"This account cannot be used to perform the installation" - M1 + Standard user + Jamf self service

[romnation1]

Trying to use erase-install via jamf self service on and M1 mac with STANDARD user privileges. Upon clicking it in self service I get a popup with "This account cannot be used to perform the installation" Here is the log from erase-install.

Result of command:
[erase-install] v25.0 script execution started: Wed Feb 2 18:50:51 EST 2022
[erase-install] Caffeinating this script (pid=4908)
[check_free_space] OK - 435 GB free/purgeable disk space detected
[erase-install] Looking for existing installer app or pkg
[find_existing_installer] No valid installer found.
Unable to find the user record
[get_user_details] usersaccountnamehere account cannot be found!
button returned:OK
[erase-install] 'caffeinate' ended
/Library/Management/erase-install/erase-install.sh: line 945: 4920 Terminated: 15 /usr/bin/caffeinate -dimsu -w $pid

[warmsoda]

This has to do with Secure Tokens and Bootstrap Tokens on M1 computers. A Secure Token user (or Volume Owner) is required to use the startosinstall command.

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web
"In macOS 11 or later, the bootstrap token may also be used for more than just granting secure token to user accounts. On a Mac computer with Apple silicon, the bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM"

Also, look into JAMF escrowing the bootstrap token. https://docs.jamf.com/technical-articles/Manually_Leveraging_Apples_Bootstrap_Token_Functionality.html

What I do is make two Extension Attributes that check if the user has a Secure Token and if the Bootstrap Token is Escrowed in JAMF.

There's a flowchart here that I think would also be helpful - https://travellingtechguy.blog/filevault-securetoken-and-bootstrap-in-macos-11-0-1-big-sur/