@nvandam yep, once we have this and then either an API or a connector to our CMDB to name / purpose the devices, it will literally be like magic when you put a device on a desk and turn it on!
I have actually done the last bit using scripting anyway, but it would be great if JAMF added it as a feature.
I LOVE the --erase-install option in the new macOS installer though! Self Service reimaging is gonna be great this year!
I just got my hands on a 13" Coffee Lake 2018 MacBook Pro with the T2 chip. The boot security on the T2 chip is locked down tight as a drum and prohibits booting from an external USB device. There is no way through the GUI to change settings either.
Confirmed this new security "enhancement" with my Apple Rep.
Unfortunately not. I get the "No Administrator Found" box. I hit ok and it takes me back to the "Authentication Required", I hit the "Enter macOS Password" and go straight to "No Administrator Found". Round and Round.......
The box I am testing has 2 admins, root enabled and my Jamf Admin account on it, so lots of administrators.
Again, my Apple sales guy indicated this may be standard operating procedure now with the T2 chip on the MacBook Pros.
Ideally you should be able to get to the above settings by entering the Recovery Volume, choosing Utilities > Startup Security Utility and entering the administrator password.
However as my screenshots show, when you hit the "Enter macOS Password" box it returns "No Administrator Found"... On the iMacs with the T2 chip, hitting the "Enter macOS Password" box will give you a prompt, enter the admin password and you open the security settings to modify Secure/External Booting...
I have just confirmed this on three (3) Coffee Lake MacBook Pros we received on July 18th.
Also after using the Apple Setup Assistant to create an admin account I check the securetokenStatus and see that the sole admin on my test box is DISABLED.
I run secureTokenOn <username> -password <password> and get "Operation is not permitted without secure token unlock."
Will dig more.....
So, I waited a few hours. All the while I was trying to determine WHY the system did not create a SecureToken when creating the sole admin account on the system.
After shutting the system down and letting it sit overnight, I came back to it and ...... a Secure Token had been created.
Not sure if it was needing to wait or what, but I now have a token assigned to the sole box admin and can unlock the Secure Startup Utility.
Koalatee - THANK YOU again for the YouTube link. It was REALLY helpful!!!!
So...what happens if a tech needs to reimage a T2 device and doesn't have admin credentials for it? Normally, they'd boot from USB and wipe/reinstall. Is the laptop a brick?
I'm not so worried about initial setup, but I'm very concerned about re-provisioning devices. If I can control this via user-approved MDM, that would work for almost all use cases.
Hi all, sorry for the dumb question... have not had the chance to see a 2018 Mac yet...
Other than USB boot... will Netboot/Netrestore still be an option once Secure boot is disabled on a T2 machine?
Thinking of “old style” System Image utility bootable standard OS installer or standalone bootable net volume to avoid target disk mode.
@carlo.anselmi Apple has deprecated NetBoot as well. Yes it can still run on current versions of macOS Server, or some of the open source equivalents, but it's no longer supported by Apple, so don't expect the hardware to fully support the feature either.
I'm pretty sure NetBoot is "dead" for anything that ships with a T2 on-board.
Just not sure how much time and resources you want to put into a service that Apple has stated they are no longer supporting starting Fall 2018 when Mojave and its equivalent Server.app is released.
As @mortopc4 mentioned you need an admin account to turn off the boot utility....so got me thinking - can you create an admin account in terminal in the recovery partition? Would that even work? Haven't had time to poke and test it...but it probably would be the quickest way to disable the boot options on a new machine if it worked.
We are still having big time issues with this. We just received the new T2 MB Pro for testing that one of our service techs had been called on. We disabled the secure boot and selected "No Security" and also selected "Allow boot from external media". When we try to option boot we get the prohibitory symbol.
@dubprocess I suspect you would need the latest version of the OS that works on these T2 machines to boot from. You could go to internet recovery and update the OS on your bootstick with one that works.
Still having issues with FileVault disk password not working. Current workaround is to go into recovery partition, wipe drive as encrypted, re-install OS, then image machine. But the re-installing OS part can take anywhere from 20-2 hours depending on how many machines we have in our lab at the time.
Still waiting to hear back from Apple... they said I should have something by Monday.
So installing Mojave did not fix the issue. I am unable to download the latest build of 10.13.6 even on the latest T2 MacBook Pro via the App Store. I was able to install the latest build (10.13.6 build 17g2208) via Internet Recovery but now I need to get this version somehow to my boot drive.