If you haven't seen this yet, check out Apple KB HT205054.

Has anyone looked into ways of automating this? Anyone know if JAMF is going to embed this process into Casper Imaging and Composer?

A once per computer policy would work.

csrutil netboot add address

Replace address with your netboot server

There might be a better way of doing it.


@Abdiaziz Yes, that would work for currently enrolled systems, but what about brand-new out-of-the-box systems? They would need this run before you can image them.

I just know our techs...and anything manual they have to do...well, to say the least is going to involve some complaining.


You can also dig into System Image Utility's scripts in 10.11 and see how they handle this.


@Roskos

I totally agree, we're going to have the same issue when we purchase new Macs.


You'll need to be booted to Recovery, or a NetBoot environment which supports running Recovery's csrutil in order for csrutil netboot add to work. If you're booted from a regular OS X El Cap install, csrutil netboot add will not add NetBoot servers to the list of whitelisted NetBoot servers.

For more information, see this Apple KBase article:
https://support.apple.com/HT205054


It seems like you can set an option at image creation time with the IP address of the NetBoot server that will be hosting the image, thus avoiding the need for the Recovery boot or the csrutil command.

It's also not completely clear whether these are only needed for scripted selection of NetBoot images via bless, or whether it also affects holding Option or N at boot, or using the GUI.


It's pretty clear that it's only for usage of bless: See the very first text below the headings of the KB.


The SIP whitelist mainly boils down to "Do you use the bless command for setting a Mac to NetBoot?" If you do, you'll need to whitelist. If you don't, no need to change anything.


Thanks for all the feedback, but how/where are you guys reading that this only applies to the bless command?

I've also been working with our Apple Sr. Enterprise Systems Engineer and he is not reading it that way and that it also applies to System Preferences and holding the N key down.


"With OS X El Capitan, you can continue to use any of these methods to select a NetBoot, NetInstall, or NetRestore disk image from which to start up a Mac:

  • Use Startup Disk preferences: Choose Apple menu > System Preferences, then click Startup Disk.
  • Use Startup Manager: Hold down the Option key while starting up.
  • Hold down the N key while starting up to use the default image on the NetBoot server."

@Joshua

I had to read it three or four times to understand it : ) clear as mud

The line after that section finally pushed me to believe that GUI options are not affected : )

C


I am so confused by this...

If Netboot servers have to be trusted... and the only way to trust a netboot server is by booting up from the Recovery partition .... how are we supposed to netboot and image completely blank drives that don't have a Recovery partition?

Also... if we can still hold down Option or N to netboot, why would we have a need to add a trusted netboot server in the first place?


@AVmcclint,

You're not the only one confused. I wrote a post to help explain what that KBase is trying to communicate:

https://derflounder.wordpress.com/2015/09/05/netbooting-and-system-integrity-protection/


I also posted something on this titled Faffing Around With csrutil


Happy El Capitan day! I thought this might be a good place to bring up a consideration regarding Apple's System Integrity Protection feature. 'To safeguard against disabling System Integrity Protection by modifying security configuration from another OS, the startup disk can no longer be set programmatically, such as by invoking the bless command.' Therefore using a Casper Suite policy to reboot to a specific local startup disk or current startup disk (if not already blessed) may not reboot to the desired partition. This will be based on current device setup and the SIP status. We are looking into other ways of rebooting with these policies, but for now, please note rebooting to partitions is impacted by SIP status. Using the procedure from Apple will assist with the Netboot workflows though: https://jamfnation.jamfsoftware.com/article.html?id=411


@bentoms does AutoCasperNBI address this? I just used it to create a netboot and it worked fine.


@wmateo it doesn't, as detailed here, but you might not need to worry as detailed here too. (with a link to @rtrouton's blog in there too).


@bentoms I did however try to create a NetBoot image of the latest forked iMac17,1 using System Image Utility, and it does autologin root during netboot, but brings me to a login screen, and does appear to be netbooted. So this is the same thing as SIP? Because root seems to be disabled and I enabled it before I captured the OS image. Has anyone else seen this?


@wmateo SIP has nothing to do with this.

How are you creating the root account?


@bentoms I just realized I had captured the root account incorrectly and have since corrected the error. I read your blog post on SIP and IP helpers. So this does not really affect me since I have IP helpers set up on my switches. I think most environments that have this already set up probably won't see the difference with regards to netboot. Correct me if I am wrong.


@wmateo you should be on then.

Only possible issue is if automating netbooting & imaging via a policy as that uses the bless command.

In regards to the root account, AutoCasperNBI creates one too. So why create your own?


The solution that worked for us is to have the client machines on the same subnet as the NetBoot server. Thanks @bentoms. Also the late 2015 iMacs have to have 10.11 or above.


Revisiting topic:

We have several IP Helper addresses in place so we can NetBoot our Macs across our subnets. This has worked really well. However, our new clients are 10.11 and higher and the ability to use a policy to initiate a NetBoot for re-imaging simply isn't working. The whole NetBoot server whitelisting conversation looks to be in place.

I was creating a policy that NetBoots our computers at a given time and off we go. The computers are not even attempting to NetBoot. Is there an easy fix to this for our 10.11 Macs? Moving the clients onto the same subnet is not an option. There must be another method for this.

Thoughts? Thanks for your feedback.


My 2 cents worth...

Dual boot bless from Windows to OS X using the bootcamp.exe works regardless of whether SIP is enabled or not. Blessing Windows or another OS X partition from OS X can't be done if SIP is enabled.

So this suggests that SIP doesn't protect outside of OS X.

It's a real pain for dual boot environments as we depended on nightly reboots between OSes so Windows can be managed by SCCM and OS X managed by Casper.


@mconners IPHelpers can help.