Mac computers that have the Apple T2 chip don't support starting up from network volumes.

tnielsen
Valued Contributor

Thanks, Apple! Back to the manual method of walking through Apple's setup process to image.

At least until we enroll in DEP.


tnielsen
Valued Contributor

https://support.apple.com/en-us/HT202770

nvandam
Contributor II

I highly recommend getting on DEP sooner than later. Because of things like this. Apple has been telling its customers to get onto DEP since 2014 so that you don't have to experience "pulled the rug out from under us" moments.

Look
Valued Contributor III

Unfortunately DEP still has a few clicks to get started as well.
Apple probably feel 4 or 5 clicks is not that much; they clearly aren't doing it on 1000 machines at once!
The sooner DEP just starts by itself the better!

nvandam
Contributor II

@Look , so true. I don't have any labs at my org, but I can imagine. It'd be great if it were like how Apple TVs work with regard to DEP.

Look
Valued Contributor III

@nvandam yep, once we have this and then either an API or a connector to our CMDB to name / purpose the devices, it will literally be like magic when you put a device on a desk and turn it on! I have actually done the last bit using scripting anyway, but it would be great if JAMF added it as a feature.
I LOVE the --erase-install option in the new macOS installer though! Self Service reimaging is gonna be great this year!

mortopc4
New Contributor III

I just got my hands on a 13" Coffee Lake 2018 MacBook Pro with the T2 chip. The boot security on the T2 chip is locked down tight as a drum and prohibits booting from an external USB device. There is no way through the GUI to change settings either.

Confirmed this new security "enhancement" with my Apple Rep.

nvandam
Contributor II

@mortopc4 , So right now I wipe Macs using a macOS installer on a USB drive. This isn't possible anymore?

mortopc4
New Contributor III

Not sure. This is what I got when popping in my trusty OS troubleshooting USB key...

[screenshot: message shown at boot from the USB key]

When trying to unlock per the message I get this

[screenshot: result of the unlock attempt]

nvandam
Contributor II

mine should be in next week. can't wait to get on it and test stuff out.

drheiner
New Contributor III

Are you able to go into recovery mode, and enable the boot to external device option? How do we get to this option below?

[screenshot: Startup Security Utility options]

Apple T2 Link

mortopc4
New Contributor III

Unfortunately not. I get the "No Administrator Found" box. I hit ok and it takes me back to the "Authentication Required", I hit the "Enter macOS Password" and go straight to "No Administrator Found". Round and Round.......

The box I am testing has 2 admins, root enabled and my Jamf Admin account, so lots of administrators.

Again, my Apple sales guy indicated this may be standard operation procedure now with the T2 chip on the MacBook Pros.

tnielsen
Valued Contributor

Does the FirstBoot netinstall option still work for these T2 machines? Has anyone gotten a machine to test yet? Mine will be here Monday but I'd like to get a head start on creating the FirstBoot Netinstall image if someone here can confirm it does in fact work.

mortopc4
New Contributor III

Ideally you should be able to get to the above settings by entering the Recovery Volume, choosing Utilities > Startup Security Utility and entering the administrator password.

However as my screenshots show, when you hit the "Enter macOS Password" box it returns "No Administrator Found"... On the iMacs with the T2 chip, hitting the "Enter macOS Password" box will give you a prompt, enter the admin password and you open the security settings to modify Secure/External Booting...

I have just confirmed this on three (3) Coffee Lake MacBook Pros we received on July 18th.

koalatee
Contributor II

You need to have an admin with Secure Token to modify these settings.

mortopc4
New Contributor III

Ahhhhhhh makes sense. However shouldn't the first admin account you create using the Apple Setup Assistant get assigned a token?

mortopc4
New Contributor III

Also after using the Apple Setup Assistant to create an admin account I check the securetokenStatus and see that the sole admin on my test box is DISABLED.

I run secureTokenOn <username> -password <password> and get Operation is not permitted without secure token unlock.

Will dig more.....

tnielsen
Valued Contributor

Considering the speed improvements over last gen, I'm not sure it's worth buying these "new and improved" macbook pros.

koalatee
Contributor II

Yes, initial admin from SA should get Secure Token.

Secure Token status isn't that great unless filevault is turned on. Could run

diskutil apfs listusers /

and make sure your admin user's GUID shows up.

Would definitely recommend watching this, it's very helpful
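As an added example (not code from any poster in this thread), here are the two checks mortopc4 and koalatee describe above folded into one script: the "Secure token is ENABLED/DISABLED" line that `sysadminctl -secureTokenStatus` prints, and whether the account's GeneratedUID appears in `diskutil apfs listUsers /` as a Local Open Directory User. The output formats it parses are what those commands print on 10.13-era macOS to the best of my knowledge; the sample outputs, the account name labadmin and its GUID are constructed for the offline demonstration and were not captured from a real Mac.

```shell
#!/bin/sh
# Added example, not from the thread. Audits local admin accounts the way the
# posts above describe by hand: sysadminctl -secureTokenStatus for the token
# flag, and diskutil apfs listUsers / to see whether the account's GeneratedUID
# is actually a cryptographic user of the boot volume.
# Assumption: the output formats below match macOS 10.13/10.14; the sample
# outputs further down are constructed for the offline demo.

# Map the line sysadminctl -secureTokenStatus writes (to stderr) to one word.
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Return 0 if GUID ($2) appears in diskutil apfs listUsers output ($1) as a
# "Local Open Directory User"; recovery keys and other user types do not count.
guid_is_crypto_user() {
    printf '%s\n' "$1" | awk -v g="$2" '
        $1 == "+--" && toupper($2) == toupper(g) { hit = 1; next }
        hit && /Type:/ { if ($0 ~ /Local Open Directory User/) ok = 1; hit = 0 }
        END { exit ok ? 0 : 1 }'
}

# Count the local directory users that can unlock the volume.
local_crypto_user_count() {
    printf '%s\n' "$1" | awk '/Type: Local Open Directory User/ { n++ } END { print n + 0 }'
}

# Live check for one account on a Mac (macOS only; all commands are read-only).
check_admin() {
    user="$1"
    status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    guid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{ print $2 }')
    users=$(diskutil apfs listUsers /)
    state=$(token_state_from_output "$status")
    if guid_is_crypto_user "$users" "$guid"; then crypto=yes; else crypto=no; fi
    printf '%-16s token=%-8s apfs_crypto_user=%s\n' "$user" "$state" "$crypto"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_STATUS='2018-07-25 09:12:03.117 sysadminctl[812:9921] Secure token is ENABLED for user labadmin'
SAMPLE_GUID='1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D'
SAMPLE_LISTUSERS='Cryptographic users for disk1s1 (2 found)
|
+-- 1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User'

# Set RUN_AUDIT=1 on a Mac to check every member of the admin group for real.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    for u in $(dscl . -read /Groups/admin GroupMembership | cut -d: -f2); do
        check_admin "$u"
    done
fi
```

Run it with `RUN_AUDIT=1 sh audit.sh` on the Mac to walk the admin group; none of the three commands needs the secure token itself. The status flag and the listUsers entry should agree for a working admin; when they do not, the listUsers entry is the one that reflects what the volume will actually accept, which is the point koalatee makes about checking the GUID rather than the status alone.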

mortopc4
New Contributor III

Koalatee - great info, THX!

My question is why would three (3) separate systems, new out of the box, fail to create the secure token......hmmmmmm I guess an undocumented feature.....LOL!

mortopc4
New Contributor III

UPDATE!!

So, I waited a few hours. All the while I was trying to determine WHY the system did not create a SecureToken when creating the sole admin account on the system.

After shutting the system down and letting it sit overnight, I came back to it and ...... a Secure Token had been created.

Not sure if it was needing to wait or what, but I now have a token assigned to the sole box admin and can unlock the Secure Startup Utility.

Koalatee - THANK YOU again for the youtube link. It was REALLY helpful!!!!

dgreening
Valued Contributor II

Can anyone confirm whether these Macs can start up with a USB key created using the Apple approved "createosxinstallmedia" process using the .app installer? Not talking any sort of USB boot media created outside of this approved workflow.

jconte
Contributor II

It works as long as you enable booting from USB in the Recovery Volume, choosing Utilities > Startup Security Utility and entering the administrator password.

alexjdale
Valued Contributor III

So...what happens if a tech needs to reimage a T2 device and doesn't have admin credentials for it? Normally, they'd boot from USB and wipe/reinstall. Is the laptop a brick?

I'm not so worried about initial setup, but I'm very concerned about re-provisioning devices. If I can control this via user-approved MDM, that would work for almost all use cases.

dgreening
Valued Contributor II

So it seems like Internet Recovery is an option. Hopefully Jamf will provide a way to manage the USB boot setting, as we use a mix of Internet Recovery and USB booters.

gregneagle
Valued Contributor

"So...what happens if a tech needs to reimage a T2 device and doesn't have admin credentials for it? " Recovery Boot or Internet Recovery Boot and reinstall macOS.

or Target Disk Mode boot, and connect it to another Mac...

nvandam
Contributor II

@gregneagle , Target Disk Mode utilizes Apple Configurator 2, right?

gachowski
Valued Contributor II

Not 100% sure but I think that supported target mode installs stopped working in Sierra...

C

gregneagle
Valued Contributor

> @gregneagle , Target Disk Mode utilizes Apple Configurator 2, right?

No. It's just like Target Disk Mode has always worked on macOS -- the Mac in TDM is now an external drive. Install to it, wipe it, back it up, copy things to it; etc.

carlo_anselmi
Contributor III

Hi all, sorry for the dumb question... have not had the chance to see a 2018 Mac yet...
Other than USB boot... will Netboot/Netrestore still be an option once Secure boot is disabled on a T2 machine?
Thinking of “old style” System Image utility bootable standard OS installer or stand alone bootable net volume to avoid target disk mode
Thank you!

taugust04
Valued Contributor

@carlo.anselmi Apple has deprecated NetBoot as well. Yes it can still run on current versions of macOS Server, or some of the open source equivalents, but it's no longer supported by Apple, so don't expect the hardware to fully support the feature either.

I'm pretty sure NetBoot is "dead" for anything that ships with a T2 on-board.

Just not sure how much time and resources you want to put into a service that Apple has stated they are no longer supporting starting Fall 2018 when Mojave and its equivalent Server.app is released.

~Ted

roiegat
Contributor III

As @mortopc4 mentioned you need an admin account to turn off the boot utility....so it got me thinking - can you create an admin account in terminal in the recovery partition? Would that even work? Haven't had time to poke and test it...but it probably would be the quickest way to disable the boot options on a new machine if it worked.

dubprocess
New Contributor III

We are still having big time issues with this. We just received the new T2 MB Pro for testing that one of our service techs had been called on. We disabled the secure boot and selected "No Security" and also selected "Allow boot from external media". When we try to option boot we get the prohibitory symbol.

roiegat
Contributor III

@dubprocess I suspect you would need the latest version of the OS that works on these T2 machines to boot from. You could go to internet recovery and update the OS on your bootstick with one that works.

Still having issues with FileVault disk password not working. Current work around is to go into recovery partition, wipe drive as encrypted, re-install OS, then image machine. But the re-installing OS part can take anywhere from 20 minutes to 2 hours depending on how many machines we have in our lab at the time.

Still waiting to hear back from Apple..they said I should have something by Monday.

dubprocess
New Contributor III

@roiegat Yep updated the drive to the latest Mac OS version 10.13.6 still getting the prohibitory symbol.

dubprocess
New Contributor III

Ah I think we found the issue. The OS version 10.13.6 build for the new 2018 MB Pro with T2 chip is not available through the app store. Going to attempt to update to the latest Mojave beta on the drive to see if it resolves the issue. I will report back.

tnielsen
Valued Contributor

Netboot is no longer supported on T2. Going full DEP enrollment management. IF there's a problem, the OS will need to be wiped using internet recovery.

dubprocess
New Contributor III

@tnielsen I am not Netbooting though not sure who that was directed towards?

dubprocess
New Contributor III

So installing Mojave did not fix the issue. I am unable to download the latest build of 10.13.6 even on the latest T2 MacBook Pro via the App Store. I was able to install the latest build (10.13.6 build 17G2208) via Internet Recovery but now I need to get this version somehow to my boot drive.
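Added example, not code from anyone in this thread: a build-number comparison for the situation dubprocess ran into, where a 10.13.6 booter built from the App Store download carries an older build than the 17G2208 the 2018 MacBook Pro ships with. Apple builds sort numerically within the letter (17G65 is older than 17G2208, even though "17G2208" sorts before "17G65" as a string), so the script splits the build into its parts before comparing. The machine side reads `sw_vers -buildVersion`; where to read the build out of a given booter is not established in this thread, so the installer build is an argument the caller supplies (assumption). The build strings in the demo are the ones quoted in the thread plus a couple of constructed ones.

```shell
#!/bin/sh
# Added example, not from the thread. Compares Apple build numbers (17G65 vs
# 17G2208 etc.) numerically so a booter can be checked against the build the
# Mac itself runs before you stand at it with an Option-boot that shows the
# prohibitory symbol. Assumption: the caller knows the build the booter was
# made from; sw_vers -buildVersion supplies the machine side on macOS.

# Split a build into "major letter minor" on stdout; exit 1 if malformed.
# Trailing seed suffixes such as the "g" in 18A326g are ignored.
split_build() {
    b=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    major=${b%%[A-Z]*}            # digits before the train letter
    rest=${b#"$major"}            # e.g. G2208
    letter=${rest%%[0-9]*}        # G
    minor=${rest#"$letter"}       # 2208 (or 326G for a seed build)
    minor=${minor%%[A-Z]*}        # drop a seed suffix
    case "$major"  in '' | *[!0-9]*) return 1 ;; esac
    case "$minor"  in '' | *[!0-9]*) return 1 ;; esac
    case "$letter" in [A-Z]) ;; *) return 1 ;; esac
    printf '%s %s %s\n' "$major" "$letter" "$minor"
}

# Return 0 if build $1 is the same as or newer than build $2, 1 if older,
# 2 if either string is not a build number.
build_ge() {
    a=$(split_build "$1") || return 2
    b=$(split_build "$2") || return 2
    set -- $a $b    # $1 $2 $3 = first build, $4 $5 $6 = second build
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return $?; fi
    la=$(printf '%d' "'$2"); lb=$(printf '%d' "'$5")   # letter as char code
    if [ "$la" -ne "$lb" ]; then [ "$la" -gt "$lb" ]; return $?; fi
    [ "$3" -ge "$6" ]
}

# Check a booter's build against the Mac you are standing at (macOS only).
installer_ok_for_this_mac() {
    here=$(sw_vers -buildVersion) || return 2
    if build_ge "$1" "$here"; then
        echo "booter build $1 is at least as new as this Mac's $here"
    else
        echo "booter build $1 is older than this Mac's $here; it may lack this hardware's support"
        return 1
    fi
}

# Demo with the builds named in the thread: the forked 17G2208 against a
# generic 17G65 (constructed as the "older 10.13.6" side for illustration).
if build_ge 17G65 17G2208; then
    echo "17G65 would be accepted as new enough (unexpected)"
else
    echo "17G65 is older than 17G2208: rebuild the booter from the newer installer"
fi
```

Usage on the Mac itself: `installer_ok_for_this_mac 17G65` prints the verdict and exits non-zero when the booter is older than the running build, which is the condition behind the prohibitory symbol reported above.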