Jamf Nation Community

Hrm. I would probably disable user creation during prestatge, and have a policy run after enrollment to create the account that way. 

I do the following:
1.  click "wipe computer"
2.  leave "clear activation lock" unchecked
3.  enter a 6 digit code for the "Remote Wipe Passcode"
4.  Click "Wipe Computer"
5.  Click "OK", I am sure
6.  The computer reboots pretty much immediately
7.   The computer boots into recovery assistant, activates, eventually says "your mac is activated", but sits there, I have to click "Exit to Recovery Utilities".  (I let it sit there for multiple minutes, it never automatically rebooted.)  

When you say "What are your activation settings on your pre-stage".......I do not see any activation settings I can configure in my prestage enrollment.  What payload would the options be under?  We are on version JAMF 10.34.1

If a "wipe" on big sur or newer just wipes the user volume......how is it recommended to wipe the whole device?

I think I saw other ideas discussed on other forum posts, discussing using "/startosinstall --eraseinstall"

We do have a directory, Microsoft Active Directory, the next project is to get the devices into that directory, and have all the students login with their accounts to access the Mac's.  But, I was putting that part off until later.

To clarify what @mainelysteve writes about an MDM wipe only erasing the "user" volume - that only applies to Intel based Macs with a T2 chip or Macs with an M-series processor, and running macOS Monterey which introduced the Erase All Contents and Settings feature for macOS.

Hi Mike,

To answer your question, yes you can fully automate the wipe and rebuild of a lab of M1 Macs.

Criteria:

• Their serials must be registered in Apple School Manager and assigned to a prestage enrolment.
• They must go through Automated Device Enrolment.
• They must use wired ethernet connections. ('Auto Advance' won't work over a wi-fi connection.)
• They must be M1 devices
• They must be running Monterey 12
• They must have a valid escrowed 'bootstrap token' on the Jamf server for each computer record.  This is normally generated automatically for a device that goes through Automated Device Enrolment but won't be escrowed to the Jamf server until an account with a secure token logs in to the device (This is the default behaviour. Thanks Apple!).  You can also force the escrow of a bootstrap token on each device manually by using the 'profiles' command to install a bootstrap token from the Terminal.
• If the device doesn't have a properly escrowed bootstrap token, the wipe command will stop at the recovery console and ask for the 6 digit pin, instead of running the Erase All Content and Settings command and then automating the Mac Activation section and reboot.
• You may want to upgrade your Jamf server version to 10.39 (10.40 is also about to come out.)

commands to check on a device status to receive MDM commands (without this being valid, it won't work.)

• sudo profiles status -type=bootstraptoken 
• sudo profiles validate -type=bootstraptoken
• sudo profiles install -type=bootstraptoken 

There are 3 recent videos on Jamf's YouTube page you should watch regarding device rebuild automation:

• https://www.youtube.com/watch?v=gt45TF8qf7k
• https://www.youtube.com/watch?v=1Aq2FBpxFLY
• https://www.youtube.com/watch?v=UtdPLbpREtM

The two technologies that enable an auto lab rebuild are 'Auto Advance' and 'Erase All Content & Settings'. 

Turning on 'Auto Advance' in your prestage enrolment will auto jump through the setup assistant screens without user interaction.  It will sit at the first screen for 30 seconds before proceeding.  This works on macOS 11 & 12.

If you create a hidden administrator account in your prestige enrolment, then you should select skip user creation to auto advance past the user creation screen.  Don't forget to turn off the other setup assistant screens  in your prestage enrolment general settings.

You should be able to create a standard user account using a Jamf Policy and scope it out to your devices instead of creating one manually on every machine.  This step won't be necessary when your devices are bound to Active Directory and your students log in with AD network accounts.

Each individual computer record has the wipe command under its MDM management tab.  But, you can also create a smart computer group and issue mass action commands to all group devices simultaneously.  The mass action commands have extra settings regarding rebuilding a lab all in one go.  This also includes deploying  software update commands to a lab of M1 devices.

I hope this points you in the right direction.

But, you can also create a smart computer group and issue mass action commands to all group devices simultaneously. 

Is there an equivalent to the "Wipe Computer" button as a mass action though? I can find mass actions for upgrading the OS, but not wiping the box. That has to be done by drilling into the computer record and clicking each one. I can sit down with a list of machines and go down them one at a time, but that's clunky and error prone...

Our goal is to be able to re-provision student labs. Ninety Macs currently, but expected to grow rapidly in coming school years. The general idea is to do it over the summer in three stages, initiated from Jamf remotely.

1. Upgrade OS (can be done en masse)  -  gets everything up to date
2. Wipe Computer (can only be done per record?)  -  clears off student data
3. Pre-Stage and Auto-Advance (can be done en masse)  -  reinstalls the software, printers, etc. etc. etc.

It's that inability to send the wipe command to 30 (or 90, or X) Macs at once that's preventing this from being feasible.

Am I just not spotting the button somewhere? Is there a script to enable it, or some sort of script that can sent the equivalent using API?

Any help is appreciated!