My task is to set up a portable classroom set of 26 MacBook Airs so that each user always has a clean logon. To accomplish that, I take advantage of the Guest user logon on MacOS, which is a special logon which is always reset on logoff. The difficulty is, how do you customize a user account that never saves changes? These are the steps, as of MacOS Mojave.
These steps have gotten simpler over the past few MacOS releases, but there's still a few unintuitive parts of the process.
To follow these steps, in addition to the Macs you will be imaging, you will also need these items:
- One more Mac, any model with a Thunderbolt connection
- A Thunderbolt to Thunderbolt cable
- Imaging software, such as Carbon Copy Cloner
Unbox your first Mac and go through all the "welcome" screens, setting up an Administrator account for your future self, until you get to the Desktop. You will need this account for maintaining the computer in the future. I also set up a second "project" account for when users need to use the computer for a long-term project (where their data survives a reboot, unlike the Guest account), but that's specific to my situation and not required for these steps.
In order to enable the full Guest account (and not the neutered Safari-only Guest psuedo-account which is default on MacOS), you will need to make two changes:
- Go to "iCloud" settings and disable "Find My Mac"
- Go to "Security & Privacy" settings and disable "FileVault" – this will take some time and require at least one reboot. My Mac actually crashed during this step, but another reboot brought it back to life, with FileVault disabled.
- Go to "Users & Groups" then click "Login Options" and enable Fast User Switching. Then, enable Automatic login as "Guest User".
I would love it if we were allows to have a full Guest account with both Find My Mac and FileVault enabled, but alas, we cannot.
set your settings
Install all the software you need. Then, log out of Admin and log in as Guest. Open all the software, getting the preferences set in each program that you need set. Customize the Dock and whatever other MacOS Settings you need. Make sure you disable all automatic updating that prompt the Guest user to complete some action, because they will not be able to complete it. Once you have all that finished, quit all programs so that nothing beyond Finder is running, and do not log out, you are ready for the next step.
One optional (but very useful) setting that may be relevant to your needs is allowing the Guest User the ability to add and remove printers. By default, Guest User is stuck with whichever printers you pre-populate on the machine, but you can change this behavior, with the caveat that changes to printers will survive a reboot, unlike other changes made in Guest User mode.
To do this, while logged in as admin, open a Terminal window and run this command:
dseditgroup -o edit -n /Local/Default -u [ADMINISTRATOR] -p -a guest -t user lpadmin
Replace the word [ADMINISTRATOR] above with the username of your admin account.
saving over the guest account
Using Fast User Switching, switch to the Admin account and open Terminal. Run this command (always run it in English, and then run again for additional languages as needed):
sudo cp -r /Users/Guest/ /System/Library/User\ Template/English.lproj/.
You will then need to clear the contents of the Keychain folder for Guest. We will do this by moving it, rather than deleting it, just as a matter of best practice:
mv '/System/Library/User Template/English.lproj/Library/Keychains' '/System/Library/User Template/English.lproj/Library/Keychains.old' mkdir '/System/Library/User Template/English.lproj/Library/Keychains'
image capture and throw
Your Mac should now be a shining example to your other Macs for how to behave. But how to copy this setup onto the others? MacOS comes with a tool called "Disk Utility" that's supposed to do this... but it doesn't work very well. Instead, I recommend a cheap tool called Carbon Copy Cloner.
- On a third Mac, install Carbon Copy Cloner, and reboot your example Mac into Target Disk Mode (power on holding down the T key) and connect the two Macs using a Thunderbolt cable. The hard drive of the Target Disk Mode Mac will show up as an external drive on the machine running CCC.
- Use CCC to make a disk image of that Mac's hard drive. The settings in CCC should have the Target Disk Mode drive as the Source, set to "Copy All Files", with the destination being a "sparsebundle" image file on disk, with SafetyNet Off. After the image capture is complete, eject the example Mac and turn it off (Target Disk Mode can only be turned off by holding down the power button for 8 seconds).
- Boot up the next MacBook you want to image, again using Target Disk Mode, and connect it to the Mac running CCC using the Thunderbolt cable, same as before. Now, use CCC to throw that image from the file to the Hard Drive of the destination Mac (completely wiping out whatever was there before it). The settings in CCC should be the reverse of capturing the image: Source is the "sparsebundle" file on your disk, set to "Copy All Files", and the Destination is the Target Disk Mode disk, with SafetyNet Off.
- Once that's done (for me it took about 45 minutes to write the image), eject the Target Disk Mode disk, reboot your destination Mac, and you should see it boot as an exact copy of your first machine!
- Now you'll probably want to rename the newly imaged Mac with a different network name, so you can tell them apart.
You are now done!
This process is a little kludgy and not officially supported by Apple. Apple does provide something they claim is a better solution to the "classroom cart" problem, but it doesn't work as well as this modified Guest user approach, at least in the opinions of us education IT workers. Maybe one day Apple will bring their official solution in line with the actual needs of real world classrooms, but until then we've got these above instructions.