Erase, Reenroll Macs into Jamf.. Zero Touch

TIC
New Contributor II

Had a new deployment of several hundred MacBook Airs last summer ... Delivered from Apple new .. and they were properly wired up in our DEP.

Was able to hand out to users without touching them ... they created their own admin accounts, and the Airs showed up as supervised/managed and enrolled in JAMF. Garageband and iMovie were already in /Applications. Self Service populated with correct Apps.

Nice.

How can I replicate this experience...as the Airs all come back this summer ( K-12 ) and go to new users next year.

Wish list:

  1. Device handed out, users start it up and are at the setup screen
  2. Device enrolls itself?
  3. GarageBand, iMovie, Pages, Keynote are in Applications folder

DBrowning
Valued Contributor II

wipe/re-install OS from Recovery.

You'll need to create policies to install GB, iMovie, Pages, Keynote, Numbers. Since Pages, Keynote and Numbers are all now free, you can deploy with VPP.

Since devices are already in DEP, when you re-install the OS, DEP will kick in like it did previously.

That's my thoughts.

TIC
New Contributor II

Thanks !
What's the recommended way to wipe/reinstall OS? I booted a sample Air into Target mode .. wiped it that way.

But variations of Option-R, Option-CMD-R all lead to Internet Recovery after wiping the disk .. takes too long. ( There is no bootable recovery drive any more? )

I did boot into Target in this same device later -- and ran the Install macOS Sierra installer with success -- but on reboot it does not pull down its proper config file from Apple Activation server .. and does not get enrolled.

I can reenroll after the fact -- but also .. takes too long?

Trying to avoid the whole imaging game as I was led to believe this is the way to go nowadays .

DBrowning
Valued Contributor II

Wiping can be a few different ways:

1) Boot Directly to Recovery Partition, wipe and then reinstall
2) Create a barebones image and then use Target Disk Mode Imaging - be sure to run the following commands in single user mode before capturing image:
   - rm /var/db/.AppleSetupDone
   - rm -rf /var/db/ConfigurationProfiles/
   - rm /Library/Keychains/apsd.keychain
3) Create multiple USB Installers and wipe and reinstall from those
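
The pre-capture cleanup from option 2, as an added example that is not part of the original post: it removes the same three items, but under a volume root passed as an argument, so it also works against a mounted Target Disk Mode volume, and it refuses a path that does not look like a macOS system volume. The function name `prep_image_root`, the `ROOT` argument, the `--dry-run` flag and the `PREP_COUNT` variable are hypothetical.

```shell
#!/bin/sh
# Added example: clear the three items named in the post under a volume root
# before capturing an image. ROOT is an assumption: "/" in single user mode
# on the Mac itself, or the mount point of a Target Disk Mode volume.

# Paths from the post, relative to the volume root (one per line).
PREP_PATHS='var/db/.AppleSetupDone
var/db/ConfigurationProfiles
Library/Keychains/apsd.keychain'

prep_image_root() {
    root=${1:-}
    dry_run=${2:-}
    if [ -z "$root" ]; then
        echo "usage: prep_image_root ROOT [--dry-run]" >&2
        return 2
    fi
    # Guard against a mistyped path: both directories must already exist.
    if [ ! -d "$root/var/db" ] || [ ! -d "$root/Library" ]; then
        echo "refusing: $root does not look like a macOS system volume" >&2
        return 3
    fi
    removed=0
    old_ifs=$IFS
    IFS='
'
    for rel in $PREP_PATHS; do
        target="${root%/}/$rel"
        if [ -e "$target" ] || [ -L "$target" ]; then
            if [ "$dry_run" = "--dry-run" ]; then
                echo "would remove: $target"
            else
                rm -rf -- "$target" || { IFS=$old_ifs; return 1; }
                echo "removed: $target"
            fi
            removed=$((removed + 1))
        else
            echo "not present: $target"
        fi
    done
    IFS=$old_ifs
    # Number of items found (and removed unless --dry-run).
    PREP_COUNT=$removed
    return 0
}
```

Running it with `--dry-run` first shows which of the three items are present on the volume without deleting anything.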

georgecm12
Contributor III

Unfortunately, there's no remote "erase all content and settings" command on macOS like there is on iOS... at least, not yet. I wouldn't be surprised to see that added at some point, possibly after an eventual transition from HFS+ to APFS.

Until such time, the best option for (as close to) zero touch is going to be a netboot and restore an image.

jimmy-swings
Contributor II

You guys don't use a firmware password to protect your machines? - https://support.apple.com/en-au/HT204455

TIC
New Contributor II

Used OFPW on older deployments. Users are now their own admins and we are not using firmware password any longer. May move back to that one day.