Erasing a Mac from system settings

thank you so much for response @jamf-42 . I totally get what you mean. But in addition we wanted to give the user the possibility to simply wipe it without needing to contact IT. Any other idea? 

add a self service item to elevate them to admin, after all if they are going to wipe it.. then being admin shouldn't be an issue. You can elevate to admin via DSCL command and open the app with 

open -a "Erase Assistant"

Can you use the "--eraseinstall" command? 

An old script example: 

#!/bin/zsh

echo "Running startosinstall..."

'/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall' --agreetolicense --eraseinstall --forcequitapps &

exit $?

just get them to reboot into recovery, they can erase it from there

thanks @mvu  I think that would need to download the whole image again since it's normally not there anymore. But thanks - I proposed internally whether we go with wipe from admin portal or alternatively going with "press and hold power button" if it should be run from user end directly. Thanks, your response is much appreciated ! love this community

thank you so much, yeah I think that's (along with the wipe from admin portal) the state of the art solution to wipe. thank you so much!

You have 2 options then (there are more but these are obvious to me with less work involved)

1. Elevate the user to admin and so they can click 'Erase All Contents & Settings" under System Settings

2. Set up an API script in Self Service that sends a remote wipe command for that computer

1 would require that you have some kind of checking that removes admin rights after a period of time to counter the user cancelling the policy before the device wipes

2 would require that you have plenty of confirmations so it wasnt clicked by mistake or you have to manually scope it to the user when required.

That requires giving the user either EFI password or the recovery key, which is a massive no-no with a lot of my project customers

If its apple silicone it doesn't have a efi password. You could be setting recovery lock passwords (you would have the same issue if users had admin in that case). And you dont need a filevault password to wipe the device, on the same screen which asks for the password, you can wipe the device in recovery.

thanks @Tangentism . to be honest not directly a fan of both. but indeed good solutions. Just don't like it because it's error prone as you write (solution 1 user could find solutions to outbreak before wipe happens and ends up with admin rights and solution 2 this could be tampered as well and misused from any malware. Guess for now we stick to recovery mode from user or wipe using IT. Probably apple comes up with letting the user use settings app erase without admin rights. Staying tuned for tomorrow's device configuration WWDC event. 

thanks again!

One thing to bare in mind is, that the device normally needs to be activated when wiped. The user doesn't always get the option to connect to a WiFi to activate it. You sometimes need to connect the device to the internet via a usb-c to Ethernet adapter. If these devices are remote, and they don't have a adapter, you leave them stuck (thats a apple issue which was meant to have been fixed in sonoma, but they haven't).

you're so right. Just faced same issue today. Would be so nice if the recovery is would support captive portals or certificate / user password based authentication to wifi. Or at least support usb-c ethernet adapter drivers. The one we tried didn't work unfortunately. Hopefully Apple adds these features soon, since that would be urgently required. 

thanks for your post, since I'm so happy not being alone with these topics.