NetBoot, NetInstall, and NetRestore requirements in OS X El Capitan

OS X El Capitan adds security enhancements that change the way you use the bless command to select a network disk image.

Select a network disk image

With OS X El Capitan, you can continue to use any of these methods to select a NetBoot, NetInstall, or NetRestore disk image from which to start up a Mac:

  • Use Startup Disk preferences: Choose Apple menu > System Preferences, then click Startup Disk.
  • Use Startup Manager: Hold down the Option key while starting up.
  • Hold down the N key while starting up to use the default image on the NetBoot server.

Add a trusted NetBoot server

If you use the bless command to choose a network disk image, the System Integrity Protection feature of OS X El Capitan requires you to first set your Mac to trust the NetBoot server. You can do this by using the Bless NetBoot Server action in the System Image Utility app, or by using the csrutil command-line tool.

Use the Bless NetBoot Server action

Use the Bless NetBoot Server action when creating the NetInstall or NetRestore image.

  1. The Bless NetBoot Server action is available by clicking the Customize button in System Image Utility. This action requires that you input the NetBoot server's IP address.
  2. Copy the image to your NetBoot server.
  3. On the client Mac, start up from the image using one of the methods described above.
  4. After deploying the image to your Mac, you can use the bless command to select network disk images hosted on your NetBoot server.

Use csrutil

If you don't use the Bless NetBoot Server action, you can use these steps instead.

  1. Start up in OS X Recovery by holding down Command-R while the Mac is starting up.
  2. Choose Terminal from the Utilities menu.
  3. Type the following command in Terminal to add a trusted server. Change address to the IP address of your NetBoot server.

    csrutil netboot add address

  4. Press Return.
  5. Choose Restart from the Apple menu. You can now use the bless command to select network disk images served from your NetBoot server.

To stop trusting a NetBoot server or to view a list of currently trusted servers, start your Mac from OS X Recovery, then follow these steps:

  • Open Terminal from the Utilities menu and enter the following command to tell your Mac to stop trusting the NetBoot server. Change address to the IP address of your NetBoot server or the index of the image.

    csrutil netboot remove address

To view a list of authorized NetBoot servers that you can use with bless, open Terminal from the Utilities menu, and enter the following command. (It's not necessary to start up in OS X Recovery for this command.)

csrutil netboot list

Published Date: 2016-06-10