
Thanks, Apple! Back to the manual method of walking through Apple's setup process to image.

At least until we enroll in DEP.

The initial account that gets created can be used to change settings in the security utility. If the password to this account gets changed, it does not seem to update the account that has access to the security utility. Also, when I add additional admin accounts, it does not give them access to the security utility. I've tried the command diskutil apfs updatePreboot /, but it does not seem to update or add accounts.
Anyone had success updating and adding new accounts, giving them access to the security utility?


A little cheat I will share... some may find it helpful.....

We noticed with the iMac Pros that it didn't require a Secure Token on their original build (10.13.2 forked). You can mount the recovery/installesd.dmg and find the Startup Security Utility.app. You can grab that and run it locally (without running it in recovery mode) to make changes with a built-in account without a SecureToken.


@rvandam
I am curious about the pre-installed OS version on your MBPs.
Our 13” T2 MBPs are pre-installed with 10.13.4, the 15” MBPs have 10.13.6; the 13” gives problems.
After starting in recovery mode and reinstalling the OS, the problems are gone.


I noticed Apple released a Supplemental Update for 2018 MacBook Pro models today: 10.13.6 builds 17G2037/15P6805 (prior builds were 17G2208/15P6703). We ended up switching over to a DEP-type deployment, so imaging for us may go bye-bye. I'm sure it's Apple's master plan, as we all know.


End of third-party repair life. Time to change other to work... Bye, Apple.


Just wait until Apple stops signing the Internet Recovery image! :-)


Just wait until macOS & iOS merge..... :D lol


PhoneBook Pro.


@mikecardii I was able to clone a 10.13 Netboot.dmg from a nbi set, to an External SSD and use it to image T2 Macs. Here is my process:

  1. Restore Netboot.dmg to a GUID-partitioned external SSD (APFS or HFS+ both work).
  2. Boot to the external drive and upgrade its OS to 10.14.3, with Jamf Imaging set to auto-launch at root account auto-login.
  3. On a T2 Mac, start up to Recovery and launch Startup Security Utility. Change to ALLOW external boot and set security to Medium.
  4. With the external drive booted on T2 chip Macs, I am able to image it to Mojave with a base OS 10.14.3 created from AutoDMG.

Ran across this in a different thread earlier today - https://twocanoes.com/disable-sip-quickly/

csrutil netboot add address - Set allowed netboot servers

Any more info on what that might do? Mind you, this was in reference to iMac Pros... but it seems like this might be the missing sauce for NetBooting T2 Macs? Anyone have any more information on csrutil netboot add address?


Never mind.


@Sterritt

csrutil netboot add

That's for pre-T2 Macs and was introduced due to security enhancements in El Capitan; you could only remotely bless/instruct a Mac to NetBoot from a whitelisted server added with that command. We had to do it to our labs, otherwise someone would have to walk around option-booting them to NetBoot when it was time to wipe and refresh.

See here for more details:

https://support.apple.com/en-gb/HT205054

T2 Macs will not NetBoot, never ever, sadly. Along with User Approved MDM, bridgeOS/firmware issues, etc., an erase/install workflow (using Internet Recovery, or pushing the installer application down and running startosinstall --eraseinstall) followed by DEP enrolment into your MDM is the way Apple are pushing (or have pushed) organisations to go.


So everything I'm seeing in testing and reading in these threads indicates either Apple has really messed this up, or Jamf does not have proper support for T2 systems. We cannot manage startup security on ANY system with a T2 chip, because they all claim there is no Administrator account. There are two, so something is broken. It appears what is broken is that SecureToken is not enabled on the admin accounts created by Jamf on DEP systems. As a result, we're locked out of doing anything other than Internet Recovery to wipe and reload a system, as you can't boot external devices (or even the internal recovery, for some reason), and dual boot doesn't work because you can never authorize the Windows partition as bootable. Anyone know if this comes down to Jamf not creating accounts properly to be compatible with the new hardware, or Apple not allowing them to, because you can ONLY ever get SecureToken on the account created directly by Setup Assistant and there is no automated bypass of it? Not sure which company we need to hound about fixing this. We've also found single-user mode no longer exists on T2, and that's squarely on Apple...
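The recurring question in this thread (the first post about extra admin accounts not appearing in Startup Security Utility, and the last post about Jamf-created admins on DEP machines) comes down to which local admin accounts actually hold a SecureToken. The script below is an added example, not code from the thread or from Jamf; it assumes macOS 10.13 or later with sysadminctl and dscl available, and the helper names are ours.

```shell
#!/bin/sh
# Added example: list local admin accounts and whether each holds a SecureToken.
# Only accounts reported ENABLED can unlock FileVault at boot and appear as
# administrators in Startup Security Utility on a T2 Mac.

# Pull the state word (ENABLED/DISABLED) out of sysadminctl's log-style output,
# e.g. "sysadminctl[123:456] Secure token is ENABLED for user alice".
# Prints nothing when the line does not match (unknown user, other error).
parse_token_status() {
  printf '%s\n' "$1" | sed -n 's/.*Secure token is \([A-Z]*\) for user.*/\1/p' | head -n 1
}

# Members of the local admin group, one per line (read from the local node).
list_admins() {
  dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: *//' | tr ' ' '\n'
}

# Print "<user> <ENABLED|DISABLED|UNKNOWN>" for every local admin.
# sysadminctl writes its status line to stderr, hence the 2>&1.
report_secure_tokens() {
  for u in $(list_admins); do
    out=$(sysadminctl -secureTokenStatus "$u" 2>&1)
    st=$(parse_token_status "$out")
    printf '%s %s\n' "$u" "${st:-UNKNOWN}"
  done
}

# The macOS tools above only exist on Darwin; elsewhere the functions are
# defined but not run, so the parser can still be exercised with sample input.
if [ "$(uname)" = "Darwin" ]; then
  report_secure_tokens
  # Cross-check against the APFS crypto users recorded in the preboot volume.
  diskutil apfs listCryptoUsers /
fi
```

Accounts that show DISABLED here will be missing from Startup Security Utility no matter how many times diskutil apfs updatePreboot / is run, because updatePreboot only republishes existing crypto users; a token has to be granted to them by an account that already holds one.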