Category Archives: netboot

Configuring System Integrity Protection in a NetBoot environment

System Integrity Protection (SIP) can be enabled and disabled using csrutil from OS X Recovery per Apple’s documentation. However, booting to Recovery is a local-only procedure and allows no remote access capabilities. I work remotely, so it interests me to have capabilities to remotely change SIP status instead of walking a user through the Recovery process, which is daunting over the phone. We currently have NetBoot with Apple Remote Desktop (ARD) access in all offices and that can be leveraged for our needs.

The NetBoot environment by default doesn’t allow for csrutil access to enable or disable SIP.

[Screenshot: original NetBoot environment, no csrutil access]

However, if we copy boot.efi from a Recovery partition and use it to replace the i386/booter file in the NetBoot NBI, the NetBoot environment can adjust SIP’s status.

[Screenshot: adjusted NetBoot environment, csrutil access available]

To extract the boot.efi, first we have to determine which partition the Recovery OS is on and mount it. In this example the Recovery OS is on /dev/disk1s3 and is on an APFS formatted disk. Use mount -t apfs /dev/disk1s3 /path/to/mountpoint to mount it to a mount point and copy the boot.efi file off.

[Screenshot: mounting the Recovery partition]

Now copy the boot.efi into the NBI’s i386/ directory, name it booter and give it 664 root:admin permissions.

[Screenshot: copying boot.efi to booter in the NBI]

Now when I NetBoot to that NBI I can gain access with ARD and adjust SIP status with csrutil.
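The copy step above as a shell function, added here as an example and not taken from the original post: it keeps a backup of the stock booter, installs the Recovery boot.efi with the 664 root:admin permissions the post gives, and verifies the result byte for byte. The function name, the `.orig` backup suffix and the `BOOTER_OWNER` override are assumptions, as is searching the mounted volume for boot.efi, since the post does not give its path.

```shell
#!/bin/sh
# Added example, not from the original post. Both paths are arguments
# (assumptions); boot.efi is located by search, not by a hard-coded path.
# Hypothetical usage: sudo sh install_booter.sh /path/to/mountpoint /path/to/NBI

# Owner stated in the post; overridable so the function can be tried elsewhere.
BOOTER_OWNER="${BOOTER_OWNER:-root:admin}"

# install_booter RECOVERY_MOUNTPOINT NBI_DIR
install_booter() {
    recovery_mnt=$1
    nbi_dir=$2
    booter="$nbi_dir/i386/booter"

    [ -d "$nbi_dir/i386" ] || { echo "no i386/ directory in $nbi_dir" >&2; return 1; }

    # Refuse to guess: exactly one boot.efi must exist on the mounted volume.
    found=$(find "$recovery_mnt" -type f -name boot.efi 2>/dev/null)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "expected 1 boot.efi, found $count" >&2; return 2; }

    # Keep the stock booter once, so the change can be reverted later.
    if [ -f "$booter" ] && [ ! -f "$booter.orig" ]; then
        cp -p "$booter" "$booter.orig" || return 3
    fi

    cp "$found" "$booter" || return 3
    chmod 664 "$booter" || return 3
    chown "$BOOTER_OWNER" "$booter" || return 3

    # Confirm the installed booter is identical to the Recovery boot.efi.
    cmp -s "$found" "$booter" || { echo "booter differs from boot.efi" >&2; return 4; }
    echo "installed $found as $booter"
}

# Run only when both paths are supplied on the command line.
if [ "$#" -eq 2 ]; then
    install_booter "$1" "$2"
fi
```

The `.orig` copy is what lets you restore the NBI to its default behaviour, where csrutil cannot change SIP status.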


Netboot compatibility chart for Thunderbolt adapters and docks – community feedback requested

Since Apple’s laptops have gotten thinner there’s less room for IT-important things like Ethernet ports.  Many of us use a network based imaging process to get machines ready for our respective environments.  The lack of a built-in Ethernet port forces us to use Ethernet adapters whether it be USB2.0, USB3.0, Thunderbolt, or Thunderbolt Docks.  Unfortunately the vendors that make these devices don’t seem to worry about the Netbootability of their adapters or docks.  That functionality is a big unknown.  At $2-300/dock guessing wrong isn’t cheap.  Some work if you hold down the “n” or “Option” key on boot but don’t provide Netboot options when trying to set it via the Startup Disk Preference Pane or using the ‘bless’ command from the command line and vice versa.  In my environment it is important to be able to send a command remotely to have the computer Netboot.  Physically holding a key is as good as not having it at all.

I’m sending a call out to all Mac admins willing and able to report back what has and has not worked for you with the adapters you’ve tried.  I’ve started a publicly accessible spreadsheet at Google Sheets trying to detail all the pertinent information.  I’m sure there are others out there that have tried and tested other adapters and docks with varied success.  All could benefit from this gathered information so please contribute if you can.

To supply feedback on different adapters and docks please do the following.  The Netboot columns require specific tests be run as the method matters:

  1. “Netboot ‘n’ on boot” : Hold the ‘n’ key down when powering on the computer.
    Success = booting to the NBI.
  2. “Netboot Boot Picker (option key)” : Hold the ‘option’ key down when powering on the computer.
    Success = if you see NBI(s) to pick from the boot picker interface
  3. “Netboot ‘bless’ command” : With the computer booted to the internal drive issue the command ‘sudo bless --netboot --server bsdp://’ and reboot.
    Success = booting to the NBI
  4. “Netboot Startup Disk” : Boot up the computer to the internal disk and log in.  Open the Startup Disk System Preference.
    Success = if you see NBI(s) to pick as the startup disk

The other columns like Vendor ID, Product ID, etc., can be found by running ‘system_profiler SPUSBDataType’ or ‘system_profiler SPThunderboltDataType’ depending on what type of adapter you’re using.

Thanks, and go team!


Installing VMWare Tools on a Netboot NBI

Netboot is great. VMWare Fusion is great. Yosemite is….Netboot and VMWare are great. I use VMs to test things on our builds at work. To get those VMs set up I use our imaging process that utilizes Netboot. However, I discovered that, new with Yosemite, when the VM Netbooted to our Yosemite NBI I wasn’t able to log in to OS X. After typing in the username and password the login attempt would just hang with the spinning gear turned beachball. No bueno. Turns out all it requires is getting the VMWare Tools installed on the NBI. No problem, right? But VMWare’s installer (read: .app) doesn’t allow installing on a non-boot volume. Crap. This wouldn’t be a very interesting post if we stopped here so…

TL;DR: you need to mount the NBI and install the tools via the CLI ‘installer’ command.

First, make sure that your existing NBI is read/write when mounted.  In my case the NBI is actually a .sparseimage but renamed to .dmg for Netboot use.  When mounting the image named .dmg it mounts as read-only.  Renaming the .dmg to .sparseimage mounts the volume as read-write. YMMV. There are ways to convert disk images to read-write. I’ll leave that discovery up to you if your environment requires it.

VMWare Tools acquisition/installation:

There are a couple ways to get the tools.  I prefer to pull the tools from the VMWare bundle itself to guarantee that the version of VMWare Fusion you’re running is compatible with the tools. If you want an automated way using AutoPkg to get the latest tools check out Rich Trouton’s post at Der Flounder.  You can also download the tools if you know what version you need at VMWare’s repository.

Locally, the tools are located in the application bundle found at /Applications/VMware\


Mounting that image results in the installer and uninstaller.


However attempting to use the .app installer will fail as it won’t let you target the install on a non-boot drive.  Since it’s a .app “installer” there must be a .pkg buried in the bundle. To get the actual installer .pkg right click on “Install VMWare” and choose “Show Package Contents”.  Navigate to the /Volumes/VMware\ Tools/Install\ VMware\ directory.  There you’ll find “VMWare Tools.pkg”. Jackpot.


Copy the “VMWare Tools.pkg” to the computer where the NBI is mounted and run ‘installer’ pointing the target at the mounted Netboot NBI.

 sudo installer -pkg /Volumes/VMware\ Tools/Install\ VMware\ Tools.pkg -target /Volumes/Yosemite\ NetBoot -verbose

That will install on the mounted volume.  Once complete, unmount the NBI, rename it if necessary, and you should now be able to log into a Yosemite NBI when Netbooted in VMWare Fusion.
