“Reinstall a Clean macOS with One Button” webinar resource page

talkingmoose
Moderator
Moderator

Hi everyone!

For those who attended Jamf’s “Reinstall a Clean macOS with One Button” webinar this week, we’ll have the recording posted hopefully sometime next week. In the meantime, here’s the link to the resources discussed.

https://jamf.it/eraseinstall-webinar

115 REPLIES 115

gachowski
Valued Contributor II

I copy the OS installer and startosinstall script to machines then run the script. I have seen that sometimes (almost every time) the OS installer gets "made by untrusted vendor" message are you sure you want to open? When this happened my script quits and the OS fails to start the install. I just manually run the installer in the GUI quit it and then run the script... Is it possible that you are seeing the same issue but not the same symptoms? What happens when you run the installer in the GUI after the failure?

C

davidhiggs
Contributor III

I’ve been using this for a few years now, highly recommended: https://github.com/kc9wwh/macOSUpgrade/

mhegge
Contributor III

No getting any "made by untrusted...." No errors in policy logs. The Mojave installer is fresh on this machine. Just ran the same policy on identical machine a short time ago. It makes zero sense. @davidhiggs Not upgrading, wiping and installing.

mhegge
Contributor III

Running the command right in terminal has the same results. Nothing. No errors. No dialog box messages.

nelsoni
Contributor III

I know it is a dumb question, but you are sure the macOS installer is cached in Applications?

mhegge
Contributor III

@talkingmoose Any input? I am stumped.

mhegge
Contributor III

system.log

7bae3e2a81684f6bbdd30598f47f16eb

mhegge
Contributor III

Dec 10 15:21:03 xxxx osinstallersetupd[2331]: objc[2331]: Class BOSError is implemented in both /System/Library/PrivateFrameworks/BridgeOSInstall.framework/Versions/A/BridgeOSInstall (0x7fffaafb0170) and /Applications/Install macOS Mojave.app/Contents/Frameworks/OSInstallerSetup.framework/Versions/A/Frameworks/IABridgeOSInstall.framework/IABridgeOSInstall (0x103ba62c8). One of the two will be used. Which one is undefined.

raphhyyy
New Contributor III

running into a couple of "issues" when running the upgrade.
once initiated via Self Service, the computer restarts as expected, does a couple of restarts then hangs on a black screen for awhile. once i hit the spacebar (or any key), the machine wakes up and continues the process.

the second one is that in the middle of an upgrade, it will take me to the login screen to enter my password. i enter the password and the machine goes back to the update screen (about x minutes remaining... )

anyone else experiencing this? obviously we would ideally want the user to kick off the upgrade and not have to monitor to enter credentials and enter their password if it's going to keep upgrading after.

nelsoni
Contributor III

@raphhyyy , what you are describing seems to be expected behaviour based on the method JAMF is using to perform the upgrade. I have yet to see any upgrade scenario outside of the official Apple method that allows the upgrade to fully complete unattended.

mhegge
Contributor III

I finally was able to get it working again. I will have to see how pushing it out instead of Self Service goes. I downloaded a fresh Mojave installer, used Composer to create the package, created or updated my current Policy that installs the installer to Applications, and then adjusted my command in Self Service Policy to:
"/Applications/Install macOS Mojave.app/Contents/Resources/startosinstall" --nointeraction --eraseinstall --newvolumename "Macintosh HD" --agreetolicense

talkingmoose
Moderator
Moderator

@mhegge, finally getting caught up with posts. Glad you got something working for you.

I noted a couple of things from your earlier posts:

  1. Each version of startosinstall (Catalina, Mojave, High Sierra, etc.) has a lot in common but also some things not in common. Some options like --forcequitapps aren't available in every installer app. You'll need to run startosinstall --usage for the supported list of options for that app version.

  2. The softwareupdate command with the options --fetch-full-installer and --full-installer-version are only available to macOS Catalina. You can't use those options with Mojave or earlier. However, you can run them on Catalina to download earlier versions of installers like Mojave and High Sierra.

