Self Service for macOS: Erase Assistant
11-04-2021 02:48 AM - edited 11-06-2021 06:48 AM
Background
Now that macOS Monterey is out, we wanted to allow our opt-in Beta Testers with local admin rights easy access to nuke-and-pave their Macs the "Apple" way:
macOS Monterey includes Erase All Content and Settings, a way to quickly and securely erase all of your settings, data, and apps, while maintaining the operating system currently installed. If your Mac includes this feature when using macOS Monterey, use it instead of other utilities to erase your Mac.
Source: HT212749
Smart Group
Erase Assistant
| And / Or | | Criteria | Operator | Value | |
|---|---|---|---|---|---|
| | | Operating System Version | greater than or equal | 12.0.1 | |
| and | ( | Architecture Type | is | arm64 | |
| or | | Boot ROM | like | iBridge | ) |
Policy
Options
General
- Display Name: Erase Assistant
- Execution Frequency: Ongoing
Files and Processes
- Execute Command:
/usr/bin/su \- "/usr/bin/stat -f%Su /dev/console" -c "/usr/bin/open '/System/Library/CoreServices/Erase Assistant.app'"
Scope
Targets
- Erase Assistant
Self Service
- Self Service Display Name: Erase All Content and Settings
- Button Name Before Initiation: Erase
- Button Name After Initiation: Erase
- Description:
### Warning: Permanent Data Loss
macOS Monterey includes [Erase All Content and Settings](https://support.apple.com/en-us/HT212749), a way to quickly and securely erase all of your settings, data, and apps, while maintaining the operating system currently installed.
Erase Assistant opens and asks you to sign in with administrator credentials.
Resources
Posted on 11-09-2021 06:06 PM
There seems to be a discrepancy between the screenshots and the text for the command. In the screenshots there are ` in the first image and none in the second. The text to copy is also missing them. I cannot get this method to work because I am unsure of what the actual command is to call to Erase Assistant to open and run it. Thanks.
Posted on 11-09-2021 06:10 PM
Thanks for the feedback; hopefully this will work better:
/usr/bin/su \- "`/usr/bin/stat -f%Su /dev/console`" -c "/usr/bin/open '/System/Library/CoreServices/Erase Assistant.app'"
Posted on 11-09-2021 06:15 PM
Thanks, that worked!
@dan-snelson Do you know of a way to invoke and run this from a Standard User account as well? I would block access to it within Self Service by way of limited access logins.
Posted on 11-09-2021 06:39 PM
For Standard Users, you’ll most likely need to go a different route (i.e., `erase-install`).
Posted on 02-18-2022 12:37 PM
@dan-snelson Thank you for this awesome and detailed post! This might be off-topic, but can you clarify why you use the "su -c" convention, rather than using "sudo -u" ?
02-24-2022 01:42 AM - edited 02-24-2022 01:43 AM
You can just run:
open -a "Erase Assistant"
It will start the process for the currently logged-in user.
And make sure your user is admin. You might want to (temporarily) elevate the standard user permissions to admin.
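Added example, not part of any post in this thread: a policy script that repeats the original post's Smart Group criteria and the admin requirement mentioned above as local pre-flight checks before opening Erase Assistant for the console user. The function names, the `open` value in script parameter 4, and the use of the "System Firmware Version" line as a stand-in for Jamf's Boot ROM attribute are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before opening Erase Assistant from a root policy.

version_ge() {  # true when dotted version $1 >= $2
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

eacs_supported() {  # $1 OS version, $2 architecture, $3 firmware string
    # Same logic as the Smart Group: 12.0.1 or later AND (arm64 OR Boot ROM like iBridge)
    version_ge "$1" 12.0.1 || return 1
    [ "$2" = arm64 ] && return 0
    case $3 in *iBridge*) return 0 ;; esac
    return 1
}

real_console_user() {  # reject login-window and setup pseudo-users
    case $1 in ''|root|loginwindow|_mbsetupuser) return 1 ;; esac
}

main() {
    os=$(/usr/bin/sw_vers -productVersion)
    arch=$(/usr/bin/uname -m)
    # Assumption: on T2 Macs this line contains "iBridge", like Jamf's Boot ROM value.
    rom=$(/usr/sbin/system_profiler SPHardwareDataType |
        /usr/bin/awk -F': ' '/System Firmware Version/ {print $2}')
    eacs_supported "$os" "$arch" "$rom" ||
        { echo "Erase All Content and Settings is not offered on this Mac" >&2; return 1; }
    user=$(/usr/bin/stat -f%Su /dev/console)
    real_console_user "$user" || { echo "No user at the console" >&2; return 1; }
    # Erase Assistant asks for administrator credentials, so stop early for standard users.
    /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1 ||
        { echo "$user is not an admin" >&2; return 1; }
    /usr/bin/su - "$user" -c "/usr/bin/open '/System/Library/CoreServices/Erase Assistant.app'"
}

# Hypothetical trigger: the policy passes "open" as script parameter 4.
if [ "${4:-}" = "open" ]; then main; fi
```

A non-zero exit makes the policy log show why Erase Assistant was not opened.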
Posted on 09-26-2022 08:23 AM
Is there any benefit to this instead of running it via System Prefs?
Posted on 06-11-2024 04:44 AM
Is there anything wrong with that command? We try to run that using the command above but also there we get the following error. Is the method stated above still valid?
Posted on 06-11-2024 04:50 AM
The user has to be elevated to admin before running the command.
Posted on 06-11-2024 04:56 AM
Thank you so much @tjhall. We run it using Self Service, which should run it with elevated rights. Any other ideas? And do you think that's still the way it should work as it's described above?
06-11-2024 05:02 AM - edited 06-11-2024 05:04 AM
The one above doesn't run in elevated rights. It just opens the built-in "erase assistant" which requires admin rights to execute.
You can use erase-install instead (using https://github.com/grahampugh/erase-install).
Create a policy which installs the latest erase-install package and then a process payload with: /Library/Management/erase-install/erase-install.sh --erase
Beware though, this will wipe the Mac immediately so you really don't want anyone running it by mistake. I suggest it's scoped to specific users only (so they have to log in to see the policy).
Posted on 06-11-2024 05:37 AM
OK, thank you so much for taking the time and for your cool proposal. Usually I would like to avoid third-party scripts/tools (this tool uses mistcli), but will double check internally. When we really have to implement it we'll go the route you proposed. Otherwise I would recommend going with the "hold the power button option" if a user wants to reset it by himself. Thank you so much, your help is much appreciated!