Posted on 11-03-2021 08:12 PM
I have multiple machines (M1, Intel with T2) that are missing the "Erase all content and settings" option from the system preferences menu. I can't find anything on the issue except for a Reddit post that was never resolved. ALL machines used to have the option. Anyone seen this?
Posted on 11-03-2021 08:56 PM
Jamf Pro 10.33 includes a new setting to allow/deny Erase All Content and Settings. Could that have been turned off?
Check for any configuration profiles with a Restrictions payload. Then look under the Functionality tab toward the bottom of the page.
Posted on 11-03-2021 09:25 PM
After checking all the profiles installed just to verify, only one has restrictions configured and is set to allow. It is important to note though that I noticed this before 10.33.
Posted on 11-04-2021 08:41 AM
I hate to ask the obvious question, but you are looking at computers with Monterey installed, correct? This feature was introduced with Monterey.
Posted on 11-30-2021 11:15 AM
I am sure.
Posted on 11-05-2021 06:57 AM
Currently having the same issue. The machine has no restriction profiles installed. The option was available and then after using the option to reset the device, the option has never reappeared. The device is an M1 MacBook Air.
Posted on 11-05-2021 01:47 PM
After some research, I found the issue with our devices. It appears that another user account (not the management account) was being created before the account in Setup Assistant. As such this "other" account was being granted the Secure Token and volume ownership rather than the one I was using. As soon as I stopped the other account from being created so early the option to "Erase All Content and Settings" reappeared.
A way to test this would be to check if the account you are using is enabled for Secure Token and volume ownership. Here's a link to Apple's docs on how to do this: https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web
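The check suggested in the post above, as an added example that is not part of the original thread: it reads an account's Secure Token state from `sysadminctl -secureTokenStatus` and its volume-owner flag from `diskutil apfs listUsers /`. The function names, the sample text and the exact output wording being matched are assumptions of this example.

```bash
#!/bin/sh
# Added example: Secure Token and volume-owner status for one local account.

# Constructed sample output (not captured from a real Mac), modelled on the tools.
SAMPLE_TOKEN='2021-11-05 13:47:10.123 sysadminctl[812:9041] Secure token is DISABLED for user labadmin'
SAMPLE_USERS='Cryptographic users for disk3s1 (2 found)
|
+-- 11111111-AAAA-4AAA-8AAA-000000000001
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 22222222-BBBB-4BBB-8BBB-000000000002
    Type: Local Open Directory User
    Volume Owner: No'

# Map `sysadminctl -secureTokenStatus` text to ENABLED, DISABLED or UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Find one GeneratedUID in `diskutil apfs listUsers /` text and print its
# "Volume Owner" value (Yes/No), or NotListed if the account is not a crypto user.
volume_owner() {   # $1 = listUsers output, $2 = GeneratedUID
    printf '%s\n' "$1" | awk -v uid="$2" '
        /^\+-- /                    { in_entry = (uid != "" && index($0, uid) > 0) }
        in_entry && /Volume Owner:/ { print $NF; found = 1; exit }
        END                         { if (!found) print "NotListed" }'
}

# Query the real tools for one short user name (macOS only).
check_account() {
    uid=$(dscl . -read "/Users/$1" GeneratedUID | awk '{print $2}')
    # sysadminctl reports status on stderr, hence 2>&1.
    echo "secure token: $(token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)")"
    echo "volume owner: $(volume_owner "$(diskutil apfs listUsers /)" "$uid")"
}

# Live check only on a Mac and only when a user name is passed as $1.
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then check_account "$1"; fi
```

An account that shows DISABLED or a volume-owner value of No matches the situation described in this post, where a different account received the token first.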
Posted on 12-21-2021 07:14 AM
I am also seeing this issue. I have a Restrictions payload with the "Allow Erase all content and settings" enabled, and still the option doesn't present in the System Preferences menu. I have even removed the Restrictions policy altogether. I have found the Security & Privacy payload is the culprit in my case. The profile only has the security and privacy payload configured and once I remove that profile, the "Erase All Content & Settings" option is available in the Sys Prefs menu. Any idea why this would be the case?
Posted on 02-02-2022 08:35 AM
We are seeing the issue with the "Erase All Content and Settings" only showing on the standard user account which then gives a message saying admin user required. Then when I log into our local admin user on the M1, it doesn't even show the Erase All Content and Settings in the system preference window, and if I bring up the Erase Assistant from /System/Library/CoreServices/ it says "This mac isnt supported".
Something about this feature is broken. We are using 12.2 and an M1 MacBook Air.
The Wipe command from Jamf is working with the dumb "Activating" screen coming up in between which is really not great or helpful for us admins.
EDIT: @TrentO seems we are in the same boat. Our prestage is supposed to set up a local admin user 1st, however they are not getting the Secure Token or Volume Ownership since the admin user doesn't get logged in first. Going to have to figure out how to get the PreStage Created Admin user to be granted a secure token as well.
Posted on 02-02-2022 08:48 AM
@GabeShack My prestage is creating an enrollment user (as admin) that I configure to auto-login to begin our provisioning process (using Octory as the splash screen). I'm also creating our local admin account via Enrollment Complete trigger (created during Setup Assistant). During the 1st couple steps of provisioning our local admin account is then granted the secure token via script policy. At the end of the provisioning process I clean up the auto login config and Octory files then reboot. We have a remove enrollment account policy that runs to clean up the enrollment user. Sounds convoluted but it seems to work pretty well for our deployments. This is all possible with enrollment packages in our prestage.
Posted on 02-02-2022 09:09 AM
@mrheathjones would you mind sharing the script policy you use to grant the secure token for the local admin?
I'd love to play around.
Also does that mean that the first "Standard" user login is unable to process system upgrades due to not being the volume owner/Secure token holder? (Which is fine, since we can make self service policies to get around this as we do now).
Posted on 02-23-2022 03:08 PM
You and me both
Posted on 02-24-2022 04:34 AM
@GabeShack @rpayne The script isn't anything extravagant honestly. It's just the grant secure token command line. I suppose I could save a couple steps by just using our standard local admin for the enrollment process, but I'm hoping to use this account for future enrollment workflows as well.
sysadminctl -adminUser "<adminAccountThatHasToken>" -adminPassword "<adminAccountThatHasTokenPassword>" -secureTokenOn "<accountThatNeedsToken>" -password "<accountThatNeedsTokenPassword>"
Our workflow is as follows:
After writing it all out it sounds like a super complex process but it really isn't. Hope this helps.