Erase all content and settings missing (macOS)

Contributor II

I have multiple machines (m1, Intel with T2) that are missing the "Erase all content and settings" from the system preferences menu. I can't find anything on the issue except for a reddit post that was never resolved. ALL machines used to have the option. Anyone seen this?



Jamf Pro 10.33 includes a new setting to allow/deny Erase All Content and Settings. Could that have been turned off?

Check for any configuration profiles with a Restrictions payload. Then look under the Functionality tab toward the bottom of the page.


Contributor II

After checking all the profiles installed just to verify, only one has restrictions configured and is set to allow. It is important to note though that I noticed this before 10.33.

Valued Contributor II

I hate to ask the obvious question, but you are looking at computers with Monterey installed, correct? This feature was introduced with Monterey.

I am sure.

Contributor II

Currently having the same issue. The machine has no restriction profiles installed. The option was available and then after using the option to reset the device, the option has never reappeared. The device is an M1 Macbook Air.

Contributor II

After some research, I found the issue with our devices. It appears that another user account (not the management account) was being created before the account in Setup Assistant. As such this "other" account was being granted the Secure Token and volume ownership rather than the one I was using. As soon as I stopped the other account from being created so early the option to "Erase All Content and Settings" reappeared.

A way to test this would be to check if the account you are using is enabled for Secure Token and volume ownership. Here's a link to Apples docs on how to do this:

New Contributor III

I am also seeing this issue. I have a Restrictions payload with the "Allow Erase all content and settings" enabled, and still the option doesn't present in the System Preferences menu. I have even removed the Restrictions policy all together. I have found the Security & Privacy payload is the culprit in my case. The profile only has the security and privacy payload configured and once I remove that profile, the "Erase All Content & Settings" option is available in the Sys Prefs menu. Any idea why this would be the case?

Valued Contributor III

We are seeing the issue with the "Erase All Content and Settings" only showing on the standard user account which then gives a message saying admin user required.  Then when I log into our local admin user on the M1, it doesnt even show the Erase All Content and settings in the system preference window, and if I bring up the Erase Assistant from /System/Library/CoreServices/ it says "This mac isnt supported".


Something about this feature is broken.  WE are using 12.2 and an M1 MacBook Air.


The Wipe command from Jamf is working with the dumb "Activating" screen coming up in between which is really not great or helpful for us admins.


EDIT: @TrentO seems we are in the same boat.  Our prestage is supposed to setup a local admin user 1st, however they are not getting the Secure Token or Volume Ownership since the admin user doesn't get logged in first.  Going to have to figure out how to get the PreStage Created Admin user to be granted a secure token as well.

Gabe Shackney
Princeton Public Schools

@GabeShack My prestage is creating an enrollment user (as admin) that I configure to auto-login to begin our provisioning process (using octory as the splash screen). I'm also creating our local admin account via Enrollment Complete trigger (created during Setup Assistant). During the 1st couple steps of provisioning our local admin account is then granted the secure token via script policy. At the end of the provisioning process I clean up the auto login config and octory files then reboot. We have a remove enrollment account policy that runs to cleanup the enrollment user. Sounds convoluted but it seems to work pretty well for our deployments. This is all possible with enrollment packages in our prestage. 

Valued Contributor III

@mrheathjones would you mind sharing the script policy you use to grant the secure token for the local admin?

I'd love to play around.

Also does that mean that the first "Standard" user login is unable to process system upgrades due to not being the volume owner/Secure token holder?  (Which is fine, since we can make self service policies to get around this as we do now).


Gabe Shackney
Princeton Public Schools

You and me both

New Contributor III

@GabeShack @rpayne The script isn't anything extravagant honestly. It's just the grant secure token command line. I suppose I could save a couple steps by just using our standard local admin for the enrollment process, but I'm hoping to use this account for future enrollment workflows as well. 


sysadminctl -adminUser "<accountThatNeedsToken>" -adminPassword "accountThatNeedsTokenPassword" -secureTokenOn "adminAccountThatHasToken" -password " adminAccountThatHasTokenPassword"


Our workflow is as follows:

  1. Prestage Enrollment "Account Settings" Payload
    1. Create a local administrator account before the Setup Assistant
    2. Skip Account Creation
      1. This account is only used for the enrollment/configuration process
      2. After Mac has been configured it is then deleted via a Jamf Policy
    3. Configure "Auto-Login" for the Enrollment user 
      1. Deploy a package containing script to enable auto-login
    4. Create local admin account policy via "Enrollment" Trigger
      1. This account is our standard local admin used for troubleshooting
    5. Grant SecureToken to local admin policy via "Enrollment" Trigger
      1. This has to be done after the local account is created (of course). 
      2. We name the policies with numbers prepended so the policies apply in sequential order
    6. Reboot policy via "Enrollment" Trigger 
      1. After all of our "Enrollment" policies are applied the final policy with the "Enrollment" trigger is a reboot policy
      2. This ensures the Mac is auto-logged in as the enrollment account
    7. Once logged in a script is run via LaunchAgent
      1. Script launches Octory (Enrollment SplashScreen) in full screen mode
      2. Script runs custom trigger to fire the "Enrollment Script" policy
    8. Enrollment script provisions our Macs
      1. Script disables auto login for enrollment user
      2. cleans up Octory files
      3. Reboots mac
    9. Upon next login Enrollment user is deleted via policy
    10. Done

After writing it all out it sounds like a super complex process but it really isn't. Hope this helps.