[Help] Script to clear logs in JSS and start imaging process

McAwesome
Contributor III

With 10.14 coming out and all devices getting support for APFS, I've started looking into ways to adjust our imaging setup. Right now, we're using Install macOS High Sierra drives to wipe and put in a base OS on a machine. This works, but now that 10.14 brings APFS to everything I think we can do better. I'm trying to find a way to basically put stuff into Self Service to make a one or two click process for wiping a machine. My idea so far is:

  1. VPP purchase & deploy the Install macOS Mojave app to the machine
  2. Once deployed, make a policy available in Self Service
  3. Self Service policy runs a script to flush the JSS logs for that machine
  4. Run the following command (adjusted for eventual macOS Mojave installer name) to wipe and image the machine
"/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" --eraseinstall --newvolumename "Macintosh HD" --agreetolicense &

This would get us to a state where the machine is waiting at the Setup Wizard, has no logs left in the JSS, and can be set up for a new person. I have steps 1, 2, and 4 figured out, but not 3. I just can't find a good way to clear the various JSS logs out for the current machine.

Anyone have any suggestions?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

I assume since you said this would run from Self Service that these are enrolled machines, with still valid records in your Jamf console.
If so, in your script, just before you kick off the wipe and reinstall, run this

/usr/local/bin/jamf flushPolicyHistory

That should tell the computer to send a command to the Jamf console to clear out all it's existing policy logs, just for that machine. You'll want to make sure you don't run that too early in your process, since you don't want any policies kicking in again.

View solution in original post

4 REPLIES 4

mm2270
Legendary Contributor II

I assume since you said this would run from Self Service that these are enrolled machines, with still valid records in your Jamf console.
If so, in your script, just before you kick off the wipe and reinstall, run this

/usr/local/bin/jamf flushPolicyHistory

That should tell the computer to send a command to the Jamf console to clear out all it's existing policy logs, just for that machine. You'll want to make sure you don't run that too early in your process, since you don't want any policies kicking in again.

View solution in original post

Look
Valued Contributor III

If your intending to wipe and re-enroll you can set JSS wide wiping of policies on enrollment in the Re-Enrollment settings.
This of course has some implications for machines re-enrolled for other reasons.
I also found with machines that have been there a long time you may need to just pause for a few minutes with a script before checking for new policies as it can take a little while for things to flush.

easyedc
Valued Contributor II

So correct me if I'm wrong, but doesn't DEP not re-run on wiped machines once it has an executed history? Because of that, I have an API call to delete the workstation before my Nuke & Pave script runs.

#!/bin/sh
#
#  Script.sh
#
#  Created by Ed Corfman on 7/17/18.
#
# Get serial to delete workstation from JAMF
#
serial=$( /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Serial Number (system)/ {print $NF}' )
#
# Pass the Serial to the API URL to delete the existing entry from JAMF
#
curl -kvX DELETE -u jamfserviceaccount:supersecretpassword https://jamf.myorg.com:8443/JSSResource/computers/serialnumber/$serial
#
# Kick off the erase and install
#
"/Library/Application Support/MyOrg/macOS Installer for nuke and pave/Install macOS High Sierra.app/Contents/Resources/startosinstall" --eraseinstall --newvolumename "Macintosh HD" --agreetolicense &

McAwesome
Contributor III

DEP re-enrolls just fine if it's still in the JSS. My main concern is that I have some On Enroll policies set to one time per machine that would need to run a second time. I'm not the top admin on my JSS install, so I can't change the On Enroll settings to clear all policy logs. The FlushPolicyLogs command seems perfect for my needs.