Posted on 06-11-2024 04:44 AM
Hey guys, our users have no admin rights on their Macs. Is it possible to allow them to use the Erase option in the Settings app (General => Transfer or Reset => Erase All Content and Settings)? It seems like the Erase app actively needs admin rights, and it seems like these things cannot be handled using privilege management systems like BeyondTrust.
We tried running the commands stated here from Self Service, but got the same message as stated above. Any hints / proposals?
If not, I guess the only way for users is holding down the power button and reinstalling from there, right?
However we would prefer the way from settings app since it's more convenient.
Thank you so much for your thoughts on that.
best
Flory
Posted on 06-11-2024 04:52 AM
Send a remote wipe from Jamf? As long as the device is on 13+ and is T2 or ARM, it will do Erase All Content and Settings.
You also get this tagged in the audit history, rather than a user saying 'yes, I wiped it'.
Posted on 06-11-2024 04:55 AM
Thank you so much for the response, @jamf-42. I totally get what you mean. But in addition we wanted to give the user the possibility to simply wipe it without needing to contact IT. Any other idea?
Posted on 06-11-2024 04:57 AM
Add a Self Service item to elevate them to admin; after all, if they are going to wipe it, then being admin shouldn't be an issue. You can elevate to admin via a DSCL command and open the app with
open -a "Erase Assistant"
Posted on 06-12-2024 04:11 AM
You have 2 options then (there are more, but these are the obvious ones to me with less work involved):
1. Elevate the user to admin so they can click 'Erase All Content & Settings' under System Settings
2. Set up an API script in Self Service that sends a remote wipe command for that computer
1 would require that you have some kind of check that removes admin rights after a period of time, to counter the user cancelling the policy before the device wipes.
2 would require that you have plenty of confirmations so it isn't clicked by mistake, or you have to manually scope it to the user when required.
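The following is an added example, not code from the thread, of option 1 above combined with the `dscl` / `open -a "Erase Assistant"` idea from the earlier reply: a Jamf policy script that elevates the console user, opens Erase Assistant, and takes the admin rights back once a time limit has passed, so a cancelled wipe does not leave a permanent admin behind. It assumes Jamf's first custom script parameter ($4) carries the mode ("elevate" for the Self Service policy, "demote" for a recurring check-in policy or LaunchDaemon); the state-file path and the 15-minute TTL are also assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): temporary admin elevation for Erase Assistant.
# Jamf fills $1-$3 itself; $4 is assumed to be the mode: "elevate" or "demote".

STATE_FILE="/var/db/erase-elevation.state"   # assumed path; holds "user start_epoch"
TTL_SECONDS=900                               # assumed: elevation lasts 15 minutes

# Current GUI user (macOS only).
console_user() {
    /usr/bin/stat -f '%Su' /dev/console
}

# True if USER is already a member of the admin group (macOS only).
is_admin() {
    /usr/bin/dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null \
        | grep -q 'is a member'
}

# Record who was elevated and when; the demote step reads this back.
write_state() {
    printf '%s %s\n' "$1" "$2" > "$STATE_FILE"
}

# Pure helpers, kept separate so they can be checked without macOS tooling.
state_user()  { read -r user_ rest_  < "$1"; printf '%s\n' "$user_"; }
state_start() { read -r user_ start_ < "$1"; printf '%s\n' "$start_"; }

# elevation_expired START NOW TTL: true once TTL seconds have elapsed since START.
elevation_expired() {
    [ $(( $2 - $1 )) -ge "$3" ]
}

elevate() {
    user="$(console_user)"
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "no console user; aborting" >&2
        exit 1
    fi
    if is_admin "$user"; then
        # Do not record existing admins, or demote would strip a legitimate admin.
        echo "$user is already an admin; nothing to record"
    else
        /usr/bin/dscl . -append /Groups/admin GroupMembership "$user"
        write_state "$user" "$(date +%s)"
        echo "granted $user temporary admin for $TTL_SECONDS seconds"
    fi
    # Open the erase UI inside the user's session rather than as root.
    /usr/bin/sudo -u "$user" /usr/bin/open -a "Erase Assistant"
}

demote() {
    [ -f "$STATE_FILE" ] || exit 0
    user="$(state_user "$STATE_FILE")"
    start="$(state_start "$STATE_FILE")"
    if elevation_expired "$start" "$(date +%s)" "$TTL_SECONDS"; then
        /usr/bin/dscl . -delete /Groups/admin GroupMembership "$user"
        rm -f "$STATE_FILE"
        echo "removed temporary admin from $user"
    fi
}

case "${4:-}" in
    elevate) elevate ;;
    demote)  demote ;;
esac
```

If the wipe completes, the state file disappears with the volume; if the user cancels, the next demote run removes the admin membership once the TTL is up. The caveat matches the concern raised in this thread: for the length of the TTL the user is a real admin and can sudo, so the time limit narrows the window but cannot stop a determined user from, say, creating a second admin account during it.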
Posted on 06-12-2024 06:11 AM
Thanks @Tangentism. To be honest, I'm not directly a fan of either, but they are indeed good solutions. I just don't like it because it's error-prone, as you write (solution 1: the user could find ways to break out before the wipe happens and end up with admin rights; solution 2: this could be tampered with as well and misused by any malware). I guess for now we stick to Recovery mode for the user or a wipe by IT. Probably Apple will come up with letting the user use the Settings app erase without admin rights. Staying tuned for tomorrow's device configuration WWDC event.
thanks again!
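As an added example (not code from the thread) of option 2 from the previous reply, with the "plenty of confirmations" requirement built in: a Self Service script that looks up the Mac it runs on by serial number and sends Jamf's EraseDevice remote command, but only after the user has re-typed the serial into a dialog. It assumes Jamf passes the Jamf Pro URL, an API username and its password as script parameters $4-$6, that the API account is limited to reading computers and sending the erase command, and that the endpoint paths below match the Classic API of your Jamf Pro version (check them before use; the passcode value is a placeholder).

```shell
#!/bin/bash
# Added example (not from the thread): Self Service remote wipe with a confirmation gate.
# Assumed script parameters: $4 = Jamf Pro URL, $5 = API user, $6 = API password.

ERASE_PASSCODE="123456"   # assumed: the EraseDevice endpoint requires a 6-digit passcode

# --- pure helpers (no network, checkable offline) -------------------------

# Build the Classic API URL for an EraseDevice command.
erase_command_url() {   # BASE_URL COMPUTER_ID PASSCODE
    printf '%s/JSSResource/computercommands/command/EraseDevice/passcode/%s/id/%s\n' \
        "$1" "$3" "$2"
}

# Pull the "token" value out of the /api/v1/auth/token JSON reply.
json_token() {          # JSON
    printf '%s' "$1" | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

# First "id" in the computer record (the computer id precedes nested site ids).
json_first_id() {       # JSON
    printf '%s' "$1" | grep -o '"id" *: *[0-9][0-9]*' | head -n 1 | grep -o '[0-9][0-9]*$'
}

# Text typed into an osascript "display dialog ... default answer" prompt.
dialog_answer() {       # OSASCRIPT_OUTPUT
    printf '%s' "$1" | sed -n 's/.*text returned:\(.*\)$/\1/p'
}

# Confirmation gate: typed serial must equal the device serial
# (case-insensitive, surrounding whitespace ignored, empty never matches).
serial_confirmed() {    # TYPED ACTUAL
    typed="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')"
    actual="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')"
    [ -n "$actual" ] && [ "$typed" = "$actual" ]
}

# --- macOS / Jamf side -----------------------------------------------------

device_serial() {
    /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 \
        | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

# Cancel in the dialog makes osascript print nothing, which fails the gate.
ask_serial() {   # SERIAL -> text the user typed
    dialog_answer "$(/usr/bin/osascript -e "display dialog \"This will ERASE this Mac ($1). Type its serial number to confirm.\" default answer \"\" with icon caution" 2>/dev/null)"
}

send_erase() {   # BASE_URL API_USER API_PASS
    base="$1"; serial="$(device_serial)"
    token="$(json_token "$(curl -s -u "$2:$3" -X POST "$base/api/v1/auth/token")")"
    [ -n "$token" ] || { echo "could not obtain API token" >&2; exit 1; }
    id="$(json_first_id "$(curl -s -H "Authorization: Bearer $token" -H 'Accept: application/json' \
          "$base/JSSResource/computers/serialnumber/$serial/subset/general")")"
    [ -n "$id" ] || { echo "computer $serial not found in Jamf" >&2; exit 1; }
    if ! serial_confirmed "$(ask_serial "$serial")" "$serial"; then
        echo "serial did not match; wipe cancelled" >&2
        exit 1
    fi
    # Empty POST body; Jamf records the command in the computer's management history.
    curl -s -H "Authorization: Bearer $token" -X POST \
        "$(erase_command_url "$base" "$id" "$ERASE_PASSCODE")"
}

if [ $# -ge 6 ]; then
    send_erase "$4" "$5" "$6"
fi
```

Re-typing the serial stops a stray click, and the command lands in the computer's history in Jamf rather than relying on the user's word. It does not address the other concern raised in this thread: the API credential has to reach the script somehow, and anything that obtains it can erase every Mac the account is allowed to target, so keep that account to the minimum privileges and treat a leak as an incident.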
Posted on 06-11-2024 05:05 AM
Can you use the "--eraseinstall" command?
An old script example:
#!/bin/zsh
# Needs the full installer present on the Mac and must run as root (e.g. from a Jamf policy).
# --eraseinstall wipes the volume and reinstalls; --forcequitapps closes open apps without asking.
echo "Running startosinstall..."
'/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall' --agreetolicense --eraseinstall --forcequitapps &
# Backgrounded so the policy returns before the reboot; its exit status is not available here.
exit 0
Posted on 06-11-2024 06:44 AM
Thanks @obi-k. I think that would need to download the whole image again, since it's normally not there anymore. But thanks. I proposed internally whether we go with the wipe from the admin portal or alternatively with "press and hold the power button" if it should be run from the user end directly. Thanks, your response is much appreciated! Love this community.
Posted on 06-11-2024 06:10 AM
Just get them to reboot into Recovery; they can erase it from there.
Posted on 06-12-2024 04:13 AM
That requires giving the user either the EFI password or the recovery key, which is a massive no-no with a lot of my project customers.
Posted on 06-12-2024 05:41 AM
If it's Apple silicon it doesn't have an EFI password. You could be setting Recovery Lock passwords (you would have the same issue if users had admin in that case). And you don't need a FileVault password to wipe the device; on the same screen that asks for the password, you can wipe the device in Recovery.
Posted on 06-12-2024 07:57 AM
One thing to bear in mind is that the device normally needs to be activated when wiped. The user doesn't always get the option to connect to a Wi-Fi network to activate it. You sometimes need to connect the device to the internet via a USB-C to Ethernet adapter. If these devices are remote and they don't have an adapter, you leave them stuck (that's an Apple issue which was meant to have been fixed in Sonoma, but they haven't).
Posted on 06-13-2024 04:06 AM
You're so right. Just faced the same issue today. It would be so nice if Recovery supported captive portals or certificate / user-password based authentication to Wi-Fi, or at least supported USB-C Ethernet adapter drivers. The one we tried didn't work, unfortunately. Hopefully Apple adds these features soon, since they are urgently required.
Thanks for your post; I'm so happy not to be alone with these topics.
Posted on 06-11-2024 06:45 AM
Thank you so much. Yeah, I think that's (along with the wipe from the admin portal) the state-of-the-art solution to wipe. Thank you so much!