Using the -Bless Command on Multiboot Macs with 10.11 El Capitan
As part of our standard deployment, we tend to deploy multiple OSs on Macs, from 10.7 to 10.11. However, with the new SIP (System Integrity Protection), the -bless command no longer works properly.
I need the Macs to boot to each OS during the initial configuration to properly name the OS for Active Directory binding and then do the actual binding.
I've tried to use the "csrutil disable" command recommended in some other places, but that requires booting into the Recovery OS and that change is stored in the NVRAM, so it's local to whatever machine I'm using. Meaning that it won't be part of the 10.11 image deployed.
In the end, I need to be able to script multiple -bless commands, telling the Mac to boot to different OSs on separate partitions on the internal hard drive. It's critical to the image process.
Does anyone have any idea on how to do such a thing?
I've had good luck using AutoDMG and munki's crgateosxintallpkg scripts with 10.11 in beta. I haven't done the work yet on the current build, but i think these SIP issues and bless changes were fit in by Apple before release so you shouldn't have issues using these tools.
Are you running into a specific error? What MDM or deployment framework are you using? If you have scripts, it might be easier to adopt one of the standard tools than re-working yours, but both are on github so you can see how they are handling SIP/bless if you need that level of detail.
- https://github.com/MagerValp/AutoDMG
- https://github.com/munki/createOSXinstallPkg
- Automate Yosemite Upgrade
- https://jamfnation.jamfsoftware.com/article.html?id=334
- https://support.apple.com/en-us/HT205054
The last link is Apple's official word on how you will need to script your client Mac to trust the netboot server and the commands needed to navigate the SIP changes for distribution of 10.11 images.
In a nutshell, you can list the "blessed" netboot servers as opposed to blessing the image itself.
csrutil netboot add 10.0.10.10
csrutil netboot list