Mac Provisioning: Changes in El Capitan to the NetBoot process

Version 2

    Verified Product Versions

    LANDESK Management Suite 9.6LANDESK Management Suite 2016.x

    Description

     

    El Capitan is the most secure OS ever released by Apple, this is a double edged sword when looked at in the light of deploying new operating systems to Mac clients.

     

    With OS X 10.11 (El Capitan) Apple has introduced a new security feature surrounding the Netboot process in efforts to prevent unauthorized Netbooting. While this sounds great in theory, it makes the practice of Netbooting a Mac more difficult for anyone trying to automate the process of OS Deployment on the Mac platform.


    1. Mac clients that are running El Capitan are only allowed to boot from servers listed on trusted Netboot server whitelist.
      • This change allows companies to place tight controls over what machines within their company are allowed to serve up Netboot images. Unfortunately, the process to add Netboot servers to the whitelist requires an Administrator goes hands on with the client machine in question. Also the whitelist is configured individually on each client, and Apple has not provided a method to update it from a central list.
      • The reason an Administrator is required to make the change is the machine must first be booted into Recovery Mode for the commands to be run to add entries to the whitelist.
      • This change is stored in the clients NVRAM and so will persist through all reboots and re-imaging the machine until NVRAM is reset.

     

    Impact

     

    This new change to the architecture of OS X prevents anyone from remotely initiating a Netboot, unless the Netboot Server (PXE Representative and\or OS X Server) has been whitelisted on the specific client that you need to boot. This means that a LANDESK Provisioning Template with a Reboot\Shutdown action that is configured to Netboot a mac will fail unless the Netboot server for that client is whitelisted.

     

    Solution

     

    Being as this is a change in how Apple has architected the Netboot process it is not possible to offer a solution that allows for the same level of ease and functionality, however it is still possible.

     

    1. As mentioned above you can enable remote Netbooting by whitelisting the Netboot Server through a terminal in the OS X Recovery Mode. You can find more information about this from Apple Support:
      1. Prepare for NetBoot, NetInstall, and NetRestore requirements in OS X El Capitan - Apple Support
      2. Also another third party site has posted a detailed description to this process, this is available here:
    2. The alternative method that requires no extra configuration of you OS X 10.11 clients is to manually Netboot the clients and select the provisioning template yourself.

     

    Unfortunately both methods require you to physically touch the machine at least once. However due to the nature of the changes it is not yet possible for LANDESK to control the whitelisting on clients.