Removing the 10.10.xx Recovery Partition/Imaging

rhoward
Contributor

Hello everyone,

We are now planning to roll out 10.10 to machines. Currently we remove the recovery partition to prevent students from booting to this and resetting the admin password, etc. What we usually do is remove the Recovery HD and merge a blank partition through Terminal on our base image and deploy out that image. However, with Yosemite and CoreStorage, this seems to have changed how we do this through Terminal/Disk Utility. I could change the drives from being CoreStorage back to what they were in the previous OS, but I'm not sure how that would work with imaging the computers going forward.

Any and all thoughts would be greatly appreciated.

6 REPLIES

nessts
Valued Contributor II

I think you need a firmware password more than you need to remove the recovery partition. If there is no recovery partition, newer Macs will still boot to a recovery mode with Command-R and do internet recovery. Single user mode is the one most sites tell users how to reset an admin password or elevate one's permissions.
However, to answer your question:
diskutil cs list, get the volume UUID, then
diskutil cs revert UUID

davidacland
Honored Contributor II

In this scenario I would normally recommend a firmware password. This would let you keep all the necessary Mac functionality and prevent them from booting to the recovery partition without the password.

If I just wanted to stop the recovery partition from being used, I would scope a policy to a smart group that checks if the partition exists. The policy could just run a one line terminal command to remove it.

rhoward
Contributor

Thanks for the responses so far.

The terminal command to remove it doesn't give the space back to Macintosh HD. When we run the diskutil mergePartitions command it will not let us merge them due to the CoreStorage woes.

davidacland
Honored Contributor II

You could switch it back to normal from Core Storage; as far as imaging devices goes, that shouldn't have any impact.

To be honest though you are talking about a very small amount of space so you could just as easily leave it! There's not much of a benefit to be had.

That aside, I would still suggest using a firmware password instead.

bentoms
Release Candidate Programs Tester

It's only 650MB I think.

You could do this destructively by deleting the coreStorage volumes. Then creating a new one using the whole disk.

There are also some undocumented CoreStorage commands too.

Chris_Hafner
Valued Contributor II

I have to jump in and just add a +1 to using a firmware password. Not having a recovery volume is completely useless once a student googles "How to gain admin on mac". A simple rm /var/db/.AppleSetupDone and you're there. And just because I said it, I did in fact google that specific string and this solution was available in the very first link. It's actually quite a bit faster than using the recovery partition.

Beyond that, you can use extension attributes to pull a list of admin users. I use such an extension along with a smart group that shows me any student laptop that has admin users beyond our normal management account.
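
An extension attribute of the kind described in the last reply could look like this. It is an added example, not a script posted in the thread or by any of its participants; the management account name `jamfmgmt`, the function names and the sample member list are assumptions.

```shell
#!/bin/bash
# Added example: extension attribute that reports admin-group members
# other than the accounts expected to be there.

# Accounts expected in the admin group (hypothetical names, adjust to your site).
ALLOWED_ADMINS="root jamfmgmt"

# unexpected_admins "<members>" "<allowed>"
# Both arguments are space-separated account names.
# Prints the members that are not in the allowed list.
unexpected_admins() {
    list=$1
    allow=$2
    extra=""
    for u in $list; do
        case " $allow " in
            *" $u "*) ;;                       # expected account, skip
            *) extra="${extra:+$extra }$u" ;;  # anything else is reported
        esac
    done
    printf '%s' "$extra"
}

# format_result wraps the value in <result> tags, the format an
# extension attribute script returns its value in.
format_result() {
    if [ -n "$1" ]; then
        printf '<result>%s</result>\n' "$1"
    else
        printf '<result>None</result>\n'
    fi
}

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: dscl prints "GroupMembership: root user1 user2".
    members=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        sed 's/^GroupMembership: *//')
else
    # Constructed sample so the script also runs off a Mac.
    members="root jamfmgmt student01"
fi

format_result "$(unexpected_admins "$members" "$ALLOWED_ADMINS")"
```

A smart group whose criterion is this attribute not being `None` then lists the machines to look at. `GroupMembership` shows direct members only, so an account that is admin through a nested group will not appear in the result.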