Lazy VM building hacks with AutoDMG and KextPolicy

When I wrote my Quick user test machines with VMware Fusion post many moons ago I discussed building VMs with Casper Imaging and VMware Fusion, and having the VMware Tools installer run during imaging. What's great about having VMware Tools installed automatically when setting up a VM via an imaging workflow is that it's one less step to getting a testing VM in shape for drag-and-drop, copy-pasting, and native window resizing.

A bit of a wrench was thrown in the works here by Secure Kernel Extension Loading (SKEL) in macOS 10.13, where a third-party kext must be approved by the user and whitelisted before it can load on that machine. As it turns out, the approval for the VMware Tools kext is stored in /var/db/SystemPolicyConfiguration/ in a file called KextPolicy.

Something you can do when building your VM is to pre-install this KextPolicy file alongside the VMware Tools.pkg installer, so that the pre-approval is already in place while the VM is being built. This really only works with something like AutoDMG, which writes into a mounted disk image rather than a booted, SIP-protected system, so SIP never gets a say.

So for a quick overview of how this can save you some time and manual configuration of a VM, consider the following workflow:

1. Set up one vanilla VM with VMware Fusion Pro 10, using the newest macOS 10.13 installer disk.

2. Once setup is complete, install VMware Tools.

3. Reboot, then accept the prompt to allow the kernel extension to load on the system and reboot again.

4. Open up Composer on the VM (or your packaging tool of choice) and build a .pkg installer that lays down /var/db/SystemPolicyConfiguration/KextPolicy.


5. Save the VMware Tools and KextPolicy installers somewhere easy to access on your host machine or elsewhere.

6. Build yourself a new vanilla AutoDMG image, and drag and drop the installers into the Additional Software window of AutoDMG.


(And don't forget to open Advanced Options and specify the disk size)


7. Once the AutoDMG disk image is built, use it alongside vfuse to build your VM (for more on how that works, check out this guide from Ross Derewianko). When you boot it up (or make a linked/full clone and boot that up, which is what I tend to do) it'll have VMware Tools installed and the kext pre-approved, so you don't have to bother with manual installs and a bunch of reboots before you can drag and drop or copy/paste between your host and guest.
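If you'd rather not fire up Composer for step 4, the same package can be built from the command line. The script below is an added example, not tooling from the post or from AutoDMG/VMware: it stages the KextPolicy file into a payload root at its real path, sanity-checks that what you copied is actually the SQLite database (which is what KextPolicy is), optionally lists the approvals it contains (the kext_policy table with its team_id, bundle_id and allowed columns, as it looks on 10.13), and wraps the payload with pkgbuild from the Xcode command line tools. The package identifier com.example.kextpolicy-preapproval is a placeholder; the file itself is root-only, so run it with sudo on the VM where you accepted the kext prompt.

```shell
#!/bin/sh
# Added example (not the post's own tooling): wrap an already-approved
# KextPolicy file into a flat .pkg with pkgbuild instead of Composer, so it
# can be dropped into AutoDMG's Additional Software alongside VMware Tools.
# Assumes macOS with the Xcode command line tools (pkgbuild) and, for the
# optional inspection helper, the sqlite3 CLI. The identifier
# com.example.kextpolicy-preapproval is a placeholder.

# Copy the KextPolicy file into a payload root at the same path it has on
# a booted system. Prints the staged path so callers can check it.
stage_kextpolicy_payload() {
    src="$1"; root="$2"
    [ -f "$src" ] || { echo "source file not found: $src" >&2; return 1; }
    dest_dir="$root/var/db/SystemPolicyConfiguration"
    mkdir -p "$dest_dir"
    cp "$src" "$dest_dir/KextPolicy"
    chmod 600 "$dest_dir/KextPolicy"   # keep it root-only, as the original is
    printf '%s\n' "$dest_dir/KextPolicy"
}

# KextPolicy is a SQLite 3 database; a header check catches a botched copy
# (e.g. an HTML error page or an empty file ending up in the payload).
is_sqlite_db() {
    [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# Show which team IDs / bundle IDs the file approves (kext_policy table on 10.13).
# Useful both before packaging and on the built VM to confirm the approval landed.
list_kext_approvals() {
    command -v sqlite3 >/dev/null 2>&1 || { echo "sqlite3 not available" >&2; return 2; }
    sqlite3 "$1" 'SELECT team_id, bundle_id, allowed FROM kext_policy;'
}

# Build the flat package. --ownership recommended keeps root:wheel on /var/db.
build_kextpolicy_pkg() {
    root="$1"; out="$2"
    command -v pkgbuild >/dev/null 2>&1 || { echo "pkgbuild not found; payload left at $root" >&2; return 2; }
    pkgbuild --root "$root" --install-location / \
        --identifier com.example.kextpolicy-preapproval --version 1.0 \
        --ownership recommended "$out"
}

# Stand-alone use on the VM where the kext was approved (the file is root-only):
#   sudo sh build_kextpolicy_pkg.sh /var/db/SystemPolicyConfiguration/KextPolicy ./KextPolicy.pkg
if [ "$#" -eq 2 ]; then
    work=$(mktemp -d)
    staged=$(stage_kextpolicy_payload "$1" "$work/root") || exit 1
    is_sqlite_db "$staged" || echo "warning: $staged is not a SQLite database" >&2
    list_kext_approvals "$staged" || true
    build_kextpolicy_pkg "$work/root" "$2"
fi
```

Because the payload lands under /var/db, which is SIP-protected on a running system, this package only does anything useful in the AutoDMG build, where the target volume is a plain disk image; installed on a booted 10.13 Mac it would simply fail to write the file.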


Important Note: the KextPolicy file is SIP protected, meaning the above is really the only kind of situation where you can plant a file like this to have a kext pre-approved. If you're concerned about SKEL in your environment consider putting an MDM in place if you haven't already. 

Also important: This kind of workflow obviously works around the feature as it was designed, and is definitely a hack. Don't use this in production, or on actual Macs at your org; that would just be a bad idea all-around. This is really only intended to provide a quick way to spin up testing VMs for macOS 10.13.

One more thing…: This work-around was pointed out to me by another member of the MacAdmins community who will remain anonymous unless they would like me to point them out. Because again, hacky.

Fun note: Wouldn't it be nice if VMware found a way to do something comparable so the tools wouldn't have to be manually installed and the kext manually approved when building a 10.13 VM? I mean they have to generate an installation medium anyway. Just a thought…
