Question

--eraseinstall for macOS Big Sur

  • December 1, 2020
  • 50 replies
  • 342 views

DBrowning

What are people doing to get around the --passprompt or --stdinpass when running the --eraseinstall command with the Big Sur installer?

I have a script available in Self Service for users that want to wipe their machines that works great in Catalina and I was trying to use it for Big Sur as well, but I'm getting an error "Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt." This happens even when I use sudo or log in as root and try the command.

50 replies

sdagley
  • Jamf Heroes
  • December 1, 2020

@DBrowning Do you have the --agreetolicense --nointeraction options in your call to startosinstall?


DBrowning
  • Author
  • Esteemed Contributor
  • December 1, 2020

I'm using startosinstall --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"


sdagley
  • Jamf Heroes
  • December 1, 2020

What happens if you leave out --newvolumename "Macintosh HD"?


DBrowning
  • Author
  • Esteemed Contributor
  • December 1, 2020

So interesting turn of events...I was running this on the new M1 laptop. Just ran it on an Intel MBP and it's working......


sdagley
  • Jamf Heroes
  • December 1, 2020

More fun things about dealing with M1 Macs


Chris_Hafner
  • Jamf Heroes
  • December 3, 2020

Hah! You got forked!


  • New Contributor
  • December 4, 2020

Seeing the same thing on an M1 based MBA.


  • Contributor
  • December 9, 2020

Apparently on Apple silicon the startosinstall requires authentication by the user.
The policy runs fine on Intel Macs, but fails on M1 Macs.
Here is the log: "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"...
Result of command:
Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt.

An attempt to pipe the admin password into the startosinstall command fails with another error: echo "adminpass" | "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"…
Error: Could not find provided owner on this system…

If I only add the --stdinpass flag without piping the password, the policy hangs at “Running”.

When I enter the password right after the --stdinpass flag, I get yet another error:
"/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --user admin --stdinpass "adminpass" --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"...
Result of command:
startosinstall: An extraneous argument was specified with option ‘stdinpass’

I hope someone with access to developer documentation can figure out how to properly use the new flags in the startosinstall command.
New flags like --stdinpass, --cloneuser or --reducedsecurity are available on M1 Macs.
startosinstall --usage in Terminal shows only this:
--user, an admin user to authorize installation.
--passprompt, collect a password for authorization with an interactive prompt.
--stdinpass, collect a password from stdin without interaction.
--reducedsecurity, configure target volume's security policy as Reduced Security (will prompt for authorization after reboot).
--cloneuser, Copy account settings for the owner provided with --user when installing to a new volume.


DBrowning
  • Author
  • Esteemed Contributor
  • December 9, 2020

@Strannik

If I only adding --stdinpass flag without piping the password - the policy hangs at “Running”.

While it was sitting at the blank line, I decided to type in my password. Granted it was in plain text, the process started.


  • Contributor
  • December 10, 2020

@DBrowning Yes, you can do it in Terminal while running the command as an admin user, but the question is - how to do it in Self Service, when the script runs as root, and better yet - automate it...


DBrowning
  • Author
  • Esteemed Contributor
  • December 10, 2020

@Strannik Yeah..... I'm trying to see if I can figure something out using expect. Not working so well right now....


  • Contributor
  • December 11, 2020

@Strannik Does trying --user admin --stdinpass, where "admin" is "root" instead do anything? I am about to take a look at this myself

Edit: Please see my below responses


  • Valued Contributor
  • December 11, 2020

Does this work? echo "YOURPASSWORDHERE" | sudo "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --user "YOURADMINHERE" --stdinpass


  • Contributor
  • December 11, 2020

@HCSTech

Manually in Terminal

```
echo 'YOURPASSWORDHERE' | sudo "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --stdinpass
```

Worked for me. Logged in as myself (an admin), and echoing my password.

However, echoing a password of a different user and using --user to specify which user results in

```
echo 'YOURADMINPASSHERE' | sudo "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --user "YOURADMINHERE" --stdinpass
Error: could not get authorization...
```

So now to try out some combos in a policy


  • Contributor
  • December 11, 2020

@HCSTech @Strannik

EDIT: Did not work. I made a dumb

However, it seems that even if you su or sudo to another user, it still checks against the user running it. So in Jamf's case, root.


  • Contributor
  • December 11, 2020

We are piping in the password using the --stdinpass parameter with no issues. Just have to make sure to use the --user parameter.

echo "$pass" | "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --eraseinstall --newvolumename "Macintosh HD" --nointeraction --agreetolicense --forcequitapps --user "$user" --stdinpass &

DBrowning
  • Author
  • Esteemed Contributor
  • December 11, 2020

@luke.reagor that is working on M1 macs for you?


  • Contributor
  • December 11, 2020

@DBrowning Yes. We have an M1 Air and that's the one I'm using it on.


DBrowning
  • Author
  • Esteemed Contributor
  • December 11, 2020

@luke.reagor I could have sworn I tried that.....I may have been missing the --user part. But it's working!!


  • Contributor
  • December 11, 2020

@DBrowning Yeah, that was the last part we had to add to get ours working when we were working through this. But I'm glad you got it going!


  • Contributor
  • December 11, 2020

@luke.reagor Hmm... I wonder why it didn't work for me?
I was getting this:
echo "adminpass" | "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"…
Error: Could not find provided owner on this system…
Maybe it didn't like my Admin account which was created by Jamf through PreStage Enrollments > Account settings > Create a local administrator account before the Setup Assistant?


  • Contributor
  • December 11, 2020

@Strannik It's possible. Our admin is created the same way with "Make the local administrator account MDM-enabled" and "Skip Account Creation" selected.


  • Contributor
  • December 11, 2020

It won't work with --user if the --user account does not have a secure token... Just did some testing. That seems to be why it did not work for me

You can test with

sudo sysadminctl -adminUser [admin user] -adminPassword - -secureTokenOn [user being granted SecureToken] -password -
sudo sysadminctl -adminUser [admin user] -adminPassword - -secureTokenOff [user being granted SecureToken] -password -

This will prompt you, at the CLI, to first enter the admin user's password and then the user's password.

I assume this error points to that. I see this error in the "install.log" in console

2020-12-11 09:38:31-05 M1TEST startosinstall[1243]: OSISClient: Failed to set LACredentialTypeBootPassword credential: Error Domain=com.apple.LocalAuthentication Code=-1 "Password rejected (3)" UserInfo={NSLocalizedDescription=Password rejected (3)}

That's what happens to me if the --user account does not have a securetoken. "LACredentialTypeBootPassword"


DBrowning
  • Author
  • Esteemed Contributor
  • December 11, 2020

So there goes my idea of creating a temp admin account in the script.


  • Contributor
  • December 17, 2020

@bizzaredm @DBrowning My Admin user, created by Jamf PreStage, did have a secure token, but the command running in the script

echo "adminpass" | "/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --eraseinstall --newvolumename "Macintosh HD"

failed with error:

Could not find provided owner on this system

That's because, although I specified the admin user and piped the password, the script runs as root.
The solution for me was to run the command as the user:

/usr/bin/su -l admin -c "echo adminpass | '/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall' --eraseinstall --newvolumename 'Macintosh HD' --nointeraction --agreetolicense --forcequitapps --user admin --stdinpass"

That worked for me to reinstall Big Sur in Self Service on M1 MacBook Air.
I don't like using an admin password inside a script, so it would be good to encrypt it as shown here:
https://github.com/jamf/Encrypted-Script-Parameters
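
An added example, not part of any post in this thread: a sketch that combines what the thread found (the `--user` account needs a secure token, and on M1 the command has to run as that user with `--stdinpass`) while keeping the password out of the `su -c` command string, where it would show up in the process list. The function names, the `sysadminctl` status wording that is matched, and the assumption that `su` run by root passes its stdin through to `startosinstall` are assumptions; how the password is obtained (for example decrypted as in the repository linked above) is left to the caller.

```shell
#!/bin/bash
# Added example, not code from the thread. All function names are hypothetical.
INSTALLER="${INSTALLER:-/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall}"

# True if sysadminctl status text ($1) reports an enabled secure token.
# The matched wording is an assumption about sysadminctl's output.
token_enabled() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the command string for `su -c`. It carries the flags used in the
# thread and the user name, never the password. Names with characters outside
# a conservative set are refused so nothing can break out of the quoting.
install_cmd() {
  case "$1" in
    "" | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf "'%s' --eraseinstall --newvolumename 'Macintosh HD' " "$INSTALLER"
  printf "%s --user '%s' --stdinpass" \
    "--nointeraction --agreetolicense --forcequitapps" "$1"
}

# $1 = admin short name; the password is read from this function's stdin.
# Usage inside a policy script running as root:
#   printf '%s\n' "$pass" | erase_install "$4"
erase_install() {
  cmd=$(install_cmd "$1") || { echo "refusing user name: $1" >&2; return 1; }
  # sysadminctl reports status on stderr, hence 2>&1; </dev/null keeps it
  # from consuming the password waiting on stdin.
  status=$(/usr/sbin/sysadminctl -secureTokenStatus "$1" 2>&1 </dev/null)
  token_enabled "$status" || { echo "$1 has no secure token" >&2; return 1; }
  # su, called by root, does not prompt, so its stdin (the password) is
  # inherited by startosinstall and is not part of the su command line.
  /usr/bin/su -l "$1" -c "$cmd"
}
```

Because `printf` is a shell builtin, piping with it does not create a process whose arguments contain the password.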