Has anybody here tried to remotely re-image a computer or a computer lab?
Once a year it's nice for our team to go out and go computer lab by computer lab and get things cleaned up. Everything is pretty much automated now since we enroll via DEP and segregate out our labs based on smart groups that utilize the "Prestage enrollment is __" criteria.
That being said, how should we go about remotely pushing a wipe and re-install of Mojave? Is there an easy way to do it via command line? What about if the Install Mojave.app isn't there anymore since we are on a current rev?
Any insight would be great, as it would be yet another sequence we could be hands off with. Push the command to wipe, drive over to the school site, click the DEP prompts, then come back in an hour with everything done.
Yes it's possible. I made a composer package that puts the latest "Install macOS Mojave.app" in /Applications. I then created a Policy set to recurring check in to 1. put the Install macOS package in Applications and 2. under Files and Processes>Execute Command on the same policy put the command
"/Applications/Install macOS Mojave.app/Contents/Resources/startosinstall" --eraseinstall --newvolumename "Macintosh HD" --agreetolicense &
Whatever machines you scope to this policy will erase and reinstall the OS. You do need to click through the DEP prompts to get them reenrolled and you must remember to remove the machines from the policy scope so they don't reset themselves again (or you could set it to run once but I wouldn't risk it), but it's doable.
The question was can you remotely re-image, the answer is yes and no. Yes you can wipe the OS and get it to the initial setup screen so technically that probably is re-imaged but it's not built so that's a no.
Using this saves all the hassle of keeping images up-to date and deploying them and can easily be run remotely.
While I echo many of the comments here, I should mention in our workflow, we have all the steps automated with everything being predicated on the correct name. Once the computer is wiped and the new OS loaded, we only have to someone click through those first three screens to get the computer re-enrolled. When enrolled, we never touch the computer again unless we want to remotely wipe and reload the OS and applications. In many respects, this is a very simple setup for the end users involved in our labs.
Granted, those first three screens are annoying to deal with. To select country, keyboard type and accept remote management seems like something that could be bypassed when using DEP, but that isn't the case yet.
Depending on your bandwidth it is sometimes not really worth the risk.
You know someone has to push the DEP prompts anyway, so why not just put the OS delivery and initial wipe in Self Service available only to those users who are likely to be re-imaging labs.
We did something like a thousand machines like this last year and it was pretty effective, you can at very low risk push but not run the installers out to the machines earlier with a simple policy, although we found even this was pretty unnessary, basically with decent hardward and decent bandwidth what we found was that in a classroom of 40 odd machines, by the time you have got through getting them all booted and kicked off from Self Service, the first machines have almost reached the point of DEP initialisation anyway (something like 20 to 30 minutes later) and then you go around again and start the DEP phase.
Much lower chance of accidentally hitting the wrong machine like this and you have to visit all the labs either way.
Until Apple allow DEP to be completely automatic full remote rebuild is not possible and Self Service is a very flexible way of doing this without complicated timing and auditing to prevent accidental wipes.
I edited my entire post, because I initially misunderstood the question. Yes this is entirely possible, after deploying the macOS Mojave Install.app to the workstation to run this in a script:
/Applications/Install macOS Mojave.app/Contents/Resources/startosinstall --eraseinstall --agreetolicense --nointeraction
This erases the system and brings you to the point where a Setup Assistant requires human intervention to click a couple of items before Jamf is installed and the remainder of your configuration and installs can complete.
Originally I had a rant in here about the human intervention requirements of DEP enrollment preventing zero touch lab deployments, but you had already assumed that limitation would be there. To quote the late Gilda Radner playing her SNL character Emily Litella, "Never mind!"