Posted on 09-03-2014 05:26 AM
Hi
Is there a way to let the user wipe his Mac by using the Self Service application?
I thought about a policy containing a script that starts the wiping process for the user's device by using the JSS API, for example. But I didn't find any information on whether this is possible using the API.
Perhaps someone has another idea instead of using the API.
Background: The user needs to wipe his device before shipping it back to IT by mail. We would like to give the user the possibility to wipe his device at anytime without the need to contact the service desk.
Thanks for any hint.
Regards
Fritz
Posted on 09-03-2014 07:17 AM
Wipe like format the drive? Or wipe like remove the jamf binary? In either case, why would you want to do this?
Allowing either defeats the purpose of a management framework IMO.
Posted on 09-03-2014 07:25 AM
I had the same exact question as @acdesigntech. Wipe usually means reformat, but it wasn't clear if you meant only to remove the management framework.
Ignoring the reason for wanting to do this for a moment, you could just direct the user to reboot to Recovery HD and wipe and re-install from there, assuming you don't have a Firmware Password on the Mac. But that can be removed with a script.
Can you provide some more details on exactly what you're looking to achieve?
Posted on 09-03-2014 07:45 AM
Sorry for the confusion.
I'm talking about the "Wipe" button in the "Management" tab of the JSS Web-GUI to delete all data on a Mac device.
I would like to give the user the possibility to wipe his device (and only his device, of course) the same way as if an administrator clicks on this "Wipe" button.
The reason behind my question is that the user has to return a Mac he doesn't need anymore by mail. For security reasons the Mac has to be wiped/reformatted before sending it by mail so no data is left on the device. The process should be as simple, fast and automated as possible. In my opinion it would be the fastest and easiest way to achieve this goal if the user can start the wiping by himself.
Of course I can hand out a manual to the user on how to delete the data by booting to the Recovery HD. Or an administrator clicks the button in the GUI. One of these two possibilities will be plan B. ;-)
Posted on 09-03-2014 07:47 AM
I think they are wondering why you wouldn't simply have them send the device back first and then wipe it once you have it back in your possession. If the customer wipes it, it drops off the radar and you cannot track it with your management tools. You may have some very good reason for this that we are not understanding.
Posted on 09-03-2014 07:59 AM
With sending by mail I meant the postal mail, if this was not clear. So the device is out of our or the customer's control while it's on the way from the customer to the IT department and could get lost in the worst case. Because of that, our security wants us to wipe the devices before sending them by postal mail.
However, this security policy is as it is and I can't change it. ;-)
Posted on 09-03-2014 09:53 AM
I would personally like the responsibility to completely unmanage and wipe a machine left up to a sys admin or tech. Having them manually go in and click "Wipe Device" ensures only the right machine is being wiped.
Do they have access to NetBooting? If so you could create a custom netboot that has an executable script or AppleScript that kicks off manually or at login. Your end users could click a policy in Self Service that would bless the machine and reboot it to your custom netboot. In the end that seems like a lot of work over having a tech confirm a request from an end user and clicking "Wipe Device", but it gives the user the control to wipe their own device.
Example of script:
diskutil secureErase JHFS+ diskname diskidentifier
Posted on 09-03-2014 10:01 AM
If it's a security concern, why not have the user enable File Vault before shipping instead? The disk data will be encrypted, and you'll still have the machine in your system. Then you can take responsibility for wiping it out when it arrives.
Posted on 09-03-2014 10:19 AM
+1 for FV2
(or complex password if it's an iOS "Mac device" <g>)
Posted on 09-03-2014 10:24 AM
What @chris.kemp said. Enable FV2 (and if you want to be extra careful, a Firmware Password too) and you should be fine. The odds of anyone being able to get into the Mac if it gets lost will be very negligible at that point. All our Mac laptops have firmware password and FV2 or McAfee Endpoint Encryption enabled and we ship them around a bit with no worries.
I had also thought of the Netboot process proposed by @tron_jones, but I'm guessing this user is either remote, or is in an office with no IT personnel and equipment (or else they'd just hand it to them, I guess), so the probability of being able to Netboot isn't very high. Being able to Netboot across subnets, while possible, involves some work with the network team if it's not already in place. Likely not worth the effort unless it's required for other reasons.
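The last two replies recommend checking that FileVault 2 (and optionally a firmware password) is enabled before the Mac goes in the post, rather than wiping it. As an added example that is not part of the thread or of any Jamf script, here is a small POSIX shell pre-shipment check that could sit behind a Self Service policy. It does not run the system tools itself; it parses the text that `fdesetup status` and `firmwarepasswd -check` print, so the sample outputs embedded below are constructed and the function names (`fv_on`, `fw_on`, `ship_ready`) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Mac is ready to ship,
# based on the text output of `fdesetup status` and `firmwarepasswd -check`.
# On a real Mac you would call it as:
#   ship_ready "$(fdesetup status)" "$(sudo firmwarepasswd -check)"
# (firmwarepasswd needs root, which is why a Self Service policy is a good fit.)

# FileVault is considered on only when fdesetup reports "FileVault is On."
# AND no encryption run is still in progress (a disk mid-encryption still has
# cleartext blocks on it).
fv_on() {
  out="$1"
  printf '%s\n' "$out" | grep -q '^FileVault is On\.' || return 1
  printf '%s\n' "$out" | grep -q 'Encryption in progress' && return 1
  return 0
}

# Firmware password line printed by firmwarepasswd -check
fw_on() {
  printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'
}

# Returns 0 when both controls are in place; prints what is missing otherwise.
ship_ready() {
  fv="$1"; fw="$2"; ok=0
  if ! fv_on "$fv"; then
    echo "NOT READY: FileVault is off or still encrypting"
    ok=1
  fi
  if ! fw_on "$fw"; then
    echo "NOT READY: firmware password is not set"
    ok=1
  fi
  [ "$ok" -eq 0 ] && echo "READY: FileVault on, firmware password set"
  return "$ok"
}

# Constructed sample outputs, in the format the two tools print
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_FW_YES='Password Enabled: Yes'
SAMPLE_FW_NO='Password Enabled: No'

# Stand-alone demonstration against the constructed samples
ship_ready "$SAMPLE_FV_ON" "$SAMPLE_FW_YES"
ship_ready "$SAMPLE_FV_ENCRYPTING" "$SAMPLE_FW_YES" || true
ship_ready "$SAMPLE_FV_OFF" "$SAMPLE_FW_NO" || true
```

The in-progress case matters: on a freshly enabled FileVault volume `fdesetup status` already says "On" while the background encryption is still running, so a check that only looks for that first line would clear a Mac that still has unencrypted data on disk.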