Solved

Disable Netboot?



Hello Everybody!

We are looking to disable booting into our Netboot partition. A user managed to find his way to the Netboot partition on his workstation by holding the option key during startup - I think he was trying to throw a PRAM reset?

Anyway, he didn't do anything majorly destructive once he got in, but we found that he was able to enable wifi, and delete folders off the workstation's internal hard drive.

The environment I'm administering was mostly already set up before the previous admin left the company. I've been building and managing packages, but setting up the Netboot server isn't something I was involved in. I figure it is necessary to not completely remove the Netboot functionality, in the event that a full workstation reimaging is ever necessary.

Is it possible to remove the ability for users to boot into the Netboot partition on their own, and restrict it to something I have more control over? Maybe a JSS policy that I can just keep disabled until it is needed? Or, go into the Netboot image itself and lock it down more than it currently is. Suggestions?

Thank you!

Best answer by rhoward


3 replies

rhoward, Contributor · Answer · October 4, 2016

You should use a firmware password. This would also prevent people from using the recovery drive as well. You can create a policy in the JSS to scope the EFI password.

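The answer above leaves the follow-up work to the reader: once a JSS policy scopes an EFI password, you want a per-machine check that it actually landed, and a way to spot machines where it did not. The script below is an added example, not code from the thread or from Jamf; it is written as a Jamf extension attribute around the real /usr/sbin/firmwarepasswd tool (macOS 10.10 and later). The exact output strings it parses ("Password Enabled: Yes"/"No" from -check, "Mode: command"/"full" from -mode) are assumed from that tool's behaviour and the parsing is deliberately tolerant of case and spacing.

```shell
#!/bin/bash
# Added example (not from the thread): a Jamf-style extension attribute that reports
# whether a Mac has a firmware (EFI) password set, so a policy scoped in the JSS can be
# verified per workstation instead of assumed.
#
# Assumptions: /usr/sbin/firmwarepasswd exists (macOS 10.10+); `firmwarepasswd -check`
# prints "Password Enabled: Yes" or "Password Enabled: No"; `firmwarepasswd -mode`
# prints "Mode: command" or "Mode: full". Both commands require root, which is how
# Jamf runs extension attributes.

FWPW=/usr/sbin/firmwarepasswd

# parse_fw_check: turn raw `firmwarepasswd -check` output into enabled/disabled/unknown.
# Case- and whitespace-insensitive so a wording tweak does not silently report "unknown".
parse_fw_check() {
    lowered=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -s '[:space:]' ' ')
    case "$lowered" in
        *"password enabled: yes"*) echo enabled ;;
        *"password enabled: no"*)  echo disabled ;;
        *)                         echo unknown ;;
    esac
}

# parse_fw_mode: pull the mode word ("command" or "full") out of `firmwarepasswd -mode`.
# "command" only guards alternate-boot keys (Option, Cmd-R, N); "full" also prompts on
# every boot. For the NetBoot problem in this thread, "command" is the relevant mode.
parse_fw_mode() {
    printf '%s\n' "$1" | awk -F': *' 'tolower($1) ~ /mode/ {print tolower($2); exit}'
}

# firmware_password_status: one EA value, e.g. "enabled (command)" or "disabled".
# A machine reporting "disabled" after the policy ran is one the policy did not reach
# (or one where the password was removed) and should be scoped again.
firmware_password_status() {
    if [ ! -x "$FWPW" ]; then
        echo "unsupported"      # pre-10.10 or not a Mac: the tool is not present
        return 0
    fi
    check=$(parse_fw_check "$("$FWPW" -check 2>/dev/null)")
    if [ "$check" = enabled ]; then
        mode=$(parse_fw_mode "$("$FWPW" -mode 2>/dev/null)")
        echo "enabled (${mode:-unknown mode})"
    else
        echo "$check"
    fi
}

# Jamf extension attributes return their value wrapped in <result></result>.
printf '<result>%s</result>\n' "$(firmware_password_status)"
```

Scope the extension attribute to the same computers as the EFI password policy and build a smart group on the value "disabled"; that group is the list of machines a user could still reach NetBoot or Recovery on. For the rollback question later in the thread, `firmwarepasswd -delete` removes the password locally (it prompts for the current one), so a removal policy can be kept alongside the set policy.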


Thank you, I'll give that a try today!

For anybody else with the same question, here's the JAMF doc for how to set the EFI password.

http://docs.jamfsoftware.com/9.96/casper-suite/administrator-guide/Administering_Open_Firmware_EFI_Passwords.html



To be clear, should this policy be scoped out to all workstations, or just the Netboot server?

Should I encounter any problems, is the EFI policy able to be pulled back easily by setting the Security level of the EFI configuration back to "none"?

Taking a look at this discussion post, it looks like some users have had trouble with the startup disk becoming inaccessible after applying an EFI password.

Looks like the issue is caused by a Yosemite security update...

The startup disk value is stored in PRAM; when the EFI password is enabled, without intervention, the system will only look for that volume to start up from. The Yosemite Recovery Update unceremoniously overwrites the Recovery partition with a new one, so that the value stored in PRAM is no longer valid for the former Recovery Partition, in order to unlock FileVault. So when the system restarts, the volume it wants is no longer present, and it returns a flashing folder with a question mark.

These systems are not touching the internet, and will not be receiving any updates. The Recovery partition should not be touched, so maybe it is a non-issue.

Thank you!

