Addigy MDM offers the capability to push a Remote Lock or Remote Wipe command from within the Addigy Console. For the latest updates, please review Apple's Documentation. Functionality differs by macOS version and Mac architecture (Intel and Apple Silicon).
Prerequisites
MDM Profile assigned to the device. For more information on MDM Profiles, see the MDM Overview article. The device does not require assignment to a specific policy but must have an MDM Profile to receive the command.
Note: On a Mac with Apple silicon (M1 Chip), the device reboots into recoveryOS (pre-11.5), where the only options are to restart, shut down, activate, or erase the Mac. To activate the Mac, select an administrator user and provide the password. This activation step requires an internet connection.
Lock Device
1. Navigate to the Devices page, expand the Device Actions section by clicking the ">", and click Lock Device under the Device Actions column.
2. Set the 6-digit passcode to unlock the device and add a message to be displayed on the locked device.
Note: The 6-digit passcode is added to the "Executed" log record. Log records are stored for 90 days. Should you need to find the passcode, you can search the Event log for the device's records with a Receiver Name that contains "DeviceLock" or "EraseDevice".
Additional Note: If the device is running macOS Monterey with a T2 Chip or M1 Chip, we will show the ability to Erase All Content and Settings in the Erase Device option.
3. Click Lock Device. The device must be on and connected to a network for the command to be received and applied.
Remotely Wiping a Device
Note: macOS Monterey introduces a change in "Erase Device" behavior. Devices running macOS Monterey that have a T2 chip or Apple Silicon will Erase All Content and Settings instead of fully wiping the device.
Selecting the Erase Data option will prompt you to enter a 6-digit passcode that will be used to unlock the device. Once this is entered, click Erase Device.
Note: The device will immediately erase itself. No warning is given to the user. This command is performed immediately even if the device is locked. The wipe includes the Addigy agent, so you will not be able to manage the device until Addigy is reinstalled.
1. Navigate to the Devices page and click either "GoLive" or the name of the device. The Erase command is found on the GoLive page.
2. Open "Device Status" and click on "Erase Device".
3. Set the 6-digit passcode. (The passcode will not be requested on macOS Monterey devices with an Apple Silicon processor or T2 chip.)
Note: The 6-digit passcode is added to the "Executed" log record. Log records are stored for 90 days. Should you need to find the passcode, you can search the Event log for the device's records with a Receiver Name that contains "DeviceLock" or "EraseDevice".
4. For devices with a cellular data plan, you can choose to preserve the plan following the Wipe.
5. Choose whether to allow devices in close proximity to share setup data such as Wi-Fi access.
Additional Note: If the device is running macOS Monterey with a T2 Chip or M1 Chip, we will show the ability to Erase All Content and Settings in the Erase Device option.
Additional Information
- Device Lock and Device Wipe will require the six-digit passcode to unlock the device.
- Devices must have an MDM Profile installed to perform either the lock or wipe action.
- Devices configured to enroll through Apple Business Manager or Apple School Manager will go back through that enrollment process when they start the setup process following the wipe or Erase All Content and Settings commands.
- Device Wipe: Upon receiving this command, the device immediately erases itself. No warning is given to the user. This command is performed immediately even if the device is locked.
- Device Lock: If a passcode has been set on the device, the device is locked with the "DeviceLock" command. The device returns a status of "Acknowledged" and a message result of "Success". If a passcode has not been set on the device, the device is locked but the message and phone number are not displayed on the screen. The device returns a status of "Acknowledged" and a message result of "NoPasscodeSet".
- Device Lock for iOS devices will force the device to the lock screen.
- Remote Device Wipe on macOS versions before Monterey erases the entire disk, including the Recovery Partition and any other partitions on the device. Erase behavior changed in Monterey: the operating system is not wiped; only the User Content and Settings are wiped from the machine. However, the machine is left in a state for fresh setup.
- When an incorrect passcode is entered on the wiped/locked macOS device multiple times, the device enters a disabled state with a timer. The timer's interval increases with each incorrect attempt. Because of this, we recommend you limit the incorrect attempts to 3 while testing.
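
The "DeviceLock" exchange described in the Device Lock item above, as an added example (not Addigy's code): it builds the command with a validated six-digit passcode and interprets the device's reply. The plist key names (CommandUUID, RequestType, PIN, Message, PhoneNumber, Status, MessageResult) are assumed to follow Apple's MDM protocol; the function names, outcome strings and sample responses are hypothetical and constructed for illustration.

```python
import plistlib
import secrets
import uuid


def build_device_lock(pin=None, message=None, phone_number=None):
    """Return (pin, plist_bytes) for a DeviceLock command."""
    if pin is None:
        # Generate the unlock passcode from a CSPRNG instead of reusing one.
        pin = f"{secrets.randbelow(10**6):06d}"
    if not (len(pin) == 6 and pin.isascii() and pin.isdigit()):
        raise ValueError("unlock passcode must be exactly six digits")
    command = {"RequestType": "DeviceLock", "PIN": pin}
    if message:
        command["Message"] = message
    if phone_number:
        command["PhoneNumber"] = phone_number
    body = {"CommandUUID": str(uuid.uuid4()), "Command": command}
    return pin, plistlib.dumps(body)


def interpret_lock_response(raw):
    """Map a device's DeviceLock response plist to an outcome string."""
    resp = plistlib.loads(raw)
    if resp.get("Status") != "Acknowledged":
        return "not-confirmed"          # not acknowledged: lock is unconfirmed
    result = resp.get("MessageResult")
    if result == "NoPasscodeSet":
        return "locked-message-hidden"  # locked, message/phone number not shown
    if result == "Success":
        return "locked-message-shown"
    return "locked"                     # acknowledged without a message result


# Constructed sample responses (not captured from a real device).
SAMPLE_OK = plistlib.dumps({"Status": "Acknowledged", "MessageResult": "Success"})
SAMPLE_NO_PASSCODE = plistlib.dumps(
    {"Status": "Acknowledged", "MessageResult": "NoPasscodeSet"})
SAMPLE_ERROR = plistlib.dumps({"Status": "Error"})

if __name__ == "__main__":
    pin, payload = build_device_lock(message="Return to IT",
                                     phone_number="555-0100")
    print(payload.decode())
    for sample in (SAMPLE_OK, SAMPLE_NO_PASSCODE, SAMPLE_ERROR):
        print(interpret_lock_response(sample))
```

Any tooling that handles the returned passcode should treat it as a secret, since it is the only way to unlock the device.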