Deploying Firmware Updates During Imaging

Hey all, this is something we’ve been thinking about internally and, after Allister Banks’ afp548 blog post, there may be a workflow that lets you have your cake and eat it too.
First a caveat:
This is not something supported by Apple and may well break with future updates or in certain workflows.


So first, some background. For a while now Apple has stopped providing some (all?) firmware updates as separate update packages, instead baking them into macOS installers, updaters and security updates. As a result, if you are deploying your copies of macOS using a disk image, your client devices may not be getting these updates. This includes OSes deployed using AutoDMG / InstaDMG built images, as well as the more traditional monolithic / ‘Golden Master’ images.

Why is this important?

Well, as with most updates, firmware updates include bug fixes and miscellaneous new features. As we’re talking about low-level hardware-software interactions, these bug fixes can resolve lots of seemingly random issues.
Not enough? How about patches to security issues, like the ‘Thunderstrike 2’ vulnerability?
What do you mean a security issue is still not enough?!? OK, what about system compatibility? On Thursday, I gave a brief presentation for London Apple Admins on some new Knowledge Base articles Apple released for macOS High Sierra. One of those KB articles explains why you should not use monolithic system imaging to update or upgrade an OS. The reason? The device(s) will be missing required firmware updates, and this “…causes the Mac to operate in an unsupported and unstable state.”
So, in summary:
firmware updates == required

But how do I Firmware?

The fully supported solution to this issue is detailed in the same Apple KB article, namely:

An (unsupported) Alternative

We work with a fair number of education institutions where the above workflows are arguably either impractical or labour intensive, especially for their lab devices. Still, these devices are gonna need these firmware updates, so how do we do it?
A second shout-out to Allister Banks’ blog, which provides instructions on extracting the High Sierra Beta firmware update package from the ‘Install macOS’ application. I’ve based the guide below on that.
Note: This guide uses the `munkipkg` command line packaging tool, which can be downloaded from here
1) Grab the copy of ‘Install macOS’ that you used to build your AutoDMG image.
Note: This should be the exact same version (OS and build number) as your deployed image.
2) Run the following command to mount the InstallESD disk image inside the application

/usr/bin/hdiutil mount /Applications/Install\ macOS\

3) Run the following command to expand the Firmware update package

/usr/sbin/pkgutil --expand /Volumes/OS\ X\ Install\ ESD/Packages/FirmwareUpdate.pkg /tmp/FirmwareUpdate

4) Run the following command to create the directory to build our package

munkipkg --create /tmp/FirmwareUpdateStandalone

5) Run the following command to copy the post-install update script from the Firmware Update to the package build directory

/bin/cp /tmp/FirmwareUpdate/Scripts/postinstall_actions/update /tmp/FirmwareUpdateStandalone/scripts/postinstall

6) Run the following command to copy the tools from the Firmware Update to the package build directory

/bin/cp -R /tmp/FirmwareUpdate/Scripts/Tools /tmp/FirmwareUpdateStandalone/scripts/

7) Run the following command to create the firmware update package

munkipkg /tmp/FirmwareUpdateStandalone

8) Grab your new package from `/tmp/FirmwareUpdateStandalone/build/`. Personal preference, but I renamed mine to include the OS version and build, pulled from the ‘Install macOS Sierra’ application.
9) Upload this into your deployment solution of choice:

  1. If using Imagr, set your `first_boot` key to `true` – More Info
  2. If using DeployStudio, tick the `Postponed installation (packages will be installed on first boot)` option – More Info Page 66
  3. If using Jamf Pro with Casper Imaging, tick the `Install on boot drive after Imaging` box – More Info
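
Steps 2 to 7 above are a fixed sequence of commands, so here they are as one script. This is an added example, not code from the Amsys post or from munkipkg; it assumes the installer application path is passed in by the caller and that `InstallESD.dmg` lives at `Contents/SharedSupport/InstallESD.dmg` inside that app (the layout High Sierra installers use). It mounts the image at a private mount point rather than relying on the `/Volumes/OS X Install ESD` name, checks the `FirmwareUpdate.pkg` signature with `pkgutil --check-signature` before anything is copied out of it, and refuses to build if the expected `Scripts/postinstall_actions/update` and `Scripts/Tools` layout is missing, so a changed package layout fails loudly instead of producing an empty “firmware” package.

```shell
#!/bin/bash
# Added example, not code from the original post: automates steps 2-7.
# Assumptions (not stated on the page): the installer app path is supplied
# by the caller, and InstallESD.dmg sits at Contents/SharedSupport/InstallESD.dmg.
set -u

# Copy the firmware updater's post-install script and Tools directory out of
# an expanded FirmwareUpdate.pkg ($1) into a munkipkg project directory ($2).
# Returns 1 if either piece is missing.
stage_firmware_payload() {
    src="$1"; dest="$2"
    update_script="$src/Scripts/postinstall_actions/update"
    tools_dir="$src/Scripts/Tools"
    if [ ! -f "$update_script" ] || [ ! -d "$tools_dir" ]; then
        echo "stage_firmware_payload: expected layout not found in $src" >&2
        return 1
    fi
    mkdir -p "$dest/scripts"
    cp "$update_script" "$dest/scripts/postinstall"
    cp -R "$tools_dir" "$dest/scripts/"
    chmod 755 "$dest/scripts/postinstall"   # munkipkg needs an executable script
}

# Number of files staged under scripts/, so the caller can sanity-check that
# the payload is not empty before building.
staged_file_count() {
    find "$1/scripts" -type f | wc -l | tr -d ' '
}

# Refuse to repackage a FirmwareUpdate.pkg that is not validly signed.
# pkgutil --check-signature exits non-zero for unsigned or tampered packages;
# the certificate chain it prints is left for the operator to review.
verify_pkg_signature() {
    /usr/sbin/pkgutil --check-signature "$1"
}

# End to end: mount InstallESD from the installer app ($1), expand the firmware
# package, stage its contents into a munkipkg project under $2 and build it.
build_firmware_pkg() {
    installer_app="$1"; workdir="$2"
    dmg="$installer_app/Contents/SharedSupport/InstallESD.dmg"   # assumed location
    mnt="$workdir/esd"
    expanded="$workdir/FirmwareUpdate"
    project="$workdir/FirmwareUpdateStandalone"
    mkdir -p "$mnt"
    /usr/bin/hdiutil attach -nobrowse -mountpoint "$mnt" "$dmg" || return 1
    rc=0
    verify_pkg_signature "$mnt/Packages/FirmwareUpdate.pkg" \
        && /usr/sbin/pkgutil --expand "$mnt/Packages/FirmwareUpdate.pkg" "$expanded" \
        && munkipkg --create "$project" \
        && stage_firmware_payload "$expanded" "$project" \
        && munkipkg "$project" || rc=1
    /usr/bin/hdiutil detach "$mnt" >/dev/null   # always unmount, even on failure
    if [ "$rc" -eq 0 ]; then
        echo "Package built under $project/build/ ($(staged_file_count "$project") files staged)"
    fi
    return "$rc"
}

# Usage: ./build_firmware_pkg.sh "/Applications/Install macOS <name>.app" /tmp/fwbuild
if [ "$#" -eq 2 ]; then
    build_firmware_pkg "$1" "$2"
fi
```

Run it with the same installer application you built your AutoDMG image from (step 1 still applies: the OS version and build must match the deployed image). The finished package lands in `<workdir>/FirmwareUpdateStandalone/build/`, ready for step 8.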

That should be it. Don’t forget:

  • If you start deploying a newer OS, you’ll need to repeat these steps and edit your workflows as required to deploy the updated firmware updater.
  • If the Mac doesn’t need the firmware update, the tools in the package are smart enough to know not to run it.
  • This is not an Apple officially sanctioned workflow, so you’re on your own with it!


And there we go, hopefully that’ll help some of you out, or at least give you some ideas for poking your nose into how and why Apple performs these updates, and how they expect you to deploy Macs. As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
The usual Disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.