Mass Upgrade & Erase for Apple Silicon or Mass Actions for EaCS

killer23d
New Contributor III

I am in the process of designing a workflow to refresh our M1 Macs in our computer labs (30 Macs each). The goal will be to erase and upgrade from Big Sur to Monterey. I have a few options:

1. Deploy the OS installer, then run this:

echo 'P@55w0rd' | '/Applications/Install macOS Big Sur.app/Contents/Resources/startosinstall' --eraseinstall --agreetolicense --forcequitapps --newvolumename 'Macintosh HD' --user adminuser --stdinpass

2. Use mass actions to send an OS Upgrade MDM command to the latest version; once done, send a Wipe Device command (EaCS).

I prefer option 2 since I do not need to send credentials over, but JAMF does not offer mass actions for wipe device. I am also thinking about doing it via the API, but that involves R&D hours and is likely above my skill set.


Do you guys have a different workflow for this type of work?


Jason33
Contributor II

Check out Erase & Install. It worked very well for our Apple Silicon devices.

https://github.com/grahampugh/erase-install

killer23d
New Contributor III

I've considered this for Self Service to the end user. I am wondering if there is a less clicky way of achieving this, like the Intel counterpart.

Samstar777
Contributor

Hello Killer23D,

You can check this blog here from Jamf which can help you achieve your ask.

-Sam

killer23d
New Contributor III

My goal is to create an automated method with the least user interaction. I guess what I am asking is a pipe dream given the new security Apple included.


On Intel devices, the method in the blog works perfectly with no interactions needed.


It's M1 requiring credentials that is the challenge. That article includes my option #1 above, which I am not a big fan of: sending credentials in a policy where anyone can access the JAMF log or /var/log/jamf.log. Method #1 also requires a local admin account with a secure token that already exists. Since JAMF and Apple discourage IT admins from having an institutional local admin account on workstations, I want to create ONE plan that is sustainable and applicable to all the devices we have.

jcarr
Contributor III

While it doesn't help getting existing devices from Big Sur to Monterey, once you are there, refreshing lab devices should be easier if you leverage a workflow using a combination of 'Erase all Content and Settings' and the 'Automatically advance through Setup Assistant' option in PreStage.

killer23d
New Contributor III

That is exactly option #2, which I am working on; however, I need to upgrade and erase every summer, so there really isn't a solution from what I can gather. There is no mass action for "wipe device", just FYI; I will have to open up each computer record, send the wipe command and enter a 6-digit code every time.
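The API route the first post mentions, as an added example that is not from any participant in this thread: a script run from an admin workstation (so the API credentials never land on the lab Macs or in a policy log) that sends the Classic API EraseDevice command, with the same 6-digit passcode the console asks for, to a list of computer IDs in one go. The server URL, the JAMF_USER/JAMF_PASS account and the exact shape of the computercommands endpoint are assumptions to verify against your Jamf Pro version; it only prints the request unless DRY_RUN=0.

```shell
#!/bin/bash
# Added example, not from the thread. Sends the Jamf Classic API "EraseDevice" MDM
# command to several computer IDs at once. Run it from an admin workstation: the API
# credentials stay there instead of being baked into a policy on each lab Mac.
set -u

JAMF_URL="${JAMF_URL:-https://jamf.example.com}"   # placeholder, set to your server
DRY_RUN="${DRY_RUN:-1}"                            # 1 = only print the requests

# EraseDevice requires the same 6-digit numeric passcode the console asks for.
validate_passcode() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the Classic API endpoint (assumed shape, check your Jamf Pro API docs):
#   POST /JSSResource/computercommands/command/EraseDevice/passcode/<code>/id/<id,id,...>
erase_url() {
  local passcode="$1"; shift
  local ids; ids=$(printf '%s,' "$@")
  printf '%s/JSSResource/computercommands/command/EraseDevice/passcode/%s/id/%s\n' \
    "${JAMF_URL%%/}" "$passcode" "${ids%,}"
}

# mass_erase <passcode> <id>...: validates input, then prints or sends the POST.
mass_erase() {
  local passcode="$1"; shift
  validate_passcode "$passcode" || { echo "passcode must be 6 digits" >&2; return 1; }
  [ "$#" -gt 0 ] || { echo "no computer IDs given" >&2; return 1; }
  local url; url=$(erase_url "$passcode" "$@")
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY RUN: would POST $url"
    return 0
  fi
  # Credentials come from the environment (JAMF_USER/JAMF_PASS), never from argv,
  # so they do not show up in ps output or shell history. -s -S: quiet, but report errors.
  curl -s -S -f -u "${JAMF_USER:?set JAMF_USER}:${JAMF_PASS:?set JAMF_PASS}" \
    -H 'Accept: application/xml' -X POST "$url"
}

# Example run: record IDs 12, 13 and 14 (constructed values), dry run by default.
mass_erase 123456 12 13 14
```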

Bol
Contributor II

You could send credentials through a script parameter option in the policy, then call as below;

localPassword="$4"
localUsername="$5"

"${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword"

In my environment, sending the credentials this way works well for both Intel and M1 machines (M1 requiring a secure token).

killer23d
New Contributor III

This is great, do you mind sharing the script (or part of it)? I am interested to see how others are achieving this. I'd assume Intel just ignores the --stdinpass, correct?

Bol
Contributor II

No worries. For whatever reason I wasn't able to use grahampugh's fantastic script, so I had to mish-mash some together from the clever folks in the links below.

https://github.com/grahampugh/erase-install/blob/main/erase-install.sh 
https://github.com/jamf/API_Scripts/blob/master/DeleteComputersBySerial.sh
https://github.com/rtrouton/rtrouton_scripts/blob/934cba2a5f6ee9b2e9c0a30c6c7f2c3dc2b3847d/rtrouton_...

I believe Big Sur Intel still requires the user / pass to start the installer for non-admin accounts. You could always split up the two commands using the arch command:

# Branch on architecture with if/else rather than "&& ... ||": with the one-liner form,
# a failed startosinstall on arm64 would fall through and run the Intel command as well.
if [ "$(/usr/bin/arch)" = "arm64" ]; then
    "${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword"
else
    *Intel command here*
fi

#!/bin/bash

# Jamf policy script parameters: API account (used only to delete this record)
# and the local admin that holds a secure token (required on Apple Silicon).
apiuser="$4"
apipass="$5"
localUsername="$6"
localPassword="$7"

# Jamf Pro URL from the management framework preferences, trailing slash removed.
jamfProURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf jss_url)
jamfProURL=${jamfProURL%%/}
serialNumber=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Locate the cached "Install macOS *.app" bundle; stop if no installer was deployed.
existing_installer=$(find /Applications/*macOS* -maxdepth 2 -type d -name "Install*.app" 2>/dev/null | head -n 1)
if [ -z "${existing_installer}" ]; then
    echo "No macOS installer found in /Applications" >&2
    exit 1
fi
dialog_erase_icon="${existing_installer}/Contents/Resources/InstallAssistant.icns"
dialog_confirmation_icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"
macosEraseInstallLog="/var/log/macosEraseInstallLog.log"

# Delete this Mac's computer record so it re-enrolls as a fresh record after the wipe.
# -k skips TLS certificate verification; remove it if your Jamf Pro certificate is trusted.
# -s keeps curl quiet; -v would write the Authorization header into the policy log.
DeleteJamfProSerial () {
    /usr/bin/curl -k -s -u "${apiuser}:${apipass}" "${jamfProURL}/JSSResource/computers/serialnumber/${serialNumber}" -X DELETE
}

# Full-screen progress dialog; its PID is handed to startosinstall (--pidtosignal)
# so the dialog is dismissed when the installer takes over.
JamfHelper () {
    "${jamfHelper}" \
        -windowType fs \
        -heading "Erasing macOS" \
        -description "Preparing the installer may take up to 30 minutes. Once completed your computer will reboot and continue the reinstallation. Start time: $( /bin/date +'%r' )" \
        -icon "${dialog_erase_icon}" & PID=$!
}

# The password is fed on stdin (--stdinpass), so it never appears on the command line.
EraseInstall () {
    "${existing_installer}/Contents/Resources/startosinstall" --pidtosignal "$PID" --agreetolicense --eraseinstall --nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "$localUsername" --stdinpass <<< "$localPassword" >> "${macosEraseInstallLog}" 2>&1
}

JamfHelper
DeleteJamfProSerial
EraseInstall

exit 0


killer23d
New Contributor III

Awesome, I am using grahampugh's script for Self Service used by the end users.

I am going to have a look at yours tomorrow.

Be careful about including JAMF credentials on end users' machines; I read that (can't find the link) it is no longer a best practice. To remove the failed MDM, I am using this: https://aporlebeke.wordpress.com/2019/01/04/auto-clearing-failed-mdm-commands-for-macos-in-jamf-pro/