Posted on 07-17-2018 10:26 AM
Thanks, Apple! Back to the manual method of walking through Apple's setup process to image.
At least until we enroll in DEP.
Posted on 07-17-2018 10:26 AM
https://support.apple.com/en-us/HT202770
Posted on 07-17-2018 10:55 AM
I highly recommend getting on DEP sooner rather than later, because of things like this. Apple has been telling its customers to get onto DEP since 2014 so that you don't have to experience "pulled the rug out from under us" moments.
Posted on 07-17-2018 09:15 PM
Unfortunately DEP still has a few clicks to get started as well.
Apple probably feels 4 or 5 clicks is not that much; they clearly aren't doing it on 1000 machines at once!
The sooner DEP just starts by itself the better!
Posted on 07-18-2018 09:44 AM
@Look , so true. I don't have any labs at my org, but I can imagine. It'd be great if it were like how Apple TVs work with regard to DEP.
Posted on 07-18-2018 08:38 PM
@nvandam yep, once we have this and then either an API or a connector to our CMDB to name / purpose the devices, it will literally be like magic when you put a device on a desk and turn it on!
I have actually done the last bit using scripting anyway, but it would be great if JAMF added it as a feature.
I LOVE the --erase-install option in the new macOS installer though! Self Service reimaging is gonna be great this year!
Posted on 07-20-2018 11:40 AM
I just got my hands on a 13" Coffee Lake 2018 MacBook Pro with the T2 chip. The boot security on the T2 chip is locked down tight as a drum and prohibits booting from an external USB device. There is no way through the GUI to change settings either.
Confirmed this new security "enhancement" with my Apple Rep.
Posted on 07-20-2018 11:48 AM
@mortopc4 , so right now I wipe Macs using a macOS installer on a USB drive. This isn't possible anymore?
Posted on 07-20-2018 11:56 AM
Not sure. This is what I got when popping in my trusty OS troubleshooting USB key...
When trying to unlock per the message I get this
Posted on 07-20-2018 12:34 PM
mine should be in next week. can't wait to get on it and test stuff out.
Posted on 07-20-2018 12:35 PM
Are you able to go into recovery mode, and enable the boot to external device option? How do we get to this option below?
Posted on 07-20-2018 01:09 PM
Unfortunately not. I get the "No Administrator Found" box. I hit ok and it takes me back to the "Authentication Required", I hit the "Enter macOS Password" and go straight to "No Administrator Found". Round and Round.......
The box I am testing has 2 admins, root enabled and my Jamf Admin account, so lots of administrators.
Again, my Apple sales guy indicated this may be standard operating procedure now with the T2 chip on the MacBook Pros.
Posted on 07-20-2018 01:11 PM
Does the FirstBoot NetInstall option still work for these T2 machines? Has anyone gotten a machine to test yet? Mine will be here Monday but I'd like to get a head start on creating the FirstBoot NetInstall image if someone here can confirm it does in fact work.
Posted on 07-20-2018 01:14 PM
Ideally you should be able to get to the above settings by entering the Recovery Volume, choosing Utilities > Startup Security Utility and entering the administrator password.
However as my screenshots show, when you hit the "Enter macOS Password" box it returns "No Administrator Found"... On the iMacs with the T2 chip, hitting the "Enter macOS Password" box will give you a prompt, enter the admin password and you open the security settings to modify Secure/External Booting...
I have just confirmed this on three (3) Coffee Lake MacBook Pros we received on July 18th.
Posted on 07-20-2018 01:44 PM
You need to have an admin with Secure Token to modify these settings.
Posted on 07-20-2018 01:56 PM
Ahhhhhhh makes sense. However shouldn't the first admin account you create using the Apple Setup Assistant get assigned a token?
Posted on 07-20-2018 02:07 PM
Also after using the Apple Setup Assistant to create an admin account I check the securetokenStatus and see that the sole admin on my test box is DISABLED.
I run secureTokenOn <username> -password <password> and get Operation is not permitted without secure token unlock.
Will dig more.....
Posted on 07-20-2018 02:09 PM
Considering the speed improvements over last gen, I'm not sure it's worth buying these "new and improved" macbook pros.
Posted on 07-20-2018 02:16 PM
Yes, initial admin from SA should get Secure Token.
Secure Token status isn't that great unless FileVault is turned on. Could run
diskutil apfs listusers /
and make sure your admin user's GUID shows up.
Would definitely recommend watching this, it's very helpful
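An added example (not from the thread, and not Jamf or Apple code) that turns the two checks mentioned above into a script: it takes the output of `diskutil apfs listusers /` and the `GeneratedUID` of each local account and reports which accounts are APFS cryptographic users on the boot volume, i.e. the accounts that hold a SecureToken and can therefore authenticate to Startup Security Utility. The `diskutil` and `dscl` outputs embedded below are constructed samples with made-up GUIDs; the function names are my own. Run with `--live` on a Mac to query the real commands instead of the samples.

```shell
#!/bin/sh
# Added example: which local accounts are APFS cryptographic users (SecureToken
# holders) on the boot volume. Only those accounts can unlock Startup Security
# Utility on a T2 Mac; an admin that is missing from this list cannot change
# Secure Boot / External Boot even though it is an admin.
#
# Sample data below is constructed to mimic `diskutil apfs listusers /` and
# `dscl . -read /Users/<name> GeneratedUID`; the GUIDs are invented.

SAMPLE_LISTUSERS='Cryptographic users for disk1s1 (2 found)
|
+-- 5A3B6E8C-1F2D-4C7A-9B0E-8D6F4A2C1E35
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User'

# "name guid" pairs, one per line, as you would collect them from dscl (constructed)
SAMPLE_USERS='jamfadmin 5A3B6E8C-1F2D-4C7A-9B0E-8D6F4A2C1E35
localadmin 0C9D2B71-8E4F-4A36-B5D1-7F3E2A9C6B84'

# Print the GUIDs of "Local Open Directory User" entries from a listusers dump.
# The Personal Recovery User is deliberately ignored: it is not an account.
crypto_user_guids() {
    printf '%s\n' "$1" | awk '
        /^\+-- /                          { guid = $2 }
        /Type: Local Open Directory User/ { print guid }
    '
}

# For each "name guid" line, print "name ENABLED" if the GUID is a cryptographic
# user on the volume, otherwise "name DISABLED" (same verdict as
# `sysadminctl -secureTokenStatus <name>` gives, but derived from the volume).
token_status() {
    users="$1"
    guids="$2"
    printf '%s\n' "$users" | while read -r name guid; do
        [ -z "$name" ] && continue
        if printf '%s\n' "$guids" | grep -qix "$guid"; then
            printf '%s ENABLED\n' "$name"
        else
            printf '%s DISABLED\n' "$name"
        fi
    done
}

# Query the real tools. Only meaningful on macOS with an APFS boot volume.
live_report() {
    command -v diskutil >/dev/null 2>&1 || { echo "diskutil not found; run this on macOS" >&2; return 1; }
    live_guids=$(crypto_user_guids "$(diskutil apfs listusers /)")
    # local accounts with UID >= 500, each paired with its GeneratedUID
    live_users=$(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r n; do
        printf '%s %s\n' "$n" "$(dscl . -read "/Users/$n" GeneratedUID | awk '{ print $2 }')"
    done)
    token_status "$live_users" "$live_guids"
}

if [ "${1:-}" = "--live" ]; then
    live_report
else
    token_status "$SAMPLE_USERS" "$(crypto_user_guids "$SAMPLE_LISTUSERS")"
fi
```

With the sample data this prints `jamfadmin ENABLED` and `localadmin DISABLED`: the second admin exists and is an admin, but it never became a cryptographic user on the volume, so it is exactly the kind of account that gets the "No Administrator Found" loop in Startup Security Utility.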
Posted on 07-20-2018 02:32 PM
Koalatee - great info, THX!
My question is why would three (3) separate systems, new out of the box, fail to create the secure token......hmmmmmm I guess an undocumented feature.....LOL!
Posted on 07-23-2018 05:42 AM
UPDATE!!
SO, I waited a few hours. All the while I was trying to determine WHY the system did not create a SecureToken when creating the sole admin account on the system.
After shutting the system down and letting it sit overnight, I came back to it and ...... a Secure Token had been created.
Not sure if it was needing to wait or what, but I now have a token assigned to the sole box admin and can unlock the Secure Startup Utility.
Koalatee - THANK YOU again for the youtube link. It was REALLY helpful!!!!
Posted on 07-23-2018 09:19 AM
Can anyone confirm whether these Macs can start up with a USB key created using the Apple approved "createosxinstallmedia" process using the .app installer? Not talking any sort of USB boot media created outside of this approved workflow.
Posted on 07-23-2018 10:14 AM
It works as long as you enable booting from USB in the Recovery Volume, choosing Utilities > Startup Security Utility and entering the administrator password.
Posted on 07-23-2018 10:26 AM
So...what happens if a tech needs to reimage a T2 device and doesn't have admin credentials for it? Normally, they'd boot from USB and wipe/reinstall. Is the laptop a brick?
I'm not so worried about initial setup, but I'm very concerned about re-provisioning devices. If I can control this via user-approved MDM, that would work for almost all use cases.
Posted on 07-23-2018 12:03 PM
So it seems like Internet Recovery is an option. Hopefully Jamf will provide a way to manage the USB boot setting, as we use a mix of Internet Recovery and USB booters.
Posted on 07-23-2018 12:38 PM
"So...what happens if a tech needs to reimage a T2 device and doesn't have admin credentials for it? " Recovery Boot or Internet Recovery Boot and reinstall macOS.
or Target Disk Mode boot, and connect it to another Mac...
Posted on 07-23-2018 01:04 PM
@gregneagle , Target Disk Mode utilizes Apple Configurator 2, right?
Posted on 07-23-2018 02:03 PM
Not 100% sure but I think that supported target mode installs stopped working in Sierra...
C
Posted on 07-24-2018 07:21 AM
Posted on 07-25-2018 11:48 AM
@gregneagle , Target Disk Mode utilizes Apple Configurator 2, right?
No. It's just like Target Disk Mode has always worked on macOS -- the Mac in TDM is now an external drive. Install to it, wipe it, back it up, copy things to it; etc.
Posted on 07-25-2018 03:22 PM
Hi all, sorry for the dumb question... have not had the chance to see a 2018 Mac yet...
Other than USB boot... will Netboot/Netrestore be still an option once Secure boot is disabled on a T2 machine?
Thinking of “old style” System Image utility bootable standard OS installer or stand alone bootable net volume to avoid target disk mode
Thank you!
Posted on 07-25-2018 04:47 PM
@carlo.anselmi Apple has deprecated NetBoot as well. Yes, it can still run on current versions of macOS Server, or some of the open source equivalents, but it's no longer supported by Apple, so don't expect the hardware to fully support the feature either.
I'm pretty sure NetBoot is "dead" for anything that ships with a T2 on-board.
Just not sure how much time and resources you want to put into a service that Apple has stated they are no longer supporting starting Fall 2018 when Mojave and its equivalent Server.app is released.
~Ted
Posted on 07-31-2018 04:46 AM
As @mortopc4 mentioned you need an admin account to turn off the boot utility... so it got me thinking: can you create an admin account in Terminal in the recovery partition? Would that even work? Haven't had time to poke and test it... but it probably would be the quickest way to disable the boot options on a new machine if it worked.
Posted on 08-08-2018 03:47 PM
We are still having big time issues with this. We just received the new T2 MB Pro for testing that one of our service techs had been called on. We disabled the secure boot and selected "No Security" and also selected "Allow boot from external media". When we try to option boot we get the prohibitory symbol.
Posted on 08-09-2018 06:17 AM
@dubprocess I suspect you would need the latest version of the OS that works on these T2 machines to boot from. You could go to internet recovery and update the OS on your bootstick with one that works.
Still having issues with the FileVault disk password not working. Current workaround is to go into the recovery partition, wipe the drive as encrypted, re-install the OS, then image the machine. But the re-installing OS part can take anywhere from 20 minutes to 2 hours depending on how many machines we have in our lab at the time.
Still waiting to hear back from Apple... they said I should have something by Monday.
Posted on 08-09-2018 10:33 AM
@roiegat Yep, updated the drive to the latest macOS version 10.13.6, still getting the prohibitory symbol.
Posted on 08-09-2018 11:06 AM
Ah I think we found the issue. The OS version 10.13.6 build for the new 2018 MB Pro with T2 chip is not available through the app store. Going to attempt to update to the latest Mojave beta on the drive to see if it resolves the issue. I will report back.
Posted on 08-09-2018 11:23 AM
Netboot is no longer supported on T2. Going full DEP enrollment management. IF there's a problem, the OS will need to be wiped using internet recovery.
Posted on 08-09-2018 01:09 PM
@tnielsen I am not Netbooting though; not sure who that was directed towards?
Posted on 08-09-2018 01:11 PM
So installing Mojave did not fix the issue. I am unable to download the latest build of 10.13.6 even on the latest T2 MacBook Pro via the App Store. I was able to install the latest build (10.13.6 build 17g2208) via Internet Recovery but now I need to get this version somehow to my boot drive.