--eraseinstall for macOS Big Sur

DBrowning
Valued Contributor

What are people doing to get around the --passprompt or --stdinpass when running the --eraseinstall command with the Big Sur installer?

I have a script available in Self Service for users that want to wipe their machines that works great in Catalina and I was trying to use it for Big Sur as well, but I'm getting an error "Error: failed to authorize for installation. Provide a password with --stdinpass or --passprompt." This happens even when I use sudo or login as root and try the command.

49 REPLIES 49

Jason33
Contributor II

Sorry, copied my command from the wrong policy. In my policy, I have a script that runs that promotes the currently logged in user to an admin. The user also have securetoken. With the --passprompt flag, shouldnt I receive a pop up asking for the password, in order to proceed?

/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall --passprompt --agreetolicense --forcequitapps --eraseinstall --newvolumename "Macintosh HD"

From the startosinstall usage, here is what --passprompt says "collect a password for authorization with an interactive prompt"

luke_reagor
Contributor II

@Jason33 You still need the --user parameter to specify the user for which you're tying in the password.

mdls
New Contributor

I was having this exact issue, the terminal command worked flawlessly with Intel and failed as yours on M1 so I opened a support request with Apple Enterprise and this is their response.

The behavior you described is expected on Apple silicon Macs and has been reproduced internally by Apple. Product Engineering is working on a fix that is expected to arrive in a later version of macOS 11.

With that, it seems no matter what we try to do while doing an --eraseinstall, we won't be able to get this going since it's an issue embedded into their OS.

I've been using version 11.4 for the full installer, perhaps using an older version will work instead.

user-TUGybyjVPe
New Contributor

i've read all the message above so if i want to use a one button erase on self service with a M1 mac, i have to put the admin password in clear on the script? There is no another way? My internal security do not want a thing like this

user-TUGybyjVPe
New Contributor

Sorry, but i don't understand a thing after reading all messages. It's not possible actually to do a one button erase in the self service, without putting the password in the script right? Because my internal security will not allow this.

luke_reagor
Contributor II

@user-TUGybyjVPe Unfortunately, the two options are to prompt for the password or to have it provided with the command. We create a generic admin user specific for the startosinstall command, and then encrypt it in the script before decrypting it for the command. It's a pain, but it works for us. It at least keeps it from being in plain text in the script.

Jason33
Contributor II

So here is the script that I put together for this process, but I'm still never prompted for the password. Am I missing something? when I run the policy the only thing that seems to work is elevating the user permissions. After that, the policy just spins and does not do anything further

#!/bin/bash

#get the logged in user

loggedInUser=$(stat -f %Su /dev/console)

osascript -e 'display dialog "Click the button to erase the drive and reinstall macOS Big Sur." buttons {"Erase and Install"} default button 1'

#give the loggedInUser admin privileges

/usr/sbin/dseditgroup -o edit -a $loggedInUser -t user admin

#start macOS Big Sur Installer to erase drive

/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall --passprompt --user $loggedInUser --agreetolicense --forcequitapps --eraseinstall --newvolumename "Macintosh HD"

exit 0

mdls
New Contributor

looks like it's fixed with 11.5

softwareupdate --fetch-full-installer --full-installer-version 11. 5 ; echo 'Pa$$' | '/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall' --agreetolicense --eraseinstall --newvolumename 'Macintosh HD' --nointeraction --forcequitapps --user admin --stdinpass

 

this worked for me now

rgarcia2
New Contributor

I'll briefly offer (or add onto this jamboree) that running

 

sudo /Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall --eraseinstall --agreetolicense --passprompt

 

from the Terminal as a Standard user was our undoing. It threw back an "Error: could not get authorization..."

The error followed an attempt to run the command from a Standard user account while invoking an administrative account in the Terminal with...

 

sudo -s [LOCAL_ADMIN_USERNAME]

 

 It only worked after properly logging into the LOCAL_ADMIN_USERNAME from the macOS login prompt and then running the first command mentioned in this post. This was on an M1 MacBook Air running Big Sur 11.15.1. (Of course, as you all know, the above method worked for previous versions of macOS installer on Intel-chip MacBooks.)

fernando_gonzal
Contributor

@DBrowning 

The above examples are great but they do require knowing a secureToken username and password and being able to hard code that into a script (which may not be a good idea security wise).

 

In our case it's not possible since we let the majority of our users deploy the machines themselves and so THEY are the secureToken user. We do add an InfoTech Administrator account we script as a policy but it is not a secureToken account. As well, the password is unique so even if our InfoTech Administrator account was a secureToken account we wouldn't know the password necessarily (not for script purposes in any case).

So in order to make a Self Service item that works in M1s we do the following:

In the part of your script where you would usually just have the startosinstall command line you instead point it over to a .command file payload that will open the Terminal for the logged on user and will prompt for a secureToken credential (you can package up that .command file in a pkg as part of your Jamf policy and place it in a tmp folder):

open /private/tmp/macos-11-M1-eraseandinstall.command

#!/bin/sh

echo "This script will attempt to completely wipe and erase the machine for a macOS reinstall..."
echo "You will be asked to enter the username for a SecureToke Admin account. This could be the InfoTechAdministrator account but only if it can unlock the computer at the FileVault prompt. Otherwise enter any other SecureToken Admin Username..."
echo "Enter a SecureToken Admin Username:"
read securetokenadmin
echo "The SecureToken Admin Username entered is $securetokenadmin ..."
echo "You will be asked to enter the password for $securetokenadmin . Please be aware that the password will be displayed in clear text..." 
echo "Enter the password for $securetokenadmin :"
read pass
echo "Will proceed to attempt a wipe and reinstall of macOS..."
echo "Be aware that this script will only succeed if a valid SecureToken Admin account and password was entered above..."

echo $pass |"/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall" --user $securetokenadmin --agreetolicense --nointeraction --eraseinstall --newvolumename "Macintosh HD" --stdinpass

Once again for those that want to have a Self Service item that works with any secureToken user account this should do it.