When a user gets a new computer at my place of work, I am responsible for transferring all of their data from the old machine to the new machine. The old machine is typically FileVault-enabled and the new machine has been run through DEP. Sounds pretty straightforward, but I can assure you it is anything BUT that. There are a lot of potential pitfalls and I intend to outline them all in this post.

One thing I want to be clear about: This article is only in reference to machines running 10.13 or higher (where Secure Token is applicable) and APFS drives. If I make this any wider in scope, it’s going to be insanely long.

First, let’s talk about Migration Assistant. I’ve been using it since I was a Genius at Apple for most transfers. Sometimes it has its problems and I’ve seen everything under the sun at this point, but if you have developed a solid process it is pretty much foolproof (which I’ll show you here). Really, there’s just one thing to avoid: transferring over a network. Yes, I’ve seen it work quite a bit, but when it doesn’t work you will want to punch a hole in the wall. This includes transferring over Ethernet, whether directly connected or transferring over an intranet. Instead, always try to use an external disk. This means utilizing Target Disk Mode when possible, or a Time Machine drive. I’d go out on a limb and say this method is about 99% sure to work.

To start this process, you’re going to want to place the source machine (or in my case, the old computer) in Target Disk Mode. When you first connect it to the destination (new) computer, Finder is going to prompt you with something like this:

This presents our first hurdle to overcome when the source machine is FileVault-enabled. Now, if you have the password to enter here, great. In my case, I don’t want the user to stick around to enter their password. In general, I don’t like having users enter their password into weird fields that they don’t understand, so if it can be avoided I’ll make every attempt to do so. Also, my local admin user is typically not FileVault-enabled for security reasons. Hopefully, if you’re administrating your devices, you have your FileVault personal recovery keys escrowed in Jamf or some other MDM.

Here is how you connect a FileVault-enabled disk in target disk mode (from your source computer) to your destination computer:

After the computers are physically connected, enter this command to list out the connected APFS disks to the machine:

    diskutil apfs list

You’re looking for the entry for the FileVault-enabled disk (source machine) that is in target disk mode. I have the relevant information in my case annotated above, but you might have to do some searching depending on how many disks you have attached. In most cases, the disk you’re looking for will assign itself to disk3s1. You can see it is titled “Macintosh HD” and FileVault is enabled. Basically just scan through all of the info until you can correctly identify the disk you’re looking for.

Now, you’ll need to get the escrowed recovery key ready from your MDM. Now enter this into Terminal:

    diskutil apfs unlockVolume /dev/disk3s1 -passphrase ABCD-1234-EFGH-5678-IJKL-9012

…where disk3s1 represents your APFS volume and ABCD-1234-EFGH-5678-IJKL-9012 represents your escrowed recovery key. If you entered everything correctly, you’ll see this output:

And the volume should mount on the desktop.

Boom! Now the FileVault-enabled volume in target disk mode is accessible and ready for migration.

At this point we open Migration Assistant and get started with the transfer. I would suggest unchecking the Computer & Network Settings for the simple reason that MDM profiles get messed up when you have this box checked. I also want my newly DEP enrolled machine to maintain its settings rather than inherit the settings of the old machine. Feel free to play around with what works for you.

Okay, here’s where things get a bit complicated. You can do a lot of things to mess this up without knowing it, and since the ultimate fix for a secure token mess is to reimage/wipe the machine, you’ll want to get this right. Even if you aren’t using FileVault, you don’t want to set yourself up for failure in the future. Also… I’m not going to cover what secure token is here. There are plenty of articles online that already do it (and would do a better job than I would). The first thing to watch out for is the prompt to replace an account.
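As an added example (not part of the original post), here is the list-identify-unlock step from the target disk mode procedure as a small script: it picks the locked FileVault volume out of `diskutil apfs list` output and feeds the escrowed recovery key to `diskutil apfs unlockVolume` on stdin via `-stdinpassphrase`, so the key does not end up in shell history or the process list the way it does with `-passphrase`. The function names, the `--unlock` switch and the sample listing are constructed for illustration, and the field labels the parser matches are assumptions about the listing format; confirm both against `man diskutil` and real output on your macOS release.

```shell
#!/bin/sh
# Added example. The labels matched below ("+-> Volume", "Name:", "FileVault:
# Yes (Locked)") are assumptions about `diskutil apfs list` output; check your macOS version.

# stdin: `diskutil apfs list` text. stdout: "<device><TAB><name>" per locked FileVault volume.
find_locked_volumes() {
  awk '
    /\+-> Volume disk[0-9]+s[0-9]+/ {
      for (i = 1; i < NF; i++) if ($i == "Volume") dev = $(i + 1)
      name = ""
    }
    /^[ |]*Name:[ \t]/ { sub(/^[ |]*Name:[ \t]+/, ""); sub(/[ \t]+\(.*$/, ""); name = $0 }
    /FileVault:[ \t]+Yes \(Locked\)/ { if (dev != "") print dev "\t" name }
  '
}

# Prompt for the escrowed recovery key with echo off and pass it on stdin, so it
# stays out of shell history and the process list (unlike -passphrase KEY).
unlock_volume() {
  printf '%s\n' "$1" | grep -Eqx 'disk[0-9]+s[0-9]+' || { echo "bad identifier" >&2; return 1; }
  printf 'Recovery key for /dev/%s: ' "$1" >&2
  stty -echo; IFS= read -r key; stty echo; echo >&2
  printf '%s' "$key" | diskutil apfs unlockVolume "/dev/$1" -stdinpassphrase
  status=$?; unset key; return "$status"
}

# Constructed sample input (placeholder UUIDs, not captured from a real machine).
sample_apfs_list() {
  cat <<'EOF'
+-- Container disk1 00000000-0000-0000-0000-000000000001
    +-> Volume disk1s1 00000000-0000-0000-0000-000000000002
    |   Name:                      Macintosh HD (Case-insensitive)
    |   FileVault:                 Yes (Unlocked)
+-- Container disk3 00000000-0000-0000-0000-000000000003
    +-> Volume disk3s1 00000000-0000-0000-0000-000000000004
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 Yes (Locked)
EOF
}

# Run with --unlock on the destination Mac; without it only the functions are defined.
if [ "${1:-}" = "--unlock" ]; then
  locked=$(diskutil apfs list | find_locked_volumes)
  printf 'Locked FileVault volumes:\n%s\n' "$locked" >&2
  [ "$(printf '%s\n' "$locked" | grep -c .)" -eq 1 ] || { echo "need exactly one match" >&2; exit 1; }
  unlock_volume "$(printf '%s\n' "$locked" | cut -f1)"
fi
```

If the script reports more or fewer than one locked volume, identify the source disk by hand from the listing and call `unlock_volume` with that identifier.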