The T2 Macs, the end of NetBoot and deploying from macOS Recovery
In late 2017, Apple released the iMac Pro. Along with the new Secure Enclave protection provided by Apple’s T2 chip, the iMac Pro brought another notable development: It did not support booting from a network volume, otherwise known as NetBoot.
The one exception was Apple’s Internet Recovery, where Apple is providing a NetBoot-like service to provide access to macOS Recovery. The iMac Pro is still able to boot to Internet Recovery, which provides a way to repair the Mac or reinstall the operating system in situations where the Mac’s own Recovery volume is missing or not working properly.
With NetBoot not being available for the iMac Pro but still available for other models, it wasn’t yet clear if NetBoot-based workflows for setting up new Macs or rebuilding existing ones were on the way out. However, Apple’s release of T2-equipped MacBook Pros in July 2018, which also could not use NetBoot, has made Apple’s direction clear. As Apple releases new Mac models equipped with T2 chips and Secure Enclave, it is unlikely that these future Mac releases will support NetBoot.
For Mac admins using NetBoot-based workflows to set up their Macs, what are the alternatives? Apple has been encouraging the use of Apple’s Device Enrollment Program (DEP), which leverages a company’s, school’s or institution’s mobile device management (MDM) service. In this case, you would need to arrange with Apple or an Apple reseller to purchase Macs that are enrolled in your organization’s DEP.
When a DEP-enrolled Mac is started for the first time (or started after an OS reinstall), it is automatically configured to use your organization’s MDM service and the device checks in with the MDM service. The MDM service then configures the Mac as desired with your organization’s software and configuration settings. A good example of what this process may look like can be seen here.
What if you don’t have DEP, or you don’t have MDM? In that case, you may still be able to leverage Recovery-based deployment methods, which would allow you to install the desired software and configuration settings onto the Mac’s existing OS, or install a new OS along with software and configuration settings. For more details on these methods, please see below the jump.
To help facilitate deploying software and settings from the Recovery environment, Greg Neagle has released a couple of tools:
bootstrappr: https://github.com/munki/bootstrappr
installr: https://github.com/munki/installr
Both bootstrappr and installr can run in the macOS Recovery environment and work in similar ways. The main difference between the two is the following:
- bootstrappr: Installs one or more packages onto a target volume
- installr: Installs macOS and one or more additional packages onto a target volume
As an example of how bootstrappr works, please see below. In this case, I’ve set up a disk image using the instructions provided at the bootstrappr GitHub repo and copied it to an external drive named Provisioning.
On the disk image, I’ve included one installer package named First Boot Package Install, which was generated by my First Boot Package Install Generator tool.
1. Boot to macOS Recovery
2. Launch Terminal
3. Run the following command:
hdiutil mount /Volumes/Provisioning/bootstrap.dmg
The bootstrap disk image mounts as a new volume named bootstrap.
4. Run the following command:
/Volumes/bootstrap/run
5. Select the volume to install on (in this example, the volume is named Macintosh HD).
The First Boot Package Install package included in the disk image is installed.
6. Once installation is completed, select the option to restart.
On restart, the First Boot Package Install package is able to run its own workflow, which is able to suppress the Apple Setup Assistant and run its assigned installation task. In this case, I’m only having it check for and install all available Apple software updates, but it could be installing any desired package. This could include all software needed to set up a particular Mac, or installing a management agent to handle software installation and configuration.
No need to create the dmg if you’re running off a USB. You can directly copy the root folder. You’ll just have to know the disk name and adjust your command to run the script accordingly. For example, /Volumes/external/installr/run or bootstrappr/run.
Great post as always Rich.
There is also an Imagr commit Greg pushed out that adds a required Python.framework and you can replicate the bootstrappr / installr idea of booting into Recovery and run Imagr.
Initial info is here: https://github.com/gregneagle/imagr/commit/5832e6cfc67b45722e084a711e41d6e81c6b7e7f
All I’m installing are the barebones packages I need: munki, outset, admin account, skip setup assistant.
It really helped me this week to get (40) T2 MacBooks ready!
If all you are doing is installing bootstrapping packages, I still maintain that implementing and using bootstrappr is far easier than getting Imagr working in Recovery. But obviously there are (for now) choices.
I admit Greg’s advice to just use bootstrappr is the common-sense answer. However, since I already have a working Imagr workflow I’m intrigued about having the choice of running bootstrappr and/or Imagr in recovery mode. I’ve been scrutinizing the README file from the link Rod provided but I’m struggling to wrap my n00b head around it.
Greg, is it possible to please elaborate a bit on your README? For example, I do have a plist with my server info but the README does not say where to put it. Would you be able to perhaps provide an expanded setup guide?
With Apple going the Microsoft way of providing basically crap tools to reimage a client, maybe it is time to drop Apple altogether! Don’t see what it would have hurt to leave NetBoot support in.
Hi Rich
Great tools, but when I tried installr it keeps coming up with “Error: An internal error occurred while starting the installer”; it works fine if I call startosinstall directly.
Have you seen that before?
Hugo, this was driving me nuts, such an ambiguous error message.
I am not using Imagr, I’m calling startosinstall with a script and using the --installpackage option. Turns out I was using a flat component package rather than the required flat distribution package! To fix/convert the package: productbuild --package /path/to/old_component.pkg /path/to/new_distribution.pkg
Rich covers it in this post: https://derflounder.wordpress.com/2017/09/26/using-the-macos-high-sierra-os-installers-startosinstall-tool-to-install-additional-packages-as-post-upgrade-tasks/
Good luck, with enough finagling we’ll have a “poor man’s DEP” by 10.14 😉
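The component-versus-distribution mix-up described in this comment is easy to check for before a package reaches startosinstall or installr. The script below is an added example, not the commenter’s code or any project’s; it assumes that an expanded flat package carries a top-level Distribution file when it is a distribution package and a top-level PackageInfo file when it is a single component package, and the pkgutil and productbuild calls only work on macOS.

```shell
#!/bin/sh
# Added example, not the commenter's code: decide whether a flat .pkg is a
# component package or a distribution package, and wrap component packages with
# productbuild so startosinstall --installpackage (and installr) accept them.
# Assumption: pkgutil --expand leaves a top-level "Distribution" file for a
# distribution package and a top-level "PackageInfo" file for a component package.
set -u

# Classify an already-expanded package directory: distribution, component or unknown.
pkg_kind_of_dir() {
    dir="$1"
    if [ -f "$dir/Distribution" ]; then
        echo distribution
    elif [ -f "$dir/PackageInfo" ]; then
        echo component
    else
        echo unknown
    fi
}

# Expand a flat package into a scratch directory and classify it (macOS only).
pkg_kind() {
    pkg="$1"
    scratch=$(mktemp -d) || return 1
    # pkgutil refuses to expand into an existing directory, so use a child path.
    pkgutil --expand "$pkg" "$scratch/expanded" || { rm -rf "$scratch"; return 1; }
    kind=$(pkg_kind_of_dir "$scratch/expanded")
    rm -rf "$scratch"
    echo "$kind"
}

# Produce a distribution package at $2 from $1, converting only when needed.
ensure_distribution_pkg() {
    src="$1"; dst="$2"
    case "$(pkg_kind "$src")" in
        distribution) cp "$src" "$dst" ;;
        component)    productbuild --package "$src" "$dst" ;;
        *)            echo "cannot classify $src" >&2; return 1 ;;
    esac
}

# Usage: sh pkgcheck.sh /path/to/old_component.pkg /path/to/new_distribution.pkg
if [ $# -eq 2 ]; then
    ensure_distribution_pkg "$1" "$2"
fi
```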
Skipping the setup process is probably not a good idea since you will not be able to create an account with a security token.
As an experiment I skipped it, having created the users via script in a “First Boot”-like package. Even though no user has a Secure Token it will still let you encrypt. It’s only when you have a SecureToken-granted user and then you somehow nuke that account that you are out of luck and will need to re-image in order to encrypt. Otherwise it’s the same situation as an unencrypted 10.12 to 10.13 upgrade: no user has SecureToken, yet the machine will allow for encryption to be turned on, and then the user who initiates it is granted a SecureToken.
If we are using bootstrappr just to get systems deployed and set up with basic packages etc., couldn’t the .AppleSetupDone file be removed to launch Setup Assistant after the fact?
FYI, I was able to get Netboot working from Apple servers using Command + Shift + Option + R and an ethernet adapter. This works in case you are a dummy like me and blow away the recovery partition and are unable to unlock the T2 settings.
I don’t think this is exactly what your post is solving, but I came here with the problem I described and I think there might be other folks that have the same problem.
Cheers!
That isn’t NetBoot, that is Apple sanctioned Internet Recovery, big difference.
How about including PKGs or FirstBoot scripts on a macOS install USB drive? Booting from USB drives is still possible with the T2 chip.
I have not found a way yet to include packages on a macOS install USB drive. System Image Utility used to be able to generate that, but apparently it is not working with APFS, so it doesn’t work for Mojave at all. 😦
Hm, guys, @Christian Holton, please explain how to get NetBoot working with the new Mac mini.
Command + Shift + Option + R does not give the NetBoot workflow.
I’ve never attempted this with a Mac mini, so I wouldn’t know. Best of luck, though.
The 2018 T2 Macs fresh out of the box came with 10.13 preinstalled. When I boot to Internet Recovery, it does not show the 10.14 installer; it shows the 10.13 installer. I’ve had to use the USB external disk, then it required software updates, and after doing this I can see 10.14 in Internet Recovery. Has anyone had a similar experience?