There is a great new feature in Monterey to erase a Mac, very similar to the one on iOS. You can read all about it on Apple’s site here:
https://support.apple.com/en-us/HT212749
A good post on krcs.co.uk prompted me to write this article on how you can control showing the Erase All Content and Settings menu item via Jamf, so that it is shown only when you want and to whom you want, as you may not want it to be accessible by your end users. Jamf has already added this directly into the Jamf UI, so it is as simple as ticking a box in a Profile.
So let’s start with creating a new Profile
Profile Setup
Create a new Profile in Jamf
Add the Restrictions payload
Select the Functionality section and scroll down
You will see the item, and by default it is unticked, meaning that if you scope this Profile to your target Macs the Erase All Content and Settings menu item won’t be shown.
Ticking it will allow the item to be shown.
Scenario
Let’s say you scope this so the menu item is hidden, but you want your IT Technicians to have access to it when they need to erase a Mac, without asking you as a Jamf Admin to change the Profile scoping ad hoc per Mac. But how? A Self Service “switch” is the answer.
Solution
A “switch” is possible by using two Profiles, one with the item ticked and one unticked, plus a Smart Group and a Policy that sets a Receipt. That Policy is your “on” switch, and a second Policy that removes the Receipt gives you an “off” switch.
The Policy performs a touch, which writes a Receipt on the Mac, and must also be set to do an Inventory Update (recon), which will update a Smart Group. The criteria of the Smart Group look for the Receipt, and the scoping of both Profiles is tied to that Smart Group, so if the Receipt is found the unticked Profile is removed and the ticked Profile is added, and therefore the menu item will be available!
The Policy can be run via Self Service, and you can limit access to the Policy item to just your IT admins by scoping it to a User Group. When the Self Service item is run the menu item will be shown.
How To
Create a Profile, name it accordingly and ensure the item is ticked. Add any other Profile settings you require, leave it un-scoped for now and save the Profile.
Now duplicate the Profile and name it accordingly.
In this duplicate make sure the item is unticked. Again, don’t scope it yet, and save the Profile.
Now create a new Policy
Add a Files and Processes payload and in the Execute Command field add a touch command that drops a Receipt on the Mac in the form of a .pkg file.
In the touch command below, the final path component is the actual Receipt name, and we add it to the Jamf Receipts folder (note the escaped space in the path):
touch /Library/Application\ Support/JAMF/Receipts/Restrictions_Allow_Erase_Reset.pkg
Now add a Maintenance payload to the Policy and tick the Update Inventory box. This is required so the Mac can report back to Jamf that Restrictions_Allow_Erase_Reset.pkg is in place.
Make this Policy a Self Service item, give it a nice icon and a few instructions, drop it in a category like IT Admin and scope it only to those you want to allow to run it, like your IT Techs.
Now let’s Create the Smart Group
Name it how you want, something relevant like Macs with Restrictions_Allow_Erase_Reset.pkg
In Criteria, find the item Packages Installed By Casper (I like that Jamf keeps the old-school name here!)
In the criteria settings, ensure the Operator is has and the Value is the name of your Receipt pkg, so in this example Restrictions_Allow_Erase_Reset.pkg
Finally, save your Smart Group
Ok, so we have our Policy setting the Receipt and we have our Smart Group looking for Macs with the Receipt.
Let’s go back to our Profiles.
Our default position in this example is for the end user not to see the Erase All Content and Settings menu item, so in the unticked Profile’s scope set the Target to be All Computers (assuming all your Macs are on Monterey; Erase Assistant itself also requires Apple silicon or a T2 chip, so older Macs won’t show the item either way) and set the Exclusion to be the Smart Group you just created.
So all Macs will get the setting not to see the menu item, but Macs with the Receipt will be excluded from getting this Profile.
Save the Profile and let it hit your Monterey Macs.
Now open the ticked Profile, go to Scope and select Specific Computers.
Click Add, and this time your Deployment Target is going to be Computer Groups; then select the Smart Group you created earlier that looks for the Receipt.
So Macs in the Smart Group (the one looking for the Receipt dropped in place by your Self Service Policy) will get this Profile once the unticked Profile is removed.
On a target Mac, check it has your unticked Profile and that it’s doing its thing: the Erase All Content and Settings menu item should not be showing in System Preferences.
Now open Self Service and find your Policy that will run the touch command, which sets the Receipt and does an Inventory Update, and therefore, based on our scoping, will remove our unticked Profile and add our ticked Profile.
Run the item and allow it to complete, which will take 30 seconds or more as we have set it to do an Inventory Update. You should then notice the Dock close and re-open as the Profiles are changed.
Now open System Preferences (hint: if it’s still open, close and re-open it) and you will see the Erase All Content and Settings menu item, and the IT Tech can do the erase!
Of course, you may want to revert and hide the menu item. Achieving this is again really simple. All we need to do is create another Policy that deletes the Receipt we set with the touch command, does an Inventory Update and is added to Self Service. A simple rm of the pkg using the Execute Command field in a Files and Processes payload does it, and don’t forget to add a Maintenance payload to the Policy and tick the Update Inventory box.
This Policy, when run from Self Service, will move the Mac out of the Smart Group and therefore switch the Profiles back and hide the menu item.
Near the start of this article I referred to this as a “switch”: having both Policies is like an on/off switch. The one we use to write the Receipt is our On switch and the one to remove the Receipt is our Off switch. Bear in mind that the switch is nothing more than a file in the Jamf Receipts folder, so anyone with root on the Mac could create that file and run a recon themselves. Treat it as a convenience for your technicians rather than a hard control; the erase itself still asks for an administrator’s credentials.
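As an added example (not code from the original post), here is one script that covers both the On and Off Policies above and adds a local check of the result. It assumes it runs as root from a Jamf Policy script payload, where Jamf fills $1 to $3 itself and the action word (on, off or status) arrives as $4; that RECEIPTS_DIR may be overridden for testing and otherwise defaults to the Jamf Receipts folder used above; and that the Restrictions item lands in the managed preference key allowEraseContentAndSettings of the com.apple.applicationaccess domain, which the page itself never names.

```shell
#!/bin/sh
# Added example, not from the original post. Acts as the "on" Policy, the
# "off" Policy, or a local status check, depending on the action argument.
# Assumptions (not stated in the page):
#   - run as root by a Jamf Policy; Jamf supplies $1-$3, so the action is $4;
#   - RECEIPTS_DIR may be overridden (for testing); default is the real folder;
#   - the managed-preference key name allowEraseContentAndSettings is assumed.

RECEIPT_NAME="Restrictions_Allow_Erase_Reset.pkg"

# Full receipt path, resolved at call time so RECEIPTS_DIR can be changed.
receipt_path() {
    printf '%s/%s\n' "${RECEIPTS_DIR:-/Library/Application Support/JAMF/Receipts}" "$RECEIPT_NAME"
}

# Exit 0 when the receipt exists, i.e. the Smart Group would contain this Mac.
receipt_present() {
    [ -f "$(receipt_path)" ]
}

# "On" switch: create the receipt, the same effect as the touch in the post.
switch_on() {
    dir=$(dirname "$(receipt_path)")
    mkdir -p "$dir" || return 1
    : > "$(receipt_path)" || return 1
    chmod 644 "$(receipt_path)"
}

# "Off" switch: remove the receipt so the next recon drops the Mac from the group.
switch_off() {
    rm -f "$(receipt_path)"
}

# One-word state, handy for a log line or an Extension Attribute.
switch_state() {
    if receipt_present; then echo on; else echo off; fi
}

# Ask Jamf for an inventory update so the Smart Group and Profile scoping follow.
# This replaces the Maintenance payload when the switch is driven from a script.
update_inventory() {
    if [ -x /usr/local/bin/jamf ]; then
        /usr/local/bin/jamf recon
    else
        echo "jamf binary not found, skipping recon" >&2
    fi
}

# Check the Profile actually landed by reading the Restrictions key from the
# managed preferences domain (key name assumed). Prints 1, 0 or unknown.
menu_allowed_by_profile() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "/Library/Managed Preferences/com.apple.applicationaccess" \
            allowEraseContentAndSettings 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

main() {
    case "${1:-status}" in
        on)     switch_on  && update_inventory ;;
        off)    switch_off && update_inventory ;;
        status) echo "receipt: $(switch_state), profile allows menu: $(menu_allowed_by_profile)" ;;
        *)      echo "usage: $0 on|off|status" >&2; return 2 ;;
    esac
}

# Jamf passes the action as $4; accept $1 too for running by hand.
main "${4:-$1}"
```

Used this way, the On and Off Self Service items can share one script with the action set as script parameter 4, and the status action gives a technician a quick way to confirm that the Receipt is present and that the ticked Profile has actually replaced the unticked one before they try the erase.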
My guess is there are other ways to achieve this, but this is my preferred, tested solution.
Hope that helps.