Lock Device and Erase Device

By Declan Alleyne

Learn more about the Lock Device and Erase Device commands and their expected behaviors

Lock Device

You can use the Lock Device command on iOS, iPadOS, and macOS. This command does not require supervision. However, there are important differences in how the command behaves on each platform.

Command Behavior for iOS & iPadOS

For iOS and iPadOS devices, once the command is received, the screen locks immediately, and you can optionally specify a lock message. The device is locked with its existing passcode; no new PIN is generated.

Command Behavior for macOS

For macOS devices, the device is locked with an EFI/Find My PIN code. The exact behavior depends on the hardware and macOS version, as outlined below. A six-digit PIN is generated automatically and is available on the device record once the device receives the command.

Mac computers with Apple silicon running a version earlier than macOS 11.5.

  • Lock Device PINs are not supported on Mac computers with Apple silicon running a version earlier than macOS 11.5.
  • The device reboots to recoveryOS, where an admin must authenticate, and activation is required.

Mac computers with Apple silicon running macOS 11.5 or later.

  • The device will reboot and be locked with a randomly generated PIN once the device receives the command. 

Mac computers with Intel running any supported macOS version.

  • The device will reboot and be locked with a randomly generated PIN once the device receives the command.

Erase Device

You can use the Erase Device command on iOS, iPadOS, tvOS and macOS. This command does not require supervision. However, there are some important differences in how the command works between the platforms.

Command Behavior for iOS & iPadOS

For iOS and iPadOS devices, the device will initiate an Erase all Content and Settings. The device will reboot and will present the Setup Assistant. It is important to note that this is not a full system restore, and the device will not be updated to the latest version.

  • When you use the Kandji web app to send the Erase Device command, the command automatically preserves any pre-existing eSIM-based cellular plans on iPhone or iPad devices with eSIM functionality.
  • When you use the Kandji API to send the Erase Device command, you can remove any pre-existing eSIM-based cellular plans on a device with eSIM functionality. To do so, set the PreserveDataPlan key to false. See this documentation.

iOS and iPadOS 17 introduce a new feature called Return to Service. When erasing a device running these OS versions, an option is shown in the confirmation dialog where "Use Return to Service" can be selected:


When this option is selected, the device proceeds all the way through Setup Assistant to the Home Screen without any user intervention. After erasure it automatically joins the Wi-Fi network configured by the Library Item you select and re-enrolls into Kandji. For devices on a tethered Ethernet connection, such as kiosks, you can use Return to Service without selecting a Library Item at all. The dialog lets you select any Wi-Fi Library Item or a Custom Profile Library Item containing a Wi-Fi configuration. Choose a Library Item that will let the device rejoin a network after erasure, or choose "None" only if Ethernet is available; otherwise the device will require manual intervention to re-enroll. For more details, see the Apple WWDC 2023 video, "What's new in managing Apple devices".

Return to Service Considerations

  • Because device activation happens before Remote Management takes action, an Activation Locked iPhone or iPad must have that lock removed before a Return to Service (RtS) command is issued. This can delay Return to Service, since removing the lock requires manual intervention.
  • When erasing a device that has User-based Activation Lock enabled, the device prompts for the Apple ID credentials the next time it attempts to activate. If the device is supervised, you can use an Activation Lock bypass code to get past this prompt.
  • Devices erased from Kandji will not automatically reinstall apps previously installed by Self Service. If a user erases their own device using the Settings app, apps previously installed by Self Service are reinstalled automatically once the device re-enrolls into Kandji.
  • Do not select a Library Item that configures an EAP-TLS 802.1X network with a SCEP client identity: the erasure removes the device's SCEP-issued client identity, and the device cannot obtain a new one until it already has network access.

Command Behavior for tvOS

For tvOS, the device will initiate a Reset. The device will reboot and will present the Setup Assistant. It is important to note that this is not a full system restore, and the device will not be updated to the latest version.

Command Behavior for macOS

Depending on the macOS version and hardware, one of two actions occurs for macOS devices. The conditions under which each applies are outlined below.

  • The device has all data obliterated (obliteration behavior) and is locked with an EFI/Find My PIN code.
  • On supported hardware running a supported macOS version, the device instead performs an Erase All Content and Settings (EACS). If EACS fails, the device reverts to obliteration behavior.
  • A six-digit PIN is generated automatically and is available on the device record once the device receives the command.

Mac computers with Apple silicon running a version earlier than macOS 12.

  • The device will be erased (obliteration behavior), but a PIN will not be set. Erase Device PINs are not supported on Mac computers with Apple silicon.

Mac computers with Apple silicon or Intel and T2 running macOS 12 or later. 

  • The device will perform an Erase All Content and Settings once the command is received.
  • If EACS fails, the device will fall back to obliteration behavior, and macOS must be reinstalled.

Mac computers with Intel and T1, or Intel with no security chip, running macOS 12 or later.

  • The device will be erased (obliteration behavior) and locked with a randomly generated PIN once the command is received.

Mac computers with Intel and T1, or Intel with no security chip, running a version earlier than macOS 12.

  • The device will be erased (obliteration behavior) and locked with a randomly generated PIN once the command is received.

Erase Device Considerations

  • For Mac computers that support Erase All Content and Settings (EACS), it is recommended to send the Erase Device command from Kandji rather than using the Erase Assistant locally on the device. Doing so means you don't need to know a local user's password, skips unnecessary Apple ID sign-outs, and properly prepares the Mac to re-enroll using Auto Advance.
  • For Mac computers that support Erase All Content and Settings (EACS), the Erase Device command will fail if no bootstrap token has been escrowed.
  • In macOS Monterey, Intel-based Mac computers with the Apple T2 Security Chip perform an Erase All Content and Settings (EACS) when they receive an Erase Device command from Kandji. If a legacy firmware password is still present on the device when it receives the command, it will instead be completely erased and require reinstallation of macOS, as in macOS 11. To preserve the EACS behavior on an Intel-based Mac, move it to a Blueprint without a Recovery Password Library Item before sending the Erase Device command. This step is not required for Mac computers with Apple silicon.
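The Lock Device and Erase Device behavior tables above, together with the bootstrap-token and firmware-password prerequisites, as a preflight script you can run on a Mac before sending either command. This is an added example, not Kandji tooling. The chip labels (apple_silicon, intel_t2, intel_t1, intel_none) are our own, the decision functions encode only the conditions stated on this page, and the strings it greps for in the output of profiles, firmwarepasswd and system_profiler are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example (not Kandji tooling): predict Lock Device / Erase Device behavior
# from chip, macOS version, bootstrap-token escrow and firmware-password state,
# then gather those facts from the local Mac.
# Assumptions: the decision table mirrors this article; chip labels are our own;
# grep patterns match the output of current profiles(1), firmwarepasswd(8)
# and system_profiler(8).

major() { echo "${1%%.*}"; }
minor() {
  rest="${1#*.}"
  if [ "$rest" = "$1" ]; then echo 0; else echo "${rest%%.*}"; fi
}

# version_ge A B: true when A >= B, comparing major.minor only.
version_ge() {
  a_major=$(major "$1"); b_major=$(major "$2")
  if [ "$a_major" -ne "$b_major" ]; then
    [ "$a_major" -gt "$b_major" ]
  else
    [ "$(minor "$1")" -ge "$(minor "$2")" ]
  fi
}

# expected_lock_behavior CHIP VERSION
# Only Apple silicon earlier than 11.5 lacks Lock Device PIN support.
expected_lock_behavior() {
  if [ "$1" = apple_silicon ] && ! version_ge "$2" 11.5; then
    echo "reboot to recoveryOS, no PIN"
  else
    echo "reboot, locked with generated 6-digit PIN"
  fi
}

# expected_erase_behavior CHIP VERSION BOOTSTRAP_TOKEN(yes|no) FIRMWARE_PASSWORD(yes|no)
# Returns 1 when the command is expected to fail (EACS path without escrowed token).
expected_erase_behavior() {
  chip=$1; ver=$2; bst=$3; fwpw=$4
  case $chip in
    apple_silicon|intel_t2)
      if ! version_ge "$ver" 12; then
        if [ "$chip" = apple_silicon ]; then echo "obliteration, no PIN"
        else echo "obliteration, locked with generated PIN"; fi
      elif [ "$chip" = intel_t2 ] && [ "$fwpw" = yes ]; then
        echo "obliteration, macOS reinstall required (firmware password blocks EACS)"
      elif [ "$bst" != yes ]; then
        echo "FAIL: no bootstrap token escrowed"; return 1
      else
        echo "EACS (obliteration fallback if EACS fails)"
      fi ;;
    intel_t1|intel_none)
      echo "obliteration, locked with generated PIN" ;;
    *)
      echo "unknown chip: $chip" >&2; return 2 ;;
  esac
}

# detect_chip: classify the local Mac. Assumes the iBridge section of
# system_profiler names the T2 ("Apple T2 Security Chip") or T1 controller.
detect_chip() {
  if [ "$(uname -m)" = arm64 ]; then echo apple_silicon; return; fi
  bridge=$(system_profiler SPiBridgeDataType 2>/dev/null)
  case $bridge in
    *T2*) echo intel_t2 ;;
    *T1*) echo intel_t1 ;;
    *)    echo intel_none ;;
  esac
}

# preflight: gather local facts and print what each command should do.
# firmwarepasswd needs root and exists only on Intel Macs.
preflight() {
  chip=$(detect_chip)
  ver=$(sw_vers -productVersion)
  bst=no
  if profiles status -type bootstraptoken 2>/dev/null | grep -q "escrowed to server: YES"; then bst=yes; fi
  fwpw=no
  case $chip in
    intel_*) if firmwarepasswd -check 2>/dev/null | grep -q "Password Enabled: Yes"; then fwpw=yes; fi ;;
  esac
  echo "chip=$chip macOS=$ver bootstrap_token_escrowed=$bst firmware_password=$fwpw"
  echo "Lock Device  -> $(expected_lock_behavior "$chip" "$ver")"
  echo "Erase Device -> $(expected_erase_behavior "$chip" "$ver" "$bst" "$fwpw")"
}

# Live checks run only on a Mac: sudo sh erase_preflight.sh --run
if [ "$(uname -s)" = Darwin ] && [ "${1:-}" = --run ]; then preflight; fi
```

Run it with `--run` as root on the target Mac before sending the command; a "FAIL" line for Erase Device means the bootstrap token must be escrowed first, and the "firmware password blocks EACS" line is the cue to move an Intel T2 Mac to a Blueprint without a Recovery Password Library Item.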