It’s hard to get away from the fact that Apple are pushing people away from traditional macOS imaging. A lot of deployment workflows rely on creating an image file and cloning it to a target computers hard drive. The image file can contain an operating system, applications and settings, in a consistent, deployable file.
So whats changed with macOS imaging?
The iMac Pro, by default, does not allow booting to external devices, preventing traditional macOS imaging.
In addition to directly attached boot disks, Apple have noted on thier website “iMac Pro computers don’t support starting up from network volumes.” (https://support.apple.com/en-gb/HT202770).
In early testing, it seems NetBooting is failing, even with secure boot switched off: https://twitter.com/tperfitt/status/946943556190658560
macOS imaging involves replacing the operating system on the Macs hard drive, which requires you to boot from another boot disk. So with no option to boot to an external drive or network volume, imaging is off the table.
Will this affect other models of Mac?
Apple haven’t released information regarding Secure Boot and other models of Macs. Based on the direction they appear to be taking, we would expect this new feature to be rolled out to other models throughout 2018.
Can we just switch it off?
Apple have provided a utility that can be accessed from Startup Security Utility (https://support.apple.com/en-gb/HT208330) that can be used to allow booting to external disks.
The downside is that you have to boot to the recovery partition, launching it from the Utilities menu. Much like SIP (https://support.apple.com/en-gb/HT204899), although it can be switched off, the process is such a faff. It will be easier to adopt new deployment workflows rather than fight against it.
What other workflows are available?
We’ve tested quite a few alternatives, but the ones that we found most “Apple friendly” are:
- Upgrade to the latest macOS: Starting up holding down Option-Command-R will allow you to install the latest available macOS (if you already have 10.12.4 or later installed).
- Erase and install the same macOS: Startup holding down Command (⌘)-R, use Disk Utility to erase the disk, and then re-install the same macOS version.
Using DEp with both of these options will help (https://www.apple.com/business/dep/). Using DEP means that the newly installed Mac will automatically enroll into your MDM server. Ddepending on it’s capabilities, the MDM server can deploy apps and custom settings.
Cool, but how do i do any of that remotely?
I have 2500 remote sites and 10,000 macs how can i image/deploy/provision a lab of machines from my laptop while im on the beach in bora bora. Because i can do that now
Removing netboot is the stupidest thing Apple could do. What other platform would have the gall to treat its users and administrators like this.
Apple have lost the plot
It is a shame, we’ve had very robust deployment workflows for years that can either be fully automated, or require a single button press.
My hope is that this makes things more secure / robust for the Mac users and will ultimately be for the greater good!
I’m really unsure how this is going to help position Apple devices in the enterprise! 🙁 sad times.