Posted on 01-07-2022 10:41 AM
I am in the process of designing a workflow to refresh our M1 Macs in our computer labs (30 Macs each). The goal will be to erase and upgrade from Big Sur to Monterey. I have a few options:
1. Deploy the OS installer, then run this:
echo 'P@55w0rd' | '/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall' --eraseinstall --agreetolicense --forcequitapps --newvolumename 'Macintosh HD' --user adminuser --stdinpass
2. Use mass actions to send an OS Upgrade MDM command to the latest version; once done, send a Wipe Device command (EaCS)
I prefer option 2 since I do not need to send credentials over, but JAMF does not offer mass actions for wipe device. I am also thinking about doing it via the API, but that involves R&D hours and is likely above my skill set.
Do you guys have a different workflow for this type of work?
Posted on 01-07-2022 12:16 PM
Check out Erase & Install. It worked very well for our Apple Silicon devices.
Posted on 01-07-2022 12:39 PM
I've considered this for Self Service to the end user. I am wondering if there is a less clicky way of achieving this, like the Intel counterpart.
Posted on 01-10-2022 08:47 PM
Posted on 01-10-2022 11:35 PM
My goal is to create an automated method, with the least user interaction. I guess what I am asking for is a pipe dream given the new security Apple included.
On Intel devices, the method in the blog works perfectly with no interactions needed.
It's the M1 requiring credentials that is the challenge; that article includes my option #1 above, and I am not a big fan of sending credentials in a policy where anyone can access the JAMF log or /var/log/jamf.log. Method #1 also requires a local admin account with a secure token to already exist. Since JAMF and Apple discourage IT admins from having an institutional local admin account on workstations, I want to create ONE plan that is sustainable and applicable to all the devices we have.
Posted on 01-11-2022 08:53 AM
While it doesn't help get existing devices from Big Sur to Monterey, once you are there, refreshing lab devices should be easier if you leverage a workflow using a combination of 'Erase all Content and Settings' and the 'Automatically advance through Setup Assistant' option in PreStage.
Posted on 01-11-2022 09:07 AM
That is exactly option #2 that I am working on; however, I need to upgrade and erase every summer, so there really isn't a solution from what I can gather. There is no mass action for "wipe device", just FYI; I will have to open up each computer record, send the wipe command and enter a 6-digit code every time.
Posted on 01-18-2022 05:47 AM
You could send credentials through a script parameter option in the policy, then call it as below:
localPassword="$4"   # Jamf policy script parameter 4
localUsername="$5"   # Jamf policy script parameter 5
# the password only ever travels over stdin (--stdinpass), never as an argument
"${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword"
In my environment, sending the credentials this way works well for both Intel and M1 machines (M1 requiring a secure token).
Posted on 01-18-2022 06:05 PM
This is great, do you mind sharing the script (or part of it)? I am interested to see how others are achieving this. I'd assume Intel just ignores --stdinpass, correct?
Posted on 01-18-2022 06:53 PM
No worries. For whatever reason I wasn't able to use grahampugh's fantastic script, so I had to mish-mash some together from the clever folks in the links below.
https://github.com/grahampugh/erase-install/blob/main/erase-install.sh
https://github.com/jamf/API_Scripts/blob/master/DeleteComputersBySerial.sh
https://github.com/rtrouton/rtrouton_scripts/blob/934cba2a5f6ee9b2e9c0a30c6c7f2c3dc2b3847d/rtrouton_...
I believe Big Sur Intel still requires the user / pass to start the installer for non-admin accounts. You could always split up the two commands using the arch command:
if [ "$( /usr/bin/arch )" = "arm64" ]; then "${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword"
else *Intel command here*; fi   # if/else rather than "&& ... ||", so a failed arm64 run does not fall through to the Intel command
#!/bin/bash
# Jamf policy script parameters ($4-$7 are set in the policy's Script payload)
apiuser="$4"
apipass="$5"
localUsername="$6"
localPassword="$7"
jamfProURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf jss_url)
jamfProURL=${jamfProURL%%/}   # strip the trailing slash
serialNumber=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep 'Serial Number (system)' | /usr/bin/awk '{print $NF}')
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# first "Install macOS *.app" bundle found in /Applications
existing_installer=$(/usr/bin/find /Applications -maxdepth 1 -type d -name "Install macOS*.app" | /usr/bin/head -n 1)
dialog_erase_icon="${existing_installer}/Contents/Resources/InstallAssistant.icns"
dialog_confirmation_icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"
macosEraseInstallLog="/var/log/macosEraseInstallLog.log"

# bail out before deleting anything if no usable installer is present
if [ ! -x "${existing_installer}/Contents/Resources/startosinstall" ]; then
    echo "No macOS installer found in /Applications" >&2
    exit 1
fi

# remove this Mac's computer record so it re-enrolls into a clean one
DeleteJamfProSerial () {
    # -k skips TLS verification and -v writes the request headers (including the
    # Basic auth header) into the policy log; keep both only while troubleshooting
    /usr/bin/curl -k -v -u "${apiuser}:${apipass}" "${jamfProURL}/JSSResource/computers/serialnumber/${serialNumber}" -X DELETE
}

# full-screen notice for the user; PID is handed to startosinstall --pidtosignal
JamfHelper () {
    "${jamfHelper}" \
        -windowType fs \
        -heading "Erasing macOS" \
        -description "Preparing the installer may take up to 30 minutes. Once completed your computer will reboot and continue the reinstallation. Start time: $( /bin/date +'%r' )" \
        -icon "${dialog_erase_icon}" & PID=$!
}

# password goes over stdin only, so it never appears in argv or the policy log
EraseInstall () {
    "${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword" >> "${macosEraseInstallLog}" 2>&1
}

JamfHelper
DeleteJamfProSerial
EraseInstall
exit 0
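As an added example (not code from this thread or from the linked scripts), the preflight and launcher below put the arm64/Intel branching into an if/else and check for a secure token before anything destructive runs. It assumes sysadminctl -secureTokenStatus reports "Secure token is ENABLED/DISABLED for user <name>" on stderr; the sample reports and the account name adminuser are constructed.

```bash
#!/bin/bash
# Added example: preflight and launcher for the startosinstall --eraseinstall
# policy discussed above. Branching is if/else (a "cmd && a || b" chain would run
# the Intel command whenever the arm64 one failed), and on Apple silicon the
# erase is refused unless the supplied admin holds a secure token, so the
# installer cannot stall on a credential prompt mid-policy.
# Assumption: sysadminctl -secureTokenStatus prints
# "Secure token is ENABLED|DISABLED for user <name>" (to stderr).

# $1: captured sysadminctl output. Return 0 only when a token is reported.
secure_token_enabled() {
  case "$1" in
    *"Secure token is ENABLED for user "*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: architecture (arm64 / x86_64), $2: secure-token report.
# Non-zero return should abort the policy before the disk is touched.
preflight() {
  if [ "$1" = "arm64" ] && ! secure_token_enabled "$2"; then
    echo "preflight: account has no secure token; refusing eraseinstall" >&2
    return 1
  fi
}

# $1: startosinstall path, $2: architecture, $3: admin user, $4: password.
# Arguments are assembled in "$@" so "Macintosh HD" survives as one word.
run_erase() {
  local installer="$1" arch="$2" user="$3" pass="$4"
  set -- --agreetolicense --eraseinstall --nointeraction --forcequitapps \
         --newvolumename "Macintosh HD"
  if [ "$arch" = "arm64" ]; then
    # Apple silicon needs owner credentials: user name as an argument, the
    # password on stdin only, so it is absent from ps output and policy logs.
    printf '%s\n' "$pass" | "$installer" "$@" --user "$user" --stdinpass
  else
    "$installer" "$@" </dev/null
  fi
}

# Constructed sample reports (account name adminuser is made up) for offline use.
SAMPLE_ENABLED='2022-01-18 19:00:00 sysadminctl[4242:1] Secure token is ENABLED for user adminuser'
SAMPLE_DISABLED='2022-01-18 19:00:00 sysadminctl[4242:1] Secure token is DISABLED for user adminuser'

# On a Mac the policy would wire it up roughly as:
#   arch=$(/usr/bin/arch); report=$(/usr/sbin/sysadminctl -secureTokenStatus "$6" 2>&1)
#   preflight "$arch" "$report" && run_erase "$installer_path" "$arch" "$6" "$7"
```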
Posted on 01-18-2022 07:20 PM
Awesome, I am using grahampugh's script for Self Service used by the end users.
I am going to have a look at yours tomorrow.
Be careful about including JAMF credentials in scripts that get installed on end users' machines; I read (can't find the link) that it is no longer a best practice. To remove the failed MDM commands, I am using this: https://aporlebeke.wordpress.com/2019/01/04/auto-clearing-failed-mdm-commands-for-macos-in-jamf-pro/