Posted on 07-17-2018 10:26 AM
Thanks, Apple! Back to the manual method of walking through Apple's setup process to image.
At least until we enroll in DEP.
Posted on 08-09-2018 01:13 PM
When you did recovery, did you do command+r or option+command+r?
Posted on 08-09-2018 01:16 PM
@dubprocess Welcome to the club, been stuck at the same spot for over a week. Two bricks at my desk.
@nvandam Neither recovery works for us, assuming Apple hasn't made the latest build available.
Posted on 08-09-2018 01:20 PM
Okay. Mine kept failing when I'd try just command+R. But when I did option+command+R to install the latest compatible macOS it worked right away. ¯_(ツ)_/¯
Posted on 08-10-2018 09:36 AM
Was able to contact an Apple Engineer via our Apple Enterprise support and they basically told us to kick rocks getting a hold of the latest High Sierra 10.13.6 build 17g2208
Posted on 08-10-2018 09:40 AM
@nvandam There’s no problem restoring 2018 Mac with command+r. The problem is with building a bootable SSD with the new hardware support in it. For that we need the mac installer build that is not available
Posted on 08-10-2018 11:57 AM
@dubprocess, try this on a machine that has the build: installinstallmacos.py
Posted on 08-14-2018 09:34 AM
@nvandam Awesome, thanks for the link. Curious if it's possible to create an installer file and not just install macOS on a disk.
Posted on 08-14-2018 12:15 PM
@dubprocess, it is. Once you run it you'll get the macOS Installer.app, but the contents will all be that of the newest build on the T2 MBP. I have a Self Service policy that downloads the macOS Installer.app to /Applications then uses the -eraseinstall command to wipe and reinstall macOS. It wasn't working on the T2 Mac, but once I got this script and got the newer installer it worked.
Posted on 08-14-2018 02:45 PM
@nvandam Awesome! We will give it a shot. Once I saw Greg Neagle's name I knew it had to be the work of a true ninja. haha
Posted on 08-16-2018 08:42 AM
Since the T2 chips don't support netboot, is there a way to turn an existing NetRestore .nbi into a bootable USB?
Thanks for your time!
Posted on 08-21-2018 06:37 AM
Myself and another tech spent a day trying to boot to a USB stick with varying OSes. We completely disabled security in the "Secure Setup Utility." We kept getting messages to "update," then had to click to connect to the internet. It went through some process, but still failed to boot to ANY USB drive. I went as far as upgrading the USB stick OS to 10.13.6, the same OS that was on the 2018 MBP, and still could not boot to it. We followed ALL of Apple's instructions for booting to USB and all failed. We use TechTools for diagnostic and creating bootable OS USB drives, and no drive w/ their configuration would boot. I consulted Micromat who really had no answer....remove external devices, ensure your admin account is good, etc. We could not boot a 2018 MBP or iMac Pro to a USB device.
It's certainly nice that Apple has locked the Macs down so tightly, but that's left admins in the dark for all we've been doing for a long time. And with everything in the cloud....what real point was there in locking out everyone on the endpoint? Hack the data at rest....there are more holes in the cloud storage than most local devices anyway.
Posted on 08-24-2018 07:45 AM
The initial account that gets created can be used to change settings in the security utility. If the password to this account gets changed it does not seem to update the account that has access to the security utility. Also when I add additional admin accounts it does not give them access to the security utility. I've tried the command diskutil apfs updatePreboot / but it does not seem to update or add accounts.
Has anyone had success updating and adding new accounts giving them access to the security utility?
Posted on 08-24-2018 01:38 PM
A little cheat I will share... some may find it helpful.....
We noticed with the iMac Pros it didn't require Secure Token on their original build (10.13.2 forked). You can mount the recovery/installesd.dmg and find the Startup Security Utility.app. You can grab that and run it locally (without running it in the recovery mode) to make changes with a built-in account without a SecureToken.
Posted on 08-24-2018 01:58 PM
@rvandam
Am curious about the pre-installed OS version on your MBPs.
Our 13” T2 MBPs are pre-installed with 10.13.4, the 15” MBPs have 10.13.6; the 13” gives problems.
After starting in recovery mode and reinstalling the OS, the problems are gone.
Posted on 08-28-2018 02:55 PM
I noticed Apple released a Supplemental Update for 2018 MB Pro models today, 10.13.6 builds 17G2037/15P6805 (prior builds were 17G2208/15P6703). We ended up switching over to a DEP type deployment so imaging for us may go bye bye. I'm sure it's Apple's master plan as we all know.
Posted on 10-18-2018 12:43 PM
End of third party repair life. Time to change other to work.. Bye Apple..
Posted on 03-20-2019 10:03 AM
Just wait until Apple stops signing the Internet Recovery image! :-)
Posted on 03-20-2019 10:49 AM
just wait until macOS & iOS merge..... :D lol
Posted on 03-20-2019 12:29 PM
PhoneBook Pro.
Posted on 03-20-2019 12:55 PM
@mikecardii I was able to clone a 10.13 Netboot.dmg from a nbi set, to an External SSD and use it to image T2 Macs. Here is my process:
Posted on 03-20-2019 01:32 PM
Ran across this in a different thread earlier today - https://twocanoes.com/disable-sip-quickly/
csrutil netboot add address - Set allowed netboot servers
Any more info on what that might do? Mind you this was in reference to iMac Pros... but seems like this might be the missing sauce for NetBooting T2 Macs? Anyone have any more information on csrutil netboot add address?
Posted on 03-20-2019 08:58 PM
nevermind
Posted on 03-21-2019 12:50 AM
csrutil netboot add
That's for pre-T2 Macs and was introduced due to security enhancements to El Capitan; you could only remotely bless/instruct a Mac to NetBoot from a whitelisted server added with that command. We had to do it to our labs otherwise someone would have to walk round option-booting them to NetBoot when it was time to wipe and refresh.
See here for more details:
https://support.apple.com/en-gb/HT205054
T2 Macs will not NetBoot, never ever, sadly. Along with User Approved MDM, bridgeOS/Firmware issues etc etc, an erase/install workflow (using Internet Recovery or pushing the installer application down and running startosinstall --eraseinstall) then DEP enrolment into your MDM is the way Apple are pushing (or have pushed) organisations to go.
Posted on 03-21-2019 08:24 AM
So everything I'm seeing in testing and reading in these threads indicates either Apple has really messed this up, or JAMF does not have proper support for T2 systems. We can not manage startup security on ANY system with a T2 chip, because they all claim there is no Administrator account. There are two, so something is broken. It appears what is broken is SecureToken is not enabled on the admin accounts created by JAMF on DEP systems. As a result, we're locked out of doing anything other than internet recovery to wipe and reload a system as you can't boot external devices (or even the internal recovery for some reason), and dual boot doesn't work because you can never authorize the Windows partition as bootable. Anyone know if this comes down to JAMF not creating accounts properly to be compatible on the new hardware, or Apple not allowing them to because you can ONLY ever get SecureToken on the account created directly by SetupAssistant and no automated bypass of it? Not sure which company we need to hound about fixing this. We've also found single use mode no longer exists on T2 and that's square on Apple...
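The SecureToken condition discussed in the post above can be audited per account. This is an added example, not part of the thread or of Jamf's tooling: it classifies the status line from `sysadminctl -secureTokenStatus` for each member of the local admin group. The function names and sample records are constructed, and the status-line wording is assumed from macOS 10.13 output.

```shell
#!/bin/bash
# Added example: list local admin accounts that do not hold a SecureToken.

# Classify one status line from `sysadminctl -secureTokenStatus <user>`.
# Wording of the status line is an assumption based on macOS 10.13 output.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Live collection (macOS only): one "user|status line" record per admin.
collect_records() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        sed 's/^GroupMembership: *//' | tr ' ' '\n' |
        while read -r user; do
            case "$user" in ''|root) continue ;; esac
            # sysadminctl writes its status to stderr, hence 2>&1
            printf '%s|%s\n' "$user" \
                "$(sysadminctl -secureTokenStatus "$user" 2>&1 | tail -n 1)"
        done
}

# Constructed sample records, used when sysadminctl is not available.
sample_records() {
    cat <<'EOF'
localadmin|2018-08-24 13:38:01.100 sysadminctl[601:7001] Secure token is ENABLED for user localadmin
jamfadmin|2018-08-24 13:38:01.200 sysadminctl[602:7002] Secure token is DISABLED for user jamfadmin
helpdesk|
EOF
}

# Read records on stdin; print "user STATE" for every admin without a token.
# Empty or unrecognised output is reported as UNKNOWN rather than assumed OK.
admins_without_token() {
    while IFS='|' read -r user line; do
        state=$(token_state "$line")
        [ "$state" = ENABLED ] || echo "$user $state"
    done
}

if command -v sysadminctl >/dev/null 2>&1; then
    collect_records | admins_without_token
else
    sample_records | admins_without_token
fi
```

Run as root on the Mac itself, or wrap the output in an MDM inventory attribute so that machines whose management account lacks a token show up before someone needs Startup Security Utility.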