
Valdaquendë

macrumors regular
Original poster
Nov 7, 2018
113
47
Oregon, USA
I have a 2019 iMac I purchased at a surplus property sale at a local academic institution (if you are looking for a good used Mac at a very reasonable price, surplus property sales at your local university, college or community college can be an excellent place to find one).

I got it back to my workbench, reset the PRAM and proceeded to reformat its SSD and do a clean install of Ventura (the max MacOS for this model, which had been on it when I bought it). When the MacOS Install utility ran, it installed, asked me for language and input defaults, whether I wanted to send app data to Apple, etc.

Then, seemingly out of nowhere, it installed a remote management program linked to the university's IT resource management server and began connecting to the server. Obviously not desirable in this situation. I aborted, erased the SSD again, reinstalled and managed to bypass installation (perhaps) and set up of the remote management tool by performing the install without connecting to the internet. I connected to the internet after the install and saw no sign of a remote access install.

I would guess that the university must have modified the Base System volume to automatically install this management tool upon OS install, since all other volumes on the SSD had been erased. If so, it may still be there, waiting for the next OS reinstall to set itself up and connect. The first logical alternative that occurs to me is to delete the "MacOS Base System" volume; again, it seems the only place where this utility could have been installed and set up to run.

Look as I might, however, I can find no way to remove this volume; attempts to do so result in a "volume in use" message. Is there a way to reformat the entire SSD, including the Base System? A subsequent reinstall, on a completely-erased volume, should then create a new Base System volume.

Thanks for reading and considering this question; any thoughts you have will be appreciated and carefully considered.
 

Bigwaff

Contributor
Sep 20, 2013
1,897
1,257
The "Base System" is the Sealed System Volume (SSV) of macOS operating system files. This volume is cryptographically "sealed" so no system files can be modified or deleted. You can't access this volume. The SSV is a security measure and is a normal part of installing macOS.

Your iMac is attempting to retrieve a system profile from the university's MDM (Mobile Device Management) server. You need to reach out to the university and have them remove your iMac from their MDM solution.
 

DeltaMac

macrumors G5
Jul 30, 2003
13,477
4,410
Delaware
You can't remove a volume that you are booted from.
The volume called "Base System" is the system that you are booted from when booted to the installer.
Or, Base System is the system that you are booted to when booting to Internet Recovery.
Internet Recovery is a remote server boot from Apple.
You can't erase the installer system while you are booted to the installer.
The drive named "Base System" is not a drive that you can do anything with, except boot to it. You have no control over THAT system, AFAIK.
How to do the full wipe of the SSD? Make sure that you choose "Show All Devices" from the View menu in Disk Utility.
Then, choose the top item in the list of drives. That should show you the model identification for the internal drive.
Erase THAT device, which should clear everything on the internal drive.
Name the volume something that you like. Use THAT new volume as the destination for your system install.

If the "remote management" immediately takes over your system after doing the best erase that you can do, then you can assume that the university has added a profile, and it is installed (embedded) in the firmware of your iMac (and they forgot to delete it before the sale). That will NOT be removed, even if you replace the internal drive (both internal drives if your iMac has a Fusion drive). You cannot remove a firmware-embedded profile, unless you have both the software that was used to install that profile, AND the authentication (like account name and password) info. You will need to contact the university IT department. MAYBE they can help you by removing their profile... Good luck on that...
 

gilby101

macrumors 68030
Mar 17, 2010
2,505
1,351
Tasmania
If the "remote management" immediately takes over your system after doing the best erase that you can do, then you can assume that the university has added a profile, and it is installed (embedded) in the firmware of your iMac (and, they forgot to delete it before the sale) That will NOT be removed, even if you replace the internal drive (both internal drives if your iMac has a Fusion drive)
My understanding is that it is/maybe a network connection which retrieves any MDM enrolment.

Then, seemingly out of nowhere, it installed a remote management program linked to the university's IT resource management server and began connecting to the server.
There is a 23 step solution here: https://www.reddit.com/r/mac/comments/pi9beh for Sonoma. Should be a little bit easier with Ventura.

Better to follow @Bigwaff's advice and talk to the institution's IT.

if you are looking for a good used Mac at a very reasonable price, surplus property sales at your local university, college or community college can be an excellent place to find one
Or not, if it has not been removed from their MDM solution.
 

Valdaquendë

macrumors regular
Original poster
Nov 7, 2018
113
47
Oregon, USA
Thanks to all of you.

Thanks for the cogent explanation of the SSV, Bigwaff. (By the way, if "Waff" stands for waffle, I am a kindred spirit and a proud member of the National Waffle Association.)

DeltaMac, I had been installing from a USB boot volume, thinking that that would allow me to do a full erase of the SSD; it did but, as you pointed out, the problem lay elsewhere. I wondered how they had gotten the remote management tool to auto-launch during install; I thought they must have altered the Base System. I didn't imagine that they would have modified the firmware, though it should probably have occurred to me.

Contacting the university is a good idea and one I will follow up on today.

gilby101, I read the reddit post thoroughly. In it, numerous contributors state that an internet connection is mandatory when installing Ventura; I did not find this to be the case. I was able to bypass the MDM connection by not connecting to the internet during install.
This ONLY worked if the system was disconnected from the network when booting to the installer; in this case the enrollment dialog was not presented and, after the install completed and the system was connected, I was not presented with any subsequent notifications, over the next few days, asking me to connect or login to the MDM.
If, on the other hand, the system WAS connected to the network at boot and then manually disconnected during the install (as is done during Windows installs to defeat the "connect to MS account" requirement), it did present the enrollment dialog and demanded an internet connection in order to proceed.

If my grasp of this is correct, having the university remove the system from their MDM system will stop the enrollment from taking place during install but will leave the firmware modified and attempting to do so during any reinstall. Unfortunately, the only solution I can see for that would be to disassemble the iMac, download its firmware, have tsialex rebuild it and flash the system's SPI with the corrected firmware, which would hardly be worth the effort.

Again, thanks to you all; I appreciate your advice and insight.
 

gilby101

macrumors 68030
Mar 17, 2010
2,505
1,351
Tasmania
If my grasp of this is correct, having the university remove the system from their MDM system will stop the enrollment from taking place during install but will leave the firmware modified and attempting to do so during any reinstall.
I am not convinced that MDM systems modify firmware.
 

chrfr

macrumors G5
Jul 11, 2009
13,523
7,047
Contacting the university is a good idea and one I will follow up on today.
If my grasp of this is correct, having the university remove the system from their MDM system will stop the enrollment from taking place during install but will leave the firmware modified and attempting to do so during any reinstall. Unfortunately, the only solution I can see for that would be to disassemble the iMac, download its firmware, have tsialex rebuild it and flash the system's SPI with the corrected firmware, which would hardly be worth the effort.

Again, thanks to you all; I appreciate your advice and insight.
MDM enrollment does not change the firmware on the computer; there is nothing you can do to prevent the computer from enrolling into the management system as this comes from Apple’s servers when the computer is connected to the internet. What you need to do is to contact the university and ask them to remove the computer from their management systems. They will need the serial number for this, and they should have no objection to doing so if the computer was sold by them. In fact, it’s part of the terms of Apple School Manager (the back end tool to manage these computers) that they be removed before selling them but sometimes computers get missed.
The computer will eventually prompt to enroll so you should definitely contact the university soon- macOS Sonoma, in particular, is especially aggressive about this. Once the computer’s been removed from School Manager, it cannot be re-added by Apple or the university so once this is done the computer will never prompt you for MDM enrollment again.
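
As an added example (not part of any poster's reply, and not Apple's or the university's tooling): a shell check that tells the thread's situation apart, where an offline install looks unmanaged locally while the serial is still assigned in Apple School Manager. It assumes macOS's `profiles status -type enrollment` and `profiles show -type enrollment` commands; the sample outputs are constructed, and the matched field names (`MDM enrollment`, `Enrolled via DEP`, `ConfigurationURL`) are assumptions to confirm on the macOS version in use.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM state from the text printed by
#   profiles status -type enrollment      (local enrollment state)
#   sudo profiles show -type enrollment   (activation record fetched from Apple)
# Field names matched below are assumptions about that output.

# Value of field $2 in status text $1, e.g. "MDM enrollment" -> "No"
status_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# True when the `show` text $1 contains an activation record for this serial
has_activation_record() {
    printf '%s\n' "$1" | grep -q 'ConfigurationURL'
}

# $1 = status text, $2 = show text; prints one verdict word
assess() {
    mdm=$(status_field "$1" "MDM enrollment")
    dep=$(status_field "$1" "Enrolled via DEP")
    case "$mdm" in
        Yes*) case "$dep" in
                  Yes*) echo "enrolled-automated" ;;
                  *)    echo "enrolled-manual" ;;
              esac ;;
        No*)  if has_activation_record "$2"; then
                  echo "assigned-not-enrolled"   # prompt will return once online
              else
                  echo "released"
              fi ;;
        *)    echo "unknown" ;;
    esac
}

# Constructed sample outputs (not captured from a real machine)
STATUS_OFFLINE_INSTALL='Enrolled via DEP: No
MDM enrollment: No'
SHOW_STILL_ASSIGNED='Device Enrollment configuration:
{
    ConfigurationURL = "https://mdm.example.edu/enroll";
    IsMandatory = 1;
}'
SHOW_RELEASED='Error fetching Device Enrollment configuration: Client is not DEP enabled.'

echo "sample, before release: $(assess "$STATUS_OFFLINE_INSTALL" "$SHOW_STILL_ASSIGNED")"
echo "sample, after release:  $(assess "$STATUS_OFFLINE_INSTALL" "$SHOW_RELEASED")"

# On a real Mac (run as root so `show` can query), classify the live state
if command -v profiles >/dev/null 2>&1; then
    echo "this Mac: $(assess "$(profiles status -type enrollment 2>&1)" \
                             "$(profiles show -type enrollment 2>&1)")"
fi
```

A verdict of `assigned-not-enrolled` matches the state described after the offline install: nothing is enrolled locally, but the institution still needs to release the serial number.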
 

Valdaquendë

macrumors regular
Original poster
Nov 7, 2018
113
47
Oregon, USA
Thanks, chrfr, that clarifies things completely. I emailed the university this morning, citing the sale inventory number and the serial number (thinking that would be necessary on their end) but have not yet heard back.

Again, thanks; I'm glad to understand what was going on there and how it worked. I thought it odd that the firmware or the Base System would have been modified but I could think of no other explanation. Apple code, built into the installer, explains it perfectly.
 