Question: What are the ASR commands for the following scenarios?:
1. Replication of an APFS volume to an existing target, where target volume is erased
2. Replication of an APFS volume to a newly-created target volume
3. Replication of an APFS snapshot to an existing target volume, where target volume is erased
4. Replication of an APFS snapshot to a target volume with an earlier snapshot on it, to bring the target volume up to date with the latest snapshot.
Answer:
Replication of an APFS volume to an existing target, where target volume is erased as part of the process:
asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --erase
Replication of an APFS volume to a newly-created target volume:
asr restore --source filename_here.dmg --target /dev/disk_id_goes_here
Replication of an APFS snapshot to an existing target volume, where target volume is erased:
asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --toSnapshot snapshot_name_here
Replication of an APFS snapshot to a target volume with an earlier snapshot on it, to bring the target volume up to date with the latest snapshot:
asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --fromSnapshot first_snapshot_name_here --toSnapshot second_snapshot_name_here
Watch https://developer.apple.com/videos/play/wwdc2019/710/ to get commands.
Question: Can firmlinks be created by end users, or are they reserved for the system? If they can be created by the end user, what commands are used to create them?
Answer: No, firmlinks can't be created by end users. This is currently reserved for the system. There will be synthetic firmlinks coming, which can be used as mount points for network resources.
Question: If firmlinks can be created by end users, is there an advantage to using firmlinks over using Unix symlinks?
Answer: Firmlinks can't be created by end users. Symlinks will be more flexible because they are path-based and able to point to that path regardless of volume ID changes. Firmlinks will be referring to a particular volume.
Question: If making the system volume read/write on Catalina via disabling SIP, does disabling SIP by itself make the system volume read/write? If not, what additional commands are needed to make the system volume read/write?
Answer: Disabling SIP by itself won't make the system volume read/write. You will need to run an additional command:
mount -uw /
This mounts the system volume as a read-write volume. The change is not permanent; rebooting will cause the system volume to go back to being read-only.
Question: Do the commands used to make the system volume read/write need to be run from macOS Recovery?
Answer: The mount command can be run from outside Recovery, once SIP is disabled.
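As an added dry-run helper for the four asr scenarios listed earlier and for the read-only system volume answer above (example code, not from the lab notes or from Apple): build_asr_cmd and root_is_readonly are hypothetical shell functions; the first only prints the asr command it would run and refuses a target of / or /System, the second reads a line of mount output and reports whether the root volume is still read-only. The mount line below is constructed for the example.

```shell
#!/bin/sh
# build_asr_cmd MODE SOURCE TARGET [SNAP1 [SNAP2]]
#   erase       -> existing volume, erased as part of the restore
#   newvol      -> new volume created on a /dev/disk target
#   snapshot    -> restore a snapshot (SNAP1 is the --toSnapshot name)
#   incremental -> SNAP1 is --fromSnapshot, SNAP2 is --toSnapshot
# Prints the command only; nothing is executed (dry run).
build_asr_cmd() {
  mode=$1; src=$2; tgt=$3; snap1=$4; snap2=$5
  # Guard against wiping the boot volume or the system volume by mistake.
  case $tgt in
    /|/System|/System/*|"") echo "refusing to target '$tgt'" >&2; return 1 ;;
  esac
  case $mode in
    erase)
      printf 'asr restore --source %s --target %s --erase\n' "$src" "$tgt" ;;
    newvol)
      case $tgt in /dev/disk*) ;; *) echo "newvol needs a /dev/disk target" >&2; return 1 ;; esac
      printf 'asr restore --source %s --target %s\n' "$src" "$tgt" ;;
    snapshot)
      [ -n "$snap1" ] || { echo "snapshot mode needs a snapshot name" >&2; return 1; }
      printf 'asr restore --source %s --target %s --toSnapshot %s\n' "$src" "$tgt" "$snap1" ;;
    incremental)
      [ -n "$snap1" ] && [ -n "$snap2" ] || { echo "incremental needs two snapshot names" >&2; return 1; }
      printf 'asr restore --source %s --target %s --fromSnapshot %s --toSnapshot %s\n' \
        "$src" "$tgt" "$snap1" "$snap2" ;;
    *) echo "unknown mode '$mode'" >&2; return 1 ;;
  esac
}

# root_is_readonly MOUNT_LINE: succeeds when the line describing "/" from
# `mount` carries the read-only flag, i.e. the volume has not been remounted
# with "mount -uw /" (or a reboot has reverted it).
root_is_readonly() {
  case $1 in
    *" on / ("*read-only*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample, shaped like a Catalina root line from `mount`:
SAMPLE_RO_LINE="/dev/disk1s5 on / (apfs, local, read-only, journaled)"
```

On a real system you would feed root_is_readonly the output of `mount | grep ' on / '` before deciding whether mount -uw / is still needed.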
Question: Have there been improvements to diskutil apfs updatePreboot? Currently unable to remove UUIDs from removed users.
Answer: This is a bug. To help fix it, file a Radar with a sysdiagnose and the output of the following command:
diskutil apfs listusers APFS_volume_id_here
For example:
diskutil apfs listusers /dev/disk1s1
Also, please take pictures of the FileVault pre-boot login when it's showing a deleted user at the pre-boot login screen.
Question: With the new ‘read-only’ (read: SIP-protected) volume, can Admins put things on there in a persistent way, e.g. verifiable via a UAMDM/DEP allowance?
Answer: No. The read-only system volume is Apple's and reserved for their use only.
Question: One of the bootstrap token criteria states: “The Mac must be enrolled in an MDM solution associated with Apple School Manager or Apple Business Manager.”
Does this mean that this is for ONLY ABM-based MDM enrollments or does a UAMDM enrolled system whose MDM is also configured in DEP meet this requirement?
Answer: Ask in Security Lab. These commands are reserved for supervised macOS, so UAMDM may not be enough. For more details, please see the links below:
Set Bootstrap Token: https://developer.apple.com/documentation/devicemanagement/set_bootstrap_token
Get Bootstrap Token: https://developer.apple.com/documentation/devicemanagement/get_bootstrap_token