Mac computers that have the Apple T2 chip don't support starting up from network volumes.

tnielsen
Valued Contributor

Thanks, Apple! Back to the manual method of walking through Apple's setup process to image.

At least until we enroll in DEP.


nvandam
Contributor II

When you did recovery, did you do command+r or option+command+r?

jconte
Contributor II

@dubprocess Welcome to the club, been stuck at the same spot for over a week. Two bricks at my desk.
@nvandam Neither recovery works for us, assuming Apple hasn't made the latest build available.

nvandam
Contributor II

Okay. Mine kept failing when I'd try just command+R. But when I did option+command+R to install the latest compatible macOS it worked right away. ¯_(ツ)_/¯

dubprocess
New Contributor III

Was able to contact an Apple Engineer via our Apple Enterprise support and they basically told us to kick rocks on getting a hold of the latest High Sierra 10.13.6 build 17G2208.

dubprocess
New Contributor III

@nvandam There's no problem restoring a 2018 Mac with command+r. The problem is with building a bootable SSD with the new hardware support in it. For that we need the macOS installer build that is not available.

nvandam
Contributor II

@dubprocess , try this on a machine that has the build. installinstallmacos.py

dubprocess
New Contributor III

@nvandam Awesome, thanks for the link. Curious if it's possible to create an installer file and not just install macOS on a disk.

nvandam
Contributor II

@dubprocess, it is. Once you run it you'll get the macOS Installer.app, but the contents will all be that of the newest build on the T2 MBP. I have a Self Service policy that downloads the macOS Installer.app to /Applications then uses the -eraseinstall command to wipe and reinstall macOS. It wasn't working on the T2 Mac, but once I got this script and got the newer installer it worked.

dubprocess
New Contributor III

@nvandam Awesome, we will give it a shot. Once I saw Greg Neagle's name I knew it had to be the work of a true ninja. haha

mikecardii
New Contributor

Since the T2 chips don't support netboot, is there a way to turn an existing NetRestore .nbi into a bootable USB?

Thanks for your time!

dnevius
New Contributor

Another tech and I spent a day trying to boot to a USB stick with varying OSes. We completely disabled security in the "Secure Setup Utility." We kept getting messages to "update," then had to click to connect to the internet. It went through some process, but still failed to boot to ANY USB drive. I went as far as upgrading the USB stick OS to 10.13.6, the same OS that was on the 2018 MBP, and still could not boot to it. We followed ALL of Apple's instructions for booting to USB and all failed. We use TechTools for diagnostics and creating bootable OS USB drives, and no drive w/ their configuration would boot. I consulted Micromat, who really had no answer... remove external devices, ensure your admin account is good, etc. We could not boot a 2018 MBP or iMac Pro to a USB device.

It's certainly nice that Apple has locked the Macs down so tightly, but that's left admins in the dark for all we've been doing for a long time. And with everything in the cloud... what real point was there in locking out everyone on the endpoint? Hack the data at rest... there are more holes in the cloud storage than most local devices anyway.

BCPeteo
Contributor II

The initial account that gets created can be used to change settings in the security utility. If the password to this account gets changed, it does not seem to update the account that has access to the security utility. Also, when I add additional admin accounts it does not give them access to the security utility. I've tried the command diskutil apfs updatePreboot / but it does not seem to update or add accounts.
Anyone had success updating and adding new accounts, giving them access to the security utility?

drheiner
New Contributor III

A little cheat I will share... some may find it helpful...

We noticed with the iMac Pros it didn't require a Secure Token on their original build (10.13.2 forked). You can mount the recovery/installesd.dmg and find the Startup Security Utility.app. You can grab that and run it locally (without running it in recovery mode) to make changes with a built-in account without a SecureToken.

ateazzie
New Contributor III

@rvandam
I am curious about the pre-installed OS version on your MBPs.
Our 13" T2 MBPs are pre-installed with 10.13.4, the 15" MBPs have 10.13.6; the 13" gives problems.
After starting in recovery mode and reinstalling the OS, the problems are gone.

dubprocess
New Contributor III

I noticed Apple released a Supplemental Update for 2018 MB Pro models today, 10.13.6 builds 17G2037/15P6805 (prior builds were 17G2208/15P6703). We ended up switching over to a DEP type deployment so imaging for us may go bye-bye. I'm sure it's Apple's master plan, as we all know.

csliong
New Contributor

End of third party repair life. Time to change other to work... Bye, Apple.

gabester
Contributor III

Just wait until Apple stops signing the Internet Recovery image! :-)

Hugonaut
Valued Contributor II

just wait until macOS & iOS merge..... :D lol


woodsb
Contributor

PhoneBook Pro.

jchen1225
New Contributor III

@mikecardii I was able to clone a 10.13 Netboot.dmg from a nbi set, to an External SSD and use it to image T2 Macs. Here is my process:

  1. Restore Netboot.dmg to a GUID partitioned External SSD (APFS or HFS+ both work).
  2. Boot to the external, upgrade the external drive OS to 10.14.3, with JAMF Imaging auto-launching at root account auto-login.
  3. On a T2 Mac, start up to Recovery and launch Startup Security Utility. Change to ALLOW external boot and set security to Medium.
  4. With the external booted on T2 chip Macs, I am able to image it to Mojave with a base OS 10.14.3 created from AutoDMG.

gabester
Contributor III

Ran across this in a different thread earlier today - https://twocanoes.com/disable-sip-quickly/

csrutil netboot add address - Set allowed netboot servers

Any more info on what that might do? Mind you, this was in reference to iMac Pros... but it seems like this might be the missing sauce for NetBooting T2 Macs? Anyone have any more information on csrutil netboot add address?

chris_kemp
Contributor III

nevermind

neilmartin83
Contributor II

@Sterritt

csrutil netboot add

That's for pre-T2 Macs and was introduced due to security enhancements in El Capitan; you could only remotely bless/instruct a Mac to NetBoot from a whitelisted server added with that command. We had to do it to our labs, otherwise someone would have to walk round option-booting them to NetBoot when it was time to wipe and refresh.

See here for more details:

https://support.apple.com/en-gb/HT205054

T2 Macs will not NetBoot, never ever, sadly. Along with User Approved MDM, bridgeOS/Firmware issues etc etc, an erase/install workflow (using Internet Recovery or pushing the installer application down and running startosinstall --eraseinstall) then DEP enrolment into your MDM is the way Apple are pushing (or have pushed) organisations to go.
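Both nvandam's Self Service policy above and the erase/install workflow described here end in `startosinstall --eraseinstall`, and the thread's recurring failure is an installer whose build is too old for the hardware. The preflight below is an added example (not code from the thread or from Jamf); it assumes the installer app records the OS version it installs in Contents/SharedSupport/InstallInfo.plist under "System Image Info" > "version", and it refuses to erase when that version is below MIN_VERSION (defaulting to the 10.13.6 reported in the thread).

```shell
#!/bin/sh
# Preflight for an erase-and-install policy (added example, not from the thread).
# Assumed layout: <app>/Contents/SharedSupport/InstallInfo.plist holds
#   "System Image Info" -> "version", e.g. 10.13.6.
# MIN_VERSION: lowest installer version known to boot the target hardware.
MIN_VERSION="${MIN_VERSION:-10.13.6}"

# installer_version <Install macOS X.app>: print the OS version the app installs.
installer_version() {
    plist="$1/Contents/SharedSupport/InstallInfo.plist"
    [ -f "$plist" ] || return 1
    # take the <string> that follows <key>version</key> (same line or the next)
    grep -A1 '<key>version</key>' "$plist" \
        | sed -n 's/.*<string>\([0-9.]*\)<\/string>.*/\1/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        a="${a#*.}";   b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# preflight <app>: succeed only if the installer exists and is new enough.
preflight() {
    v="$(installer_version "$1")" || return 1
    [ -n "$v" ] || return 1
    version_ge "$v" "$MIN_VERSION"
}

# Only an explicit --run touches the disk; the functions above are side-effect free.
if [ "${1:-}" = "--run" ]; then
    app="${2:-/Applications/Install macOS High Sierra.app}"
    if preflight "$app"; then
        "$app/Contents/Resources/startosinstall" \
            --eraseinstall --agreetolicense --nointeraction
    else
        echo "installer at '$app' missing or older than $MIN_VERSION; refusing --eraseinstall" >&2
        exit 1
    fi
fi
```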

yadin
Contributor

So everything I'm seeing in testing and reading in these threads indicates either Apple has really messed this up, or JAMF does not have proper support for T2 systems. We cannot manage startup security on ANY system with a T2 chip, because they all claim there is no Administrator account. There are two, so something is broken. It appears what is broken is that SecureToken is not enabled on the admin accounts created by JAMF on DEP systems. As a result, we're locked out of doing anything other than internet recovery to wipe and reload a system, as you can't boot external devices (or even the internal recovery for some reason), and dual boot doesn't work because you can never authorize the Windows partition as bootable. Anyone know if this comes down to JAMF not creating accounts properly to be compatible with the new hardware, or Apple not allowing them to because you can ONLY ever get SecureToken on the account created directly by SetupAssistant and no automated bypass of it? Not sure which company we need to hound about fixing this. We've also found single-user mode no longer exists on T2 and that's square on Apple...