
The T2 Macs, the end of NetBoot and deploying from macOS Recovery

In late 2017, Apple released the iMac Pro. Along with the new Secure Enclave protection provided by Apple’s T2 chip, the iMac Pro brought another notable development: It did not support booting from a network volume, otherwise known as NetBoot.

The one exception was Apple’s Internet Recovery, where Apple provides a NetBoot-like service that gives access to macOS Recovery. The iMac Pro is still able to boot to Internet Recovery, which provides a way to repair the Mac or reinstall the operating system in situations where the Mac’s own Recovery volume is missing or not working properly.

With NetBoot not being available for the iMac Pro but still available for other models, it wasn’t yet clear if NetBoot-based workflows for setting up new Macs or rebuilding existing ones were on the way out. However, Apple’s release of T2-equipped MacBook Pros in July 2018, which also could not use NetBoot, has made Apple’s direction clear. As Apple releases new Mac models equipped with T2 chips and Secure Enclave, it is unlikely that these future Mac releases will support NetBoot.


For Mac admins using NetBoot-based workflows to set up their Macs, what are the alternatives? Apple has been encouraging the use of Apple’s Device Enrollment Program (DEP), which leverages a company’s, school’s or institution’s mobile device management (MDM) service. In this case, you would need to arrange with Apple or an Apple reseller to purchase Macs that are enrolled in your organization’s DEP.

When a DEP-enrolled Mac is started for the first time (or started after an OS reinstall), it is automatically configured to use your organization’s MDM service and the device checks in with the MDM service. The MDM service then configures the Mac as desired with your organization’s software and configuration settings. A good example of what this process may look like can be seen here.

What if you don’t have DEP, or you don’t have MDM? In that case, you may still be able to leverage Recovery-based deployment methods, which would allow you to install the desired software and configuration settings onto the Mac’s existing OS, or install a new OS along with software and configuration settings. For more details on these methods, please see below the jump.

To help facilitate deploying software and settings from the Recovery environment, Greg Neagle has released a couple of tools:

bootstrappr: https://github.com/munki/bootstrappr
installr: https://github.com/munki/installr

Both bootstrappr and installr can run in the macOS Recovery environment and work in similar ways. The main difference between the two is the following:

  • bootstrappr: Installs one or more packages onto a target volume
  • installr: Installs macOS and one or more additional packages onto a target volume

As an example of how bootstrappr works, please see below. In this case, I’ve set up a disk image using the instructions provided at the bootstrappr GitHub repo and copied it to an external drive named Provisioning.

On the disk image, I’ve included one installer package named First Boot Package Install, which was generated by my First Boot Package Install Generator tool.

1. Boot to macOS Recovery


2. Launch Terminal


3. Run the following command:

hdiutil mount /Volumes/Provisioning/bootstrap.dmg


The bootstrap disk image mounts as a new volume named bootstrap.


4. Run the following command:

/Volumes/bootstrap/run


5. Select the volume to install on (in this example, the volume is named Macintosh HD).


The First Boot Package Install package included in the disk image is installed.


6. Once installation is completed, select the option to restart.


On restart, the First Boot Package Install package is able to run its own workflow, which is able to suppress the Apple Setup Assistant and run its assigned installation task. In this case, I’m only having it check for and install all available Apple software updates, but it could be installing any desired package. This could include all software needed to set up a particular Mac, or installing a management agent to handle software installation and configuration.

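To make the first-boot stage concrete, here is an added example of the core of such a runner; it is not the First Boot Package Install tool’s own code. A root LaunchDaemon would start it on the first boot after the Recovery install, and it installs every package staged in a directory, in name order, onto the booted volume with /usr/sbin/installer. Because it runs as root, it first refuses any staging directory that is not root-owned or is writable by group or world, so that nothing a non-root user could have placed there gets installed. The staging path and the INSTALLER override (used here only to rehearse without installing) are assumptions.

```shell
#!/bin/sh
# Added example, not the First Boot Package Install tool's own code: the core
# of a first-boot runner that a root LaunchDaemon starts on the first boot
# after the Recovery install. It installs every .pkg staged in a directory,
# in name order, onto the booted volume, and refuses to run from a directory
# a non-root user could have written to. Paths are assumptions.
set -u

# Real macOS command-line installer; override with a stand-in to rehearse.
INSTALLER=${INSTALLER:-/usr/sbin/installer}

# pkg_dir_is_safe DIR: a root daemon must never install packages that a
# non-root user could swap in, so reject a staging directory that is missing,
# not owned by root, or writable by group or world. Returns 0 when safe.
pkg_dir_is_safe() {
  dir=$1
  [ -d "$dir" ] || return 1
  unsafe=$(find "$dir" -maxdepth 0 \( ! -user root -o -perm -020 -o -perm -002 \) -print)
  [ -z "$unsafe" ]
}

# list_packages DIR: top-level .pkg files in a stable order, so prefixes such
# as 01-, 02- control the installation sequence.
list_packages() {
  find "$1" -maxdepth 1 -name '*.pkg' -print | LC_ALL=C sort
}

# install_packages DIR TARGET: install each package in order onto TARGET,
# printing "OK <pkg>" or "FAIL <pkg>" per package; stop at the first failure
# and return non-zero so the daemon can leave the staging area for triage.
install_packages() {
  dir=$1; target=$2
  list_packages "$dir" | while IFS= read -r pkg; do
    if "$INSTALLER" -pkg "$pkg" -target "$target" >/dev/null 2>&1; then
      echo "OK $pkg"
    else
      echo "FAIL $pkg"
      exit 1
    fi
  done
}

# first_boot DIR: the sequence the LaunchDaemon runs. The staging directory is
# removed on success so the packages cannot be replayed on a later boot.
first_boot() {
  dir=$1
  if ! pkg_dir_is_safe "$dir"; then
    echo "refusing to install from $dir: missing, not root-owned, or writable by others" >&2
    return 1
  fi
  install_packages "$dir" / || return 1
  rm -rf "$dir"
}
```

The ownership and mode check is the part worth copying: a LaunchDaemon that installs whatever it finds in a directory is only as trustworthy as the permissions on that directory, and a package that fails should stop the sequence rather than let later packages assume it succeeded. Suppressing Setup Assistant and unloading the daemon afterwards are separate steps that the package’s own scripts handle and are not shown here.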

  1. e
    August 15, 2018 at 6:47 pm

    No need to create the dmg if you’re running off a USB. You can directly copy the root folder. You’ll just have to know the disk name and adjust your command to run the script accordingly. For example, /Volumes/external/installr/run or bootstrappr/run.

  2. Rod Christiansen
    August 15, 2018 at 7:14 pm

    Great post as always Rich.

    There is also an Imagr commit Greg pushed out that adds a required Python.framework and you can replicate the bootstrappr / installr idea of booting into Recovery and run Imagr.

    Initial info is here: https://github.com/gregneagle/imagr/commit/5832e6cfc67b45722e084a711e41d6e81c6b7e7f

    All I’m installing are the barebones packages I need: munki, outset, admin account, skip setup assistant.

    It really helped me this week to get (40) T2 MacBooks ready!

  3. August 15, 2018 at 8:31 pm

    If all you are doing is installing bootstrapping packages, I still maintain that implementing and using bootstrappr is far easier than getting Imagr working in Recovery. But obviously there are (for now) choices.

  4. cashxx
    August 17, 2018 at 1:22 pm

    With Apple going the Microsoft way of providing basically crap tools to reimage a client, maybe it is time to drop Apple altogether! Don’t see what it would have hurt to leave NetBoot support in.

  5. August 21, 2018 at 7:57 pm

    Hi Rich,
    Great tools, but when I tried installr it keeps coming up with “Error: An internal error occurred while starting the installer”; it works fine if I call startosinstall directly.
    Have you seen that before?

  6. Peter
    August 30, 2018 at 5:31 pm

    Skipping the setup process is probably not a good idea since you will not be able to create an account with a security token.

    • September 11, 2018 at 9:44 pm

      As an experiment I skipped it, having created the users via script in a “First Boot” like package. Even though no user has a Secure Token it will still let you encrypt. It’s only when you have a SecureToken granted user and then you somehow nuke that account, then you are out of luck and will need to re-image in order to encrypt. Otherwise it’s the same situation as an unencrypted 10.12 to 10.13 upgrade: no user has SecureToken yet the machine will allow for encryption to be turned on and then the user to initiate is granted a SecureToken.
