Posted on 05-23-2025 10:14 AM
Hello Everyone,
Just wondering how you guys perform your Mac hardware refreshes currently?
We have FileVault enabled for all of our end users, but the difficulty we are facing right now is that when an offboarded employee returns their computer, we need to use the recovery key to get past the FileVault screen; otherwise there is no way to wipe the computer.
Another option we are exploring is to create a new local standard account that can be used to bypass the FileVault screen, but enabling FileVault for this account via JAMF Pro seems quite complicated to do.
Any insights would be greatly appreciated. Thank you.
Posted on 05-23-2025 10:23 AM
An option, if you have an "M" device (Apple Silicon), is to try using Apple Configurator. You can restore a device to factory settings with "Erase All Contents and Settings". Just plug a USB-C cable into the far back ports on two devices: one is running Apple Configurator, and the other is getting restored. A good app to get the device to be seen with Configurator is DFU Blaster by Twocanoes. If you have any trouble, reach back.
Posted on 05-23-2025 10:29 AM
Mr. Macintosh has a great write-up on using DFU to restore a Mac, and he has the IPSW files for Apple Silicon devices. As @Revolution mentioned, put the device in DFU, connect to another Mac with Apple Configurator 2 running, drop the IPSW file on the Mac that shows up in AC2, and within 5 to 8 minutes the device will be restored with a fresh macOS install.
Posted on 05-23-2025 10:38 AM
What I found works well is a wipe-and-restore policy in Jamf. When offboarding users, you can add their machine to the policy and let it take over. All they need to do is be logged in to let it start the process. Part of offboarding should also be making sure the device has had Find My disabled under their user account, especially if you're not otherwise using a managed Apple ID for their machine.
Posted on 05-23-2025 10:39 AM
@stevewood - Great resource Mr. Macintosh site!!
Another clean way of getting IPSWs (as well as app installers) using a GUI is Mist (macOS Installer Super Tool), in which you can choose which macOS version and build you want. Link for Mist.
Posted on 05-23-2025 10:41 AM
Thanks everyone, I'll definitely look into these alternative options you've provided for me.
Posted on 05-23-2025 10:45 AM
Adding this after seeing Apple Configurator responses, which are totally valid and helpful!
The next thing that comes to mind, assuming they're managed with JAMF, is to simply issue a wipe computer remote command. Or, you could boot into recovery mode and erase the Mac from there. You would not get any data off it, but I am basing this on your request to erase more easily.
In any event, Erase All Content and Settings is by far the fastest way to go. On our loaner devices (DEP), the first hidden Admin user (which also enables FV2) creates a local IT admin account (Also VolumeOwner/FV2 user) so we can quickly log in and select the "Erase all Content and Settings" from the reset menu in System Settings.
As always, this will depend on what type of Mac, what type of enrollment, and what type of ownership.
Posted on 05-23-2025 12:29 PM
For us, we just use the recovery partition if the user has powered off the device already and turned it in. We retain a copy of the data for a bit via our cloud backup solution, but for the system itself, I just boot to recovery, opt to erase the Mac when it asks for FV creds, then reinstall the OS (if it's an Intel system).
If the user hasn't powered down, then I like using the Jamf wipe commands, but it's fine either way. Configurator is a good option for M series devices that you also want to load up with the latest OS version.
Posted on 05-23-2025 01:35 PM
You could boot into recovery, open Disk Utility and erase the disk, then use Internet Recovery to reinstall the OS. This still accomplishes cryptographic erasure and does not need the recovery key.
Posted on 05-26-2025 01:22 AM
You don't need a recovery key to wipe the Mac; you can do it from Recovery HD. Select the Recovery Assistant menu and select Erase Mac.
Posted on 05-26-2025 04:53 AM
Use JAMF Pro to escrow and retrieve FileVault personal recovery keys for device unlocks.
Alternatively, create a local IT admin account and enable FileVault access using SecureToken scripting.
Avoid institutional keys unless absolutely necessary due to security concerns.
Escrowed PRKs or an IT admin account offer the most efficient hardware refresh workflow.
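Added example, not from any poster in this thread: a shell pre-check for the local IT admin account approach described above (an account holding a SecureToken and a FileVault unlock slot, so a returned Mac can be erased from that login without pulling the escrowed PRK). The account name itadmin and the sample output formats in the comments are assumptions; live input comes from `fdesetup list` and `sysadminctl -secureTokenStatus`.

```shell
#!/bin/bash
# Added example (not from the thread): before a returned Mac is wiped, check
# whether a local IT admin account can unlock the FileVault volume and run
# Erase All Content and Settings, or whether the escrowed PRK / Recovery
# erase path is needed instead. Account name "itadmin" is an assumption.

# Parse `fdesetup list` output (one "user,UUID" line per FileVault-enabled
# user) and succeed when the named account has an unlock slot.
fv_user_enabled() {
    local user="$1" fdesetup_list="$2"
    printf '%s\n' "$fdesetup_list" |
        awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Parse `sysadminctl -secureTokenStatus <user>` output, which logs a line
# like "Secure token is ENABLED for user itadmin" (or DISABLED).
secure_token_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks. Prints a verdict prefixed READY / TOKEN_ONLY /
# NO_TOKEN and returns 0 only when the account can be used for the erase.
erase_readiness() {
    local user="$1" fdesetup_list="$2" token_status="$3"
    if ! secure_token_enabled "$token_status"; then
        echo "NO_TOKEN: $user has no SecureToken; use the escrowed PRK or erase from Recovery"
        return 1
    fi
    if ! fv_user_enabled "$user" "$fdesetup_list"; then
        echo "TOKEN_ONLY: $user holds a SecureToken but no FileVault slot; add it with fdesetup add"
        return 1
    fi
    echo "READY: $user can unlock the volume and run Erase All Content and Settings"
    return 0
}

# Live use on macOS (fdesetup list needs root; sysadminctl logs to stderr).
# Skipped where the tools are absent so the functions can still be sourced.
if command -v fdesetup >/dev/null 2>&1 && command -v sysadminctl >/dev/null 2>&1; then
    erase_readiness itadmin "$(sudo fdesetup list)" \
        "$(sysadminctl -secureTokenStatus itadmin 2>&1)"
fi
```

Run it on the Mac before it goes back into the refresh pool; a NO_TOKEN or TOKEN_ONLY verdict means the admin login will not get past the FileVault screen and the Recovery or escrowed-PRK route applies.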