You'll need to be booted to Recovery, or a NetBoot environment which supports running Recovery's csrutil, in order for csrutil netboot add to work. If you're booted from a regular OS X El Cap install, csrutil netboot add will not add NetBoot servers to the list of whitelisted NetBoot servers.
For more information, see this Apple KBase article:
It seems like you can set an option at image creation time with the IP address of the NetBoot server that will be hosting the image, thus avoiding the need for the Recovery boot or the
It's also not completely clear whether these are only needed for scripted selection of NetBoot images via bless, or whether it also affects holding Option or N at boot, or using the GUI.
Thanks for all the feedback, but how/where are you guys reading that this only applies to the
I've also been working with our Apple Sr. Enterprise Systems Engineer and he is not reading it that way; he reads it as also applying to System Preferences and holding the N key down.
"With OS X El Capitan, you can continue to use any of these methods to select a NetBoot, NetInstall, or NetRestore disk image from which to start up a Mac:
I am so confused by this...
If NetBoot servers have to be trusted, and the only way to trust a NetBoot server is by booting up from the Recovery partition, how are we supposed to NetBoot and image completely blank drives that don't have a Recovery partition?
Also... if we can still hold down Option or N to netboot, why would we have a need to add a trusted netboot server in the first place?
You're not the only one confused. I wrote a post to help explain what that KBase is trying to communicate:
Happy El Capitan day! I thought this might be a good place to bring up a consideration regarding Apple's System Integrity Protection feature. 'To safeguard against disabling System Integrity Protection by modifying security configuration from another OS, the startup disk can no longer be set programmatically, such as by invoking the bless command.' Therefore using a Casper Suite policy to reboot to a specific local startup disk or current startup disk (if not already blessed) may not reboot to the desired partition. This will be based on current device setup and the SIP status. We are looking into other ways of rebooting with these policies, but for now, please note rebooting to partitions is impacted by SIP status. Using the procedure from Apple will assist with the Netboot workflows though: https://jamfnation.jamfsoftware.com/article.html?id=411
@bentoms I did, however, try to create a NetBoot image of the latest forked iMac17,1 using System Image Utility, and it does autologin root during NetBoot, but brings me to a login screen, and does appear to be NetBooted. So is this the same thing as SIP? Because root seems to be disabled, and I enabled it before I captured the OS image. Has anyone else seen this?
@bentoms I just realized I had captured the root account incorrectly and have since corrected the error. I read your blog post on SIP and IP helpers. So this does not really affect me, since I have IP helpers set up on my switches. I think most environments that already have this set up probably won't see the difference with regards to NetBoot. Correct me if I am wrong.
We have several IP helper addresses in place so we can NetBoot our Macs across our subnets. This has worked really well. However, our new clients are 10.11 and higher, and the ability to use a policy to initiate a NetBoot for re-imaging simply isn't working. The whole NetBoot server whitelisting conversation looks to be in play.
I was creating a policy that NetBoots our computers at a given time and off we go. The computers are not even attempting to NetBoot. Is there an easy fix to this for our 10.11 Macs? Moving the clients onto the same subnet is not an option. There must be another method for this.
Thoughts? Thanks for your feedback.
My 2 cents worth...
Dual-boot blessing from Windows to OS X using bootcamp.exe works regardless of whether SIP is enabled or not. Blessing Windows or another OS X partition from OS X can't be done if SIP is enabled.
So this suggests that SIP doesn't protect outside of OS X.
It's a real pain for dual-boot environments, as we depended on nightly reboots between OSes so Windows can be managed by SCCM and OS X managed by Casper.
@Rosko I am still quite confused about this post and all the ref links within. What's the final words on this? We are purchasing a fleet of new iMacs and I am hoping to NetBoot them to image as the first thing powering up.
Which approach should I take? We are running multi-VLAN and Option + N won't NetBoot the device. In the past, I ran a bless command after logging into the new iMac to NetBoot by specifying the NetBoot server and image (a very long command). When do I add this extra process (or command) of trusting the NetBoot server?
Thanks for all help!
I'm not sure what is the issue discussed here. I haven't run into this.
When we receive a new Mac, we just NetBoot it, image it, and go. All the ones we got this year have all had El Capitan factory-installed, and I've been able to NetBoot, and re-image all of them without any problems.
Is this an issue when adding a NetBoot server to JSS? We don't do that here.
@wangl2 You cannot automate it.
You'll need to boot into recovery & add the IP via csrutil, then NetBoot.
But.. the values you add via csrutil are wiped when PRAM reset.
The proper fix is IPHelpers.
@itupshot it's only an issue if the NetBoot server is not on the same VLAN as the Macs and no IP helper is in place.
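The two posts above (the opening post on csrutil netboot add only working from Recovery, and bentoms' summary: boot to Recovery, add the IP via csrutil, entries are lost on a PRAM reset, IP helpers are the proper fix) describe a procedure without showing it. The script below is an added example, not code from the thread or from Apple, that wraps that procedure with the checks a practitioner would want before touching the whitelist. It assumes (not stated in the thread) that `csrutil status` prints a line containing "System Integrity Protection status: enabled." or "disabled.", that `csrutil netboot list` prints each whitelisted address on its own line, and that the Recovery / Base System environment mounts its boot volume as "OS X Base System". The `bsdp://` form of bless is the simple server-only variant; the longer --booter/--kernel form mentioned later in the thread is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the thread): guard rails around `csrutil netboot add`.
# Assumed output formats (see lead-in): `csrutil status` contains
# "status: enabled." / "status: disabled."; `csrutil netboot list` is one
# address per line; Recovery's boot volume is named "OS X Base System".

# sip_state "<csrutil status output>" -> prints enabled | disabled | unknown
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# netboot_whitelisted <ip> "<csrutil netboot list output>"
# Returns 0 when the exact address is already on the whitelist.
# -F -x: match the whole line literally, so 10.0.0.5 does not match 10.0.0.50.
netboot_whitelisted() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# in_recovery -> 0 when booted from Recovery (or a NetBoot'd Base System).
# Heuristic based on the assumed volume name; adjust for your environment.
in_recovery() {
    vol=$(/usr/sbin/diskutil info / 2>/dev/null | sed -n 's/^ *Volume Name: *//p')
    [ "$vol" = "OS X Base System" ]
}

# netboot_bless_cmd <ip> -> prints the bless invocation to run from the
# installed OS once the server is trusted (server-only bsdp:// form).
netboot_bless_cmd() {
    printf 'bless --netboot --server bsdp://%s\n' "$1"
}

# whitelist_netboot_server <ip>
# Adds <ip> only when it is missing and we are actually in Recovery, which is
# where the thread says the command takes effect. Exit codes:
#   0 = whitelisted (or not needed), 2 = wrong environment, other = csrutil error.
# Note: per the thread, entries do not survive a PRAM/NVRAM reset, so run this
# check again after any reset rather than assuming the list is still intact.
whitelist_netboot_server() {
    ip=$1
    state=$(sip_state "$(csrutil status 2>/dev/null)")
    if [ "$state" = disabled ]; then
        echo "SIP is disabled; bless --netboot is not restricted, nothing to add."
        return 0
    fi
    if netboot_whitelisted "$ip" "$(csrutil netboot list 2>/dev/null)"; then
        echo "$ip is already whitelisted."
        return 0
    fi
    if ! in_recovery; then
        echo "Refusing: csrutil netboot add only takes effect from Recovery." >&2
        echo "Boot to Recovery and re-run, or use IP helpers on the switches." >&2
        return 2
    fi
    csrutil netboot add "$ip" && echo "Added $ip. Next, from the installed OS run:" \
        && netboot_bless_cmd "$ip"
}

# Usage (from Recovery, replace the address with your NetBoot server):
#   whitelist_netboot_server 10.0.0.5
```

The pure helpers (sip_state, netboot_whitelisted, netboot_bless_cmd) take the command output as an argument, so they can be checked on any machine; only whitelist_netboot_server and in_recovery call csrutil and diskutil and therefore need a Mac.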
@bentoms Thanks dude. You must have remembered my old post.
Yes, we have always had problems with NetBoot, and every time there is a new release of OS X I have to alter the command. Maybe I have been doing it the wrong way, which is why I am always hoping someone can direct me to the right path. We run multi-VLAN and cannot simply NetBoot by holding Option + N. We run quite a complex bless command to boot new iMacs, which not only specifies the IP of the NetBoot server but also the path to the right NBI files. So we prepare the NetBoot image on the NetBoot server to create an NBI using System Image Utility. Then we run the bless command on the new iMacs, which we have to turn on, go through the activation thing and create a local account on. To keep the NetBoot image consistent with the newer iMacs, the image size just grows bigger and bigger. Usually I just take a snapshot of the factory image and add Casper Suite, and use that as a minimal image to create my NetBoot image using SIU. I just did one for 10.11 and the size has grown to over 15GB.
I don't like this process at all. So if anyone has better ideas of doing this, please let me know.