Disable Netboot?

ChickenDenders
New Contributor III

Hello Everybody!

We are looking to disable booting into our Netboot partition. A user managed to find his way to the Netboot partition on his workstation by holding the option key during startup - I think he was trying to throw a PRAM reset?

Anyway, he didn't do anything majorly destructive once he got in, but we found that he was able to enable Wi-Fi, and delete folders off the workstation's internal hard drive.

The environment I'm administering was mostly already set up before the previous admin left the company. I've been building and managing packages, but setting up the Netboot server isn't something I was involved in. I figure it is necessary to not completely remove the Netboot functionality, in the event that a full workstation reimaging is ever necessary.

Is it possible to remove the ability for users to boot into the Netboot partition on their own, and restrict it to something I have more control over? Maybe a JSS policy that I can just keep disabled until it is needed? Or, go into the Netboot image itself and lock it down more than it currently is. Suggestions?

Thank you!

1 ACCEPTED SOLUTION

rhoward
Contributor

You should use a firmware password. This would also prevent people from using the recovery drive as well. You can create a policy in the JSS to scope the EFI password.


3 REPLIES

ChickenDenders
New Contributor III

Thank you, I'll give that a try today!

For anybody else with the same question, here's the JAMF doc for how to set the EFI password.

http://docs.jamfsoftware.com/9.96/casper-suite/administrator-guide/Administering_Open_Firmware_EFI_P...

ChickenDenders
New Contributor III

To be clear, should this policy be scoped out to all workstations, or just the Netboot server?

Should I encounter any problems, is the EFI policy able to be pulled back easily by setting the Security level of the EFI configuration back to "none"?


Taking a look at this discussion post, it looks like some users have had trouble with the startup disk becoming inaccessible after applying an EFI password.

Looks like the issue is caused by a Yosemite security update...

The startup disk value is stored in PRAM. When the EFI password is enabled, without intervention, the system will only look for that volume to startup from. The Yosemite Recovery Update unceremoniously overwrites the Recovery partition with a new one, so that the value stored in PRAM is no longer valid, for the former Recovery Partition in order to unlock FileVault. So when the system restarts the volume it wants is no longer present, and returns a flashing folder with a question mark.

These systems are not touching the internet, and will not be receiving any updates. Recovery partition should not be touched, so maybe it is a non-issue.

Thank you!
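
Added example, not part of the original thread and not Jamf's own code: a Jamf extension attribute script that reports whether the firmware password is actually set on each workstation, so the scope of the EFI policy can be checked from inventory. It assumes `/usr/sbin/firmwarepasswd -check` prints a line reading `Password Enabled: Yes` or `Password Enabled: No`; the function names are hypothetical.

```shell
#!/bin/bash
# Extension attribute sketch: report firmware (EFI) password state.
# Assumption: `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No".

# Classify the text printed by `firmwarepasswd -check`.
fw_password_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "Enabled" ;;
        *"Password Enabled: No"*)  echo "Disabled" ;;
        *)                         echo "Unknown" ;;   # tool missing, not root, or unexpected output
    esac
}

# Query the local machine. The tool needs root and exists only on macOS,
# so anything else falls through to "Unknown" rather than failing.
report_fw_password() {
    local out=""
    if [ -x /usr/sbin/firmwarepasswd ]; then
        out=$(/usr/sbin/firmwarepasswd -check 2>/dev/null) || out=""
    fi
    # Jamf reads the extension attribute value from the <result> tags.
    echo "<result>$(fw_password_state "$out")</result>"
}

report_fw_password
```

A smart group on the value `Disabled` or `Unknown` then lists the machines that can still be option-booted without a password.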