Help

Inquiry about Device Registration for Secure Erase in JamfPro

Go to solution
floh
New Contributor III

Posted on ‎02-28-2023 05:08 AM

Hello everyone,

I am still in the evaluation phase of JamfPro. While testing, I came across a question about whether the devices on which you want to perform Secure Erase must also be registered in the Apple Business Manager, or whether you only need to register devices in Jamf Pro to perform a Secure Erase. Devices that are already in use can only be registered in the Apple Business Manager if you completely erase them. This would not be feasible for my colleagues, so I would want to avoid registering in the Apple Business Manager. Therefore, it is important to know whether self-enrollment in Jamf Pro is sufficient for Secure Erase.

Here a screenshot:

68ad01edd1904b6d96154ccd3aabad6dDoes 'Wipe Computer' in JamfPro perform a secure erase of the entire hard drive (i.e., the Secure Erase command built into macOS), or does it simply delete data from the device?

Best regards
Floh

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
talkingmoose
Moderator
Moderator

Posted on ‎03-01-2023 05:40 AM

Self-enrollment should be sufficient and Apple Business Manager shouldn't be required. But if Apple Business Manager is available to you, you should take advantage of it for its other management capabilities.

View solution in original post

0 Kudos
Reply
5 REPLIES 5

Go to solution
talkingmoose
Moderator
Moderator

Posted on ‎02-28-2023 06:43 AM

Today's macOS encrypts data from the very beginning before the end user even proceeds through the Setup Assistant. The key to unlock the encrypted data is stored within the Mac's Secure Enclave (requires hardware with Intel T2 chip or Apple Silicon).

Sending a wipe command effectively throws away the key leaving the encrypted data unreadable and overwriteable.

See Adopt macOS Erase All Content and Settings for fast and secure redeployment for more detail.

The old notion of a Secure Erase using something like writing all zeroes to the disk multiple times no longer applies to Macs. They all come standard with SSD disks, which can degrade if they were ever securely erased.

Reply

Go to solution
floh
New Contributor III

Posted on ‎02-28-2023 07:02 AM

Thank you for your replies. So, it's not a requirement that the device is added to Apple Business Manager by the Device Enrollment Program but can be added to JamfPro by self-enrollment.

0 Kudos
Reply

Go to solution
talkingmoose
Moderator
Moderator

Posted on ‎03-01-2023 05:40 AM

Self-enrollment should be sufficient and Apple Business Manager shouldn't be required. But if Apple Business Manager is available to you, you should take advantage of it for its other management capabilities.

0 Kudos
Reply

Go to solution
floh
New Contributor III

Posted on ‎03-02-2023 04:58 AM

Thank you, good to know. I will certainly assign all devices to Apple Business Manager. I will only catch up with the devices that have already been used at a later time.

0 Kudos
Reply