Erase all content and settings missing (macOS)

rpayne
Contributor II

I have multiple machines (M1, Intel with T2) that are missing the "Erase all content and settings" option from the System Preferences menu. I can't find anything on the issue except for a Reddit post that was never resolved. ALL machines used to have the option. Anyone seen this?


talkingmoose
Moderator

Jamf Pro 10.33 includes a new setting to allow/deny Erase All Content and Settings. Could that have been turned off?

Check for any configuration profiles with a Restrictions payload. Then look under the Functionality tab toward the bottom of the page.


rpayne
Contributor II

After checking all the profiles installed just to verify, only one has restrictions configured and is set to allow. It is important to note though that I noticed this before 10.33.

Tribruin
Valued Contributor II

I hate to ask the obvious question, but you are looking at computers with Monterey installed, correct? This feature was introduced with Monterey.

I am sure.

TrentO
Contributor II

Currently having the same issue. The machine has no restriction profiles installed. The option was available, and then after using the option to reset the device, the option has never reappeared. The device is an M1 MacBook Air.

TrentO
Contributor II

After some research, I found the issue with our devices. It appears that another user account (not the management account) was being created before the account in Setup Assistant. As such this "other" account was being granted the Secure Token and volume ownership rather than the one I was using. As soon as I stopped the other account from being created so early the option to "Erase All Content and Settings" reappeared.

A way to test this would be to check if the account you are using is enabled for Secure Token and volume ownership. Here's a link to Apple's docs on how to do this: https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web

mrheathjones
New Contributor III

I am also seeing this issue. I have a Restrictions payload with "Allow Erase all content and settings" enabled, and still the option doesn't appear in the System Preferences menu. I have even removed the Restrictions policy altogether. I have found the Security & Privacy payload is the culprit in my case. The profile only has the Security and Privacy payload configured, and once I remove that profile, the "Erase All Content & Settings" option is available in the System Preferences menu. Any idea why this would be the case?

GabeShack
Valued Contributor III

We are seeing the issue with "Erase All Content and Settings" only showing on the standard user account, which then gives a message saying an admin user is required. Then when I log into our local admin user on the M1, it doesn't even show Erase All Content and Settings in the System Preferences window, and if I bring up the Erase Assistant from /System/Library/CoreServices/ it says "This Mac isn't supported".

Something about this feature is broken. We are using 12.2 and an M1 MacBook Air.

The Wipe command from Jamf is working, with the dumb "Activating" screen coming up in between, which is really not great or helpful for us admins.

EDIT: @TrentO seems we are in the same boat. Our PreStage is supposed to set up a local admin user first; however, they are not getting the Secure Token or Volume Ownership since the admin user doesn't get logged in first. Going to have to figure out how to get the PreStage-created admin user to be granted a Secure Token as well.

Gabe Shackney
Princeton Public Schools

@GabeShack My PreStage is creating an enrollment user (as admin) that I configure to auto-login to begin our provisioning process (using Octory as the splash screen). I'm also creating our local admin account via the Enrollment Complete trigger (created during Setup Assistant). During the first couple of steps of provisioning, our local admin account is then granted the Secure Token via a script policy. At the end of the provisioning process I clean up the auto-login config and Octory files, then reboot. We have a remove-enrollment-account policy that runs to clean up the enrollment user. Sounds convoluted, but it seems to work pretty well for our deployments. This is all possible with enrollment packages in our PreStage.

GabeShack
Valued Contributor III

@mrheathjones would you mind sharing the script policy you use to grant the secure token for the local admin?

I'd love to play around.

Also, does that mean that the first "Standard" user login is unable to process system upgrades due to not being the volume owner/Secure Token holder? (Which is fine, since we can make Self Service policies to get around this as we do now.)

Gabe Shackney
Princeton Public Schools

You and me both

mrheathjones
New Contributor III

@GabeShack @rpayne The script isn't anything extravagant, honestly. It's just the grant Secure Token command line. I suppose I could save a couple of steps by just using our standard local admin for the enrollment process, but I'm hoping to use this account for future enrollment workflows as well.

# -adminUser/-adminPassword are the credentials of an admin that already holds a Secure Token; -secureTokenOn/-password name the account receiving one
sysadminctl -adminUser "<adminAccountThatHasToken>" -adminPassword "<adminAccountThatHasTokenPassword>" -secureTokenOn "<accountThatNeedsToken>" -password "<accountThatNeedsTokenPassword>"

Our workflow is as follows:

  1. PreStage Enrollment "Account Settings" payload
    1. Create a local administrator account before the Setup Assistant
    2. Skip Account Creation
      1. This account is only used for the enrollment/configuration process
      2. After the Mac has been configured it is then deleted via a Jamf policy
    3. Configure "Auto-Login" for the enrollment user
      1. Deploy a package containing a script to enable auto-login
    4. Create local admin account policy via "Enrollment" trigger
      1. This account is our standard local admin used for troubleshooting
    5. Grant SecureToken to local admin policy via "Enrollment" trigger
      1. This has to be done after the local account is created (of course).
      2. We name the policies with numbers prepended so the policies apply in sequential order
    6. Reboot policy via "Enrollment" trigger
      1. After all of our "Enrollment" policies are applied, the final policy with the "Enrollment" trigger is a reboot policy
      2. This ensures the Mac is auto-logged in as the enrollment account
    7. Once logged in, a script is run via LaunchAgent
      1. Script launches Octory (enrollment splash screen) in full-screen mode
      2. Script runs a custom trigger to fire the "Enrollment Script" policy
    8. Enrollment script provisions our Macs
      1. Script disables auto-login for the enrollment user
      2. Cleans up Octory files
      3. Reboots the Mac
    9. Upon next login the enrollment user is deleted via policy
    10. Done

After writing it all out it sounds like a super complex process but it really isn't. Hope this helps.
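Putting TrentO's check (is the account a Secure Token holder and volume owner?) and mrheathjones's grant step together, here is an added example policy script that is not code from the thread or from Jamf: it verifies the target admin, grants the token only from an admin that already holds one, and re-verifies. Jamf parameters $4..$7, and the exact sysadminctl/diskutil output formats parsed, are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread). Verify Secure Token + APFS volume ownership
# for an account and grant the token when missing. Assumed Jamf parameters:
# $4 target user, $5 target password, $6 token-holding admin, $7 admin password.
# Map `sysadminctl -secureTokenStatus <user>` output to enabled/disabled/unknown.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}
# Given `diskutil apfs listUsers /` output ($1) and a user GeneratedUID ($2),
# print yes if that user is listed with "Volume Owner: Yes", else no (assumed format).
parse_volume_owner() {
  printf '%s\n' "$1" | awk -v guid="$2" '
    /^\+-- /                       { inuser = ($2 == guid) }
    inuser && /Volume Owner: Yes/  { owner = 1 }
    END                            { print (owner ? "yes" : "no") }'
}
# Live check on a Mac; succeeds only when the account has both attributes.
check_account() {
  token=$(parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)")
  guid=$(dscl . -read "/Users/$1" GeneratedUID | awk '{print $2}')
  owner=$(parse_volume_owner "$(diskutil apfs listUsers / 2>/dev/null)" "$guid")
  echo "$1: secure token $token, volume owner $owner"
  [ "$token" = enabled ] && [ "$owner" = yes ]
}
# Grant a token to $1 (password $2) using admin $3 (password $4), then re-check.
grant_token() {
  [ "$(parse_token_status "$(sysadminctl -secureTokenStatus "$3" 2>&1)")" = enabled ] ||
    { echo "$3 has no Secure Token; it cannot grant one" >&2; return 2; }
  sysadminctl -adminUser "$3" -adminPassword "$4" -secureTokenOn "$1" -password "$2" >/dev/null 2>&1
  check_account "$1"
}
# Constructed sample output (not captured from a real Mac) so the parsers run anywhere.
SAMPLE_STATUS='2022-02-01 10:00:00.000 sysadminctl[412:9981] Secure token is ENABLED for user Alice'
SAMPLE_USERS='Cryptographic users for disk1s1 (1 found)
+-- 11111111-2222-3333-4444-555555555555
    Type: Local Open Directory User
    Volume Owner: Yes'
if command -v sysadminctl >/dev/null 2>&1; then
  check_account "$4" || grant_token "$4" "$5" "$6" "$7"
else
  echo "sample: token $(parse_token_status "$SAMPLE_STATUS"), owner $(parse_volume_owner "$SAMPLE_USERS" 11111111-2222-3333-4444-555555555555)"
fi
```

Run it as the "Grant SecureToken" policy after the account-creation policy; a non-zero exit surfaces in the Jamf policy log when the admin still lacks the token or ownership.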