Child pages
  • First Boot Script
Skip to end of metadata
Go to start of metadata


Using a first boot script enables administrators to run custom code every time a Mac boots. First boot scripts require two files to be written to the system.

The first file that is required is a script. The script can be in any language, as long as it is able to be run from the command line. In this example, we use a bash script. Normally, the script is installed in a path on the system that is not readable by standard users. Common locations are "/Library/<youradmindir>/" or "/var/root/".

The second file that is required is a LaunchDaemon plist. This plist is run by the launchd process when the system boots. LaunchDaemons are stored in "/Library/LaunchDaemons/". LauncDaemon plists are named using the reverse FQDN of the creator, for Penn State that is usually "edu.psu.<dept>.<script>.plist".

Next, we'll walk through setting up a first boot script. Start by downloading the following files:

1) Bash Script:

2) LaunchDaemon plist: edu.psu.firstboot.plst

Once these files are saved locally, open the "" script. This script uses 5 different commands to unload the LoginWindow so that directory services has time to initialize before showing. We use this script with CLM Macs on 10.7.4 because of a bug that keeps the loginwindow from authenticating kerberos users after a first boot.

The LaunchDaemon plist is configured to run this script at every boot. It has three fields of interest for us. The first field that may need updated is the "Label". The label is simple the name of the LaunchDaemon plist, without the ".plist" ending. If you update the name of the file, you will need to update the label. The second field is "ProgramArguments", which points to the location of the first boot script on the file system. This path needs updated to match the location of the first boot script. The last field is "RunAtLoad", which is a boolean field. A boolean field can only be set to true or false. In this case we have set "RunAtLoad" to true, which causes the LaunchDaemon plist to run the script during a system boot.



The script should be installed in a location that standard users can not view. We will create a new directory under /Library to house the script, and change its permissions so that only admins can view the contents. The first command we will use is "mkdir", which will create the folder. The second command "chown" changes the ownership of the folder to your admin account. Replace your local admin account short name where "<admin account>" is in the second line below. The third command changes permissions on the folder so that only your local admin account can write to the folder, only the administrators on the Mac can read the folder, and no one else can view, edit, or read.

After you've created the folder, you will need to install your script there. You can either drag and drop the script to the location, or use the following command in the After typing "cp" and space, drag the script to the terminal window and hit space again. Finish the command with the path to your newly created folder. 

You will have to make sure the script is executable for it to work. Change the ownership to your local admin account and update the permissions with these two commands. Chown updates the ownership to ensure that only your local admin account and admins can read, write, an execute the script. Replace your local admin account short name where "<admin account>" is in the first line below. The second line changes the permissions on the files so that the owner and group can read, write, and execute the script, but no one else can.


You will need to update the LaunchDaemon plist to point to the new location of the script. Open the edu.psu.firstboot.plist in a text editor and update the path in the "ProgramArguments" string. The path we created above to the script is "/Library/PSUscript/". 

Save the updated LaunchDaemon plist and use the following commands to properly install it. It is very important to get the ownership and permissions correct or the system will not enable the plist at boot and your script will not run. The first command we use will copy the plist into the /Library/LaunchDaemons folder. The "chown" command sets the owner of the plist to root and the group to wheel. The third command, "chmod" changes the permissions to read & write for the owner and read for the group and others. This combination of owner, group, and permissions are required for LaunchD to properly load the plist.

Now that the script and the LaunchDaemon is installed with the correct owners and permissions, the script will execute the next time the system boots. Restart your computer and watch the /var/log/system.log to see the code execute! See the example logs below:

Learn how to create an installer package for easy deployment of your script and launchdaemon plist with the SysAdminVideoSeries:

See some great examples of first boot scripts from Rich Trouton here:

  • No labels