Home > Mac administration, macOS > Disabling the Erase All Contents and Settings function on macOS Monterey

Disabling the Erase All Contents and Settings function on macOS Monterey

October 25, 2021 Leave a comment Go to comments

As part of macOS Monterey, Apple has introduced the Erase All Contents and Settings function to macOS for Apple Silicon Macs. In my Monterey testing, this setting was very useful because it enabled me to reset my Mac to a factory default condition without having to spend extra time wiping the drive and installing a fresh copy of macOS.

Screen Shot 2021 10 14 at 9 46 35 AM

However, having this functionality available may not desired in all environments. For Mac admins supporting these environments, Apple has provided a new profile management option, as part of the Restrictions payload, which disables the Erase All Contents and Settings functionality on Apple Silicon Macs.

Screen Shot 2021 10 14 at 10 14 39 AM

For more details, please see below the jump.

I’ve written a profile to disable Erase All Contents and Settings functionality which does the following:

1. Removes the Erase All Contents and Settings… menu option from the System Preferences option.

Screen Shot 2021 10 14 at 9 47 17 AM

2. Blocks the Erase Assistant app from running.

Note: When the profile is installed, the Erase Assistant app will show the following message:

Erase Assistant is not supported on this Mac.

Screen Shot 2021 10 14 at 9 56 16 AM

In order to apply this profile, there are some pre-requisites:

  • User Approved Mobile Device Management (UAMDM) must be enabled on the target Mac.
  • Profile must be installed by an MDM server.

Those pre-requisites also apply to deploying this profile, which is available via the link below:

https://github.com/rtrouton/profiles/tree/main/DisableEraseAllContentsAndSettings

When deployed, the profile should appear similar to this in System Preference’s Profiles preference pane.

Screen Shot 2021 10 14 at 9 49 29 AM

Categories: Mac administration, macOS
  1. damacguy
    October 25, 2021 at 11:12 pm
    Reply

    When uploading this mobileconfig to Jamf… what Preference domain should be used? I’m guessing com.apple.systempreferences ?

    • ScottB
      November 4, 2021 at 6:10 pm
      Reply

      Hi @damacguy – we are using ‘com.apple.applicationaccess’
      HTH

  2. NIcole
    October 26, 2021 at 4:52 pm
    Reply

    It’s not only available for Silicon Devices but also for Apple T2 Security Chip https://support.apple.com/en-us/HT212749

  3. Michael Rieder
    November 4, 2021 at 8:14 am
    Reply
    • ScottB
      November 4, 2021 at 6:46 pm
      Reply

      I suppose it’s also possible to block this app: /System/Library/CoreServices/Erase\ Assistant.app/
      Wondering if that is a better way (using Jamf)?

  4. Larry towers
    November 7, 2021 at 11:28 pm
    Reply

    Is I my default an admin only presence. Any way to limit to a group?

  5. Bruce Carter
    November 10, 2021 at 2:30 pm
    Reply

    Hey Rich! When you create these, do you use a tool, or do you just go raw text and randomly generate the ID strings on the fly, like with uuidgen or something like that?

  6. steven
    December 16, 2022 at 11:58 pm
    Reply

    So how do you remove this when you’re ready to use the erase assistant?

  1. No trackbacks yet.

Leave a comment