--eraseinstall and DEP PreStage Enrollments not compatible??

wds
New Contributor II

I have an iMac lab, all the machines of which were purchased through DEP. They were prepped before we had Jamf, and we're now getting around to wiping them and taking advantage of PreStage Enrollment. I used startosinstall and --eraseinstall to wipe these, and it worked great. Additionally, all the machines have been PreStaged.

However, to my horror, I'm finding that PreStage Enrollments do not appear to be possible with my method of --eraseinstall. I know this because I've clicked through a number of them without seeing my beloved "Remote Management" step. Then I booted one into Recovery, wiped it manually, and—voilà—there's the "Remote Management" step.

Any ideas on why --eraseinstall wouldn't erase a partition thoroughly enough to allow a PreStage Enrollment to occur? Below is the exact command used. The only thing I can think of is that I used a USB installer instead of an /Applications installer, but I'm not sure how that would initiate a less complete erase.

"/Volumes/Install macOS Mojave/Install macOS Mojave.app/Contents/Resources/startosinstall"
--eraseinstall --newvolumename "Macintosh HD" --agreetolicense

16 REPLIES

mconners
Valued Contributor

Hello @wds do you know if your volumes are HFS+ or APFS? The steps you mentioned, I also do, but I had to make sure all the computers were formatted as APFS. I did that last summer as part of our move to High Sierra. Moving to Mojave was a breeze after that.

wds
New Contributor II

@mconners Good question. Unfortunately, I've manually re-erased and restored all of them, and I neglected to check the file system on any of them before doing so. The file system was whatever startosinstall installed by default. I believe before the initial erase, they were running APFS High Sierra. (These are SSDs, if that makes any difference.)

Seems like --eraseinstall would do APFS by default on SSDs.

mconners
Valued Contributor

@wds your command might be a bit off. The erase install is used in a context such as:

OSInstaller/Contents/Resources/startosinstall" --eraseinstall --agreetolicense --nointeraction

I see you called it starttoinstall but it should be startosinstall.

marklamont
Contributor III

this is pretty good and easy to use and tweak. works a treat for me.

wds
New Contributor II

@mconners Thanks for pointing that out. That was just a typo here in the thread. The command itself was input correctly. Again, the issue is not that the command didn't work. Quite the contrary—it was easy and worked as expected. The only hurdle has been that DEP doesn't talk to these machines after they've been erased and restored via startosinstall/--eraseinstall, and that seems like a big flaw with DEP (assuming I'm not doing something wrong, of course).

mconners
Valued Contributor

Hello @wds I can reassure you that the DEP and prestage enrollment process works great. We have been doing this over a year and with our hundreds of Macs being wiped and reset in the method you are attempting to do, it works. In fact, several colleagues of mine were surprised at how smoothly things have gone this summer. I'm waiting for faculty and students to return to verify all is well, but our summer classes were here and everything seems to be working. We did nearly 800 Macs in a matter of two weeks with me a student helper periodically.

With all that being said, I suspect you have already scoped in the prestage enrollment section. Also, are the computers assigned in the DEP management settings?

The other thing I followed for our workflow was this. I modified it so I can use it whenever needed. Whether from Jamf Remote or a policy where we recover the OS overnight and the next morning, we simply click through those first three windows to get the computer re-enrolled again.

marcusbjerknes
New Contributor II

@mconners I'm keen to know when and how the computer does the reregistration, after it being eraseinstalled. Normally it is done when running the setup assistant, but that is not doable in a computer lab environment where we want everything done automatically. So, can you elaborate?

Look
Valued Contributor III

Like @mconners said, I too can assure that when set up properly DEP and prestage work after --eraseinstall.
However there is no simple way to remove the Setup assistant part of the process as DEP does not start without it.
There are a few people working on various methods, as you can specify an after OS install pkg to be deployed, but personally we found it simply not worth it as the devices need to be visited once or twice anyway just to confirm things are as expected.

larry_barrett
Valued Contributor

Question: Are you erasing the record in JAMF during the eraseinstall process?

thebrucecarter
Contributor II

We did this over the summer and did not have an issue. We did a two-stage upgrade, because most of the labs were still on Sierra (not even High Sierra, just Sierra). Stage 1 upgraded them in place to Mojave so that we would have the --eraseinstall feature, and stage 2 did a nuke and pave to get them into DEP registered status.

The only time I saw a system bypass the Remote Management screen was when one got left out of Apple School Manager via a typo in the serial number.

Sorry that's not of more help...

mconners
Valued Contributor

@marcusbjerknes and @Look in our workflow, we simply provide the correct name and all is tied together. We don't erase anything from the JSS until the computer is officially retired and recycled.

The computers will re-register or re-enroll when the acceptance of the remote management screen is clicked through. We have scripts to name the computer after re-enrolling. If you would like more details, I would be happy to share a couple of my documents with you. My email is mconners@madisoncollege.edu.

I have one document that provides an overview of the process and another with much greater detail on each script, policy and smart group we use.

Look
Valued Contributor III

@mconners We had a similar setup.
The devices enroll automatically using DEP during Setup Assistant, after enrollment they automatically renamed themselves from an asset database, this puts them into a variety of smart groups for room specific deployments.
Yes you still have to click through the start of Setup Assistant, but it was fast and accurate and wiping a machine meant it just came back exactly how it was meant to be in fairly short order.
Well worth the time and effort to get sorted!

thebrucecarter
Contributor II

We do essentially what @Look just described, using ServiceNow as the authoritative source. We had to write a few shim scripts using both APIs, but it works pretty well.

mconners
Valued Contributor

@Look you used the phrase, "had." Are you doing something different now? I am curious what your process changed to. I have spent nearly 2 years getting our workflow set up this way and it has been a wonderful change from where we were once. I am waiting for the time when something changes on Apple's or Jamf's end causing me to make massive adjustments.

talkingmoose
Moderator

DEP enrollment and using the --eraseinstall option with the startosinstall command should be completely unrelated.

If the management screen isn't appearing during enrollment, then your Mac is not accessing Apple or the PreStage Enrollment you've stored with Apple after saving in Jamf Pro doesn't think your Mac is scoped. Remember that you should wait about 10 minutes after making a change to your PreStage Enrollment in Jamf Pro to allow time for it to sync with Apple.

If there's no issue with the PreStage syncing with Apple then test connectivity during the Setup Assistant. When you see the second or third screen of the Setup Assistant, press Control Option Command + t and wait a few seconds. This should open the Terminal app.

Test connectivity to Apple using /usr/bin/nc -z courier.push.apple.com 443. You want to see a response that looks like Connection to courier.push.apple.com port 443 [tcp/*] succeeded!. If that works, proceed with enrollment and see what happens.
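An added example, not part of the thread or of any poster's workflow: the triage described in the reply above as a small shell script. It repeats the `nc` check for each host and separates a network problem from a PreStage scope or sync problem. `courier.push.apple.com` comes from the thread; `deviceenrollment.apple.com` and `iprofiles.apple.com` are assumptions taken from Apple's published enterprise network host list, and the function names and the `PROBE` variable are hypothetical.

```shell
#!/bin/sh
# Added example: triage for a missing "Remote Management" screen.
# PROBE is the command used to test host:port. It defaults to the nc check
# quoted in the thread (with a 5 s timeout) and can be overridden so the
# logic can be exercised offline.
PROBE=${PROBE:-"/usr/bin/nc -z -w 5"}

# courier.push.apple.com is from the thread; the other two hosts are
# assumptions (Apple's enterprise network requirements list them for
# Device Enrollment).
HOSTS="courier.push.apple.com deviceenrollment.apple.com iprofiles.apple.com"

# probe_host HOST -> exit status 0 when TCP 443 on HOST is reachable
probe_host() {
    $PROBE "$1" 443 >/dev/null 2>&1
}

# unreachable_hosts -> prints a space-separated list of hosts that failed
unreachable_hosts() {
    failed=""
    for h in $HOSTS; do
        probe_host "$h" || failed="${failed:+$failed }$h"
    done
    printf '%s' "$failed"
}

# triage -> prints a one-line verdict; returns 1 on a network failure
triage() {
    failed=$(unreachable_hosts)
    if [ -n "$failed" ]; then
        printf 'NETWORK: cannot reach %s on port 443\n' "$failed"
        return 1
    fi
    # Network is fine, so the cause is on the assignment side: PreStage
    # scope, the sync delay after saving, or the serial number on record.
    # "profiles show -type enrollment" (as root) prints what Apple returns.
    printf 'SCOPE: network OK; check PreStage scope, sync and serial number\n'
    return 0
}

# Probe the real hosts only when asked to: sh triage.sh run
if [ "${1:-}" = "run" ]; then
    triage
fi
```

A `NETWORK` verdict points at filtering or proxying between the lab and Apple. A `SCOPE` verdict matches the cases described in the thread: a Mac missing from the PreStage scope, a PreStage change that has not synced yet, or a serial number entered incorrectly.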

Look
Valued Contributor III

@mconners Sorry for the late reply, the "had" was in a personal context, it was in my previous work place (who I am now contracting back to). The system is still currently like that and it works very well, I can't see it being changed until as you say Apple change something.
I hit every Apple rep I meet anywhere with the "please make DEP for macOS start automatically like it does in TVOS" stick..