Question

Mass Upgrade & Erase for Apple Silicon or Mass Actions for EaCS

  • January 7, 2022
  • 10 replies
  • 66 views


I am in the process of designing a workflow to refresh our M1 Macs in our computer labs (30 Macs each). The goal will be to erase and upgrade from Big Sur to Monterey. I have a few options:

1. Deploy the OS installer, then run this:

echo 'P@55w0rd' | '/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall' --eraseinstall --agreetolicense --forcequitapps --newvolumename 'Macintosh HD' --user adminuser --stdinpass

2. Use mass actions to send an OS Upgrade MDM command to the latest version; once done, send a Wipe Device command (EaCS).

I prefer option 2 since I do not need to send credentials over, but JAMF does not offer mass actions for wipe device. I am also thinking about doing it via the API, but that involves R&D hours and is likely above my skill set.

Do you guys have a different workflow for this type of work?

10 replies

Jason33
  • Honored Contributor
  • January 7, 2022

Check out Erase & Install.  Worked very well for our Apple Silicon devices

https://github.com/grahampugh/erase-install


  • Author
  • Contributor
  • January 7, 2022

I've considered this for Self Service to the end user. I am wondering if there is a less clicky way of achieving this, like the Intel counterpart.


Samstar777
  • Valued Contributor
  • January 11, 2022

Hello Killer23D,

You can check this blog here from Jamf which can help you achieve your ask.

-Sam


  • Author
  • Contributor
  • January 11, 2022

My goal is to create an automated method with the least user interaction. I guess what I am asking is a pipe dream given the new security Apple included.

On Intel devices, the method in the blog works perfectly with no interaction needed.

It's M1 requiring credentials that is the challenge. That article includes my option #1 above, which I am not a big fan of: it sends credentials in a policy where anyone can read them from the JAMF log or from /var/log/jamf.log. Method #1 also requires a local admin account with a secure token to already exist. Since JAMF and Apple discourage IT admins from having an institutional local admin account on workstations, I want to create ONE plan that is sustainable and applicable to all the devices we have.


  • Valued Contributor
  • January 11, 2022

While it doesn't help getting existing devices from Big Sur to Monterey, once you are there, refreshing lab devices should be easier if you leverage a workflow using a combination of 'Erase all Content and Settings' and the 'Automatically advance through Setup Assistant' option in PreStage.


  • Author
  • Contributor
  • January 11, 2022

That is exactly option #2 that I am working on; however, I need to upgrade and erase every summer, so there really isn't a solution from what I can gather. There is no mass action for "wipe device", just FYI: I will have to open up each computer record, send the wipe command and enter a 6-digit code every time.


Bol
  • Contributor
  • January 18, 2022

You could send credentials through a script parameter option in the policy, then call it as below:

localPassword="$4"
localUsername="$5"

"${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword"

In my environment, sending the credentials this way works well for both Intel and M1 machines (M1 requiring a secure token).


  • Author
  • Contributor
  • January 19, 2022

This is great, do you mind sharing the script (or part of it)? I am interested to see how others are achieving this. I'd assume Intel just ignores the --stdinpass, correct?


Bol
  • Contributor
  • January 19, 2022

No worries. For whatever reason I wasn't able to use grahampugh's fantastic script, so I had to mish-mash some together from the clever folks in the links below.

https://github.com/grahampugh/erase-install/blob/main/erase-install.sh
https://github.com/jamf/API_Scripts/blob/master/DeleteComputersBySerial.sh
https://github.com/rtrouton/rtrouton_scripts/blob/934cba2a5f6ee9b2e9c0a30c6c7f2c3dc2b3847d/rtrouton_scripts/Casper_Scripts/clear_failed_Jamf_Pro_mdm_commands/clear_failed_Jamf_Pro_mdm_commands.sh

I believe Big Sur Intel still requires the user / pass to start the installer for non-admin accounts. You could always split up the two commands using the arch command:

if [ "$( /usr/bin/arch )" = "arm64" ]; then
    "${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword"
else
    # *Intel command here*
    :
fi

#!/bin/bash

# Jamf Pro API credentials and the local Secure Token holder, passed in as policy script parameters $4-$7.
apiuser="$4"
apipass="$5"
localUsername="$6"
localPassword="$7"

jamfProURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf jss_url)
jamfProURL=${jamfProURL%%/}
serialNumber=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# First "Install macOS*.app" bundle found in /Applications.
existing_installer=$(find /Applications -maxdepth 1 -type d -name "Install macOS*.app" | head -n 1)
dialog_erase_icon="${existing_installer}/Contents/Resources/InstallAssistant.icns"
dialog_confirmation_icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"
macosEraseInstallLog="/var/log/macosEraseInstallLog.log"

# Remove this Mac's computer record so the re-enrolled device does not collide with the old one.
# Note: -k disables TLS certificate validation of the Jamf Pro server; drop it once the client trusts the server certificate.
DeleteJamfProSerial () {
    /usr/bin/curl -k -v -u "${apiuser}:${apipass}" "${jamfProURL}/JSSResource/computers/serialnumber/${serialNumber}" -X DELETE
}

# Full-screen notice while the installer prepares; its PID is handed to startosinstall via --pidtosignal.
JamfHelper () {
    "${jamfHelper}" \
        -windowType fs \
        -heading "Erasing macOS" \
        -description "Preparing the installer may take up to 30 minutes. Once completed your computer will reboot and continue the reinstallation. Start time: $( /bin/date +'%r' )" \
        -icon "${dialog_erase_icon}" & PID=$!
}

# The password is fed over stdin (--stdinpass), so it never appears on the command line.
EraseInstall () {
    "${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword" >> "${macosEraseInstallLog}" 2>&1
}

JamfHelper
DeleteJamfProSerial
EraseInstall

exit 0
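As an added example (not Bol's script or anything else posted in this thread): a pre-flight check that applies the arch split above before anything destructive runs. The thread's failure mode is an Apple Silicon Mac whose supplied account does not hold a Secure Token, so `startosinstall --eraseinstall` is refused after the installer has already been staged. The functions below decide whether credentials are needed and whether the account can satisfy that requirement, and build the argument list with the password kept on stdin. Assumptions not stated in the thread: `/usr/bin/arch` prints `arm64` on Apple Silicon, `dscl . -read /Users/<name> AuthenticationAuthority` contains the tag `;SecureToken;` for token holders, and only the arm64 branch passes `--user`/`--stdinpass`, as in Bol's split.

```bash
#!/bin/bash
# Added example, not code from this thread: pre-flight checks for the
# arch-split erase-install. Nothing here erases anything; the functions
# only decide whether the run can succeed and what arguments it would use.
#
# Assumptions (not stated in the thread):
#   * /usr/bin/arch prints "arm64" on Apple Silicon, "i386" on Intel.
#   * `dscl . -read /Users/<name> AuthenticationAuthority` includes the
#     tag ";SecureToken;" for accounts that hold a Secure Token.
#   * Only the arm64 branch passes --user/--stdinpass.

# Returns 0 when startosinstall must be given a Secure Token holder's credentials.
needs_credentials() {
    [ "$1" = "arm64" ]
}

# Returns 0 when an AuthenticationAuthority record shows a Secure Token.
has_secure_token() {
    case "$1" in
        *';SecureToken;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the startosinstall arguments one per line so a caller can collect
# them without re-quoting "Macintosh HD". The password is never an argument:
# it is fed over stdin via --stdinpass, which keeps it out of `ps` output and
# out of any log line that records the command string.
build_startosinstall_args() {
    local arch="$1" user="$2"
    printf '%s\n' --agreetolicense --eraseinstall --nointeraction --forcequitapps \
                  --newvolumename 'Macintosh HD'
    if needs_credentials "$arch"; then
        printf '%s\n' --user "$user" --stdinpass
    fi
}

# Decides whether the erase-install can proceed.
#   0 = ok, 2 = arm64 but no account supplied, 3 = account lacks a Secure Token
preflight() {
    local arch="$1" auth_authority="$2" user="$3"
    if ! needs_credentials "$arch"; then
        echo "preflight: $arch: no credentials needed"
        return 0
    fi
    if [ -z "$user" ]; then
        echo "preflight: arm64 requires --user but no account was supplied"
        return 2
    fi
    if ! has_secure_token "$auth_authority"; then
        echo "preflight: $user holds no Secure Token; startosinstall would be refused"
        return 3
    fi
    echo "preflight: $user holds a Secure Token; ok to proceed"
    return 0
}

# On a real Mac: ./preflight.sh --run <localadmin>
# Gathers the live values, runs the checks, and prints the command it would build.
main() {
    local user="$1" arch auth
    arch="$(/usr/bin/arch)"
    auth="$(/usr/bin/dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null || true)"
    preflight "$arch" "$auth" "$user" || return $?
    printf 'would run: startosinstall'
    build_startosinstall_args "$arch" "$user" | while IFS= read -r a; do printf " '%s'" "$a"; done
    echo
}

if [ "${1:-}" = "--run" ]; then
    main "${2:-}"
fi
```

Running the checks before `DeleteJamfProSerial` in Bol's flow avoids the worst ordering: a computer record deleted from Jamf Pro for a Mac that then refuses to erase because its account never had a Secure Token.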

 


  • Author
  • Contributor
  • January 19, 2022

Awesome, I am using grahampugh's script for Self Service used by the end users.

I am going to have a look at yours tomorrow.

Be careful of including JAMF credentials in what gets installed on end users' machines; I read that (can't find the link) it is no longer a best practice. To remove the failed MDM commands, I am using this: https://aporlebeke.wordpress.com/2019/01/04/auto-clearing-failed-mdm-commands-for-macos-in-jamf-pro/