Posted on 03-14-2019 01:22 AM
What is the best way to wipe and reimage a Mac? We are using DEP with JAMF. In our network, Internet Recovery is a bit slow, and we also have a restriction on using thumb drives. We are using Sierra, High Sierra and Mojave.
If any Mac requires a wipe and reimage to enroll through DEP, which method is best? Is it fine if we use the recovery partition? If yes, please suggest a workflow for how we can achieve this.
Posted on 03-14-2019 04:14 AM
@mmd I have created a "Factory Reset" tool in Self Service scoped to be run by our Desktop Support folks.
The policy simply downloads a Mojave installer if one is not already present and then runs the following command:
/path/to/Mojave.app/Contents/Resources/startosinstall --nointeraction --eraseinstall
This will wipe the drive and perform a clean install.
Posted on 03-14-2019 04:52 AM
@ddcdennisb Right now we have thousands of devices that are DEP capable but were imaged traditionally using DeployStudio. I want to make the jump from Sierra to High Sierra and am wondering if I should do DEP on all these guys. As long as I assign a pre-stage enrollment, your method above should still work, right?
Or I was thinking of throwing the installer.app into our DeployStudio environment and imaging them like they're fresh out of the box...do you do anything similar?
Posted on 03-14-2019 04:59 AM
We too have thousands of machines that are DEP enrolled and already deployed. As they come back in for a refresh or to be deployed to a new user, we add them to a Pre-Stage and run the factory reset. We do DEP on all new devices as it's less work for our Techs and a more streamlined process.
Posted on 03-14-2019 05:07 AM
The Self Service way is an awesome way to do it. I make a netinstall image that auto erases Macintosh HD and host it on our server, it's a little faster than constantly having to download a copy of Mojave.
Posted on 03-14-2019 05:17 AM
@sharriston So you wipe the HD and then pretty much just install like it's fresh out of the box to set up with DEP? If so, that's what I'm thinking about doing with our DeployStudio instance. Boot, wipe, install right from installer.app and then set up like it's out of the box.
Posted on 03-14-2019 05:20 AM
Essentially that's what I do, except I make my netinstaller wipe and erase the drive for me, so I just netboot and as soon as it loads it wipes the drive and starts installing the OS. This was the closest I could get to netrestore images, which used to allow me to wipe and reenroll a computer in like 10-15 minutes.
Posted on 03-14-2019 05:53 AM
Pretty much what @ddcdennisb does. I run the following script. I have it in a policy, the policy has a custom event trigger, and then I call that custom event through various means. Sometimes directly in Terminal, etc.
#!/bin/bash
# Start Erase and Reinstall process Mojave
"/Path/To/macOS/Mojave/Install macOS Mojave.app/Contents/Resources/startosinstall" --agreetolicense --eraseinstall --newvolumename "Macintosh HD" --nointeraction &
exit 0
Posted on 03-14-2019 06:18 AM
Just as a similar but slightly different alternative, I created a wipe/reinstall application for a customer that they could place on a thumb drive. It was a Platypus-built app that contained the latest "Install macOS High Sierra.app" in its Resources folder. The app runs a script that locates the installer app inside it, prompts them for their admin credentials to run as root, and then pops up a dialog asking them which option they would like to use, either "Install" or "Erase & Install". The former simply reinstalls macOS without erasing the drive, in case they need to do that on occasion, and the latter is self-explanatory. They have a 3rd button in the dialog, Cancel, in case they change their mind. It then runs one of two script lines, calling the embedded installer to erase and install or just install, depending on which button they chose.
The app is large (~5+ GB) since it contains the entire OS installer, but they can fit it easily on 8 GB thumb drives and carry it around and reinstall an OS for any machine they need to, provided it's using an APFS formatted disk.
The same process can be used for Mojave of course. It's just that at the time I built it for them, they were still using Macs running High Sierra.
I know the OP mentioned having a restriction on thumb drives, but I wanted to mention that as another option for environments that don't have such external drive restrictions in place.
Posted on 03-14-2019 06:23 AM
@ddcdennisb, thank you. Shall we add the Mojave package to that policy and run it from Self Service? As I already mentioned, we don't want to use Internet Recovery.
Posted on 03-14-2019 07:44 AM
@ddcdennisb Just curious, are you mirroring the installer file somewhere locally (that is, on your site, not on the particular machine) or do you have a link at Apple?
Posted on 03-14-2019 07:50 AM
@bcarter5876 I have a copy of the Mojave installer on my DPs. We push the installer to machines prior to allowing users to upgrade, and keep it updated.
So if the installer is not present for some reason when the factory reset is run, it will download the latest we have on the DPs to run the command.
Posted on 03-14-2019 08:27 AM
We made the decision to move to APFS last summer with High Sierra. We knew, after talking with Apple engineering, that APFS is required going forward for the erase install method mentioned above to work. We have 86% of installed Macs on APFS. Using the above ideas, it works great, especially with everything being done via DEP now. Remotely send the commands and off it goes.
Posted on 05-08-2019 06:54 AM
@sharriston Would you be willing to share how you created the Netinstall image that wipes and restores 10.14?
Posted on 05-08-2019 06:58 AM
Sure, in System Image Utility I select NetInstall Image, then about three clicks later I check off Erase and Install to target volume and enter Macintosh HD. Then I just host the nbi file on my netboot server.
Granted, if the Macintosh HD has been renamed it will just be a normal NetInstaller and you need to actually click which volume you want to erase, but this method has been working OK for me when we redeploy a machine. Hopefully it will become like iOS soon, where the base OS is on its volume and you can just click remove all user data to start over.
Posted on 05-08-2019 08:44 AM
We have the Mojave installer hosted on our DPs and use the free MDS: https://twocanoes.com/products/mac/mac-deploy-stick
Boot to recovery and it pulls the image over the local network.
We even have it automated with Arduino Micros programmed so you just have to power it on and plug in the Arduino, and it takes care of the rest.
Posted on 05-08-2019 12:39 PM
@sharriston I used the System Image Utility before posting, pointed to the Mojave Installer, created the NetInstall image and when I boot my Mac Mini to it -- it shows spinning world loading the NetInstall, then it shows Apple logo with progress bar and that will be fully loaded but never do anything....Have you seen this?
Posted on 05-08-2019 12:46 PM
@sharriston I figured it out -- under the settings of the NetInstall Image -- it was made available over HTTP -- I set it to NFS like all my others and it's working :)
Posted on 05-09-2019 05:08 AM
When you erase and reinstall via the various methods listed above, what do you do on the JSS (if anything) to let the computer re-enroll and pull down all the post-enrollment policies and scripts so it can be deployed again? I wouldn't want the fact that a computer installed an app in a previous life to prevent it from installing it in its new life.
Posted on 05-09-2019 05:13 AM
Posted on 05-09-2019 06:11 AM
1.) I assign the computer to a pre-stage enrollment group so after it wipes and is at the new setup screen (like out of the box) it will check in with Apple > Apple tells the computer it's DEP and to look at my JAMF instance > then since it's in a pre-stage enrollment group -- gets auto-enrolled into JAMF Pro.
2.) I have a smart group that is built based off of the Pre-stage Enrollment Group criteria so after the computer enrolls it falls into this Smart Group. Then I have a policy that triggers on enrollment complete (scoped to that same SmartGroup looking at that Pre-stage enrollment group criteria) which cURLs down a CSV file onto the Mac's /tmp directory with all serial numbers & computer names (12345,NameHere)
I exported that CSV from JAMF Pro and then the policy runs a script I wrote to name the computer based off that CSV using this handy JAMF command:
jamf setComputerName -fromFile /path/to/local/csv
That gets my computer named.
3.) At this point if your policies are based strictly off naming conventions - you should get the same policies it used to have. In my case I have to BIND it to Active Directory and there are policies that are based on the BIND (OU membership), name, as well as macOS version. So I have a few more things I need to do.
4.) I have another policy that is scoped to that same Pre-stage enrollment SmartGroup which is set to a customTrigger that I can call which BINDs my computer....that custom trigger gets called as the very last thing in my script from Step 2. I use it like this:
jamf policy -event bindTrigger
5.) Once the computer is bound and named I'm good to go .... I have smart groups that calculate based on OS version and then those SmartGroups are tied to specific policies. Every environment is different but as long as you make sure you have your stuff configured it should get everything it used to get.
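A sketch of the naming step from the post above, as an added example that is not the poster's script: it downloads the CSV into a private directory rather than a fixed /tmp path, and only hands it to jamf when this Mac's serial maps to exactly one well-formed name. The CSV_URL, the 15-character name pattern and the function names are assumptions; the two jamf commands are the ones quoted in the post.

```bash
#!/bin/bash
# Added example, not the poster's script. CSV_URL and the name pattern are
# assumptions; the jamf commands are the two quoted in the post.
CSV_URL="https://dp.example.com/names.csv"   # hypothetical placeholder

# Print the name mapped to a serial; fail unless exactly one row matches.
lookup_name() {   # usage: lookup_name <csv> <serial>
  awk -F, -v s="$2" '
    { gsub(/\r/, "") }                    # tolerate CRLF exports
    $1 == s { n++; name = $2 }
    END { if (n == 1) print name; else exit 1 }' "$1"
}

# Assumed convention: 1-15 letters, digits or hyphens.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]{1,15}$'
}

name_this_mac() {
  local work serial name rc=1
  work=$(mktemp -d) || return 1           # private directory instead of a fixed /tmp path
  serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/ {print $NF}')
  if curl --fail --silent --show-error --proto '=https' \
          -o "$work/names.csv" "$CSV_URL" \
     && name=$(lookup_name "$work/names.csv" "$serial") \
     && valid_name "$name"; then
    jamf setComputerName -fromFile "$work/names.csv" \
      && jamf policy -event bindTrigger   # bind only after naming succeeds
    rc=$?
  else
    echo "not renaming: no single valid row for serial $serial" >&2
  fi
  rm -rf "$work"
  return "$rc"
}

# Run only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then name_this_mac; fi
```

Because the policy runs as root, a duplicate serial or a malformed name stops the rename before the bind trigger fires instead of propagating a bad name into the directory.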
Posted on 05-09-2019 07:47 AM
Is it possible to have the students run the factory reset tool?
IOW, we'd scope the tool to the student self service scoped by grad year.
Posted on 05-09-2019 10:13 AM
Posted on 05-28-2019 06:08 AM
@sharriston I just noticed using this method of a NetInstall Image --- I do not have a Mojave Recovery Partition when I hold 'OPTION'
Is that same for you?
Posted on 05-28-2019 06:43 AM
Posted on 05-28-2019 07:41 AM
@Tangentism These machines are 2012-2015 Mac Minis or MacBook Airs running 10.12.6
I am upgrading them to Mojave.
Posted on 05-30-2019 10:49 AM
+1 on MDS as posted by @ekrizon. Even without the Arduino, this is still very useful, especially for those who have IT provision laptops and not the end user.
Posted on 07-23-2019 08:30 AM
In your Step 2: Could you skip the Pre-stage Enrollment Group membership and scope to All Computers, since only those that enroll will get the file anyways?