Force "Erase all Contents and Settings" on macOS via command line

leancea
New Contributor

Dear Community,

we are switching from Meraki to Jamf and would like to trigger the "Erase all Content and Settings" function on our employees' Macs via the Meraki command line without the employee having to make an entry.

Do you have any ideas on how we can implement this?

 

I've currently found the following option:
1. make the user an admin
2. trigger the setting

Here the employee still has to enter his user password:

sudo dseditgroup -o edit -a username admin
/usr/bin/su - "`/usr/bin/stat -f%Su /dev/console`" -c "/usr/bin/open '/System/Library/CoreServices/Erase Assistant.app'"

4 REPLIES

scottlep
Contributor II

I am not positive, but it may not be possible from the command line since EACAS prompts for a local admin user password. Doesn't Meraki have an MDM command to wipe/reset the Macs? Jamf has the "Wipe Computer" MDM command which should behave the same as EACAS on compatible Macs. On Macs/OS versions not compatible with EACAS, it would just completely wipe the hard drive.

 


Thank you for your answer. Meraki has an erase function, but macOS must then be completely reloaded via the recovery mode. This takes several hours and is not an option for a few hundred employees.

joshuasee
Contributor III

The MDM command is provisioned by Apple and will have the same behavior on any management platform, leaving the machine with no OS installed. Your best bet for mimicking the EACaS behavior would be to use a macOS installer and startosinstall with the --eraseinstall flag set on an APFS formatted machine. To automate it you will also need the credentials of a volume owner on the machine. SecureToken users aren't exactly the same thing, but a good proxy in most cases.
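An added example, not part of the post above and not Jamf or Meraki tooling: a read-only preflight that reports which of the reset paths discussed in this thread a given Mac can take. It assumes EACAS needs Apple silicon or a T2 chip in addition to macOS 12.0.1, and that `diskutil apfs listUsers /` prints the layout of the constructed sample; the function names are hypothetical.

```bash
#!/bin/bash
# Added example: read-only preflight, it erases nothing.

# Constructed sample of `diskutil apfs listUsers /` output (UUIDs are made up).
SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    Type: Personal Recovery User
    Volume Owner: No'

# version_ge A B: succeeds when dotted version A >= B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# volume_owner_uuids: reads listUsers output on stdin, prints volume-owner UUIDs.
volume_owner_uuids() {
    awk '/[+]-- /{uuid=$NF} /Volume Owner: *Yes/{print uuid}'
}

# wipe_path OS_VERSION HW FS OWNERS -> eacas | eraseinstall | full-wipe
#   HW is "secure" for Apple silicon or a T2 chip (assumption stated in the lead-in);
#   FS is "apfs" for an APFS boot volume; OWNERS is the number of volume owners.
wipe_path() {
    if version_ge "$1" "12.0.1" && [ "$2" = "secure" ]; then
        echo "eacas"          # MDM wipe should pass the EACAS preflight
    elif [ "$3" = "apfs" ] && [ "$4" -gt 0 ]; then
        echo "eraseinstall"   # startosinstall --eraseinstall with a volume owner
    else
        echo "full-wipe"      # erase, then reinstall from recovery
    fi
}

# On a Mac, gather the live values; elsewhere only the functions are defined.
if [ "$(uname -s)" = "Darwin" ]; then
    os=$(sw_vers -productVersion)
    hw=other
    sysctl -n machdep.cpu.brand_string | grep -q Apple && hw=secure
    system_profiler SPiBridgeDataType 2>/dev/null | grep -q T2 && hw=secure
    fs=other
    diskutil info / | grep -q 'File System Personality:.*APFS' && fs=apfs
    owners=$(diskutil apfs listUsers / 2>/dev/null | volume_owner_uuids | wc -l | tr -d ' ')
    echo "macOS $os: $(wipe_path "$os" "$hw" "$fs" "$owners")"
fi
```

Run across the fleet before the migration, the one-line result shows how many Macs would fall back to the slow recovery reinstall.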

scottlep
Contributor II

In our environment, the Wipe Computer command always does an EACaS. We use this when Macs are returned from departed employees. As soon as received, we send the Wipe command and the Mac is reset and ready to be deployed to the next user and re-enrolled in Jamf. All of our Macs are ADE/DEP enrolled and have a bootstrap token escrowed to Jamf.

 

See https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Remote_Commands_for_Computers.html

Wipe Computer - Important: Supported computers with macOS 12.0.1 or later installed will attempt to Erase All Content and Settings by default when the Wipe Computer command is sent. Your computer will automatically go through an Erase All Content and Settings preflight check to determine if your device can perform the command. If the preflight check fails, your chosen fallback behavior will be performed. By default, the fallback behavior erases the devices.

For more information about requirements and methods for remotely wiping computers, see Erase Apple devices in Apple Platform Deployment.