And I wouldn't be surprised some folks are using community-created scripts to download installer apps from Apple. If so, I've found there's usually no need to run sudo to run those scripts. That runs them as root, which isn't necessary because the script isn't modifying a location that requires elevated privileges. The app installer also seems to need permissions changes too if run with sudo.

Hope this helps folks going forward.

jsuarez
New Contributor

FYI, if you set your 8GB OS to cache ONGOING you are going to have serious problems with your network. Change that to once per machine or use a caching server. Our whole network went down, we later found out that it was the OS caching "Ongoing". Something like this could get your fired.

talkingmoose
Moderator
Moderator

@jsuarez, in the setup I outlined "Ongoing" doesn't mean "download over and over". It means "ongoing for those Macs in scope". If you're deploying the installer and immediately taking inventory, then those Macs should fall out of scope for the policy and cease downloading the installer.

The advantage of "Ongoing" is that Jamf Pro will be able to redeploy the installer app should someone remove it from the computer.

bishopz
New Contributor III

Yea, Ongoing is only an issue if you are scoping it to all of your machines instead of a smart group of computers that don't have the installer cached.

rhowell
New Contributor III

@talkingmoose hope this is easy... Fairly new to Jamf but would really love having this functionality. I copied the instructions and macOS Catalina is caching the installer properly on the macs but when I press the one touch button in self service it displays the following in the log:
365ddb92ade94d3bb08f682dfb9da3b4

talkingmoose
Moderator
Moderator

@rhowell, your command on line 5 looks perfectly correct. The result you're receiving indicates you are actually calling the command but it thinks at least one of your arguments is wrong.

They look fine to me. Usually when I see this, one of the sets of double-dashes isn't really double-dashes but instead similar looking characters (e.g. non-breaking dashes or short hyphens). This happens oftentimes when copying pasting the entire command from a webpage. Try retyping each set of dashes. Make sure there are no spaces between the dashes and the following word.

rhowell
New Contributor III

@talkingmoose That seems to have taken care of it perfectly! Thanks for the reply

BrentBuena
New Contributor II

Thanks @talkingmoose ! Retyping the dashes worked perfectly!

highlandtel
New Contributor II

Hello all. Been using JAMF for about 2 years, but new to the forum. I have had this working well for a number of months; however, recently the command '/usr/sbin/softwareupdate --download --fetch-full-installer' is not not only downloading the Catalina installer but also running it. I have tested this in terminal as root and see the same results. Anyone else have this happen or have any input on how to prevent the installer from starting?

talkingmoose
Moderator
Moderator

@highlandtel, with the --fetch-full-installer option, you don't need to include --download. I suspect if you remove that the installer will stop launching.

cserfoss
New Contributor

Any suggestions for handling this complication as reported in the policy log?

Result of command: Error: Erase installs are supported only on APFS disks. By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately.

Our systems are currently running 10.13.6 (HFS+) and I'm wanting to do a clean install of 10.15.x

highlandtel
New Contributor II

Hey talkingmoose, thanks for the reply. Unfortunately, dropping the --download flag has no affect on the launching of the installer.

tcandela
Valued Contributor II

if you take a look at these 2 smart group criteria for 'mac catalina compatible' you will see that there is a slight difference. I've added both links, i'm not sure which one is the correct one to use

one has MacBookPro(9|1[0-5] https://github.com/jamf/erase-install-webinar/wiki
while the other has
MacBookPro(9|1[0-6] https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/

J_JohnstonAT
New Contributor II

is there a line I can add to my script, that when the user clicks on this option in the self-service portal, it prompts them to enter a password? which we would then configure to be the password of the supervisor account.

talkingmoose
Moderator
Moderator

@tcandela, I compared the regex strings from the blog and the GitHub page, but they appear identical to me. The correct one should be MacBookPro(9|1[0-6], which I updated back in November when the MacBook Pro 16-inch was released.

Can you verify for me and let me know if you still see the discrepancy?

talkingmoose
Moderator
Moderator

@J_JohnstonAT, not sure what you mean by "supervisor account". Do you mean an admin account on the Mac?

