Apple also provides instructions for downloading many older macOS versions via your terminal: https://support.apple.com/en-us/102662#terminal
Is there a limit on number of instances you can have per physical mac? i recall there was a hard limit of 2 because of EULA, unless Apple has changed it. (Cupertino really likes to sell you their Macs)
There's a kernel-level check in the Hypervisor framework that enforces the 2 VM limit, and bypassing it violates Apple's EULA.
Nice technical deep-dive on the how here: https://khronokernel.com/macos/2023/08/08/AS-VM.html
So we just click through like a human would via VNC. Version-specific but works with their security model rather than against it.
We've also built a broader ecosystem on top - the Cua computer and agent framework for building computer-use agents: https://cua.ai/docs
We went through the comparison with Tart, Lima etc here: https://github.com/trycua/cua/issues/10
Not seeing any reference to Tart at that link. Tart also has registry support for VM images it treats them very much like Docker images, is that what you are doing too?
Is it worth putting a comparison up somewhere other than a Github thread? Seems to be a frequently asked question at this point.
Also worth drawing attention to Tart being source available not open source.
We just put one together (with some help from Claude Code, naturally): https://cua.ai/docs/lume/guide/getting-started/comparison
Fixed the registry description—you're right, GHCR is an OCI registry. Both tools use OCI-compatible registries, we just default to GHCR/GCS.
Added licensing to the "when to choose" sections.
This feels disingenuous. Tart has unattended setup support as well, and it's based on the same VNC + OCR technique as Lume. In fact Tart had it first, and your approach seems to be heavily inspired by it. In addition the boot command instructions you're using came from https://github.com/cirruslabs/macos-image-templates/
The only material difference is whether it's built-in or integrated via Packer.
- macOS GUI apps (Xcode, Numbers, Safari, etc.) - macOS desktop automation (screenshots, mouse/keyboard input, accessibility APIs) - macOS CI/CD (building iOS/macOS apps, running XCTest)
...you need an actual macOS VM, which is what Lume provides.
The unattended setup is a large improvement, which also begs the question: Mac OS doesn't have an unattended.xml alternative for its installer?
A closer comparison here is Lumier, which provides a "Docker-like" interface to spin up VMs with a noVNC server: https://cua.ai/docs/lume/guide/advanced/lumier/docker
The key difference: dockur/macos uses QEMU+KVM, which only works on Linux hosts. It can't run on macOS hardware since Apple doesn't expose KVM. See: https://github.com/dockur/macos/issues/256
I thought this was a silly way to do it too, but upon reflection I don’t know if you can zero touch setup a Mac without registering a device in DEP.
You're both right - Apple's official zero-touch setup requires MDM + DEP, which needs Apple Business Manager (and yes, a DUNS number).
But for VMs specifically, DEP doesn't work anyway - VMs don't have real serial numbers that can be enrolled in Device Enrollment Program.
VNC-based setup automation is the only practical option - it's what the ecosystem has converged on for macOS VMs. Lume connects to the VM's VNC server and programmatically tabs, clicks, types through Setup Assistant.
Slight tangent - do the VMs have decent graphics performance? I live in fear of one day accidentally pressing the Update button and being forced into the GUI mess that is Tahoe. Knowing I could just use a VM with Sequioa as my primary desktop would dramatically lower my anxiety.
Good news is there are hints of GPU passthrough coming (_VZPCIDeviceConfiguration symbol appeared in Tahoe's Virtualization framework), so that might land in a future macOS release. We're keeping an eye on it.
You can automate at least some of this with `defaults write` commands or copying files to the right places. If you look at what some existing MDM platforms do you should be able to do this a lot more efficiently.
defaults write only works after you have shell access, which means Setup Assistant is already done.
There are tools that modify marker files like .AppleSetupDone via Recovery Mode, but that's mainly for bypassing MDM enrollment on physical Macs - you'd still need to create a valid user account with proper Directory Services entries, keychain, etc.
The VNC + OCR approach is less elegant but works reliably without needing to reverse-engineer macOS internals or rely on undocumented behaviors that might break between versions.
One thing I've been thinking about with agents running in isolated environments: how do you handle visibility into what API calls the agent is making from within the VM? Right now we rely on proxying outbound requests to see what's actually happening. Does Lume expose any of that through the MCP interface?
Nice work on the unattended setup - that's usually the painful part.
For agent observability, we handle this at the Cua framework level rather than the VM level:
- Agent actions and tool calls are logged via our tracing integration (Laminar, OpenTelemetry) - You can see the full decision trace - what the agent saw, what it decided, what tools it invoked - For the "what HTTP requests actually went out" question, proxying is still the right approach. You could configure the VM's network to route through a transparent proxy, or set up mitmproxy inside the VM. We haven't built that into Lume itself since network inspection feels orthogonal to VM management.
That said, it's an interesting idea - exposing a proxy config option in Lume that automatically routes VM traffic through a capture layer. Would that be useful for your workflow?