I tried a few approaches to no-imaging never-booted Macs, and I'm presenting here a way that worked for me, but you may very well have success with the other methods I tried that I had issues with.
Failed Attempt #1
I tried to make a distribution-style package that had all the minimal pkg files I needed to get the computer ready to run Munki bootstrapped, but when I tried to install it, I got this error message: NoImage can't be installed on this disk. You can only install this software on the disk that is running OS X.
@elios on the Mac Admins Slack Team rightly pointed out it's likely I had accidentally enabled the rootVolumeOnly option (more details in Apple's documentation). I didn't bother going back and testing that approach again, but you may want to—just make sure you have that flag set correctly.
Failed Attempt #2
Tried having Outset do all the work and put Munki itself in the boot-once folder, but it got the boot volume in some weird state where the Apple symbol appeared but the progress bar never moved beyond halfway.
I created a pkg with a payload of the ca.pem (certificate) to /Library/Managed Installs/certs.
I had another payload of the Munki installer and the Outset installer to the /tmp directory.
One last payload is a wireless-connect script to /usr/local/outset/boot-every. It checks to see if there's already an Internet connection. If there is, then the script deletes itself. Otherwise, it connects with the supplied credentials.
And then there's a postinstall_script for the pkg that creates the .AppleSetupDone file, installs Munki and Outset, writes the appropriate values to /Library/Preferences/ManagedInstalls.plist, and creates the Munki bootstrap file.
To deploy the pkg, I have an external drive with macOS set to autologin. Then I boot that on the never-booted Mac and launch up the NoImage pkg to install to the internal drive, and then reboot, and Munki's bootstrap does the rest of the work.
Example munkipkg of the NoImage .pkg
Things to definitely tweak (you can tweak more, obviously, depending on your organization's needs):
- If you have a real certificate for your Munki server, put that in instead of this fake ca.pem file.
- Put real .pkg files for Munki and Outset instead of the placeholders here.
- Put in your actual Munki server short URL, SSID, and wireless password in the WirelessConnect script.
- Put in your actual Munki server URL and basic auth info (if you are using basic auth—obviously if you're not, you're going to have to do more sophisticated tweaks) in the postinstall script.