The purpose of Self Service is to execute policies with admin privileges, potentially allowing non-admins to perform admin tasks. In Jamf Pro, you can set Self Service to either require a user log in or allow a user to log in. Then, if you scope the policy to specific users, only they can run the policy.

tcandela
Valued Contributor II

@talkingmoose its still a discrepancy in Github.

This section is correct ' Regular Expression (regex) to identify Catalina-compatible hardware'

But if you scroll down to the 'macOS Catalina Compatible Macs criteria' you have to update it there.

talkingmoose
Moderator
Moderator

@tcandela, oh, therrrrre it is! I've updated it.

Can you verify one more time?

IDS_TEAM_ADC
New Contributor

@davidhiggs I like really the code you shared in this post inform the end-user. I am new to JAMF Pro and do not understand, how and where to implement the code. I think it must be configured in the same policy for the Self-Service, but I've no idea where exactly.

davidhiggs
Contributor III

@IT_desktopServices it is probably too big for adding to the execute command option in the policy. Make a new script with the code below, add it the policy and set it to run After whatever you are using to get the Catalina installer to the machine.

#!/bin/bash

userConfirmation=$(osascript <<END 
display dialog "Confirm that you want to reset your Mac and lose all data by typing ERASE" with title "Erase Mac and Install macOS" default answer "" buttons {"Exit","Continue"} default button 1
if button returned of the result = "Continue" then return text returned of the result
END)

if [[ $userConfirmation == ERASE ]]
    then
        echo user confirmed intent to reset Mac and erase all data by typing ERASE
    else
        echo user cancelled Mac reset
        osascript -e 'display dialog "Cancelled." with title "Erase Mac and Install macOS" buttons {"OK"} default button 1'
        exit 0
fi

'/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall' --eraseinstall --agreetolicense --forcequitapps --newvolumename 'Macintosh HD'

IDS_TEAM_ADC
New Contributor

Thank you, I will try it.

IDS_TEAM_ADC
New Contributor

@davidhiggs THX a lot. It works like en charm -> works perfectly

mjmclaren
New Contributor

How is Jamf able to connect back to the system after a clean install?

talkingmoose
Moderator
Moderator

@mjmclaren, if your devices are enrolled in Apple Business Manager or Apple School Manager, then you can take advantage of automated device enrollment to get them back into Jamf Pro.

morsepacific
New Contributor III

I have a test machine that we performed a Recovery on, so it went straight to 10.15.4 yesterday; now running this pulls down a version of Mojave!
Not sure if it's just this machine that's gone a bit strange, so trying to test on another to see if it's the version of the OS or Apple that's the problem.

[EDIT]
Seems to be the update; ran the --fetch-full-installer on a 10.15.3 machine and it's still pulling down Catalina as it should.

morsepacific
New Contributor III

@highlandtel Did you ever get the auto-launch issue resolved? I'm seeing this on my machines (even the Mojave abberation above)

highlandtel
New Contributor II

No. I have not resolved the issue @morsepacific

Bernard_Huang
Contributor III

Hi all,

I followed the instructions as best I can. I have the Install macOS Catalina.pkg (this is version 10.15.3) available in Self Service. I am also using the provided command line

'/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall' ‑‑eraseinstall
--agreetolicense --forcequitapps ‑‑newvolumename 'Macintosh HD'

But when executing this, I get a pop-up asking for admin rights before proceeding.
"osinstallersetupd wants to make changes"

35a067f5ac9849f1aee71a77cf0ae642

We do not provide admin rights to any of our staff. So with this pop-up, people can't actually proceed with the erase>install.
Is there anyway to perform this within a person typing in admin credentials?

Edit: Nevermind. The '--' symbols where incorrect and that caused the command line to fail. Typing the command in instead of copy>paste worked.

mad_mickey
New Contributor

Can you confirm with the following commands if it is possible to inplace upgrade for all incremental updates of the OS from 10.14.1, 10.14.2 through to 10.14.6?

sudo /usr/sbin/softwareupdate
--fetch-full-installer
--full-installer-version 10.14.6