
macOS Monterey Erase All Content and Settings for companies

Last updated on 15. November 2021

With the release of macOS Monterey, Apple has implemented a feature I find really helpful. Similar to iOS, Mac users can now reset their Mac themselves from System Preferences.

Open System Preferences -> Click on “System Preferences”

The disadvantage of this solution is that you as an administrator do not notice anything. Apple has unfortunately failed to implement any kind of postflight action for this process. If the user bypasses the DEP process after the reset (offline enrolment), we would only notice because the device stops delivering inventory or check-ins.

Of course, JAMF offers us a way to prevent this function. The only question is whether we want to deactivate such a helpful feature, especially when many users are working from home.

What can we do to ensure that an erase operation is logged in our client management system?

The idea is to have a service (a LaunchDaemon) that notices when the Erase Assistant is run and then updates a JAMF extension attribute I created. First I analysed what happens on the file level and which processes are called.

The application itself is located in the CoreServices folder: /System/Library/CoreServices/Erase\ Assistant.app/

The breakthrough came with a file that is created on the Preboot volume shortly before the reboot:
/System/Volumes/Preboot/56657C10-E13A-47CB-BD85-DF60C2AA77D0/var/db/.com.apple.eacs
With that, I could create a LaunchDaemon to monitor this file.

Since macOS processes the erase very quickly, there is not enough time to run a jamf policy, so I had to switch to a somewhat dirty approach.
I created a new JAMF Pro user that has only the following rights:
1. Update Computers
2. Update Computer Extension Attributes
3. Update Users

Next I created a new extension attribute as a text field.

Finally, we need a script that updates our extension attribute when it is called from launchd.
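The following script is an added example of the pieces described above (the LaunchDaemon that watches the marker file, and the script it runs to update the extension attribute over the JAMF Pro Classic API); it is not the post's code and not the macOS_eacs project's installer. The script path /Library/Management/eacs_report.sh, the LaunchDaemon label com.example.eacs, the extension attribute name "Erase Assistant" and the root-only credentials file /Library/Management/eacs.conf are all assumed names. The UUID directory under /System/Volumes/Preboot is the machine's volume group and differs from Mac to Mac, so the marker path is resolved at install time instead of being hard-coded.

```bash
#!/bin/bash
# Added example, not code from the post or the macOS_eacs project.
# Assumed: script installed as /Library/Management/eacs_report.sh, daemon label
# com.example.eacs, EA name "Erase Assistant", credentials in the root-only file
# /Library/Management/eacs.conf (JSS_URL, JSS_USER, JSS_PASS; chmod 600).

EA_NAME="Erase Assistant"
CONF_FILE="/Library/Management/eacs.conf"
SCRIPT_PATH="/Library/Management/eacs_report.sh"
DAEMON_LABEL="com.example.eacs"

# Escape the XML special characters so the EA value can never break the payload.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Classic API body that sets one extension attribute on a computer record.
build_ea_xml() {
    # $1 = EA name, $2 = value
    printf '<computer><extension_attributes><extension_attribute><name>%s</name><value>%s</value></extension_attribute></extension_attributes></computer>' \
        "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# Find the per-machine Preboot UUID directory (the one carrying var/db) and
# return the full path of the marker file the Erase Assistant creates there.
resolve_marker_path() {
    base="${1:-/System/Volumes/Preboot}"
    for d in "$base"/*/; do
        if [ -d "${d%/}/var/db" ]; then
            printf '%s' "${d%/}/var/db/.com.apple.eacs"
            return 0
        fi
    done
    return 1
}

# LaunchDaemon plist: WatchPaths fires the script the moment the marker file
# appears, which is fast enough where a jamf policy is not.
build_launchd_plist() {
    # $1 = label, $2 = script path, $3 = path to watch
cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>$1</string>
<key>ProgramArguments</key><array><string>/bin/bash</string><string>$2</string></array>
<key>WatchPaths</key><array><string>$3</string></array>
<key>RunAtLoad</key><false/>
</dict>
</plist>
EOF
}

# Called by launchd: stamp the EA with the erase time. Credentials are read
# from a root-only file, never embedded here; the API user has update rights only.
report_erase() {
    [ -r "$CONF_FILE" ] || { echo "missing $CONF_FILE" >&2; return 1; }
    . "$CONF_FILE"
    serial=$(system_profiler SPHardwareDataType | awk -F': ' '/Serial Number/ {print $2}')
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    logger -t eacs "erase assistant marker seen, reporting for $serial"
    curl -sS -f -m 10 -u "$JSS_USER:$JSS_PASS" -H 'Content-Type: application/xml' \
        -X PUT --data "$(build_ea_xml "$EA_NAME" "erase started $stamp")" \
        "$JSS_URL/JSSResource/computers/serialnumber/$serial"
}

# Installer step: write the plist with the resolved marker path and load it.
install_daemon() {
    marker=$(resolve_marker_path) || { echo "no Preboot volume dir found" >&2; return 1; }
    plist="/Library/LaunchDaemons/$DAEMON_LABEL.plist"
    build_launchd_plist "$DAEMON_LABEL" "$SCRIPT_PATH" "$marker" > "$plist"
    chown root:wheel "$plist" && chmod 644 "$plist"
    launchctl bootstrap system "$plist"
}

# Run the reporter only when invoked as the installed script (assumed name).
case "$0" in
    */eacs_report.sh) report_erase ;;
esac
```

The same file can serve as both installer and reporter: copy it to the assumed script path and call install_daemon once as root, and launchd will run report_erase when the marker appears. The curl call uses Basic auth on the Classic API as was common at the time of the post; current Jamf Pro releases expect a bearer token from /api/v1/auth/token instead, which only changes the authentication header, not the XML body. Because the marker appears seconds before the reboot, the 10 second timeout keeps a slow or unreachable server from blocking the run indefinitely, and the syslog line gives a local trace even when the request never lands.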

After the next erase, my extension attribute was updated, and now I am able to monitor computers with this value.

Please have a look at this article before you deploy API credentials on local machines.
https://macnotes.wordpress.com/2021/11/15/stop-putting-jamf-pro-api-credentials-on-clients/

To make it easier to distribute this service, I wrote an installer script that creates a LaunchDaemon and a script. You can see the complete code on GitHub.

https://github.com/macBerlin/macOS_eacs/blob/main/installer.sh

Disclaimer
The published information has been carefully compiled, but does not claim to be up-to-date, complete or correct. No liability is assumed for damages resulting from the use of this script or the information drawn from it. This also applies to third-party content accessible via this offer.

Published in Allgemein Monterey

2 Comments

    • Thanks, I know about the risk, but in this case it's just an example. You can create a special handler on your web server side to get this information.
