10 Replies
      Latest reply on Jun 7, 2019 1:26 PM by cashxx
      rtrouton Level 1 (0 points)

        Question: What are the ASR commands for the following scenarios?:

         

         

        1. Replication of an APFS volume to an existing target, where target volume is erased

        2. Replication of an APFS volume to a newly-created target volume

        3. Replication of an APFS snapshot to an existing target volume, where target volume is erased

        4. Replication of an APFS snapshot to a target volume with an earlier snapshot on it, to bring the target volume up to date with the latest snapshot.

         

         

        Answer:

         

         

        Replication of an APFS volume to an existing target, where target volume is erased as part of the process:

         

        asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --erase

         

         

         

        Replication of an APFS volume to a newly-created target volume:

         

        asr restore --source filename_here.dmg --target /dev/disk_id_goes_here

         

         

         

        Replication of an APFS snapshot to an existing target volume, where target volume is erased:

         

        asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --toSnapshot snapshot_name_here

         

         

        Replication of an APFS snapshot to a target volume with an earlier snapshot on it, to bring the target volume up to date with the latest snapshot:

         

        asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --fromSnapshot first_snapshot_name_here --toSnapshot second_snapshot_name_here

         

        Watch https://developer.apple.com/videos/play/wwdc2019/710/ to get commands.

         

         

         

         

        Question: Can firmlinks be created by end users, or are they reserved to the system? If they can be created by the end user, what commands are used to create them?

         

         

        Answer: No, firmlinks can't be created by end users. This is reserved currently to the system. There will be synthetic firmlinks coming, which can be used as mount points for network resources.

         

         

         

         

        Question: If firmlinks can be created by end users, is there an advantage to using firmlinks over using Unix symlinks?

         

         

        Answer: Firmlinks can't be created by end users. Symlinks will be more flexible because they are path-based and able to point to that path regardless of volume ID changes. Firmlinks will be referring to a particular volume.

         

         

         

         

        Question: If making the system volume read/write on Catalina via disabling SIP, does disabling SIP by itself make the system volume read/write? If not, what additional commands are needed to make the system volume read/write?

         

         

        Answer: Disabling SIP by itself won't make the system volume read/write. You will need to run an additional command:

         

        mount -uw /

         

         

        This mounts the system volume as a read-write volume. The change is not permanent; rebooting will cause the system volume to go back to being read-only.

         

         

        Question: Do the commands used to make the system volume read/write need to be run from macOS Recovery?

         

        Answer: The mount command can be run from outside Recovery, once SIP is disabled.

         

         

         

         

        Question: Have there been improvements to diskutil apfs updatePreboot? Currently unable to remove UUIDs from removed users.

         

        Answer: This is a bug. To help fix it, file a Radar with a sysdiagnose and the output of the following command:

         

        diskutil apfs listusers APFS_volume_id_here

         

         

        For example:

         

        diskutil apfs listusers /dev/disk1s1

         

        Also, please take pictures of the FileVault pre-boot login when it's showing a deleted user at the pre-boot login screen.

         

         

         

        Question: With the new ‘read-only’ (read: SIP-protected) volume, can Admins put things on there in a persistent way, e.g. verifiable via a UAMDM/DEP allowance?

         

        Answer: No. The read-only system volume is Apple's and reserved for their use only.

         

         

         

         

        Question: One of the bootstrap token criteria states: “The Mac must be enrolled in an MDM solution associated with Apple School Manager or Apple Business Manager.”

         

        Does this mean that this is for ONLY ABM-based MDM enrollments or does a UAMDM enrolled system whose MDM is also configured in DEP meet this requirement?

         

         

        Answer: Ask in Security Lab. These commands are reserved for supervised macOS, so UAMDM may not be enough. For more details, please see the links below:

         

         

        Set Bootstrap Token: https://developer.apple.com/documentation/devicemanagement/set_bootstrap_token

         

         

        Get Bootstrap Token: https://developer.apple.com/documentation/devicemanagement/get_bootstrap_token
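
An added example, not part of the original post: a shell check that classifies the three states the SIP and `mount -uw /` answers above describe, for use in a compliance or detection script. The function names are hypothetical, and the `mount` and `csrutil status` output formats shown in the constructed samples are assumed.

```shell
#!/bin/sh
# Added example: classify the system volume state from the text output of
# `mount` and `csrutil status`. Sample outputs below are constructed.

# Print "read-only", "read-write" or "unknown" for the volume mounted on "/".
root_mount_mode() {
    # Keep only the option list of the line that ends in " on / (...)".
    opts=$(printf '%s\n' "$1" | sed -n 's|^.* on / (\(.*\))$|\1|p' | head -n 1)
    [ -n "$opts" ] || { echo unknown; return 0; }
    case ", $opts," in
        *", read-only,"*) echo read-only ;;
        *)                echo read-write ;;
    esac
}

# Print "enabled", "disabled" or "unknown" from `csrutil status` text.
sip_state() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# assess MOUNT_OUTPUT CSRUTIL_OUTPUT -> one-line finding
assess() {
    mode=$(root_mount_mode "$1")
    sip=$(sip_state "$2")
    case "$sip/$mode" in
        enabled/read-only)   echo "OK: SIP enabled, system volume read-only" ;;
        disabled/read-only)  echo "WARN: SIP disabled, system volume still read-only" ;;
        disabled/read-write) echo "ALERT: SIP disabled, system volume remounted read-write" ;;
        *)                   echo "REVIEW: sip=$sip root=$mode" ;;
    esac
}

# Constructed sample outputs (assumed Catalina format, not captured from a host).
SAMPLE_MOUNT_RO='/dev/disk1s5 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'
SAMPLE_MOUNT_RW='/dev/disk1s5 on / (apfs, local, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'
SIP_ON='System Integrity Protection status: enabled.'
SIP_OFF='System Integrity Protection status: disabled.'

assess "$SAMPLE_MOUNT_RO" "$SIP_ON"
assess "$SAMPLE_MOUNT_RO" "$SIP_OFF"
assess "$SAMPLE_MOUNT_RW" "$SIP_OFF"
```

On a Mac, `assess "$(mount)" "$(csrutil status)"` runs the same check against the live host; because the read-write remount does not survive a reboot, the check only reflects the state at the time it runs.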