Understanding the new erase and install process in macOS Monterey

macOS Monterey, the successor to Big Sur, has been generally available since the end of October 2021. With the latest update emerging last month, getting it onto Apple hardware (particularly M1 kit) will be a priority for administrators who have not yet made the move – particularly since this release has an update to tickle the fancy of anyone responsible for managing a fleet of Macs, namely ‘Erase All Content and Settings’.

Sure, iOS and iPadOS have both had the ability to wipe content and settings without requiring a full reinstall for a while now. Macs, however, have not been so lucky. Stripping out all user data and apps from a Mac has usually required a time consuming reinstall of macOS. Not so with Monterey, so long as your Mac is running on Apple silicon or is Intel-based with a T2 chip.

Naturally, we would recommend the former, since the benefits to enterprises and users of M1 hardware are too numerous to mention. Erase All Content and Settings is simply another sweetener. And goodness, it is a tasty one.

From a user perspective, the process makes passing a Mac onto another user considerably simpler. Just choose Erase All Contents and Settings from the System Preferences menu and all settings, data and apps can be securely wiped. 

From an administrator’s perspective, this is a potential lifesaver when it comes to offboarding users as well as validating enrolment workflows. 

So how does it work? 

For starters, it no longer matters which Apple device you wish to wipe (be it iOS, iPadOS or macOS-based) a remote wipe command can be initiated through Mobile Device Management (MDM.) The device sends back an acknowledgement to the MDM platform and the wipe is performed. According to Apple, “wiping obliterates all the keys in effaceable storage and renders all user data cryptographically inaccessible.”

There are a few wrinkles with macOS. Sending an EraseDevice command to a Mac that does not support it will result in a fallback to the behaviour of macOS 11, which is ‘obliteration’ and requires a time-consuming reinstall of macOS before the hardware can be used.

Helpfully, there are some settings that can be used to govern this fallback behaviour via the ObliterationBehaviour key. Going for Default means the device will respond with an error status or no status and then attempt obliteration. ObliterateWithWarning will also attempt obliteration, except with an acknowledgement or warning status. DoNotObliterate will respond with an error and not attempt an obliteration.

However, with macOS Monterey and the appropriate hardware – ideally Apple silicon, or Intel-based with a T2 chip – the much more straightforward Erase All Content and Settings action is performed, all traces of the user are removed and the device rebooted back to the Setup Assistant, ready for setting up as a new device.

What to look out for

Other considerations for enabling remote wipe are a bootstrap token from an MDM. Otherwise things get a bit more complicated, with requirements for a start from the first partition (not an external volume) and the presence of a sealed system volume. If there is only an Apple T2 chip rather than full on Apple silicon, then there must not be an EFI Firmware Password set and the device must be in Full Security mode.

However, if you are reading this, then a bootstrap from an MDM is unlikely to hold much fear. Particularly if you are making the move to Apple silicon.

Overall, of all the many useful features of macOS Monterey, this is the most time-saving, be it for administrators trying out upgrades and patches prior to roll-out (making life easier for end users) or remotely preparing a Mac for another user. One more reason to get that Apple silicon kit rolling out to users.

Oh, and one more thing. Do not forget to pop allowEraseContentAndSettings into your MDM payload and set it to False. One would not want one’s macOS users stumbling over the menu item and inadvertently testing your organisation’s recovery strategy.

Although we have got your back there too.