Posted on 08-07-2019 11:19 AM
I have an iMac lab, all the machines of which were purchased through DEP. They were prepped before we had Jamf, and we're now getting around to wiping them and taking advantage of PreStage Enrollment. I used startosinstall and --eraseinstall to wipe these, and it worked great. Additionally, all the machines have been PreStaged.
However, to my horror, I'm finding that PreStage Enrollments do not appear to be possible with my method of --eraseinstall. I know this because I've clicked through a number of them without seeing my beloved "Remote Management" step. Then I booted one into Recovery, wiped it manually, and—voilà—there's the "Remote Management" step.
Any ideas on why --eraseinstall wouldn't erase a partition thoroughly enough to allow a PreStage Enrollment to occur? Below is the exact command used. The only thing I can think of is that I used a USB installer instead of an /Applications installer, but I'm not sure how that would initiate a less complete erase.
"/Volumes/Install macOS Mojave/Install macOS Mojave.app/Contents/Resources/startosinstall" --eraseinstall --newvolumename "Macintosh HD" --agreetolicense
Posted on 08-07-2019 12:04 PM
Hello @wds do you know if your volumes are HFS+ or APFS? The steps you mentioned, I also do, but I had to make sure all the computers were formatted as APFS. I did that last summer as part of our move to High Sierra. Moving to Mojave was a breeze after that.
Posted on 08-07-2019 01:05 PM
@mconners Good question. Unfortunately, I've manually re-erased and restored all of them, and I neglected to check the file system on any of them before doing so. The file system was whatever startosinstall installed by default. I believe before the initial erase, they were running APFS High Sierra. (These are SSDs, if that makes any difference.)
Seems like --eraseinstall would do APFS by default on SSDs.
Posted on 08-07-2019 01:24 PM
@wds your command might be a bit off. The erase install is used in a context such as:
OSInstaller/Contents/Resources/startosinstall" --eraseinstall --agreetolicense --nointeraction
I see you called it starttoinstall but it should be startosinstall.
Posted on 08-07-2019 02:01 PM
This is pretty good and easy to use and tweak. Works a treat for me.
Posted on 08-07-2019 03:08 PM
@mconners Thanks for pointing that out. That was just a typo here in the thread. The command itself was input correctly. Again, the issue is not that the command didn't work. Quite the contrary—it was easy and worked as expected. The only hurdle has been that DEP doesn't talk to these machines after they've been erased and restored via startosinstall/--eraseinstall, and that seems like a big flaw with DEP (assuming I'm not doing something wrong, of course).
Posted on 08-08-2019 06:38 AM
Hello @wds I can reassure you that the DEP and prestage enrollment process works great. We have been doing this over a year and with our hundreds of Macs being wiped and reset in the method you are attempting to do, it works. In fact, several colleagues of mine were surprised at how smoothly things have gone this summer. I'm waiting for faculty and students to return to verify all is well, but our summer classes were here and everything seems to be working. We did nearly 800 Macs in a matter of two weeks with me and a student helper periodically.
With all that being said, I suspect you have already scoped in the prestage enrollment section. Also, are the computers assigned in the DEP management settings?
The other thing I followed for our workflow was this. I modified it so I can use it whenever needed. Whether from Jamf Remote or a policy where we recover the OS overnight and the next morning, we simply click through those first three windows to get the computer re-enrolled again.
Posted on 09-26-2019 02:55 AM
@mconners I'm keen to know when and how the computer does the reregistration, after it being eraseinstalled. Normally it is done when running the setup assistant, but that is not doable in a computer lab environment where we want everything done automatically. So, can you elaborate?
Posted on 09-26-2019 03:26 AM
Like @mconners said, I too can assure that when set up properly DEP and prestage work after --eraseinstall.
However there is no simple way to remove the Setup assistant part of the process as DEP does not start without it.
There are a few people working on various methods, as you can specify an after OS install pkg to be deployed, but personally we found it simply not worth it as the devices need to be visited once or twice anyway just to confirm things are as expected.
Posted on 09-26-2019 05:33 AM
Question: Are you erasing the record in JAMF during the eraseinstall process?
Posted on 09-26-2019 05:43 AM
We did this over the summer and did not have an issue. We did a two-stage upgrade, because most of the labs were still on Sierra (not even High Sierra, just Sierra). Stage 1 upgraded them in place to Mojave so that we would have the --eraseinstall feature, and stage 2 did a nuke and pave to get them into DEP registered status.
The only time I saw a system bypass the Remote Management screen was when one got left out of Apple School Manager via a typo in the serial number.
Sorry that's not of more help...
Posted on 09-26-2019 07:08 AM
@marcusbjerknes and @Look in our workflow, we simply provide the correct name and all is tied together. We don't erase anything from the JSS until the computer is officially retired and recycled.
The computers will re-register or re-enroll when the acceptance of the remote management screen is clicked through. We have scripts to name the computer after re-enrolling. If you would like more details, I would be happy to share a couple of my documents with you. My email is mconners@madisoncollege.edu.
I have one document that provides an overview of the process and another with much greater detail on each script, policy and smart group we use.
Posted on 09-26-2019 11:11 PM
@mconners We had a similar setup.
The devices enroll automatically using DEP during Setup Assistant, after enrollment they automatically renamed themselves from an asset database, this puts them into a variety of smart groups for room specific deployments.
Yes you still have to click through the start of Setup Assistant, but it was fast and accurate and wiping a machine meant it just came back exactly how it was meant to be in fairly short order.
Well worth the time and effort to get sorted!
Posted on 09-27-2019 06:22 AM
We do essentially what @Look just described, using ServiceNow as the authoritative source. We had to write a few shim scripts using both APIs, but it works pretty well.
Posted on 09-27-2019 06:50 AM
@Look you used the phrase, "had." Are you doing something different now? I am curious what your process changed to. I have spent nearly 2 years getting our workflow set up this way and it has been a wonderful change from where we were once. I am waiting for the time when something changes on Apple's or Jamf's end causing me to make massive adjustments.
Posted on 09-27-2019 08:57 AM
DEP enrollment and using the --eraseinstall option with the startosinstall command should be completely unrelated.
If the management screen isn't appearing during enrollment, then your Mac is not accessing Apple or the PreStage Enrollment you've stored with Apple after saving in Jamf Pro doesn't think your Mac is scoped. Remember that you should wait about 10 minutes after making a change to your PreStage Enrollment in Jamf Pro to allow time for it to sync with Apple.
If there's no issue with the PreStage syncing with Apple then test connectivity during the Setup Assistant. When you see the second or third screen of the Setup Assistant, press Control Option Command + t and wait a few seconds. This should open the Terminal app.
Test connectivity to Apple using /usr/bin/nc -z courier.push.apple.com 443. You want to see a response that looks like Connection to courier.push.apple.com port 443 [tcp/*] succeeded!. If that works, proceed with enrollment and see what happens.
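The connectivity test from the post above, extended into a small script that probes several enrollment endpoints and maps the result to the next troubleshooting step mentioned in this thread. This is an added example, not part of the original post: only courier.push.apple.com:443 comes from the thread, the other hosts are assumed from Apple's published enterprise network requirements, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Only courier.push.apple.com:443 is taken from the thread; the
# other hosts are assumed from Apple's enterprise network requirements.
ENDPOINTS="courier.push.apple.com:443
albert.apple.com:443
deviceenrollment.apple.com:443
iprofiles.apple.com:443"

# probe HOST PORT: exit 0 when a TCP connection can be opened (no data sent).
probe() {
    /usr/bin/nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Probe every endpoint, print one line each, return the number of failures.
check_endpoints() {
    failed=0
    for ep in $ENDPOINTS; do
        host=${ep%:*}
        port=${ep#*:}
        if probe "$host" "$port"; then
            echo "OK   $host:$port"
        else
            echo "FAIL $host:$port"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Turn the failure count into the next step suggested in the thread.
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo "Network OK: check PreStage scope, DEP assignment and serial number; allow about 10 minutes for sync."
    else
        echo "$1 endpoint(s) unreachable: fix network or firewall access, then retry enrollment."
    fi
}

# Run the checks only when asked, e.g.: sh dep_check.sh run
if [ "${1:-}" = "run" ]; then
    check_endpoints
    diagnose "$?"
fi
```
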
Posted on 10-02-2019 05:42 PM
@mconners Sorry for the late reply, the "had" was in a personal context, it was in my previous work place (who I am now contracting back to). The system is still currently like that and it works very well, I can't see it being changed until as you say Apple change something.
I hit every Apple rep I meet anywhere with the "please make DEP for macOS start automatically like it does in TVOS" stick..