Learn more about the Erase Device command and its expected behavior
- How to Erase a Mac
- How to Erase an iPhone or iPad
- Command Behavior for macOS
- Command Behavior for iOS and iPadOS
- Command Behavior for tvOS
- Erase Device Considerations
Erase Device
You can use the Erase Device command on macOS, iOS, iPadOS, and tvOS. This command does not require supervision.
A locked device cannot receive an Erase Device MDM command. For more information on locking a device, see our Lock a Device support article.
How to Erase a Mac
- Navigate to the Device Record.
- Open the Device Action Menu.
- Select Erase Device.
- Type ERASE to erase the device.
- Click the Erase Device button.
How to Erase an iPhone or iPad
- Navigate to the Device Record.
- Open the Device Action Menu.
- Select Erase Device.
- Select whether you want to use Return to Service, and provide a valid Wi-Fi profile if so.
- Type ERASE
- Click Erase Device.
Command Behavior for macOS
Depending on the macOS version and hardware support, one of two actions will occur for macOS devices. The behavior is specific to each combination of hardware and macOS version; these combinations are outlined below.
- The device will have all data obliterated (obliteration behavior) and locked with an EFI/Find My PIN code.
- If on supported hardware and a supported macOS version, the device will perform an Erase All Content and Settings (EACS). If an EACS fails, the device will revert to obliteration behavior.
- A 6-digit PIN will automatically be generated and will be available on the device record once the device receives the command.
Mac computers with Apple silicon running a version earlier than macOS 12.
- The device will be erased (obliteration behavior), but a PIN will not be set.
Erase device PINs are not supported on Mac computers with Apple silicon.
Mac computers with Apple silicon or Intel and T2 running macOS 12 or later.
- The device will perform an Erase All Content and Settings once the command is received.
- If EACS fails, the device will fall back to obliteration behavior, and macOS must be reinstalled.
Mac computers with Intel and T1 or Intel and no security chip running macOS 12 or later.
- The device will be erased (obliteration behavior) and locked with a randomly generated PIN once the command is received.
Mac computers with Intel (T1/No security chip) running a version earlier than macOS 12.
- The device will be erased (obliteration behavior) and locked with a randomly generated PIN once the command is received.
Command Behavior for iOS and iPadOS
iOS and iPadOS devices will initiate an Erase All Content and Settings. The device will restart and will present the Setup Assistant. It is important to note that this is not a full system restore, and the device will not be updated to the latest version.
- When you use the Kandji web app to send the Erase Device command, the command automatically preserves any pre-existing eSIM-based cellular plans on iPhone or iPad devices with eSIM functionality.
- When you use the Kandji API to send the Erase Device command, you can remove any pre-existing eSIM-based cellular plans on a device with eSIM functionality. To do so, set the PreserveDataPlan key to false. See this documentation.
iOS and iPadOS 17 introduce a new feature called Return to Service. When erasing a device running these OS versions, the confirmation dialog shows a "Use Return to Service" option that can be selected.
When this option is selected, the device proceeds all the way through Setup Assistant to the home screen without any user intervention. The device automatically joins a Wi-Fi network configured from your selected Library Item after erasure and automatically re-enrolls into Kandji. For devices using a tethered Ethernet connection, such as kiosks, you can use Return to Service without selecting a Library Item at all. The dialog allows selecting any Wi-Fi Library Item or a Custom Profile Library Item containing a Wi-Fi configuration; be sure to select a Library Item that will properly configure the device to be able to rejoin a network after erasure, or "None" only if Ethernet is available. Otherwise, the device will require manual intervention to re-enroll. For more details, see the Apple WWDC 2023 video, "What's new in managing Apple devices".
Return to Service Considerations
- Because the device is activated before Remote Management takes action, an Activation Locked iPhone or iPad must have that lock removed before you issue a Return to Service (RtS) command. Removing the lock requires manual intervention, which can delay Return to Service actions.
- When erasing a device that has User-based Activation Lock enabled, the device will prompt for the Apple ID credentials when next attempting to activate. If this is a supervised device, you will be able to use an Activation Lock bypass code to progress through this prompt.
- Devices that are erased from Kandji will not automatically reinstall apps previously installed by Self Service. If a user erases their own device using the Settings app, apps previously installed by Self Service will be automatically reinstalled once the device re-enrolls into Kandji.
- A Library Item that configures an EAP-TLS 802.1X network with a SCEP client identity should not be selected.
- Return to Service will not work when using an Automated Device Enrollment Library Item that requires authentication.
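A pre-flight check for the Return to Service conditions above, as an added example (not Kandji code). The function names and blocker labels are hypothetical; the payload keys are Apple's configuration profile keys, and the sample profile is constructed.

```python
WIFI, SCEP, EAP_TLS = "com.apple.wifi.managed", "com.apple.security.scep", 13

# Constructed sample: PayloadContent of a Custom Profile as plistlib.load() returns it.
SCEP_WIFI_PROFILE = [
    {"PayloadType": SCEP, "PayloadUUID": "11111111-AAAA"},
    {"PayloadType": WIFI, "SSID_STR": "Corp", "EncryptionType": "WPA2",
     "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS]},
     "PayloadCertificateUUID": "11111111-AAAA"},
]

def wifi_uses_scep_eap_tls(payloads):
    """True if a Wi-Fi payload accepts EAP-TLS and its identity is a SCEP payload."""
    scep_ids = {p["PayloadUUID"] for p in payloads
                if p.get("PayloadType") == SCEP and "PayloadUUID" in p}
    for p in payloads:
        if p.get("PayloadType") != WIFI:
            continue
        eap_types = p.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", [])
        cert = p.get("PayloadCertificateUUID")
        if EAP_TLS in eap_types and cert and cert in scep_ids:
            return True
    return False

def rts_blockers(os_major, activation_locked, ade_requires_auth, ethernet, payloads):
    """Return the reasons Return to Service would stall and need manual intervention.

    payloads is None when "None" is chosen in the dialog.
    """
    blockers = []
    if os_major < 17:                      # Return to Service arrived in iOS/iPadOS 17
        blockers.append("os-below-17")
    if activation_locked:                  # lock must be removed before the command
        blockers.append("activation-lock")
    if ade_requires_auth:                  # ADE Library Item that requires authentication
        blockers.append("ade-requires-auth")
    has_wifi = any(p.get("PayloadType") == WIFI for p in payloads or [])
    if not has_wifi and not ethernet:      # nothing to rejoin a network with
        blockers.append("no-network-after-erase")
    elif has_wifi and wifi_uses_scep_eap_tls(payloads):
        blockers.append("eap-tls-scep-wifi")
    return blockers
```

An empty list means none of the conditions listed in this article applies to the device and the selected Library Item.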
Command Behavior for tvOS
For tvOS, the device will initiate a Reset. The device will reboot and will present the Setup Assistant. It is important to note that this is not a full system restore, and the device will not be updated to the latest version.
Other Considerations
- For Mac computers that support Erase All Content and Settings (EACS), it is recommended to send the Erase Device command from Kandji rather than using the Erase Assistant locally on the device. Doing so ensures you don't need to know a local user's password, will skip unnecessary Apple ID sign-outs, and properly prepares a Mac to re-enroll using Auto Advance.
- For Mac computers that support Erase All Content and Settings (EACS), the erase command will fail if there is no bootstrap token escrowed.
- In macOS Monterey, Intel-based Mac computers with the Apple T2 Security Chip will perform an Erase All Content and Settings (EACS) when receiving an Erase Device command from Kandji. If a legacy firmware password is still present on the device when it receives the command, it will instead completely erase and require reinstallation of macOS, as in macOS 11. To preserve the EACS behavior on an Intel-based Mac, move it to a Blueprint without a Recovery Password Library Item before sending the Erase Device command. This step is not required for Mac computers with Apple silicon.
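The macOS behavior matrix combined with the bootstrap token and firmware password considerations, as an added example (not Kandji code) for triaging a fleet before a bulk erase. The `Mac` record, the function names and the sample fleet are hypothetical; `pin_set` is `None` wherever this article does not state whether a PIN is set.

```python
from dataclasses import dataclass
from typing import Optional

EACS_CHIPS = ("apple_silicon", "intel_t2")

@dataclass
class Mac:  # hypothetical inventory record, not a Kandji API object
    name: str
    chip: str  # "apple_silicon", "intel_t2", "intel_t1" or "intel_none"
    macos_major: int
    bootstrap_token_escrowed: bool = True
    legacy_firmware_password: bool = False

def predict_erase(mac: Mac) -> tuple[str, Optional[bool], str]:
    """Return (mode, pin_set, note); pin_set is None where the article does not say."""
    if mac.chip in EACS_CHIPS and mac.macos_major >= 12:
        # Assumption: the bootstrap token check comes before the firmware password one.
        if not mac.bootstrap_token_escrowed:
            return ("fail", None, "no bootstrap token escrowed")
        if mac.chip == "intel_t2" and mac.legacy_firmware_password:
            return ("obliterate", None, "firmware password set; macOS must be reinstalled")
        return ("eacs", None, "falls back to obliteration if EACS fails")
    if mac.chip == "apple_silicon":
        return ("obliterate", False, "erase PINs are not supported on Apple silicon")
    if mac.chip in ("intel_t1", "intel_none"):
        return ("obliterate", True, "random PIN shown on the device record")
    return ("obliterate", None, "Intel T2 below macOS 12 is not listed explicitly")

def triage(fleet: list[Mac]) -> dict[str, list[str]]:
    """Group device names by predicted mode so risky erases are reviewed first."""
    groups: dict[str, list[str]] = {}
    for mac in fleet:
        groups.setdefault(predict_erase(mac)[0], []).append(mac.name)
    return groups

# Constructed sample fleet.
FLEET = [
    Mac("m2-air", "apple_silicon", 14),
    Mac("m1-old", "apple_silicon", 11),
    Mac("t2-pro", "intel_t2", 13, legacy_firmware_password=True),
    Mac("t2-mini", "intel_t2", 12, bootstrap_token_escrowed=False),
    Mac("imac-2015", "intel_none", 12),
]

if __name__ == "__main__":
    for mode, names in triage(FLEET).items():
        print(mode, names)
```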