Resetting computers to a baseline

valkyrie
New Contributor III

Hi guys!

I'm new here (and quite new to Jamf), but I'm hoping someone can help me out on this one:

We have a couple of MacBooks in our company, which we use for a lending service for our users (for example during events or trainings). After each loan, they return to us, and we reset them. These computers aren't managed by Jamf.

At the moment, resetting the computers is done with a clean OS image on a USB drive (through Recovery - Disk Utility: we wipe the hard drive, and restore from the USB drive).
Is it possible to use Jamf to do this reset? After resetting, all these computers need is a clean OS and a local user (the same local user is used on all the loan computers).

One way I was thinking of (or hoping for), was the following:
When the computer returns to us, we log in to the self service, where only one policy is available for the computer (so only the loan computers would be in the scope of this policy). Running the policy would then reset/restore the computer to the clean OS, and add a local user.

Does anyone have any experience with doing this, or some other way of achieving the same end result?

Thanks!

10 REPLIES

Josh_C
New Contributor

You could use erase-install to speed up the process. https://github.com/grahampugh/erase-install

valkyrie
New Contributor III

I'll check it out, thanks!

valkyrie
New Contributor III

Sadly, erase-install doesn't seem to be working. Inputting 'sudo bash erase-install.sh --help', to check the options, returns 'bash: erase-install.sh: No such file or directory'

I was just thinking, is this something that could be done through DEP and PreStage Imaging? We're not currently doing anything with DEP, but we do have the loan devices added.

tjhall
Contributor III

If the Macs have 10.13.6 or later installed, then the erase/install function should work. If not, you need to upgrade the Macs to this version first.
It also requires that you have a copy of the "MacOS installer" present in the same location specified in the script.

If you use DEP, then it should be a breeze. If not, you can add additional packages, including "QuickAdd", but it does require signing the packages, otherwise they won't install.

Not applicable

Using DEP is the way to go, as I'm sure you will eventually replace the device. If you set up a pre-stage for the loaners with that local user as part of the pre-stage config, you literally just do internet recovery, erase the drive and reinstall, and your base config comes back. We do this on ALL our setups and reimages now, as the mix of new and old hardware makes it difficult to always use one certain workflow. DEP solves that for us. Some of the self service options work... to an extent, with hiding the installer and telling it where to erase/install. (This requires you to have the machine already formatted in APFS.)

valkyrie
New Contributor III

I have been testing that this afternoon, and DEP seems the way to go indeed. I'm combining the PreStage Enrollment with an erase-install policy in the self service (only available for us), as the OS that is installed with internet recovery is El Capitan rather than Mojave.
Thanks for the help!

robertojok
Contributor

You can also take a look at this interesting process if you want to go the way of self service. I have used it and it works brilliantly. I decided to scope it to a static list so that administrators can enable and disable so as not to avail it lest some user accidentally wipes their computer.
https://scriptingosx.com/2019/04/eraseinstall-update-version-1-2/

valkyrie
New Contributor III

The erase-install works fine now, but the prestage enrollment doesn't seem to be doing its job.
In my prestage enrollment, I specified the items that won't be displayed during enrollment, added a configuration profile to automatically connect to a certain wifi network, and added an additional local admin account. The items I specified are indeed skipped, but connecting to wifi or creating the additional local admin account isn't happening. So when starting the computer for the first time, the user is still asked to create an account, giving a username + password, which is what I'm trying to avoid.
Any thoughts?

tjhall
Contributor III

@valkyrie Is this using DEP or via QuickAdd? Presume you got the predefined JSS admin account and then an additional local admin account via "Prestage Enrollment"?

valkyrie
New Contributor III

This is using DEP. I've been playing around with it some more yesterday. I tested it on one computer, and it seems to be working for now. I'm testing on another computer, but I don't expect a lot of trouble with the user. I'm close to where I need the enrollment to be, other than some tweaks here and there, and getting the installer to cache. Thanks for all the help!