
BLUEDOG314

Curious if anyone has come across the answer to this or is willing to try a scenario to test. Given the way the T2 chip in the 2018 MBP machines (and iMac Pro) works with encryption, I am trying to figure out how capturing an image and moving it to another machine, or using bootable images may work.

The way I understand it currently, if your machine is encrypted and has a T2 chip, in addition to your password the T2 chip also generates and stores a separate unique key specific to that set of encrypted data. Would this not mean that if you block copy the encrypted storage you would not be able to boot this copy on any other machine? Further, if you make a bootable image of a T2 encrypted drive, then erase the drive the image was taken from, and try to restore the image (to the internal storage) and boot again, it would not work as the key the T2 chip stores would have been lost?

Does this make sense?
 
if you make a bootable image of a T2 encrypted drive,
It depends on how you created the cloned image. Yes, if you used an app that does a block-by-block copy, then the cloned image will be encrypted. If you use CCC then it won't be encrypted.
 
Curious if anyone has come across the answer to this or is willing to try a scenario to test. Given the way the T2 chip in the 2018 MBP machines (and iMac Pro) works with encryption, I am trying to figure out how capturing an image and moving it to another machine, or using bootable images may work.
Imaging is dead with Macs that have the T2 in them. The T2 will prevent this from working.
 
I've been wondering the same thing as the OP.

Also let's say we can get a good cloning program to work with the T2. In general is cloning a better back up/more reliable than time machine?

I just tried using TM to migrate everything to my 2018 mbp and it failed. Wondering if cloning would be better moving forward. I don't need nightly/weekly backups.
 
Imaging is dead with Macs that have the T2 in them. The T2 will prevent this from working.

I don't have a machine to test it, I have a 2017 15", but if I was the betting type I would think that you can still image a T2 mbp so long as it doesn't involve encryption in any way.

As far as backing up, I hate time machine, and don't know why everyone loves CCC and other similar programs. I fully acknowledge that this concept cannot work for everyone, but I am a fan of organizing files such that I can just copy desktop, documents, downloads, and music to a new machine and reinstall all of my programs cleanly. Never really liked the idea of migrating everything, seen migrations fail too often. That being said, I DO use time machine to back up just the folders I listed above. Saves time and space to leave out other root level folders, user library etc.

My new backup method since I have a FreeNas box now and don't need an archival backup is a weekly rsync.
 
Imaging is dead with Macs that have the T2 in them. The T2 will prevent this from working.
I don't get this. Even if the SSD is encrypted I think you ought to be able to image the drive just fine. Data still flows through the T2 chip, which will decrypt it before going out the USB port.
 
Well, I could not boot from a CCC backup of the old MacBook Pro. I even tried to install the new MacBook Pro's variant of 10.13.6 using "Command + R" boot - did not work - I had to copy the folders and reinstall the programs.
But I could create a bootable backup of the new mid 2018 15" Macbook Pro using CCC.
 
Well, I could not boot from a CCC backup of the old MacBook Pro. I even tried to install the new MacBook Pro's variant of 10.13.6 using "Command + R" boot - did not work - I had to copy the folders and reinstall the programs.
But I could create a bootable backup of the new mid 2018 15" Macbook Pro using CCC.

I guess what I'm trying to figure out is that while it is bootable, will it remain bootable if you wiped the internal drive causing T2 to re key for the internal drive. If there is a re key, possibly the bootable clone you made will be useless. Per a support article on Apple, the drive is always encrypted with T2.

https://support.apple.com/en-us/HT208344
 
You’ll have to get somebody with a T2-enabled system to test that scenario for you.

Bombich does have a support article dealing with booting problems with a clone. It specifically mentions T2 Macs, but only with regards to changing a System Preference to allow booting from external devices. However, that alone would appear to suggest that booting a CCC clone on a T2-enabled system is supported, contrary to what some others may believe.

https://bombich.com/kb/ccc5/help-my-clone-wont-boot

Side Note: T2-enabled macs do not support booting from a network-based image.
 
Would changing settings here help you?

EA39B8E9-FD1E-4107-9935-BA69F76B7C4F.png
 
I don't get this. Even if the SSD is encrypted I think you ought to be able to image the drive just fine. Data still flows through the T2 chip, which will decrypt it before going out the USB port.

This sounds right considering target disk mode still works with the T2.
 
Thanks for all the replies. I think if I get my hands on one of these at some point I will do some testing. The reason I had this question was that I actually used to work in an Apple store, and we were told that if you, say, pulled the internal storage from an iMac Pro and placed it in another iMac Pro, it would not boot. Further, if you replaced the internal storage of an iMac Pro, reinstalled macOS, then put the original (working, non-faulty) storage back in, it would not be able to boot without an erase and reinstall. Not sure of the truth behind this because much of what we were told was blatantly wrong, and I never had the chance to try it, but I felt that implied that the T2 could only "pair" to one storage device at a time and it became cryptographically linked in a sense to it.
 
Thanks for all the replies. I think if I get my hands on one of these at some point I will do some testing. The reason I had this question was that I actually used to work in an Apple store, and we were told that if you, say, pulled the internal storage from an iMac Pro and placed it in another iMac Pro, it would not boot. Further, if you replaced the internal storage of an iMac Pro, reinstalled macOS, then put the original (working, non-faulty) storage back in, it would not be able to boot without an erase and reinstall. Not sure of the truth behind this because much of what we were told was blatantly wrong, and I never had the chance to try it, but I felt that implied that the T2 could only "pair" to one storage device at a time and it became cryptographically linked in a sense to it.

That all sounds correct, but this would not apply for an externally imaged clone of the drive.
 
I can confirm that I was able to clone a 2018 MacMini T2 to another 2018 MacMini T2 (both being Mojave 10.14 based) without issue using Bombich Carbon Copy Cloner (CCC). I wrote the process out over in another forum...didn't need to get into menus to change security settings or anything...didn't even boot up the new out of box 2nd MacMini before pushing out the cloned image to it using Target Mode & Thunderbolt3 cable between the two 2018 MacMinis...the entire process takes < 30 minutes start to finish (faster than prior NetRestore process used to take for image deployment). The write-up is at the following link, in the comments section - look for 'Haltah' comments for entire process described.

I've modified the process slightly to be even faster since I wrote that up a week or two ago...setup a 2018 MacMini as a server to host & serve the captured custom 2018 MacMini image via Target-Mode Thunderbolt3, and deployed from this server to the new host Target-Mode 2018 MacMini new out of box...VERY FAST, as the SSD's embedded into the motherboard on these MacMini's are lightning speed compared to the prior removable HDD's or SSD's. ~25GB customized base image pushes in ~10 minutes using CCC...another 5 minutes to finish process/steps & then you're booting into deployed image system normally. I took next step of using Winclone .pkg to deploy Win10Pro custom image also, and that takes another 5-10 minutes...so all-in-all, ~30 minutes for clean dual-boot customized Mac & Bootcamp imaged systems...not bad compared to prior imaging NetRestore process taking 30-45 minutes itself to deploy for 2014 MacMinis.

https://eclecticlight.co/2018/11/21/welcome-to-your-new-mac-living-with-the-t2-chip/

I didn't & won't be testing other hardware or other encryption settings (other than default T2 based encryption), but it should be transferrable to other APFS hardware configs w/ T2 chips. Not sure if this can work w/ FileVault based disk encryption or others.
 
I've cloned a version of my drive to an external then back to the internal once already, (due to a s****y Apple update...), 2018 MBP. Works fine... I've been running the cloned-back volume for 3 weeks now, no issues. I was also able to boot from the cloned external for 4 days and test it before cloning back to the internal.

I cloned to an external SSD that I deliberately formatted as APFS just in case there could be some unexpected APFS weirdness, worked exactly as expected... Granted I don't use FV so I'd email Bombich for FV drives, I do remember reading an article about one specific scenario where FV encrypted clones would not work... (Wasn't a blanket condition from what I remember though, want to say it was something like the drive initially being HFS...) Non-encrypted drives however work as expected once you allow booting from external in the security settings.

As far as moving the image to another machine I don't know for sure, however I had to re-capture my fingerprint to use touch-id when cloned back to the same machine. (that's it though, everything else carried over...) My assumption is imaging to another machine would work the same way... Everything carries over other than machine specific stuff like 3rd party software keys and touch ID.

Either way it's a good idea to clone to a new partition on the internal just in case something were to go wrong...
 
... and we were told that if you say pulled the internal storage from an iMac Pro and placed it in another iMac Pro it would not boot. Further, if you replaced the internal storage of an iMac Pro, reinstalled macOS, then put the original (working, non faulty) storage back in, it would not be able to boot without an erase and reinstall. Not sure the truth behind this...

For once they did speak the truth. Part of the permanent encryption uses the serial number of the flash, the T2 chip and the host machine. Break any of these links and the data is beyond reach, which is what Apple was aiming for.
 
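A simplified model of the two positions argued in this thread, added here as an example that is not part of any post and is not Apple's actual key hierarchy. It assumes only that the volume key stays inside the chip and is regenerated on erase; `ToyMac`, `seal`, `unseal` and `run_scenarios` are hypothetical names, and the HMAC-based cipher is a stand-in for the real one.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a toy keystream (stand-in for the real cipher)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("storage not readable with this chip's key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ToyMac:
    """Hypothetical model: the volume key lives only inside the chip."""
    def __init__(self):
        self.erase()
    def erase(self):
        self._key = os.urandom(32)   # fresh key on every erase, never exported
        self.flash = b""             # raw storage contents (ciphertext only)
    def write(self, plaintext):
        self.flash = seal(self._key, plaintext)
    def read(self):                  # path used by Target Disk Mode or a file-level clone
        return unseal(self._key, self.flash)

def can_read(mac):
    try:
        mac.read()
        return True
    except ValueError:
        return False

def run_scenarios(data=b"constructed sample user data"):
    a, b = ToyMac(), ToyMac()
    a.write(data)
    b.write(a.read())                # file-level clone: plaintext re-encrypted by b
    file_clone_ok = b.read() == data
    raw = a.flash                    # block copy of the ciphertext itself
    b.flash = raw
    raw_on_other = can_read(b)       # other chip holds a different key
    a.erase()
    a.flash = raw                    # erase re-keys, then the old raw image is restored
    return file_clone_ok, raw_on_other, can_read(a)
```

In this model a clone taken through the decrypting read path restores anywhere, while the raw ciphertext is unreadable on a second machine and on the original after an erase.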
Hi MacHaltah,

I've tried your suggested solution on a T2 MacBook Air that was already imaged and it worked fine. Thank you very much for that. I've used a different cable than suggested and the transfer took longer but it worked. The Image is 14.6.
However, I am attempting the same thing on an out of the box T2 MacBook Air and unfortunately, I haven't been successful. It goes to Internet Recovery on first boot, which takes around 9 minutes, and reboots into Recovery Mode, prompting me to select the Startup disk or to Update. Once I select the startup disk it will restart and I Option select the drive, but it will not boot normally and it goes to Internet Recovery again. If I select the Update instead of the Startup disk, it looks like it's attempting to update and it takes me to the OS loading screen for a brief time and it fails, taking me to the Startup disk/Try Again prompt. Obviously it fails again if I choose to Try Again.

Any ideas?
Thanks
 
