Can we remotely manage Startup Security - External Boot Level yet?

MrRoboto
Contributor II

On T2 Macs we have to allow booting from external media in some cases. Other options are to use internet recovery or MDS.

The new M1 Macs allow external booting by default, just like the old Mac days. To make things consistent across old Mac, T2 Mac and M1 Mac... can we allow external booting on T2 Macs using Jamf?

11 REPLIES

d_mccullough
New Contributor III

I'm also curious about this. We have a store of MacBook Pros which are on Catalina, which will set up with DEP. We'd like to upgrade them to Big Sur without having to log in, create an admin account, upgrade, and then wipe. Is there a method of allowing external boot without the whole process?

sdagley
Honored Contributor III

@d.mccullough Can you boot these Macs into Recovery mode? If so, Apple's Mac Provisioner 3.0 tool will allow you to create a USB stick to install Big Sur from Recovery mode on a Mac with Catalina installed.

d_mccullough
New Contributor III

Oooh, I like the sound of that. Thanks, @sdagley. I may also have the depot upgrade one and target-disk the rest, kind of a de-facto Jamf Imaging (don't use that word!)

sdagley
Honored Contributor III

@d.mccullough I'd advise against the TDM idea. At a minimum there will be a bridgeOS update required going from Catalina to Big Sur, and a TDM copy isn't going to do that for you. Successfully copying the Big Sur system partition is another issue.

d_mccullough
New Contributor III

Well, if we're running the macOS installer from another Mac and simply installing down to the drive as normal otherwise, it's not a copy so much as installing the OS to an external drive. That is still supported, afaik?

sdagley
Honored Contributor III

Mac Provisioner doesn't ask for the target, it just does the internal drive of the Mac it's running on, so it won't install to a Mac connected via TDM.

d_mccullough
New Contributor III

OK, thanks!

Chase
New Contributor II

Is there an answer to the original question? Can we allow external booting on T2 Macs using Jamf?

sdagley
Honored Contributor III

@Chase No, there is no mechanism for an MDM to change the boot security settings on a T2-equipped Mac to allow booting from a USB drive.

bsuggett
Contributor II

A really big critique of mine with Apple about this...

Disallow external disk booting (even to disks/volumes that have been created with createinstallmedia) (aka macOS recovery built by an Install macOS *.app)...

They should have kept/allowed external booting to signed macOS installers (those created by createinstallmedia) then prevent internal disk erasure without a password.

sdagley
Honored Contributor III

@bsuggett You _can_ run a macOS installer (well, the startosinstall tool) from a USB drive while booted into Recovery Mode. That you can't boot from a USB drive is really only a problem if you're trying to downgrade the version of macOS installed on the Mac.