Home > Mac administration, macOS > Disabling the Erase All Contents and Settings function on macOS Monterey

Disabling the Erase All Contents and Settings function on macOS Monterey

As part of macOS Monterey, Apple has introduced the Erase All Contents and Settings function to macOS for Apple Silicon Macs. In my Monterey testing, this setting was very useful because it enabled me to reset my Mac to a factory default condition without having to spend extra time wiping the drive and installing a fresh copy of macOS.

Screen Shot 2021 10 14 at 9 46 35 AM

However, having this functionality available may not desired in all environments. For Mac admins supporting these environments, Apple has provided a new profile management option, as part of the Restrictions payload, which disables the Erase All Contents and Settings functionality on Apple Silicon Macs.

Screen Shot 2021 10 14 at 10 14 39 AM

For more details, please see below the jump.

I’ve written a profile to disable Erase All Contents and Settings functionality which does the following:

1. Removes the Erase All Contents and Settings… menu option from the System Preferences option.

Screen Shot 2021 10 14 at 9 47 17 AM

2. Blocks the Erase Assistant app from running.

Note: When the profile is installed, the Erase Assistant app will show the following message:

Erase Assistant is not supported on this Mac.

Screen Shot 2021 10 14 at 9 56 16 AM

In order to apply this profile, there are some pre-requisites:

  • User Approved Mobile Device Management (UAMDM) must be enabled on the target Mac.
  • Profile must be installed by an MDM server.

Those pre-requisites also apply to deploying this profile, which is available via the link below:

https://github.com/rtrouton/profiles/tree/main/DisableEraseAllContentsAndSettings

When deployed, the profile should appear similar to this in System Preference’s Profiles preference pane.

Screen Shot 2021 10 14 at 9 49 29 AM

Categories: Mac administration, macOS
  1. damacguy
    October 25, 2021 at 11:12 pm

    When uploading this mobileconfig to Jamf… what Preference domain should be used? I’m guessing com.apple.systempreferences ?

    • ScottB
      November 4, 2021 at 6:10 pm

      Hi @damacguy – we are using ‘com.apple.applicationaccess’
      HTH

  2. November 4, 2021 at 8:14 am
    • ScottB
      November 4, 2021 at 6:46 pm

      I suppose it’s also possible to block this app: /System/Library/CoreServices/Erase\ Assistant.app/
      Wondering if that is a better way (using Jamf)?

  3. Larry towers
    November 7, 2021 at 11:28 pm

    Is I my default an admin only presence. Any way to limit to a group?

  4. November 10, 2021 at 2:30 pm

    Hey Rich! When you create these, do you use a tool, or do you just go raw text and randomly generate the ID strings on the fly, like with uuidgen or something like that?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: