Is it possible to fully automate the wipe of an Apple Mac Mini?
Currently, I have a lab of M1 Mac Minis; these devices will be used by students in an open lab environment. They are configured in a prestage enrollment that seems to be working fine, but when I click the "wipe computer" button from the management tab of the device, it begins the process to wipe the computer correctly, but it then stops after it activates the device. I have to physically go acknowledge the activation to move the process along. I'm hoping to find a way to automate this. Then, I have to manually start the OS install, which I would like to automate too, and after I start the OS install, the device enrolls successfully, but then stops at the user creation screen, and requires me to create a user. Because this is an open lab environment, at the moment, we do not need to create a new user. I would rather JAMF fill this information for me, then JAMF configure that user to autologin... making this wiping process fully automated.
Am I missing something?
You are really dealing with macOS limitations (Apple's design desires) more so than JAMF limitations. If I am not mistaken, if you remove the authentication requirement for your MDM enrollment, it should also do the enrollment automatically. Removing MDM authentication has its own set of security concerns.
Once you clear MDM enrollment you can drop accounts automatically in the prestage if your environment is set up to deploy policies during enrollment.
I have the prestage enrollment configured to create a user, and it successfully creates the user, but, the out of box experience still stops at the user creation portion of the deployment.
So, for example, if I have "NewUser" being created in the prestage enrollment, that user is created successfully. But to move the wipe of the device along, I have to enter user information to create a new user at the prompt. If I enter "NewUser" at that screen, I will have two users, "NewUser" and "NewUser1" (Apple will append the 1 on the end automatically, but let you move forward).
Is there any way to deploy the user with the prestage enrollment, then skip the user creation process, and have the computer login with the user that was created with the prestage enrollment?
So you have a few different things going on here:
I do the following:
1. Click "wipe computer"
2. Leave "clear activation lock" unchecked
3. Enter a 6-digit code for the "Remote Wipe Passcode"
4. Click "Wipe Computer"
5. Click "OK", I am sure
6. The computer reboots pretty much immediately
7. The computer boots into recovery assistant, activates, eventually says "your mac is activated", but sits there; I have to click "Exit to Recovery Utilities". (I let it sit there for multiple minutes; it never automatically rebooted.)
When you say "What are your activation settings on your pre-stage"... I do not see any activation settings I can configure in my prestage enrollment. What payload would the options be under? We are on version JAMF 10.34.1.
If a "wipe" on Big Sur or newer just wipes the user volume... how is it recommended to wipe the whole device?
I think I saw other ideas discussed on other forum posts, discussing using "/startosinstall --eraseinstall".
We do have a directory, Microsoft Active Directory; the next project is to get the devices into that directory, and have all the students log in with their accounts to access the Macs. But I was putting that part off until later.
Ultimately, I have a lab of around 30 Mac Minis; it's an open lab, students can walk in and use them as needed.
Every so often, we need to refresh the devices (new operating systems, software updates, patches, etc.). So, it seems most companies are moving to the process of a fresh install of the OS, then have a process to reinstall all the software in settings after the OS is installed. Apple has been following suit. (Instead of the imaging software like Symantec Ghost a while ago or Deploy Studio.)
So, I am ultimately wanting to wipe a lab of Mac Minis. Maybe I'm going about this wrong by using the "Wipe Computer" button?
To answer your question, yes you can fully automate the wipe and rebuild of a lab of M1 Macs.
commands to check on a device status to receive MDM commands (without this being valid, it won't work.)
There are 3 recent videos on Jamf's YouTube page you should watch regarding device rebuild automation:
The two technologies that enable an auto lab rebuild are 'Auto Advance' and 'Erase All Content & Settings'.
Turning on 'Auto Advance' in your prestage enrolment will auto jump through the setup assistant screens without user interaction. It will sit at the first screen for 30 seconds before proceeding. This works on macOS 11 & 12.
If you create a hidden administrator account in your prestage enrolment, then you should select skip user creation to auto advance past the user creation screen. Don't forget to turn off the other setup assistant screens in your prestage enrolment general settings.
You should be able to create a standard user account using a Jamf Policy and scope it out to your devices instead of creating one manually on every machine. This step won't be necessary when your devices are bound to Active Directory and your students log in with AD network accounts.
Each individual computer record has the wipe command under its MDM management tab. But, you can also create a smart computer group and issue mass action commands to all group devices simultaneously. The mass action commands have extra settings regarding rebuilding a lab all in one go. This also includes deploying software update commands to a lab of M1 devices.
I hope this points you in the right direction.
But, you can also create a smart computer group and issue mass action commands to all group devices simultaneously.
Is there an equivalent to the "Wipe Computer" button as a mass action though? I can find mass actions for upgrading the OS, but not wiping the box. That has to be done by drilling into the computer record and clicking each one. I can sit down with a list of machines and go down them one at a time, but that's clunky and error prone...
Our goal is to be able to re-provision student labs. Ninety Macs currently, but expected to grow rapidly in coming school years. The general idea is to do it over the summer in three stages, initiated from Jamf remotely.
It's that inability to send the wipe command to 30 (or 90, or X) Macs at once that's preventing this from being feasible.
Am I just not spotting the button somewhere? Is there a script to enable it, or some sort of script that can send the equivalent using the API?
Any help is appreciated!
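On the question above about scripting the wipe for a whole group: the following is an added example, not code from this thread or from Jamf. It assumes the Jamf Pro Classic API paths `/JSSResource/computergroups/id/{id}` (group membership as XML) and `/JSSResource/computercommands/command/EraseDevice/passcode/{passcode}/id/{id}`; the server URL, group XML, serial numbers and the `MAX_DEVICES` cap are constructed or hypothetical, so check the paths against your own server's API documentation before sending anything.

```python
"""Dry-run-first planner for a bulk EraseDevice (added example; API paths are assumptions)."""
import re
import urllib.request
import xml.etree.ElementTree as ET

MAX_DEVICES = 40  # hypothetical safety cap: refuse batches larger than one lab

def group_members(group_xml):
    """Return [(computer_id, serial)] from a Classic API computer group XML document."""
    root = ET.fromstring(group_xml)
    return [(int(c.findtext("id")), c.findtext("serial_number"))
            for c in root.iterfind("./computers/computer")]

def plan_wipe(base_url, members, passcode, expected_count):
    """Build one EraseDevice URL per computer, or raise if a guard fails."""
    if not re.fullmatch(r"\d{6}", passcode):
        raise ValueError("remote wipe passcode must be exactly 6 digits")
    if len(members) != expected_count:
        # A smart group can change membership between review and execution.
        raise ValueError(f"group has {len(members)} members, expected {expected_count}")
    if len(members) > MAX_DEVICES:
        raise ValueError("batch exceeds MAX_DEVICES")
    base = base_url.rstrip("/")
    return [f"{base}/JSSResource/computercommands/command/EraseDevice"
            f"/passcode/{passcode}/id/{cid}" for cid, _ in members]

def send(urls, auth_header):
    """POST each planned command; call only after reviewing the dry-run output."""
    statuses = []
    for url in urls:
        req = urllib.request.Request(url, method="POST",
                                     headers={"Authorization": auth_header})
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses

# Constructed sample of a computer group response (not from a real server).
SAMPLE_GROUP = """<computer_group><id>12</id><name>Lab A</name><computers><size>2</size>
<computer><id>101</id><name>lab-a-01</name><serial_number>C02EXAMPLE01</serial_number></computer>
<computer><id>102</id><name>lab-a-02</name><serial_number>C02EXAMPLE02</serial_number></computer>
</computers></computer_group>"""

if __name__ == "__main__":
    members = group_members(SAMPLE_GROUP)
    for serial, url in zip((s for _, s in members),
                           plan_wipe("https://jamf.example.org:8443", members, "123456", 2)):
        print(f"DRY RUN {serial}: would POST {url}")
```

Under the assumed path the wipe passcode travels in the URL, so it will appear in server and proxy access logs; give the API account only the privileges needed to read the group and send computer remote commands.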
Kudos to @sdagley for pointing out that only Macs with T2 chips or M-series CPUs will have Erase All Content and Settings capability. I started to ramble on and didn't stop to think you may not be running the correct hardware for it.
If you have older Minis, Late 2014s for instance, you can still get some semblance of automation. When using the Wipe Computer MDM command on older Macs it will wipe the entire volume (and rename it untitled) and require you to do a hands-on OS reinstall. This reason is probably why you landed at the activation screen and it stayed there. My recommendation is to utilize the erase-install script to wipe and reinstall the OS. It can also do double duty and upgrade OS versions as well.
Once that piece is taken care of you then need to decide what to do about your accounts. You mentioned automatically logging in an account, but if automation is used at the pre-stage (i.e. auto advance that @snowfox mentioned above) it will generally always drop you at the login window. Enrollment-triggered and check-in policies will still run though, so it's not like it's not doing anything while it sits and waits for a login. If you'd rather not bind your machines you can also look into NoMAD Login, which can run policies during the login process as well using DEP Notify.