(Yet another) Erase-install thread macOS Monterey on Apple Silicon M1 question

Randydid
Contributor II

Hi all,

 

Lots of threads out there but have not found a definitive answer.

 

I am using Graham Pugh's erase install script. It is working flawlessly on both architectures. My question(s) are:

Has anyone gotten around the need to be logged into a Mac to enter credentials for a secure token user?
If the answer is yes, how?
Is there a way to hard code credentials (bad but effective) in the script? Or, is there a way to be able to enter them into Parameter fields in Jamf (better)?

I manage a computer lab and logging into 700 end points to enter these credentials is going to bring sadness.

TIA,

/randy

6 REPLIES

AJPinto
Honored Contributor II

If I remember correctly, anything involving OS updates and upgrades requires a GUI interaction from a user unless it comes from an MDM command with a bootstrap token on Apple Silicon. I don't think you can bypass this check with CLI; you must use MDM commands for no user interaction.

JAMF does not really advertise this very much, but the "Wipe Computer" MDM command should leave the Mac at Setup Assistant when it's done.


@AJPinto wrote:

If I remember correctly, anything involving OS updates and upgrades requires a GUI interaction from a user unless it comes from an MDM command with a bootstrap token on Apple Silicon. I don't think you can bypass this check with CLI; you must use MDM commands for no user interaction.

JAMF does not really advertise this very much, but the "Wipe Computer" MDM command should leave the Mac at Setup Assistant when it's done.


Can this be done on a group of computers? I have only seen the command in the inventory record of individual Macs. In other words, one at a time. If it is there I am just not seeing it.

AJPinto
Honored Contributor II

I do not think you can wipe multiple devices with a mass action. I see there being a LOT of risk in bulk wiping devices, so it's something JAMF has not implemented.

 

It looks like you can script the Erase Device MDM command with JAMF API and the computercommands endpoint. However, I would be extremely careful with this.


Fluffy
Contributor III

The thing that requires the password is Apple Silicon Macs. See erase-install documentation here. #JustAppleThings

If MDM update commands work for you, do as @AJPinto said.

bzuidema
New Contributor II

This is the documentation that I have been using and it has been working.
https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/

I have a policy that runs this command in the "Execute Command" field on the Files and Processes page.

echo 'P@55w0rd' | '/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall' --eraseinstall --agreetolicense --forcequitapps --newvolumename 'Macintosh HD' --user adminuser --stdinpass

Just replace the echoed password at the beginning of the command and set the username towards the end.

Randydid
Contributor II

We have a bit of a moving target as we have two accounts for different admin purposes. Not all of the Macs have had either logged into them. Let's call them Admin-Mary and Admin-Bob. In some cases, Bob has logged in and in other instances, Mary has, and complicating things, there are some machines that neither of them has logged in to, nor do they show up in the Secure Token Users list in inventory.
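
The script below is an added example, not code from any poster in this thread or from the erase-install project. It takes the account names and passwords from Jamf script parameters instead of hard-coding them, picks whichever supplied account actually holds a secure token, and refuses to start the erase when none does. The pairing of parameters ($4/$5 for the first account and its password, $6/$7 for the second) and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread). Jamf passes custom script parameters as
# $4..$11; the pairing used here ($4/$5 = first account and password,
# $6/$7 = second account and password) is an assumption of this example.

INSTALLER='/Applications/Install macOS Monterey.app/Contents/Resources/startosinstall'

# Succeeds if the named account holds a secure token.
# sysadminctl prints its status line on stderr, hence 2>&1.
has_secure_token() {
    sysadminctl -secureTokenStatus "$1" 2>&1 | grep -q 'Secure token is ENABLED'
}

# Takes user/password pairs; sets TOKEN_USER and TOKEN_PASS to the first pair
# whose account holds a secure token. Returns 1 if no candidate qualifies.
select_token_credential() {
    TOKEN_USER='' TOKEN_PASS=''
    while [ "$#" -ge 2 ]; do
        # Skip pairs left empty in the policy.
        if [ -n "$1" ] && [ -n "$2" ] && has_secure_token "$1"; then
            TOKEN_USER=$1 TOKEN_PASS=$2
            return 0
        fi
        shift 2
    done
    return 1
}

# Run only when Jamf supplied at least one pair ($1-$3 are Jamf's own values).
if [ "$#" -ge 5 ]; then
    shift 3
    if ! select_token_credential "$@"; then
        echo "No supplied account holds a secure token; not starting erase." >&2
        exit 1
    fi
    # printf is a shell builtin, so the password goes down the pipe to
    # --stdinpass and is not placed on startosinstall's command line.
    printf '%s\n' "$TOKEN_PASS" | "$INSTALLER" --eraseinstall --agreetolicense \
        --forcequitapps --newvolumename 'Macintosh HD' \
        --user "$TOKEN_USER" --stdinpass
fi
```

Parameter values are stored with the policy in Jamf, so anyone who can view the policy can read them; limit that access and rotate the passwords once the lab has been rebuilt.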