NetBooting and System Integrity Protection
Apple took an unusual step this week and released a knowledgebase (KBase) article that refers to an as-yet unreleased operating system:
I can only praise the decision to create it. The content covered affects a number of enterprise Mac environments and gives the Mac admins who support those environments time to prepare for an important change which may affect them.
That said, the KBase article itself is confusingly written and also includes an error. For more details, see below the jump.
In El Capitan, System Integrity Protection (SIP) affects the bless command’s ability to set alternate boot disks, including the ability to designate a NetBoot set as a startup drive.
To help folks who need to use bless to set a NetBoot set as a startup drive, Apple is providing functionality in the csrutil tool referenced in the KBase article to add NetBoot servers to a whitelist.
This whitelist will define by IP address which NetBoot servers are trusted in your environment. Once those IP addresses are part of the whitelist, the bless command can set a Mac to NetBoot from a NetBoot set on a trusted NetBoot server.
To hopefully help clarify the issue, please see the graphic below.
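As an added example (not code from the original post or from Apple), here is a small admin script that whitelists a set of NetBoot servers with csrutil and then blesses a NetBoot set on one of them. The `csrutil netboot add`/`list` and `bless --netboot --server bsdp://` syntax is assumed, since the post does not spell it out; `DRY_RUN=1` prints the commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple. Assumed syntax:
# "csrutil netboot add|list <ip>" and "bless --netboot --server bsdp://<ip>";
# check csrutil(8) and bless(8) on your El Capitan build before relying on it.

# Validate a dotted-quad IPv4 address so a typo never lands in SIP's whitelist.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Execute a command, or only print it when DRY_RUN=1 so the exact csrutil and
# bless invocations can be reviewed before SIP's whitelist is touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Whitelist every listed NetBoot server, all-or-nothing: reject the whole batch
# if any entry is not a valid IPv4 address, then show the resulting list.
trust_netboot_servers() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejected '$ip': not an IPv4 address" >&2; return 1; }
    done
    for ip in "$@"; do
        run csrutil netboot add "$ip"
    done
    run csrutil netboot list
}

# Point the Mac at a NetBoot set on a server that is already whitelisted.
bless_netboot() {
    valid_ipv4 "$1" || return 1
    run bless --netboot --server "bsdp://$1"
}

# Usage: DRY_RUN=1 sh trust-netboot.sh 10.0.0.5 10.0.0.6   (preview commands)
#        sudo sh trust-netboot.sh 10.0.0.5 10.0.0.6        (apply, then bless $1)
if [ $# -gt 0 ]; then
    trust_netboot_servers "$@" && bless_netboot "$1"
fi
```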
Meanwhile, there also appears to be an error in the KBase article. The section with the error is below:
The last sentence includes this part:
“…using the bless command-line tool.” That is incorrect, as bless is not able to tell the Mac to trust the NetBoot server.
The correct way to tell the Mac to trust the NetBoot server is to use the new csrutil tool:
“…using the csrutil command-line tool.”
With that change, the section should now read as follows:
Add a trusted NetBoot server
The System Integrity Protection feature of OS X El Capitan requires that you tell your Mac to trust the NetBoot server. You can do that by using the Bless NetBoot Server action in the System Image Utility app, or by using the csrutil command-line tool.
To help get this issue corrected, I’ve filed a bug report on this KBase article. For those interested in duping it, it’s bug ID 22575339.
For those interested in the details, I’ve also posted the bug report to Open Radar: