Jamf Nation Community

add a self service item to elevate them to admin, after all if they are going to wipe it.. then being admin shouldn't be an issue. You can elevate to admin via DSCL command and open the app with 

open -a "Erase Assistant"

 

You have 2 options then (there are more but these are obvious to me with less work involved)

1. Elevate the user to admin and so they can click 'Erase All Contents & Settings" under System Settings

2. Set up an API script in Self Service that sends a remote wipe command for that computer

1 would require that you have some kind of checking that removes admin rights after a period of time to counter the user cancelling the policy before the device wipes

2 would require that you have plenty of confirmations so it wasnt clicked by mistake or you have to manually scope it to the user when required.

thanks @Tangentism . to be honest not directly a fan of both. but indeed good solutions. Just don't like it because it's error prone as you write (solution 1 user could find solutions to outbreak before wipe happens and ends up with admin rights and solution 2 this could be tampered as well and misused from any malware. Guess for now we stick to recovery mode from user or wipe using IT. Probably apple comes up with letting the user use settings app erase without admin rights. Staying tuned for tomorrow's device configuration WWDC event. 

 

thanks again!

thanks @mvu  I think that would need to download the whole image again since it's normally not there anymore. But thanks - I proposed internally whether we go with wipe from admin portal or alternatively going with "press and hold power button" if it should be run from user end directly. Thanks, your response is much appreciated ! love this community

That requires giving the user either EFI password or the recovery key, which is a massive no-no with a lot of my project customers

If its apple silicone it doesn't have a efi password. You could be setting recovery lock passwords (you would have the same issue if users had admin in that case). And you dont need a filevault password to wipe the device, on the same screen which asks for the password, you can wipe the device in recovery.

Thanks for reply ! You are totally right. think we are pretty state of the art with using no admin hence going and use wipe (with help of it) or long press power button to get user by himself into recovery mode.
Would appreciate if Apple would make the Erase action from system settings available for users using mdm config. So we as admins could enable users to reset the device easily. For sure to be secure from any malware. / misuse it should ask for a password (no elevation / just to verify identity of the user) from the currently logged in user.

Thanks again.

______________________________________________________________

Krones AG
Vorstand: Christoph Klenk, Vorstandsvorsitzender,
Uta Anders, Thomas Ricker, Markus Tischer, Ralf Goldbrunner
Vorsitzender des Aufsichtsrats: Volker Kronseder
Registergericht: Regensburg HRB 23 44, Umsatzsteuer-ID-Nummer: DE 133 695 999

______________________________________________________________

Der Inhalt dieser E-Mail und jeder Anhang ist vertraulich.
Diese Inhalte sind nur fuer die benannten Adressaten.
Wenn Sie diese E-Mail durch einen Fehler erhalten haben,
benachrichtigen Sie sofort Ihren Administrator oder den Absender.
Behandeln Sie die E-Mail vertraulich.

* Diese E-Mail wurde auf Viren und gefaehrlichen Inhalt geprueft. *

______________________________________________________________

The contents of this email and any attachments are confidential.
They are intended for the named recipient(s) only.
If you have received this email in error please notify the system manager
or the sender immediately and do not disclose the contents to anyone or
make copies.

* This e-Mail was scanned for viruses, vandals and malicious content. *

you're so right. Just faced same issue today. Would be so nice if the recovery is would support captive portals or certificate / user password based authentication to wifi. Or at least support usb-c ethernet adapter drivers. The one we tried didn't work unfortunately. Hopefully Apple adds these features soon, since that would be urgently required. 

thanks for your post, since I'm so happy not being alone with these topics.