Lock Device and Erase Device

By David Marks

Learn more about the Lock Device and Erase Device commands and their expected behaviors.

Lock Device

You can use the Lock Device command on both iOS and macOS. However, there are some important differences in how the command works between the two platforms.

Command Information 

  • Command Support:
    • iOS (4.0+)
    • macOS (10.7+)
    • Shared iPad
  • Command Requirements
    • The command does not require supervision

Command Behavior for iOS

For iOS devices, once the command is received, the screen will automatically be locked, and you can optionally specify a lock message. The device will be locked with the existing passcode.

Command Behavior for macOS

For macOS devices, the device will be locked with an EFI/Find My PIN code. Behavior varies with the hardware and macOS version, as outlined below. A 6-digit PIN is generated automatically and is available on the device record once the device receives the command.

Mac computers with Apple silicon running macOS 11.5 or earlier.

  • Lock device PINs are not supported on Mac computers with Apple silicon prior to macOS 11.5.
  • The device will reboot to recoveryOS, where an admin will need to authenticate, and activation will be required.

Mac computers with Apple silicon running macOS 11.5 or later.

  • The device will reboot and be locked with a randomly generated PIN once the device receives the command. 

Mac computers with Intel running any supported macOS version.

  • The device will reboot and be locked with a randomly generated PIN once the device receives the command.

Erase Device

You can use the Erase Device command on both iOS and macOS. However, there are some important differences in how the command works between the two platforms.

Command Information 

  • Command Support:
    • iOS (4.0+)
    • macOS (10.7+)
    • tvOS (10.2+)
    • Shared iPad
  • Command Requirements
    • The command does not require supervision

Command Behavior for iOS

For iOS devices, the device will initiate an Erase all Content and Settings. The device will reboot and will present the Setup Assistant. It is important to note that this is not a full system restore, and the device will not be updated to the latest iOS version.

  • When you use the Kandji web app to send the Erase Device command, the command automatically preserves any pre-existing eSIM-based cellular plans on iPhone or iPad devices with eSIM functionality.
  • When you use the Kandji API to send the Erase Device command, you can remove any pre-existing eSIM-based cellular plans on a device with eSIM functionality. To do so, set the PreserveDataPlan key to false. See this documentation.

iOS devices that are erased from Kandji will not automatically reinstall apps previously installed by Self Service. If a user erases their own iOS device using the Settings app, apps previously installed by Self Service will be automatically reinstalled once the device reenrolls into Kandji.

Command Behavior for macOS

For macOS devices, one of two actions will occur, depending on the macOS version and hardware support. Behavior varies with the hardware and macOS version, as outlined below.

  • The device will have all data obliterated (obliteration behavior) and be locked with an EFI/Find My PIN code.
  • If on supported hardware and a supported macOS version, the device will perform an Erase All Content and Settings (EACS). If an EACS fails, the device will revert to obliteration behavior.
  • A 6-digit PIN is generated automatically and is available on the device record once the device receives the command.

Mac computers with Apple silicon running a version earlier than macOS 12.

  • The device will be erased (obliteration behavior), but a PIN will not be set.
    Erase device PINs are not supported on Mac computers with Apple silicon.

Mac computers with Apple silicon or Intel and T2 running macOS 12 or later. 

  • The device will perform an Erase All Content and Settings once the command is received.
  • If EACS fails, the device will fall back to obliteration behavior, and macOS will need to be reinstalled.

Mac computers with Intel and T1 or Intel and no security chip running macOS 12 or later. 

  • The device will be erased (obliteration behavior) and locked with a randomly generated PIN once the command is received.

Mac computers with Intel (T1/No security chip) running a version earlier than macOS 12.

  • The device will be erased (obliteration behavior) and locked with a randomly generated PIN once the command is received.

For Mac computers that support Erase All Content and Settings (EACS), it is recommended to send the Erase Device command from Kandji rather than using the Erase Assistant locally on the device. Doing so means you don't need to know a local user's password, skips unnecessary Apple ID sign-outs, and properly prepares a Mac to re-enroll using Auto Advance.
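
The macOS conditionals above for Lock Device and Erase Device, written as a check an admin could run over a device inventory to see which Macs end up PIN-locked before sending either command. This is an added example, not Kandji code: the function names, field names and sample inventory are constructed, macOS 11.5 itself is treated as PIN-capable for Lock Device, and a combination the page does not list is reported as such.

```python
# Added example: encodes the macOS behavior matrix described on this page.
# All names and the sample inventory below are constructed for illustration.

def parse_version(text):
    """'11.5.2' -> (11, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def lock_outcome(chip, macos):
    """Return (behavior, pin_set) for Lock Device on a Mac."""
    # Assumption: 11.5 itself is PIN-capable ("prior to macOS 11.5" is not).
    if chip == "apple_silicon" and parse_version(macos) < (11, 5):
        return ("recoveryOS, admin authentication and activation", False)
    return ("reboot, locked with generated PIN", True)

def erase_outcome(chip, security_chip, macos):
    """Return (behavior, pin_set) for Erase Device; pin_set None = not stated."""
    macos_12_or_later = parse_version(macos) >= (12,)
    if chip == "apple_silicon" or security_chip == "T2":
        if macos_12_or_later:
            return ("EACS, obliteration on failure", None)
        if chip == "apple_silicon":
            return ("obliteration", False)
        return ("not listed on the page", None)  # Intel + T2 before macOS 12
    return ("obliteration", True)  # Intel with T1 or no security chip

def devices_without_pin_after_erase(inventory):
    """Serials for which the page says Erase Device sets no PIN."""
    return [d["serial"] for d in inventory
            if erase_outcome(d["chip"], d["security_chip"], d["macos"])[1] is False]

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"serial": "EXAMPLE-001", "chip": "apple_silicon", "security_chip": None, "macos": "11.4"},
    {"serial": "EXAMPLE-002", "chip": "apple_silicon", "security_chip": None, "macos": "13.2.1"},
    {"serial": "EXAMPLE-003", "chip": "intel", "security_chip": "T2", "macos": "12.6"},
    {"serial": "EXAMPLE-004", "chip": "intel", "security_chip": "T1", "macos": "10.15.7"},
    {"serial": "EXAMPLE-005", "chip": "intel", "security_chip": "T2", "macos": "11.7"},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d["serial"],
              "| lock:", lock_outcome(d["chip"], d["macos"]),
              "| erase:", erase_outcome(d["chip"], d["security_chip"], d["macos"]))
    print("No PIN after erase:", devices_without_pin_after_erase(INVENTORY))
```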