T2 Chip MacBooks - Preboot/Recovery showing Encrypted at Rest and won't boot

I'm trying to get imaging working for the new T2 chip machines. I know Apple is trying to move away from imaging, but I don't see the sense in manually reinstalling the OS every time we want to start a machine over from scratch, plus installing all the software/configurations, etc. Anyway, I feel like I'm close to finding a way to do this, but I'm getting hung up in a few areas. I know this isn't specific to Jamf, but with all the wealth of knowledge this group has, I wanted to share here in case anyone had insight into this.

We originally used DeployStudio to create and restore our images. I'm having a problem with the workflow currently on this new machine. I have it booted to an external drive with 10.14.2 installed on it; that drive has DeployStudio Runtime on it. If I restore our regular image it's not bootable due to the "Encrypted at rest" flag on the Preboot and Recovery partitions. For example:

Out of the box, "diskutil apfs list" shows output like this (not all information shown, just the relevant part):

Volume disk1s1
name: macintosh HD
Filevault: No (Encrypted at rest)

Volume disk1s2
name: Preboot
Filevault: No

Volume disk1s3
name: Recovery
Filevault: No

If you notice, the main drive shows Encrypted at Rest but the Preboot and Recovery partitions do not.

If I use DeployStudio to lay down an image that I captured using the Capture task sequence in DeployStudio, the layout changes to this:

Volume disk1s1
name: macintosh HD
Filevault: No (Encrypted at rest)

Volume disk1s2
name: Preboot
Filevault: No (Encrypted at rest)

Volume disk1s3
name: Recovery
Filevault: No (Encrypted at rest)

In this state the machine will not boot; it shows the flashing folder with a ?.
I already mounted the Preboot volume to make sure the UUID folder inside it is correct. bless --info also shows the correct information. I think the root issue is the encrypted at rest component.

If I create an image with AutoDMG and restore that image, it actually lays down the Preboot and Recovery partitions correctly, without the encrypted at rest flag.

I can also use the asr command line to restore the image I built, but that only works if the Preboot and Recovery partitions are already there. If the drive gets formatted for some reason and I have to start from scratch, the only workflow I have so far that works is to restore the AutoDMG image first, then asr restore my real image after that.

A couple of things I'm looking for. Is there a way to make the AutoDMG image read/write so I can just edit that DMG into the correct image, since that DMG file works as expected? I already tried hdiutil convert but it says the image is not recognized.

The other option would be a way to turn off encryption at rest for those partitions, or to delete them and create new ones without encryption at rest enabled.
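As an added example (not code from the original post, and not something the poster ran), here is a small POSIX shell check that parses the human-readable `diskutil apfs list` layout quoted above and fails when Preboot or Recovery carries the "Encrypted at rest" state, so a restore workflow can stop before rebooting into the flashing ?-folder. The two samples embedded in it are constructed from the post's own listings, not captured from a machine; the parser additionally assumes real output may prefix the volume header with `+->` and a UUID and suffix the name with `(Case-insensitive)`, which the post does not show.

```shell
#!/bin/sh
# Added example, not code from the original post: detect the APFS state the
# post describes, where Preboot and Recovery show "Encrypted at rest" after a
# DeployStudio restore and the machine no longer boots.
#
# Assumption: the human-readable layout of `diskutil apfs list`, i.e. a
# "Volume diskNsM" header followed by "Name:" and "FileVault:" lines. Real
# output is assumed to prefix the header with "+-> " plus a UUID and to suffix
# the name with "(Case-insensitive)"; both are tolerated.

# Constructed samples modelled on the two listings in the post (hand-typed,
# not captured from a machine).
SAMPLE_FACTORY='Volume disk1s1
name: Macintosh HD
Filevault: No (Encrypted at rest)

Volume disk1s2
name: Preboot
Filevault: No

Volume disk1s3
name: Recovery
Filevault: No'

SAMPLE_AFTER_RESTORE='Volume disk1s1
name: Macintosh HD
Filevault: No (Encrypted at rest)

Volume disk1s2
name: Preboot
Filevault: No (Encrypted at rest)

Volume disk1s3
name: Recovery
Filevault: No (Encrypted at rest)'

# Read `diskutil apfs list` text on stdin and emit one tab-separated line per
# volume: device, name, state (plain | filevault | encrypted-at-rest).
parse_apfs_volumes() {
  awk '
    function flush() {
      if (dev != "") printf "%s\t%s\t%s\n", dev, name, state
      dev = ""; name = ""; state = "plain"
    }
    # Volume header; "+-> " prefix and trailing UUID are ignored.
    /Volume disk[0-9]+s[0-9]+/ {
      flush()
      for (i = 1; i <= NF; i++) if ($i == "Volume") { dev = $(i + 1); break }
      next
    }
    tolower($1) == "name:" {
      sub(/^[ \t]*[Nn]ame:[ \t]*/, "")
      sub(/[ \t]*\(Case-[^)]*\)[ \t]*$/, "")
      name = $0
      next
    }
    tolower($1) == "filevault:" {
      if ($0 ~ /Encrypted at rest/) state = "encrypted-at-rest"
      else if (tolower($2) == "yes") state = "filevault"
      else state = "plain"
      next
    }
    END { flush() }
  '
}

# Exit 0 when Preboot and Recovery are plain (the factory layout that boots),
# 1 when either carries the encrypted-at-rest state; names the offenders.
check_boot_helpers() {
  parse_apfs_volumes | awk '
    BEGIN { FS = "\t"; bad = 0 }
    tolower($2) == "preboot" || tolower($2) == "recovery" {
      if ($3 == "encrypted-at-rest") {
        bad = 1
        printf "%s (%s): encrypted at rest\n", $2, $1
      }
    }
    END { exit bad }
  '
}

# Wrappers over the embedded samples. On a real machine booted from the
# external drive, run:  diskutil apfs list | check_boot_helpers
check_sample_factory()  { printf '%s\n' "$SAMPLE_FACTORY" | check_boot_helpers; }
check_sample_restored() { printf '%s\n' "$SAMPLE_AFTER_RESTORE" | check_boot_helpers; }
```

`check_sample_factory` passes and `check_sample_restored` fails with `Preboot (disk1s2): encrypted at rest` and `Recovery (disk1s3): encrypted at rest`, which is exactly the difference between the two listings in the post. Piping live `diskutil apfs list` output into `check_boot_helpers` after an asr or DeployStudio restore gives a non-zero exit to gate the reboot on.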