Jamf Nation Community

dan-snelson · ‎11-04-2021

Background

Now that macOS Monterey is out, we wanted to allow our opt-in Beta Testers with local admin rights easy access to nuke-and-pave their Macs the "Apple" way:

macOS Monterey includes Erase All Content and Settings, a way to quickly and securely erase all of your settings, data, and apps, while maintaining the operating system currently installed. If your Mac includes this feature when using macOS Monterey, use it instead of other utilities to erase your Mac.
Source: HT212749

Smart Group

Erase Assistant

And / Or		Criteria	Operator	Value
		Operating System Version	greater than or equal	12.0.1
and	(	Architecture Type	is	arm64
or		Boot ROM	like	iBridge	)

Policy

Options

General

Display Name: Erase Assistant
Execution Frequency: Ongoing

Files and Processes

Execute Command:

/usr/bin/su \- "/usr/bin/stat -f%Su /dev/console" -c "/usr/bin/open '/System/Library/CoreServices/Erase Assistant.app'"

Scope

Targets

Erase Assistant

Self Service

Self Service Display Name: Erase All Content and Settings
Button Name Before Initiation: Erase
Button Name After Initiation: Erase
Description:

### Warning: Permanent Data Loss

macOS Monterey includes [Erase All Content and Settings](https://support.apple.com/en-us/HT212749), a way to quickly and securely erase all of your settings, data, and apps, while maintaining the operating system currently installed.

Erase Assistant opens and asks you to sign in with administrator credentials.

Resources

Jared_Y · ‎11-09-2021

There seems to be a discrepancy between the screenshots and the text for the command. In the screenshots there are ` in the first image and none in the second. The text to copy is also missing them. I cannot get this method to work because I am unsure of what the actual command is to call to Erase Assistant to open and run it. Thanks.

dan-snelson · ‎11-09-2021

Thanks for the feedback; hopefully this will work better:

/usr/bin/su \- "`/usr/bin/stat -f%Su /dev/console`" -c "/usr/bin/open '/System/Library/CoreServices/Erase Assistant.app'"

Jared_Y · ‎11-09-2021

Thanks that worked!

@dan-snelson Do you know of a way to invoke and run this from a Standard User account as well? I would block access to it within Self Service by way of limited access logins.

dan-snelson · ‎11-09-2021

For Standard Users, you’ll most likely need to go a different route (i.e., `erase-install`).

iweiss · ‎02-18-2022

@dan-snelson Thank you for this awesome and detailed post! This might be off-topic, but can you clarify why you use the "su -c" convention, rather than using "sudo -u" ?

martin · ‎02-24-2022

You can just run:

open -a "Erase Assistant"

It will start the process for the current logged in user.

And make sure your user is admin. You might want to (temporarily) elevate the standard user permissions to admin.

tjhall · ‎09-26-2022

Is there any benefit to this instead of running it via System Prefs?