Best reimage method for DEP enrollment

mmd
New Contributor

What is the best way to wipe and reimage a Mac? We are using DEP with JAMF. In our network, Internet Recovery is a bit slow, and we have a restriction on using thumb drives as well. We are using Sierra, High Sierra and Mojave.
If any Mac requires a wipe and reimage to enroll through DEP, which method is best for doing this? Is it fine if we use the recovery partition? If yes, please suggest a workflow for how we can achieve this.


DBrowning
Valued Contributor II

@mmd I have created a "Factory Reset" tool in Self Service scoped to be run by our Desktop Support folks.

The policy simply downloads a Mojave installer if one is not already present and then runs the following command:

/path/to/Mojave.app/Contents/Resources/startosinstall --nointeraction --eraseinstall

This will wipe the drive and perform a clean install.

Chuey
Contributor III

@ddcdennisb Right now we have thousands of devices that are DEP capable but were imaged traditionally using DeployStudio. I want to make the jump from Sierra to High Sierra and am wondering if I should do DEP on all these guys. As long as I assign a pre-stage enrollment, your method above should still work, right?

Or I was thinking of throwing the installer.app into our DeployStudio environment and imaging them like they're fresh out of the box... do you do anything similar?

DBrowning
Valued Contributor II

We too have thousands of machines that are DEP enrolled and already deployed. As they come back in for a refresh or are deployed to a new user, we add them to a Pre-Stage and run the factory reset. We do DEP on all new devices as it's less work for our Techs and a more streamlined process.

sharriston
Contributor III

The Self Service way is an awesome way to do it. I make a NetInstall image that auto-erases Macintosh HD and host it on our server; it's a little faster than constantly having to download a copy of Mojave.

Chuey
Contributor III

@sharriston So you wipe the HD and then pretty much just install like it's fresh out of the box to set up with DEP? If so, that's what I'm thinking about doing with our DeployStudio instance. Boot, wipe, install right from the installer.app and then set up like it's out of the box.

sharriston
Contributor III

Essentially that's what I do, except I make my NetInstaller wipe and erase the drive for me, so I just NetBoot and as soon as it loads it wipes the drive and starts installing the OS. This was the closest I could get to NetRestore images, which used to allow me to wipe and re-enroll a computer in like 10-15 minutes.

Hugonaut
Valued Contributor II

Pretty much what @ddcdennisb does. I run the following script. I have it in a policy; the policy has a custom event trigger, and then I call that custom event through various means, sometimes directly in Terminal, etc.

#!/bin/bash

# Start the Erase and Reinstall process for Mojave.
# The installer path contains spaces, so it must be quoted for the shell.
# Backgrounded (&) so the policy returns to jamf while startosinstall proceeds.
"/Path/To/macOS/Mojave/Install macOS Mojave.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --newvolumename "Macintosh HD" --nointeraction &

exit 0
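Here is an added example of a Self Service "factory reset" policy script in the spirit of the two scripts above; it is not DBrowning's or Hugonaut's code. It locates a local "Install macOS *.app" in an assumed directory (default /Applications), refuses to run unless the boot volume is APFS (the erase-install requirement mconners mentions below) and the caller is root, and only then calls startosinstall. The FACTORY_RESET_CONFIRM guard is an assumption so the script can be sourced without wiping anything.

```shell
#!/bin/bash
# Added example: preflight-checked erase-and-install for a Self Service policy.
# Assumptions: the installer lives in INSTALLER_DIR and the policy sets
# FACTORY_RESET_CONFIRM=1 when it really intends to wipe the machine.
set -eu

INSTALLER_DIR="${INSTALLER_DIR:-/Applications}"

# Print the path of the first "Install macOS *.app" in $1 that ships startosinstall.
find_installer() {
  dir="$1"
  for app in "$dir"/Install\ macOS\ *.app; do
    if [ -x "$app/Contents/Resources/startosinstall" ]; then
      printf '%s\n' "$app"
      return 0
    fi
  done
  return 1
}

# Return 0 when the given `diskutil info` output describes an APFS volume.
# --eraseinstall is only supported on APFS, so HFS+ Macs must be converted first.
volume_is_apfs() {
  printf '%s\n' "$1" | grep -q 'File System Personality: *APFS'
}

erase_install() {
  app="$(find_installer "$INSTALLER_DIR")" || {
    echo "no macOS installer found in $INSTALLER_DIR" >&2; return 2; }
  info="$(diskutil info / 2>/dev/null || true)"
  volume_is_apfs "$info" || {
    echo "boot volume is not APFS; --eraseinstall is unsupported here" >&2; return 3; }
  [ "$(id -u)" -eq 0 ] || { echo "startosinstall must run as root" >&2; return 4; }
  echo "erasing and reinstalling from: $app"
  "$app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall \
    --newvolumename "Macintosh HD" --nointeraction
}

# Only wipe when the policy explicitly asked for it.
if [ "${FACTORY_RESET_CONFIRM:-0}" = "1" ]; then
  erase_install
fi
```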

mm2270
Legendary Contributor III

Just as a similar but slightly different alternative, I created a wipe/reinstall application for a customer that they could place on a thumb drive. It was a Platypus-built app that contained the latest "Install macOS High Sierra.app" in its Resources folder. The app runs a script that locates the installer app inside it, prompts them for their admin credentials to run as root, and then pops up a dialog asking them which option they would like to use, either "Install" or "Erase & Install". The former simply reinstalls macOS without erasing the drive, in case they need to do that on occasion, and the latter is self-explanatory. They have a third button in the dialog, Cancel, in case they change their mind. It then runs one of two script lines, calling the embedded installer to erase and install or just install, depending on which button they chose.
The app is large (~5+ GB) since it contains the entire OS installer, but they can fit it easily on 8 GB thumb drives and carry it around and reinstall an OS for any machine they need to, provided it's using an APFS formatted disk.

The same process can be used for Mojave of course. It's just that at the time I built it for them, they were still using Macs running High Sierra.

I know the OP mentioned having a restriction on thumb drives, but I wanted to mention that as another option for environments that don't have such external drive restrictions in place.

mmd
New Contributor

@ddcdennisb, thank you. Shall we add the Mojave package to that policy and run it from Self Service? As I already mentioned, we don't want to use Internet Recovery.

thebrucecarter
Contributor II

@ddcdennisb Just curious, are you mirroring the installer file somewhere locally (that is, on your site, not on the particular machine) or do you have a link at Apple?

DBrowning
Valued Contributor II

@bcarter5876 I have a copy of the Mojave installer on my DPs. We push the installer to machines prior to allowing users to upgrade, and keep it updated.

So if the installer is not present for some reason when the factory reset is run, it will download the latest we have on the DPs to run the command.

mconners
Valued Contributor

We made the decision to move to APFS last summer with High Sierra. We knew, after talking with Apple engineering, that APFS is required going forward for the erase-install method mentioned above to work. We have 86% of installed Macs on APFS. Using the above ideas, it works great, especially with everything being done via DEP now. Remotely send the commands and off it goes.

Chuey
Contributor III

@sharriston Would you be willing to share how you created the Netinstall image that wipes and restores 10.14?

sharriston
Contributor III

Sure. In System Image Utility I select NetInstall Image, then about three clicks later I check off Erase and Install to target volume and enter Macintosh HD. Then I just host the .nbi file on my NetBoot server.
Granted, if Macintosh HD has been renamed it will just be a normal NetInstaller and you need to actually click which volume you want to erase, but this method has been working OK for me when we redeploy a machine. Hopefully it will become like iOS soon, where the base OS is on its own volume and you can just click "remove all user data" to start over.

ekrizon
New Contributor II

We have the Mojave installer hosted on our DPs and use the free MDS: https://twocanoes.com/products/mac/mac-deploy-stick

Boot to recovery and it pulls image over local network.

We even have it automated with Arduino Micros programmed so you just have to power it on and plug in the Arduino; it takes care of the rest.

Chuey
Contributor III

@sharriston I used the System Image Utility before posting, pointed to the Mojave installer, created the NetInstall image, and when I boot my Mac Mini to it, it shows the spinning globe loading the NetInstall, then it shows the Apple logo with a progress bar, and that will be fully loaded but never do anything... Have you seen this?

Chuey
Contributor III

@sharriston I figured it out. Under the settings of the NetInstall image it was made available over HTTP; I set it to NFS like all my others and it's working :)

Thank you

AVmcclint
Honored Contributor

When you erase and reinstall via the various methods listed above, what do you do on the JSS (if anything) to let the computer re-enroll and pull down all the post-enrollment policies and scripts so it can be deployed again? I wouldn't want the fact that a computer installed an app in a previous life to prevent it from installing it in its new life.

sharriston
Contributor III

Awesome @Chuey Sorry I just saw this response now.

Chuey
Contributor III

@AVmcclint

1.) I assign the computer to a pre-stage enrollment group, so after it wipes and is at the new setup screen (like out of the box) it will check in with Apple > Apple tells the computer it's DEP and to look at my JAMF instance > then, since it's in a pre-stage enrollment group, it gets auto-enrolled into JAMF Pro.

2.) I have a smart group that is built off of the Pre-stage Enrollment Group criteria, so after the computer enrolls it falls into this Smart Group. Then I have a policy that triggers on enrollment complete (scoped to that same Smart Group looking at that pre-stage enrollment group criteria) which cURLs down a CSV file into the Mac's /tmp directory with all serial numbers & computer names (12345,NameHere).

I exported that CSV from JAMF Pro, and then the policy runs a script I wrote to name the computer based off that CSV using this handy JAMF command:

jamf setComputerName -fromFile /path/to/local/csv

That gets my computer named.

3.) At this point, if your policies are based strictly off naming conventions, you should get the same policies it used to have. In my case I have to BIND it to Active Directory, and there are policies that are based on the BIND (OU membership), name, as well as macOS version. So I have a few more things I need to do.

4.) I have another policy that is scoped to that same pre-stage enrollment Smart Group, which is set to a custom trigger that I can call, which BINDs my computer... that custom trigger gets called as the very last thing in my script from Step 2. I use it like this:

jamf policy -event bindTrigger

5.) Once the computer is bound and named I'm good to go... I have smart groups that calculate based on OS version, and then those Smart Groups are tied to specific policies. Every environment is different, but as long as you make sure you have your stuff configured it should get everything it used to get.
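As an added example of the Step 2 and Step 4 enrollment-complete script (not Chuey's own script), the following fetches the serial-to-name CSV, verifies that this Mac's serial maps to exactly one well-formed name before handing the file to `jamf setComputerName -fromFile`, and fires the bind trigger last. The CSV_URL is a placeholder, the CSV is assumed to hold "SERIAL,NAME" rows as described above, and the file is written to a private mktemp directory rather than a guessable /tmp path so another local user cannot pre-create or swap it.

```shell
#!/bin/bash
# Added example: enrollment-complete policy script that names the Mac from a
# serial->name CSV and then calls the bind policy. Assumes jamf and ioreg (macOS).
set -eu

CSV_URL="${CSV_URL:-https://example.invalid/computers.csv}"   # placeholder
BIND_EVENT="${BIND_EVENT:-bindTrigger}"

# This Mac's serial number from IOKit (macOS only).
local_serial() {
  ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

# Print the name mapped to serial $1 in CSV $2. Fails unless exactly one row
# matches and the name is a plain hostname (letters, digits, hyphen, <=63 chars),
# so a malformed or tampered CSV cannot set a junk or injected name.
name_for_serial() {
  serial="$1"; csv="$2"
  match="$(awk -F',' -v s="$serial" '$1 == s {print $2}' "$csv" | tr -d '\r')"
  [ "$(printf '%s\n' "$match" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$match" | grep -Eq '^[A-Za-z0-9-]{1,63}$' || return 1
  printf '%s\n' "$match"
}

main() {
  work="$(mktemp -d)"                      # private, unpredictable scratch dir
  trap 'rm -rf "$work"' EXIT
  # HTTPS only, and fail on HTTP errors instead of writing an error page as CSV.
  curl --fail --silent --proto '=https' -o "$work/names.csv" "$CSV_URL"
  serial="$(local_serial)"
  name="$(name_for_serial "$serial" "$work/names.csv")" || {
    echo "serial $serial is not uniquely listed; leaving the name unchanged" >&2
    exit 1; }
  echo "naming $serial as $name"
  jamf setComputerName -fromFile "$work/names.csv"
  jamf policy -event "$BIND_EVENT"         # bind is the last step, as in Step 4
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```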

SMG2009
New Contributor III

Is it possible to have the students run the factory reset tool?

IOW, we'd scope the tool to the student self service scoped by grad year.

Chuey
Contributor III

@johnnyg08 I don't see why not

Chuey
Contributor III

@sharriston I just noticed using this method of a NetInstall Image --- I do not have a Mojave Recovery Partition when I hold 'OPTION'

Is that same for you?

Tangentism
Contributor II

@Chuey Netinstall was removed in Mojave. You can no longer boot from a net image.

Chuey
Contributor III

@Tangentism These machines are 2012-2015 Mac Minis or MacBook Airs running 10.12.6.

I am upgrading them to Mojave.

Eigger
Contributor III

+1 on MDS as posted by @ekrizon. Even without the Arduino, this is still very useful, especially for those who have IT provision laptops and not the end user.

thomH
New Contributor III

@Chuey

In your Step 2: Could you skip the Pre-stage Enrollment Group membership and scope to All Computers, since only those that enroll will get the file anyways?

cheers,