of OS hangs by rapid two-finger scrolling instead of clicking-and-dragging the scroll bar; looks like more cowbell will do the trick (i.e., VMs always freeze/lock up after a few minutes. #84).
After poking around on the host, I discovered the VMs live inside of ~/.tart/vms — which doesn’t currently appear to be documented — and I deleted several of my failed attempts.
My first attempts at User-initiated Enrollment failed to reach my lower-lane server until I realized the host Mac had an active VPN connection; disconnecting the host’s VPN connection allowed the VM to reach the lower-lane server as expected.
I also discovered I had locked down UIE via Single Sign-on too far and having corrected the SSO settings, UIE worked as expected.
Watching the UIE workflow again was a good experience and motivated me to self-schedule time to update my internal documentation.
Once the device was enrolled, I was excited to test our new Setup Your Mac workflow with a UIE device, but I purposely opted to not run it immediately post-enrollment.
I quickly learned that while our FileVault Recovery Key Reissue Self Service policy worked, it presumed all our client-side functions were already in-place as a result of the user having previously completed the Setup Your Mac process.
While Jamf Pro correctly reports the computer as having a Processor Type: Apple M1 (Virtual), the Disk Encryption information is lacking.
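The “sideways” case described earlier (FileVault already on when a Mac arrives via User-initiated Enrollment) can be flagged from the text printed by two status commands. This is an added example, not the author's policy script: the function names, state labels and sample outputs are constructed, and it assumes any UIE-enrolled Mac with FileVault on is a candidate for a recovery key reissue, since these commands cannot tell when FileVault was enabled.

```bash
# Classify a Mac from the output of `fdesetup status` and
# `profiles status -type enrollment`. Labels and rules are illustrative.

# Constructed sample output (not captured from a real machine).
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_UIE='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# enrollment_type <profiles output> -> ade | uie | unenrolled
enrollment_type() {
  local dep mdm
  dep=$(printf '%s\n' "$1" | awk -F': ' '/^Enrolled via DEP/ {print $2}')
  mdm=$(printf '%s\n' "$1" | awk -F': ' '/^MDM enrollment/ {print $2}')
  case "$mdm" in
    Yes*) case "$dep" in Yes*) echo ade ;; *) echo uie ;; esac ;;
    *)    echo unenrolled ;;
  esac
}

# filevault_state <fdesetup output> -> on | off | unknown
filevault_state() {
  case "$1" in
    *"FileVault is On."*)  echo on ;;
    *"FileVault is Off."*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# triage <fdesetup output> <profiles output> -> action label
triage() {
  local fv enr
  fv=$(filevault_state "$1"); enr=$(enrollment_type "$2")
  case "$enr:$fv" in
    unenrolled:*) echo "not-enrolled" ;;
    uie:on)       echo "reissue-recovery-key" ;;  # key may predate MDM escrow
    *:off)        echo "enable-filevault" ;;
    *:on)         echo "ok" ;;
    *)            echo "investigate" ;;           # unparsed FileVault state
  esac
}

# On the VM itself: triage "$(fdesetup status)" "$(profiles status -type enrollment)"
```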
You’ll most likely want to add a Time Machine exclusion for the
While authoring this post, I’ve had to bounce the VM more times than I can count; perhaps Tart isn’t designed for the use-case of testing Jamf Pro User-initiated Enrollment and its related policies and instead sticking to CI integration.
Regardless, Tart is snappy and is certainly worth a look.
Since I wrote this two days ago, there have already been multiple updates:
```
% brew update
% brew outdated
cirruslabs/cli/tart (0.2.4) < 0.3.1
% brew upgrade
==> Upgrading 1 outdated package:
cirruslabs/cli/tart 0.2.4 -> 0.3.1
```
tart set 14.0_23A344-clone-$timestamp --cpu 8
All my reported issues have already been resolved with
- 68 Document location of VMs on host
- 88 Heading order reversed in
- 89 Sort tart list by default
And, can you say “macOS Recovery”?
Probably the easiest way to interact with your Tart VM is via a VNC client (i.e., Apple Remote Desktop):
tart run 14.0_23A344-clone-$timestamp --no-graphics --vnc