Skip to main content

I know I'm doing things the hard way. When a user gives up their Mac and it is still a viable machine, we would like to be able to use it again. Finding that getting a machine wiped and ready for redeployment to be an excruciating task. This is what we are doing now - and this is only because we obviously don't know any better:

  • Get the Personal Recovery Key from Jamf Pro
  • Boot in Recovery
  • Reset the user password
  • Log in as the user
  • Upgrade to the latest macOS
  • Boot into internet recovery
  • Wipe the drive
  • Install from internet

That all takes hours and I am sure there is a better way to do this.

Would love to just boot off a USB disk and wipe the machine with the latest macOS supported for the hardware.I feel like that used to be a thing. Now I try and do that and cannot boot from USB, try to enable boot from USB and get Authentication Needed - Enter macOS Password - Recovery is try to change system settings. No administrator was found.As far as I know, there is a local admin set up as part of the policy our Jamf consultant set up. When someone needs something, we use that macadmin user and it works.

I can’t really give step by step specifics as it’ll depend on what you’re allowed to do with your organizational policies. 
But my recommendation would be to address your “hand-in” process. If a computer is being handed in, wipe it right then and there before it is put on a shelf and waits for reassignment. If you’re using internet recovery it sounds like you’re still using Intel-based Macs? Either way, use the “erase all content and settings” feature available in modern versions of macOS, or send MDM commands to erase the system. Get it to a fresh OS, then power down so that when it comes down to rebuild for the next employee; it’s a far more efficient process and you don’t have the security issue of having to manually reset the former user’s password and have access to all the data that had yet to be erased. 

I can’t really give step by step specifics as it’ll depend on what you’re allowed to do with your organizational policies. 
But my recommendation would be to address your “hand-in” process. If a computer is being handed in, wipe it right then and there before it is put on a shelf and waits for reassignment. If you’re using internet recovery it sounds like you’re still using Intel-based Macs? Either way, use the “erase all content and settings” feature available in modern versions of macOS, or send MDM commands to erase the system. Get it to a fresh OS, then power down so that when it comes down to rebuild for the next employee; it’s a far more efficient process and you don’t have the security issue of having to manually reset the former user’s password and have access to all the data that had yet to be erased. 


Yes, still have some 2020 Intel iMacs. The majority are M1/M2 MacBook Pros. Not sure what is done with the Apple silicon machines, but will check with the team. I should just need to go to Jamf and wipe with the Apple silicon machines?

Found that transfer/erase settings are in something newer than macOS 12.

Yes, still have some 2020 Intel iMacs. The majority are M1/M2 MacBook Pros. Not sure what is done with the Apple silicon machines, but will check with the team. I should just need to go to Jamf and wipe with the Apple silicon machines?

Found that transfer/erase settings are in something newer than macOS 12.


Erase All Content and Settings should be available on any device with T2 or Apple Silicon as long as it is on macOS Monterey or newer.  If you're not seeing it on your devices with macOS 12 now, perhaps there is a .x update available (12.7.3 is the most recent release).

For 1:1 computers with FV enabled and no IT-admin account present:

Intel Macs (all years)

- Boot to recovery, choose Erase Mac option

- Boot to internet recovery

- Connect MDS and run workflow to erase & install macOS

Apple Silicon Macs

- Boot to DFU mode

- Use AC2 to restore latest macOS from IPSW file

 

For all computers when the user hands in their old Mac:

- Ask user to login and run Erase All Content and Settings

Yes, still have some 2020 Intel iMacs. The majority are M1/M2 MacBook Pros. Not sure what is done with the Apple silicon machines, but will check with the team. I should just need to go to Jamf and wipe with the Apple silicon machines?

Found that transfer/erase settings are in something newer than macOS 12.


I always prefer to wipe an Apple Silicon machine through "Erase all contents in settings" with the computer in hand. Yes, you can wipe the device in Jamf, but knowing the computer is in hand is more reliable than using a remote command. 

For Intel macs, I would create a bootable installer with the latest OS installer. Instructions for that can be found here: https://support.apple.com/en-us/101578

 

The bootable installer method will cut your down the time needed for upgrading the OS, boot to internet recovery, and to install from internet. I

For Apple Silicon devices - go with Apple Configurator and get the latest macOS  IPSW you want. Takes about 12-15 Minutes.

You could also deploy a policy allowing the user to wipe the machine before they hand it in, not all will do it as experience tells but every one you don't have to touch seems like a win.

Reply


Terms & ConditionsCookie settings