Single Click MacOS Reimaging

With MacOS 10.13.4 came the addition of the --eraseinstall flag for the MacOS installer. Note that the following guide only pertains to machines on MacOS 10.13.4 or newer.

This flag allows us to mimic the “Erase All Content and Settings” option from iOS, saving us from having to reimage via Internet Recovery, a boot image, target disk mode, etc.

The first thing we need to do is ensure that all machines have the full MacOS High Sierra installer cached, so let’s download it and package it for JSS.

Launch the App Store and download the MacOS High Sierra installer. (Be sure to do this from a machine running 10.13.4 or above.)

Note: I’ve noticed that in environments with internal update servers, the default behavior is to download a partial web installer. We definitely want the full installer, so a workaround would be to clear your software catalog URL to Apple’s defaults:

softwareupdate --clear-catalog

Once you have Install macOS High Sierra downloaded, create a package that places the .app in a folder of your choice. (Please take note of where this is.) Some folks prefer putting it in a hidden directory to prevent users from running it.

In JAMF, create a policy called “Cache 10.13.4” to deploy this package, and scope it to a smart group of Managed Clients where Operating System Version is 10.13.4 or 10.13.5.

Set the trigger to “Recurring Check-In” and the execution frequency to “Once per computer”.

Create another Smart Group called “Install MacOS High Sierra Cached” with the following criteria:

Application Title is Install macOS High Sierra.app AND (Application Version like 13.4 OR Application Version like 13.5)

Finally, create a Policy scoped to this Smart Group called something like “Erase and Install MacOS High Sierra”.

Leave the Trigger blank and set Execution Frequency to Ongoing. Make the policy available in Self Service.

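For the payload, under Files and Processes, add the following Execute Command (adjust the path if your package places the installer somewhere other than /Applications):

/Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/startosinstall --eraseinstall --newvolumename "Macintosh HD" --agreetolicense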

This will run the install with the --eraseinstall flag.
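A pre-flight wrapper the policy could run instead of calling the installer directly, so the erase starts only on 10.13.4 or newer and only when the full installer is actually cached. This is an added example, not the author's script; the /Applications location and the --run argument are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks before an erase-and-install.
# INSTALLER is an assumption; point it at the folder your cache package uses.
INSTALLER="${INSTALLER:-/Applications/Install macOS High Sierra.app}"
STARTOSINSTALL="$INSTALLER/Contents/Resources/startosinstall"
MIN_OS="10.13.4"   # first release with --eraseinstall, per the guide

# version_ge A B: succeeds when dotted version A >= B, comparing each field
# numerically (so 10.9 < 10.13) and treating missing fields as 0.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# preflight OS_VERSION: prints "ok", or the reason the erase must not start.
preflight() {
    if ! version_ge "$1" "$MIN_OS"; then
        echo "macOS $1 is older than $MIN_OS, so --eraseinstall is unavailable"
        return 1
    fi
    if [ ! -x "$STARTOSINSTALL" ]; then
        echo "full installer is not cached at $INSTALLER"
        return 1
    fi
    echo "ok"
}

main() {
    if ! reason=$(preflight "$(sw_vers -productVersion)"); then
        echo "Refusing to erase: $reason" >&2
        exit 1
    fi
    exec "$STARTOSINSTALL" --eraseinstall --newvolumename "Macintosh HD" --agreetolicense
}

# Runs only when invoked with --run (hypothetical argument), so sourcing or
# testing this file never starts a wipe.
if [ "${1:-}" = "--run" ]; then main; fi
```

A non-zero exit shows up as a failed policy run in the JSS logs, with the refusal reason on stderr.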

You may want to add my unenrollment script to run before the reimage; it runs from the client and unenrolls the machine from JSS when you launch the policy. Link to script.

It may also be useful to add a script to remove the machine from Active Directory, if applicable.