Jamf Nation Community

Right it could go either way, but even then it's just the 1st step to locking the OS to the hardware. Why would you lock-down the T2 OS and not lock-down the macOS... From some of the reviews there is a mode that

"Full security" ensures that only the latest and most secure software can be run. Apple says this mode requires a network connection at the time of software installation.

C

Still not 100% clear but....

"iMac Pro computers don't support starting up from network volumes"

From the learn more section...

https://support.apple.com/en-gb/HT202770

C

There's quite a bit of discussion on both of these topics (related but separate) on the Mac Admins Slack, but here's my take in summary:

• The KBase article at the top of this thread is referring to when you brick an iMac Pro during what we would have previously called an EFI firmware upgrade. This article could be deemed to be good news, as you have been given a method that doesn't require a trip to an Apple Authorised repair depot. It is related to the T2 chip.
• Another Apple KBase article discusses Secure Boot: https://support.apple.com/en-us/HT208330; note the possibility of changing settings.
• Because so few people have iMac Pros in hand, there is uncertainty about the definitiveness of the other KBase article cited above ("iMac Pro computers don't support starting up from network volumes"). You might be able to NetBoot if you turn off the restriction on booting from external volumes, which would make sense, because you can currently boot a Mac from a NetInstall (NetBoot) set on an external drive.
• As of High Sierra, Apple says that installing the OS requires an Internet connection. (There is a way to build an installer to use offline, but you have to build it while online.)
• Apple is saying to customers at scale, "select your MDM vendor." As a Jamf customer, you already have one. :-) This is another sign that MDM and DEP (where available) are the future of deployments.

In summary, imaging is on its last legs. There are ways to keep it alive for now, but anyone who still expects to be a Mac Admin a year or two from now should be developing workflows that install the OS (if not already present and useable) rather than relying on those that block copy a bootable system. Secure Boot will be a great security boon, but it is yet another nail in the imaging coffin.

Anthony Reimer

The term imaging does not imply that one uses a booted OS.

I actually laughed out loud when I saw this!

@iaml I liked your comment not because I am pleased by it about it but because it possesses inevitable truth.

I just wish there were a way to shoehorn in locally connected content - there this misconception that everyone has unlimited bandwidth to shuttle terabytes of content around, whereas sneakernet is still king, especially if you can get your support crew a handful of USB-C SSDs to rebuild machines... rather than spending 3 minutes just waiting for internet recovery to come up over a gig connection you could have imaged multiple Macs.

In the tradeoff between security and productivity, this is NOT the place to make it.

@Nix4Life Nice gif - it makes me wonder if Apple's actually already brought Skynet online. Think about it - internet recovery is essentially required for all T2-equipped Macs, and don't they have Liquid Metal patents... and Time Machine is built into macOS.

@Sterritt you might like this solution: https://twocanoes.com/products/mac/mac-deploy-stick/ and/or this https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/ :)

@Sterritt

You may also want t to look at bootstrappr and installr, which were the inspiration for the twocanoes project. I have used both with JAMF and Munki, while a client was setting up DEP. USB drives were converted to .dmg and hosted on a simple webserver. We did nightly builds so Techs always had the latest and greatest.

Yeah I think @Chris_Hafner and I were going back and forth and that GIF came to mind. We were discussing how some admins were trying to delay the T2 and hold on to imaging,

Yep!