
Thanks, Apple! Back to the manual method of walking through Apple's setup process to image.

At least until we enroll in DEP.

https://support.apple.com/en-us/HT202770


I highly recommend getting on DEP sooner rather than later, because of things like this. Apple has been telling its customers to get onto DEP since 2014 so that you don't have to experience "pulled the rug out from under us" moments.


Unfortunately DEP still has a few clicks to get started as well.
Apple probably feels 4 or 5 clicks is not that much; they clearly aren't doing it on 1000 machines at once!
The sooner DEP just starts by itself the better!


@Look, so true. I don't have any labs at my org, but I can imagine. It'd be great if it were like how Apple TVs work with regard to DEP.


@nvandam yep, once we have this and then either an API or a connector to our CMDB to name / purpose the devices, it will literally be like magic when you put a device on a desk and turn it on! I have actually done the last bit using scripting anyway, but it would be great if JAMF added it as a feature.
I LOVE the --erase-install option in the new macOS installer though! Self Service reimaging is gonna be great this year!


I just got my hands on a 13" Coffee Lake 2018 MacBook Pro with the T2 chip. The boot security on the T2 chip is locked down tight as a drum and prohibits booting from an external USB device. There is no way through the GUI to change settings either.

Confirmed this new security "enhancement" with my Apple Rep.


@mortopc4, so right now I wipe Macs using a macOS installer on a USB drive. This isn't possible anymore?


Not sure. This is what I got when popping in my trusty OS troubleshooting USB key...

When trying to unlock per the message, I get this:


Mine should be in next week. Can't wait to get on it and test stuff out.


Are you able to go into recovery mode, and enable the boot to external device option? How do we get to this option below?

Apple T2 Link


Unfortunately not. I get the "No Administrator Found" box. I hit ok and it takes me back to the "Authentication Required", I hit the "Enter macOS Password" and go straight to "No Administrator Found". Round and Round.......

The box I am testing has 2 admins, root enabled and my Jamf Admin account, so lots of administrators.

Again, my Apple sales guy indicated this may be standard operating procedure now with the T2 chip on the MacBook Pros.


Does the FirstBoot NetInstall option still work for these T2 machines? Has anyone gotten a machine to test yet? Mine will be here Monday, but I'd like to get a head start on creating the FirstBoot NetInstall image if someone here can confirm it does in fact work.


Ideally you should be able to get to the above settings by entering the Recovery Volume, choosing Utilities > Startup Security Utility and entering the administrator password.

However as my screenshots show, when you hit the "Enter macOS Password" box it returns "No Administrator Found"... On the iMacs with the T2 chip, hitting the "Enter macOS Password" box will give you a prompt, enter the admin password and you open the security settings to modify Secure/External Booting...

I have just confirmed this on three (3) Coffee Lake MacBook Pros we received on July 18th.


You need to have an admin with Secure Token to modify these settings.


Ahhhhhhh makes sense. However shouldn't the first admin account you create using the Apple Setup Assistant get assigned a token?


Also after using the Apple Setup Assistant to create an admin account I check the securetokenStatus and see that the sole admin on my test box is DISABLED.

I run secureTokenOn <username> -password <password> and get "Operation is not permitted without secure token unlock".

Will dig more.....


Considering the speed improvements over last gen, I'm not sure it's worth buying these "new and improved" MacBook Pros.


Yes, initial admin from SA should get Secure Token.

Secure Token status isn't that great unless FileVault is turned on. Could run

diskutil apfs listusers /

and make sure your admin user's GUID shows up.

Would definitely recommend watching this, it's very helpful
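To make the two checks above repeatable across a batch of new machines, here is an added example (not code from the thread or from Jamf): it parses the output of sysadminctl -secureTokenStatus and diskutil apfs listusers / and reports whether an admin both holds a Secure Token and appears as an APFS cryptographic user, which is what unlocking Startup Security Utility needs. The sample command output embedded below is constructed, and the live wrapper that runs the real commands (including dscl for the GUID) is an assumed usage for a real Mac.

```shell
#!/bin/sh
# Added example: decide whether a local admin can unlock Startup Security Utility.
# The parsers take command output as text so they can be exercised offline.

# Parse `sysadminctl -secureTokenStatus <user>` output -> ENABLED / DISABLED / UNKNOWN
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Parse `diskutil apfs listusers /` output: is the GUID listed as a
# "Local Open Directory User" (not just a recovery-key holder)? Returns 0 if so.
guid_is_crypto_user() {
  printf '%s\n' "$2" | awk -v g="$1" '
    index(toupper($0), toupper(g)) { found = 1; next }            # GUID line
    found && /Type:/ { if ($0 ~ /Local Open Directory User/) ok = 1; found = 0 }
    END { exit ok ? 0 : 1 }'
}

# Both conditions must hold: Secure Token enabled AND GUID present as crypto user.
can_unlock_startup_security() {
  [ "$(parse_token_status "$1")" = ENABLED ] && guid_is_crypto_user "$2" "$3"
}

# Live wrapper for a real Mac (assumed usage; needs admin rights to run these tools).
check_live_user() {
  status_out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
  guid=$(dscl . -read "/Users/$1" GeneratedUID | awk '{print $2}')
  users_out=$(diskutil apfs listusers / 2>&1)
  can_unlock_startup_security "$status_out" "$guid" "$users_out"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_STATUS='2018-07-20 09:12:03.114 sysadminctl[612:9040] Secure token is ENABLED for user jamfadmin'
SAMPLE_GUID='2457C9DB-1234-4A5B-9C0D-1234567890AB'
SAMPLE_LISTUSERS='Cryptographic users for disk1s1 (2 found)
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User
|
+-- 2457C9DB-1234-4A5B-9C0D-1234567890AB
    Type: Local Open Directory User'

if can_unlock_startup_security "$SAMPLE_STATUS" "$SAMPLE_GUID" "$SAMPLE_LISTUSERS"; then
  echo "jamfadmin: Secure Token present and APFS crypto user; can unlock Startup Security Utility"
else
  echo "jamfadmin: cannot unlock Startup Security Utility yet"
fi
```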


Koalatee - great info, THX!

My question is why would three (3) separate systems, new out of the box, fail to create the secure token......hmmmmmm I guess an undocumented feature.....LOL!


UPDATE!!

SO, I waited a few hours. All the while I was trying to determine WHY the system did not create a SecureToken when creating the sole admin account on the system.

After shutting the system down and letting it sit overnight, I came back to it and ...... a Secure Token had been created.

Not sure if it was needing to wait or what, but I now have a token assigned to the sole box admin and can unlock the Secure Startup Utility.

Koalatee - THANK YOU again for the YouTube link. It was REALLY helpful!!!!


Can anyone confirm whether these Macs can start up with a USB key created using the Apple approved "createosxinstallmedia" process using the .app installer? Not talking any sort of USB boot media created outside of this approved workflow.


It works as long as you enable booting from USB in the Recovery Volume, choosing Utilities > Startup Security Utility and entering the administrator password.


So...what happens if a tech needs to reimage a T2 device and doesn't have admin credentials for it? Normally, they'd boot from USB and wipe/reinstall. Is the laptop a brick?

I'm not so worried about initial setup, but I'm very concerned about re-provisioning devices. If I can control this via user-approved MDM, that would work for almost all use cases.


So it seems like Internet Recovery is an option. Hopefully Jamf will provide a way to manage the USB boot setting, as we use a mix of Internet Recovery and USB booters.


"So...what happens if a tech needs to reimage a T2 device and doesn't have admin credentials for it? " Recovery Boot or Internet Recovery Boot and reinstall macOS.

or Target Disk Mode boot, and connect it to another Mac...