Remotely Re-image Macs


Has anybody here tried to remotely re-image a computer or a computer lab?

Once a year it's nice for our team to go out and go computer lab by computer lab and get things cleaned up. Everything is pretty much automated now since we enroll via DEP and segregate out our labs based on smart groups that utilize the "Prestage enrollment is __" criteria.

That being said, how should we go about remotely pushing a wipe and re-install of Mojave? Is there an easy way to do it via command line? What about if the Install isn't there anymore since we are on a current rev?

Any insight would be great, as it would be yet another sequence we could be hands off with. Push the command to wipe, drive over to the school site, click the DEP prompts, then come back in an hour with everything done.


Valued Contributor

But even with DEP it still relies on human intervention to actually get the ball rolling doesn't it?

New Contributor II

Yes it's possible. I made a composer package that puts the latest "Install macOS" in /Applications. I then created a Policy set to recurring check in to 1. put the Install macOS package in Applications and 2. under Files and Processes>Execute Command on the same policy put the command

"/Applications/Install macOS" --eraseinstall --newvolumename "Macintosh HD" --agreetolicense &

Whatever machines you scope to this policy will erase and reinstall the OS. You do need to click through the DEP prompts to get them reenrolled and you must remember to remove the machines from the policy scope so they don't reset themselves again (or you could set it to run once but I wouldn't risk it), but it's doable.

Contributor III

The question was can you remotely re-image, the answer is yes and no. Yes you can wipe the OS and get it to the initial setup screen so technically that probably is re-imaged but it's not built so that's a no.

Using this saves all the hassle of keeping images up-to date and deploying them and can easily be run remotely.

Valued Contributor

While I echo many of the comments here, I should mention in our workflow, we have all the steps automated with everything being predicated on the correct name. Once the computer is wiped and the new OS loaded, we only have to someone click through those first three screens to get the computer re-enrolled. When enrolled, we never touch the computer again unless we want to remotely wipe and reload the OS and applications. In many respects, this is a very simple setup for the end users involved in our labs.

Granted, those first three screens are annoying to deal with. To select country, keyboard type and accept remote management seems like something that could be bypassed when using DEP, but that isn't the case yet.

Valued Contributor III

Depending on your bandwidth it is sometimes not really worth the risk.
You know someone has to push the DEP prompts anyway, so why not just put the OS delivery and initial wipe in Self Service available only to those users who are likely to be re-imaging labs.
We did something like a thousand machines like this last year and it was pretty effective, you can at very low risk push but not run the installers out to the machines earlier with a simple policy, although we found even this was pretty unnessary, basically with decent hardward and decent bandwidth what we found was that in a classroom of 40 odd machines, by the time you have got through getting them all booted and kicked off from Self Service, the first machines have almost reached the point of DEP initialisation anyway (something like 20 to 30 minutes later) and then you go around again and start the DEP phase.

Much lower chance of accidentally hitting the wrong machine like this and you have to visit all the labs either way.

Until Apple allow DEP to be completely automatic full remote rebuild is not possible and Self Service is a very flexible way of doing this without complicated timing and auditing to prevent accidental wipes.

New Contributor III

I came up with this solution for rebuilding Macs remotely

Valued Contributor

I edited my entire post, because I initially misunderstood the question. Yes this is entirely possible, after deploying the macOS Mojave to the workstation to run this in a script:

/Applications/Install macOS --eraseinstall --agreetolicense --nointeraction

This erases the system and brings you to the point where a Setup Assistant requires human intervention to click a couple of items before Jamf is installed and the remainder of your configuration and installs can complete.

Originally I had a rant in here about the human intervention requirements of DEP enrollment preventing zero touch lab deployments, but you had already assumed that limitation would be there. To quote the late Gilda Radner playing her SNL character Emily Litella, "Never mind!"


Is there a workflow that instead of using the main HD allows booting from the restore partition to run an erase install then deploy a specified jamf configuration?