Posted on 10-28-2019 02:09 PM
We are not a big Mac shop so we can't have terminated user's machine laying around for 2 weeks+ in case the manager ask for data from terminated user's Mac. We were able to get around this by taking the full disk image using Disk Utility but this feature seems to be impossible for Mac with T2 chip.
Here is the steps I usually take the disk image. 1. Place the terminated user's Mac to a target mode. Connect to Mac Mini using thunderbolt 3 cable. 2. On Mac Mini, open Disk Utility. The disk from terminated user's Mac is detected in Disk Utility. 3. Unmount Macintosh HD, Select APFS container and go to File > New Image > Image from "Container disk1"
This process takes a complete backup of Mac disk in DMG format.
Posted on 10-30-2019 09:25 AM
I actually have a ticket opened with Apple regarding this very thing... they say "the primary change to the workflow is that valid admin/secureToken enabled credentials will be needed every time the system is connected via Target Disk Mode to access the T2's encryption-at-rest." If FileVault is enabled, Personal Recovery Key, Institutional Recovery Key, or FV user credentials - which needs an enabled SecureToken - must be used to unlock the data on the disk. Once authenticated, the filesystem can be mounted and viewed.
I got this to work - finally - with a target-mode Mojave Mac connected to a Catalina-booted Mac, and then to a Mojave Mac. Previously I had been attempting this on Macs booted to recovery mode or USB OS installers.
The real challenge here is that we won't be able to capture an image of a never-booted T2 Mac for purposes of restoring the default Apple software load, as we have to create an account on it first to enable external booting and target disk mode access. I hope I'm mistaken...