Skip to main content
Question

(Yet another) Erase-install thread macOS Monterey on Apple Silicon M1 question

  • July 14, 2022
  • 6 replies
  • 31 views
R
Forum|alt.badge.img+13

Hi all,

 

Lots of threads out there but have not found a definitive answer.

 

I am using Graham Pugh's erase install script. It is working flawlessly on both architectures. My question(s) are:

Has anyone gotten around the need to be logged into a Mac to enter credentials for a secure token user?
If the answer is yes, how?
Is there a way to hard code credentials (bad but effective) in the script? Or, is there a way to be able to enter them into Parameter fields in Jamf (better)?

I manage a computer lab and logging into 700 end points to enter these credentials is going to bring sadness.

TIA,

/randy

    6 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2802 replies
    • July 14, 2022

    If I remember correctly anything involving OS updates and upgrades requires a GUI interaction from a user unless it comes from a MDM command with a bootstrap token on Apple Silicon. I don't think you can bypass this check with CLI, you must use MDM commands for no user interaction.

     

    JAMF does not really advertise this very much, but "Wipe Computer" MDM command should leave the Mac at setup assistant when its done. 

    Fluffy
    Forum|alt.badge.img+10
    • Fluffy
    • Honored Contributor
    • 209 replies
    • July 14, 2022

    The thing that requires the password is Apple Silicon Macs. See erase-install documentation here. #JustAppleThings

    If MDM update commands work for you, do as @AJPinto said.

    R
    Forum|alt.badge.img+13
    • Randydid
    • Author
    • Contributor
    • 101 replies
    • July 14, 2022

    If I remember correctly anything involving OS updates and upgrades requires a GUI interaction from a user unless it comes from a MDM command with a bootstrap token on Apple Silicon. I don't think you can bypass this check with CLI, you must use MDM commands for no user interaction.

     

    JAMF does not really advertise this very much, but "Wipe Computer" MDM command should leave the Mac at setup assistant when its done. 


    @AJPinto wrote:

    If I remember correctly anything involving OS updates and upgrades requires a GUI interaction from a user unless it comes from a MDM command with a bootstrap token on Apple Silicon. I don't think you can bypass this check with CLI, you must use MDM commands for no user interaction.

     

    JAMF does not really advertise this very much, but "Wipe Computer" MDM command should leave the Mac at setup assistant when its done. 

    Can this be done on a group of computers? I have only seen the command in the inventory record of individual Macs. In other words, one at a time. If it is there I am just not seeing it.

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2802 replies
    • July 14, 2022
    @AJPinto wrote:

    If I remember correctly anything involving OS updates and upgrades requires a GUI interaction from a user unless it comes from a MDM command with a bootstrap token on Apple Silicon. I don't think you can bypass this check with CLI, you must use MDM commands for no user interaction.

     

    JAMF does not really advertise this very much, but "Wipe Computer" MDM command should leave the Mac at setup assistant when its done. 

    Can this be done on a group of computers? I have only seen the command in the inventory record of individual Macs. In other words, one at a time. If it is there I am just not seeing it.


    I do not think you can wipe multiple devices with a mass action. I see there being a LOT of risk bulk wiping devices, so its something JAMF has not implemented. 

     

    It looks like you can script the Erase Device MDM command with JAMF API and the computercommands endpoint. However, I would be extremely careful with this.

     

    B
    Forum|alt.badge.img+4
    • bzuidema
    • New Contributor
    • 5 replies
    • July 14, 2022

    This is the documentation that I have been using and it has been working.
    https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/

    I have a policy that runs this command in the "Execute Command" field on the Files and Processes page.

    echo 'P@55w0rd' | '/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall' --eraseinstall --agreetolicense --forcequitapps --newvolumename 'Macintosh HD' --user adminuser --stdinpass

    Just replace the echo'ed  password at the beginning of the command set the username towards the end.

    R
    Forum|alt.badge.img+13
    • Randydid
    • Author
    • Contributor
    • 101 replies
    • July 15, 2022

    We have a bit of a moving target as we have two accounts for different admin purposes. Not all of the macs have had either logged into them. Let's call them Admin-Mary and Admin-Bob. In some cases, Bob has logged in and in other instances, Mary has, and complicating things, there are some machines that neither of them has logged in nor do they show up in the Secure Token Users list in inventory. 


    Terms & ConditionsCookie settingsAccessibility statement