NetBoot Server Now Needs to be Trusted for OS X El Capitan

Rosko
Contributor II

If you haven't seen this yet, check our Apple KB HT205054.

Has anyone looked into ways of automating this? Anyone know if JAMF is going to embed this process into Casper Imaging and Composer?


Aziz
Valued Contributor

A once per computer policy would work.

csrutil netboot add address

Replace address with your netboot server

There might be a better way of doing it.

Rosko
Contributor II

@Abdiaziz Yes, that would work for currently enrolled systems, but what about brand-new out-of-the-box systems? They would need this run before you can image them.

I just know our techs...and anything manual they have to do...well, to say the least is going to involve some complaining.

timsutton
Contributor

You can also dig into System Image Utility's scripts in 10.11 and see how they handle this.

Aziz
Valued Contributor

@Roskos

I totally agree, we're going to have the same issue when we purchase new Macs.

rtrouton
Release Candidate Programs Tester

You'll need to be booted to Recovery, or a NetBoot environment which supports running Recovery's csrutil in order for csrutil netboot add to work. If you're booted from a regular OS X El Cap install, csrutil netboot add will not add NetBoot servers to the list of whitelisted NetBoot servers.

For more information, see this Apple KBase article:
https://support.apple.com/HT205054
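The "once per computer policy" Aziz suggests, with the caveat rtrouton raises (csrutil netboot add only takes effect from Recovery or a NetBoot environment that can run Recovery's csrutil), as an added example script. This is not code from the thread or from JAMF. It assumes the El Capitan csrutil subcommands `netboot list` and `netboot add`, and it assumes `csrutil netboot list` prints the whitelisted addresses somewhere in its output (the parser picks out IPv4 tokens so header lines do not matter). `192.0.2.10` is a placeholder from the documentation address range; replace it with your NetBoot server.

```shell
#!/bin/sh
# Added example: once-per-computer policy script that whitelists a NetBoot
# server for SIP. Not from the thread or JAMF; assumes El Capitan csrutil.
# Placeholder address (RFC 5737 documentation range); override via env var.
NETBOOT_SERVER="${NETBOOT_SERVER:-192.0.2.10}"

# Reject anything that is not a dotted-quad IPv4 address before it is handed
# to csrutil, so a typo in a policy parameter cannot become a stray argument.
valid_ipv4() {
  addr=$1
  case "$addr" in
    *[!0-9.]*|"") return 1 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $addr
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Reads `csrutil netboot list` output on stdin (format assumed) and succeeds
# only if the exact address given as $1 appears as a whitelisted server.
is_whitelisted() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -qx "$1"
}

# Idempotent policy body: skip if already trusted, otherwise try to add and
# re-check, because outside Recovery the add silently has no effect.
apply_policy() {
  server=$1
  if ! valid_ipv4 "$server"; then
    echo "Refusing to whitelist invalid address: $server" >&2
    return 1
  fi
  if csrutil netboot list 2>/dev/null | is_whitelisted "$server"; then
    echo "$server is already a trusted NetBoot server; nothing to do."
    return 0
  fi
  csrutil netboot add "$server"
  if csrutil netboot list 2>/dev/null | is_whitelisted "$server"; then
    echo "$server added to the trusted NetBoot server list."
    return 0
  fi
  echo "csrutil netboot add had no effect; this must run from Recovery." >&2
  return 1
}

# Only run the policy body where csrutil exists (OS X 10.11 or later).
if command -v csrutil >/dev/null 2>&1; then
  apply_policy "$NETBOOT_SERVER"
else
  echo "csrutil not found; this policy only applies on OS X 10.11+." >&2
fi
```

The re-check after `csrutil netboot add` is the important part: on a regular El Capitan boot the command does not error out in a useful way, so a policy that only looks at the exit status would log success while the server was never trusted. Note also bentoms' point later in the thread that the whitelist is cleared by a PRAM reset, so "once per computer" may need to be re-run after one.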

bvrooman
Valued Contributor

It seems like you can set an option at image creation time with the IP address of the NetBoot server that will be hosting the image, thus avoiding the need for the Recovery boot or the csrutil command.

It's also not completely clear whether these are only needed for scripted selection of NetBoot images via bless, or whether it also affects holding Option or N at boot, or using the GUI.

timsutton
Contributor

It's pretty clear that it's only for usage of bless: see the very first text below the headings of the KB.

rtrouton
Release Candidate Programs Tester

The SIP whitelist mainly boils down to "Do you use the bless command for setting a Mac to NetBoot?" If you do, you'll need to whitelist. If you don't, no need to change anything.

Rosko
Contributor II

Thanks for all the feedback, but how/where are you guys reading that this only applies to the bless command?

I've also been working with our Apple Sr. Enterprise Systems Engineer and he is not reading it that way; he reads it as also applying to System Preferences and holding the N key down.

timsutton
Contributor

"With OS X El Capitan, you can continue to use any of these methods to select a NetBoot, NetInstall, or NetRestore disk image from which to start up a Mac:

  • Use Startup Disk preferences: Choose Apple menu > System Preferences, then click Startup Disk.
  • Use Startup Manager: Hold down the Option key while starting up.
  • Hold down the N key while starting up to use the default image on the NetBoot server."

gachowski
Valued Contributor II

@Joshua

I had to read it three or four times to understand it : ) clear as mud

The line after that section finally pushed me to believe that GUI options are not affected : )

C

AVmcclint
Honored Contributor

I am so confused by this..

If Netboot servers have to be trusted... and the only way to trust a netboot server is by booting up from the Recovery partition .... how are we supposed to netboot and image completely blank drives that don't have a Recovery partition?

Also... if we can still hold down Option or N to netboot, why would we have a need to add a trusted netboot server in the first place?

rtrouton
Release Candidate Programs Tester

@AVmcclint,

You're not the only one confused. I wrote a post to help explain what that KBase is trying to communicate:

https://derflounder.wordpress.com/2015/09/05/netbooting-and-system-integrity-protection/

bentoms
Release Candidate Programs Tester

I also posted something on this titled Faffing Around With csrutil

beth_lindner
New Contributor

Happy El Capitan day! I thought this might be a good place to bring up a consideration regarding Apple's System Integrity Protection feature. 'To safeguard against disabling System Integrity Protection by modifying security configuration from another OS, the startup disk can no longer be set programmatically, such as by invoking the bless command.' Therefore using a Casper Suite policy to reboot to a specific local startup disk or current startup disk (if not already blessed) may not reboot to the desired partition. This will be based on current device setup and the SIP status. We are looking into other ways of rebooting with these policies, but for now, please note rebooting to partitions is impacted by SIP status. Using the procedure from Apple will assist with the Netboot workflows though: https://jamfnation.jamfsoftware.com/article.html?id=411

wmateo
Contributor

@bentoms does AutoCasperNBI address this? I just used it to create a netboot and it worked fine.

bentoms
Release Candidate Programs Tester

@wmateo it doesn't, as detailed here, but you might not need to worry as detailed here too. (with a link to @rtrouton's blog in there too).

wmateo
Contributor

@bentoms I did however try to create a NetBoot image of the latest forked iMac17,1 using System Image Utility, and it does autologin root during netboot, but brings me to a login screen, and does appear to be netbooted. So is this the same thing as SIP? Because root seems to be disabled and I enabled it before I captured the OS image. Has anyone else seen this?

bentoms
Release Candidate Programs Tester

@wmateo SIP has nothing to do with this.

How are you creating the root account?

wmateo
Contributor

@bentoms I just realized I had captured the root account incorrectly and have since corrected the error. I read your blog post on SIP and IP helpers. So this does not really affect me since I have IP Helpers set up on my switches. I think most environments that have this already set up probably won't see the difference with regards to netboot. Correct me if I am wrong.

bentoms
Release Candidate Programs Tester

@wmateo you should be on then.

Only possible issue is if automating netbooting & imaging via a policy as that uses the bless command.

In regards to the root account, AutoCasperNBI creates one too. So why create your own?

PEGS_JAMF_Suppo
New Contributor II

The solution that worked for us is to have the client machines on the same subnet as the NetBoot server, thanks @bentoms. Also the late 2015 iMacs have to have 10.11 or above.

mconners
Valued Contributor

Revisiting topic:

We have several IP Helper addresses in place so we can NetBoot our Macs across our subnets. This has worked really well. However, our new clients are 10.11 and higher and the ability to use a policy to initiate a NetBoot for re-imaging simply isn't working. The whole NetBoot server whitelisting conversation looks to be in place.

I was creating a policy that NetBoots our computers at a given time and off we go. The computers are not even attempting to NetBoot. Is there an easy fix to this for our 10.11 Macs? Moving the clients onto the same subnet is not an option. There must be another method for this.

Thoughts? Thanks for your feedback.

bsuggett
Contributor II

My 2 cents worth...

Dual boot bless from Windows to OS X using bootcamp.exe works regardless of whether SIP is enabled or not. Blessing Windows or another OS X partition from OS X can't be done if SIP is enabled.

So this suggests that SIP doesn't protect outside of OS X.

It's a real pain for dual boot environments as we depended on nightly reboots between OSes so Windows can be managed by SCCM and OS X managed by Casper.

bentoms
Release Candidate Programs Tester

@mconners IPHelpers can help.

wangl2
Contributor

@Rosko I am still quite confused about this post and all the ref links within. What's the final words on this? We are purchasing a fleet of new iMacs and I am hoping to NetBoot them to image as the first thing powering up.
Which approach should I take? We are running multi-VLAN and Option + N won't NetBoot the device. In the past, I ran the bless command after logging into the new iMac to NetBoot by specifying the NetBoot server and image (very long command). When do I add this extra process (or command) of trusting the NetBoot server?
Thanks for all help!

rtrouton
Release Candidate Programs Tester

@wangl2, to hopefully help clarify the issue, please see the graphic below.

[image]

wangl2
Contributor

Thanks Rich!
We do use the bless command to NetBoot iMacs. So where do we fit in this extra command to trust the NetBoot server?
Regards,

itupshot
Contributor II

I'm not sure what is the issue discussed here. I haven't run into this.

When we receive a new Mac, we just NetBoot it, image it, and go. All the ones we got this year have all had El Capitan factory-installed, and I've been able to NetBoot, and re-image all of them without any problems.

Is this an issue when adding a NetBoot server to JSS? We don't do that here.

bentoms
Release Candidate Programs Tester

@wangl2 You cannot automate it.

You'll need to boot into recovery & add the IP via csrutil, then NetBoot.

But.. the values you add via csrutil are wiped on a PRAM reset.

The proper fix is IPHelpers.

@itupshot it's only an issue if the NetBoot server is not on the same VLAN as the Macs & no IPHelper is in place.

wangl2
Contributor

@bentoms Thanks dude. You must remember my old post.
Yes, we have always had problems with NetBoot, and every time there is a new release of OS X, I have to alter the command. Maybe I have been doing it the wrong way; that's why I am always hoping someone can direct me to the right path. We run multi VLAN and cannot simply NetBoot by holding Option + N. We run quite a complex bless command to boot new iMacs, which not only specifies the IP of the NetBoot server, but also the path to the right NBI files. So we prepare the NetBoot image on the NetBoot server to create an NBI by using System Image Utility. Then we run the bless command on the new iMacs, which we have to turn on, go through the activation thing and create a local account. To keep the NetBoot image consistent with the newer iMacs, the image size just grows bigger and bigger. Usually I just take a snapshot of the factory image and add Casper Suite, and use that as a minimal image to create my NetBoot image using SIU. I just did one for 10.11 and the size has grown to over 15GB.
I don't like this process at all. So anyone have better ideas of doing this, please let me know.
Thanks all