While there are any number of tutorials on using NetBoot and NetRestore to install images on your Macintoshes you need to know how to do it easily and securely on a large campus.

I use Mac OS X Server (I have 10.4 but this method works with anything after 10.3) to NetBoot Macs across a wide campus and install an image onto the target Mac. It could be one of a number of images, each change fairly often. To make matters worse the same NetBoot and image server is used by support staff within faculties for their images and Macintoshes.

This means that until I refined our method too many people had access to administer the server, too many people could make a mistake and hang the whole process. At one time there were nine different boot images and I didn’t know who was responsible for each.

The first thing I needed to do was create a single netboot image that could be used by everyone. Fortunately 10.5 is a universal OS so I don’t need to worry about PPC vs Intel.

The secret to this is to use OS X Server’s ability to serve web pages and NetBoot’s ability to load preference files from a web server. When you use NetRestore Helper to build your NetBoot image you can specify a URL for NetRestore to get both it’s preference file (which specifies such things as if it should automatically start loading an image and if it should reboot after the image process) and the configuration file (which specifies details of where to get images).

Serve these out using the web server on OS X and you are close to the perfect solution. At least now we have a single boot image that can be easily reconfigured.

The next step is to deal with those pesky images that keep on changing. While you can keep on updating the configuration file picked up by NetRestore there is an easier way.

It turns out that we don’t even need that configuration file. Have a look at the directory structure of your NetBoot images. They live in /Library/Netboot/NetbootSP0 in a bunch of folders that end in “.nbi”, presumably short for net boot image. If you place a folder in there called “Resources” it then holds three sub folders called “Pre-actions”, “Post-actions” and, most important, “Disk Images”. It turns out that any image in the “Disk Images” folder is automatically placed in the pop up image menu in NetRestore.

Now if you carefully read all of the above you might realise that the only places on the server you now need to change to totally modify the behaviour and resources for NetRestore are in two folders.

This means you can now secure your server totally from all support staff and only allow them access to two shares – one the folder served out via http so they can alter the way NetRestore runs and the second the folder containing the images to be installed. So share those out to be read/write a special user group called “Image Admins” and they no longer need to either log in to the server or access it via Server Admin.

You now have a totally secure, totally reliable, easily supported way of NetBooting your Macs and installing any image desired. Time for a well earned coffee.