Help

Can we remotely manage Startup Security - External Boot Level yet?

MrRoboto
Contributor III

Posted on ‎04-01-2021 07:51 AM

On T2 Macs we have to allow booting from external media in some cases. Other options are to use internet recovery or MDS.

The new M1 Macs allow external booting by default, just like the old Mac days. To make things consistent across old Mac, T2 Mac and M1 Mac... can we allow external booting on T2 Macs using Jamf?

0 Kudos
Reply
11 REPLIES 11

d_mccullough
New Contributor III

Posted on ‎06-25-2021 10:32 AM

I'm also curious about this. We have a store of MacBook Pros which are on Catalina, which will set up with DEP. We'd like to upgrade them to Big Sur without having to log in, create an admin account, upgrade, and then wipe. Is there a method of allowing external boot without the whole process?

0 Kudos
Reply

sdagley
Esteemed Contributor II

Posted on ‎06-25-2021 10:39 AM

@d.mccullough Can you boot these Macs into Recovery mode? If so, Apple's Mac Provisioner 3.0 tool will allow you to create a USB stick to install Big Sur from Recovery mode on a Mac with Catalina installed.

0 Kudos
Reply

d_mccullough
New Contributor III

Posted on ‎06-25-2021 10:49 AM

Oooh, I like the sound of that. Thanks, @sdagley . I may also have the depot upgrade one and target-disk the rest, kind of a de-facto Jamf Imaging (don't use that word!)

0 Kudos
Reply

sdagley
Esteemed Contributor II

Posted on ‎06-25-2021 10:58 AM

@d.mccullough I'd advise against the TDM idea. At a minimum there will be a bridgeOS update required going from Catalina to Big Sur, and a TDM copy isn't going to do that for you. Successfully copying the Big Sur system partition is another issue.

0 Kudos
Reply

d_mccullough
New Contributor III

Posted on ‎06-25-2021 11:04 AM

Well, if we're running the macOS installer from another Mac and simply installing down to the drive as normal otherwise. it's not a copy so much as installing the OS to an external drive. That is still supported, afaik?

0 Kudos
Reply

sdagley
Esteemed Contributor II

Posted on ‎06-25-2021 11:14 AM

Mac Provisioner doesn't ask for the target, it just does the internal drive of the Mac it's running on, so it won't install to a Mac connected via TDM.

0 Kudos
Reply

d_mccullough
New Contributor III

Posted on ‎06-25-2021 11:34 AM

OK, thanks!

0 Kudos
Reply

Chase
New Contributor II

Posted on ‎08-12-2021 12:36 PM

Is there an answer to the original question? Can we allow external booting on T2 Macs using Jamf?

0 Kudos
Reply

sdagley
Esteemed Contributor II
In response to Chase

Posted on ‎08-12-2021 01:54 PM

@Chase No, there is no mechanism for an MDM to change the boot security settings on a T2 equipped Mac to allow booting from a  USB drive.

Reply

bsuggett
Contributor II

Posted on ‎04-21-2022 06:52 PM

A really big critique of mine with Apple about this...

Dissallow external disk booting (Even to disks/volumes that have been created with createinstallmedia) (aka macOS recovery built by an a Install macOS  *.app)... 

They should have kept/allowed external booting to signed macOS installers (those created by createinstallmedia) then prevent internal disk erasure without a password.

0 Kudos
Reply

sdagley
Esteemed Contributor II
In response to bsuggett

‎04-21-2022 07:04 PM - edited ‎04-21-2022 07:06 PM

@bsuggett You _can_ run a macOS installer (well the startosinstall tool) from a USB drive while booted into Recovery Mode. That you can't boot from a USB drive is really only a problem if you're trying to downgrade the version of macOS installed on the Mac.

Reply