Inquiry about Device Registration for Secure Erase in Jamf Pro

floh
New Contributor III

Hello everyone,

I am still in the evaluation phase of Jamf Pro. While testing, I came across a question about whether the devices on which you want to perform Secure Erase must also be registered in the Apple Business Manager, or whether you only need to register devices in Jamf Pro to perform a Secure Erase. Devices that are already in use can only be registered in the Apple Business Manager if you completely erase them. This would not be feasible for my colleagues, so I would want to avoid registering in the Apple Business Manager. Therefore, it is important to know whether self-enrollment in Jamf Pro is sufficient for Secure Erase.

Does 'Wipe Computer' in Jamf Pro perform a secure erase of the entire hard drive (i.e., the Secure Erase command built into macOS), or does it simply delete data from the device?

Best regards
Floh

1 ACCEPTED SOLUTION

talkingmoose
Moderator

Self-enrollment should be sufficient and Apple Business Manager shouldn't be required. But if Apple Business Manager is available to you, you should take advantage of it for its other management capabilities.

5 REPLIES

talkingmoose
Moderator

Today's macOS encrypts data from the very beginning before the end user even proceeds through the Setup Assistant. The key to unlock the encrypted data is stored within the Mac's Secure Enclave (requires hardware with Intel T2 chip or Apple Silicon).

Sending a wipe command effectively throws away the key, leaving the encrypted data unreadable and overwritable.

See "Adopt macOS Erase All Content and Settings for fast and secure redeployment" for more detail.

The old notion of a Secure Erase using something like writing all zeroes to the disk multiple times no longer applies to Macs. They all come standard with SSD disks, which can degrade if they were ever securely erased.

floh
New Contributor III

Thank you for your replies. So, it's not a requirement that the device is added to Apple Business Manager by the Device Enrollment Program; it can be added to Jamf Pro by self-enrollment.

talkingmoose
Moderator

Self-enrollment should be sufficient and Apple Business Manager shouldn't be required. But if Apple Business Manager is available to you, you should take advantage of it for its other management capabilities.

floh
New Contributor III

Thank you, good to know. I will certainly assign all devices to Apple Business Manager. I will only catch up with the devices that have already been used at a later time.