Addigy MDM offers the capability to push a Remote Lock or Remote Wipe (aka MDM Lock and MDM Wipe) command from within the Addigy Console. For the latest updates, please take a look at Apple's Documentation. Functionality differs by macOS version and Mac architecture (Intel and Apple Silicon).
Prerequisites
MDM Profile assigned to the device. For more information on MDM Profiles, see the MDM Overview article. The device does not require assignment to a specific policy but must have an MDM Profile to receive the command.
Note: On a Mac with Apple silicon (M1 chip), the device reboots into recoveryOS (pre-11.5), where the only options are to restart, shut down, activate, or erase the Mac. To activate the Mac, select an administrator user and provide the password. This activation step requires an internet connection.
Lock Device
Note: On iOS and iPadOS devices, performing this lock will place the device at the lock screen and will not be considered as a special lock. If you are looking to lock a device and prevent anyone from accessing it, even those who know the passcode, we recommend leveraging Managed Lost Mode.
To lock a device:
1. Navigate to the Devices page, expand the Device Actions section by clicking the ">", and click Lock Device under the Device Actions column.
2. Set the 6-digit passcode to unlock the device and add a message to be displayed on the locked device.
Note: The 6-digit passcode is added to the "Executed" log record. Log records are stored for 90 days. Should you need to find the passcode, search the Event log for the device's records whose Receiver Name contains "DeviceLock" or "EraseDevice". The 6-digit passcode option will only be available for macOS devices.
3. Click Lock Device. The device must be on and connected to a network for the command to be received and applied.
Viewing the enforced PIN
To view the enforced PIN, navigate to the Devices page, expand the Tools dropdown, and select "Device Codes" at the bottom of the list.
In the window that pops up, click the "Lock Codes" tab and enter the device serial number in the search bar. After clicking the Add button, it will display any available lock codes.
Remotely Wiping a Device
Note: macOS Monterey introduces a change in "Erase Device" behavior. Devices running macOS Monterey or higher that have a T2 chip or are Apple Silicon will Erase all Content and Settings (EACS).
Selecting the Erase Data option will prompt you to enter a 6-digit passcode that will be used to unlock the device. Once this is entered, click Erase Device.
Once the wipe is initiated, the device will immediately erase itself, including the Addigy agent (if macOS). No warning will be given to the user before the device is wiped. Additionally, this command is performed immediately even if the device is locked.
To wipe the device:
1. Navigate to the Devices page and click GoLive on the device you are looking to wipe.
2. Open Device Commands and click on Erase Device.
3. Set the 6-digit passcode if macOS. The passcode will not be requested on macOS Monterey devices with an Apple Silicon processor or T2 chip. For iOS/iPadOS devices, you do not need to set a passcode.
Note: The 6-digit passcode is added to the "Executed" log record. Log records are stored for 90 days. Should you need to find the passcode, search the Event log for the device's records whose Receiver Name contains "DeviceLock" or "EraseDevice".
4. For devices with a cellular data plan, you can choose to preserve the plan following the Wipe.
5. Choose to allow or disallow devices in close proximity from sharing setup data such as Wi-Fi access.
Additional Note: If the device is using macOS Monterey with a T2 chip or M1 chip, we will show the ability to Erase All Content and Settings in the Erase Device option.
Additional Information
- Device Lock and Device Wipe will require the six-digit passcode to unlock the device.
- Devices must have an MDM Profile installed to perform either the lock or wipe action.
- Devices configured to enroll through Apple Business Manager or Apple School Manager will go back through that enrollment process when they start the setup process following the wipe or Erase all Content and Settings commands.
- Device Wipe: Upon receiving this command, the device immediately erases itself. No warning is given to the user. This command is performed immediately even if the device is locked.
- Device Lock: If a passcode has been set on the device, the device is locked with the "DeviceLock" command. The device returns a status of "Acknowledged" and a message result of "Success". If a passcode has not been set on the device, the device is locked but the message and phone number are not displayed on the screen. The device returns a status of "Acknowledged" and a message result of "NoPasscodeSet".
- Device Lock for iOS devices will force the device to the lock screen.
- Remote Device Wipe pre-macOS Monterey will erase the entire disk, including the Recovery Partition and any other partitions on the device. Monterey Erase behavior has changed: on Monterey, the operating system is not wiped; only the User Content and Settings are wiped from the machine. However, the machine is left in a state for fresh setup.
- When an incorrect passcode is entered on the wiped/locked macOS device multiple times, it will cause the device to enter a disabled state with a timer. The timer's interval will increase with each incorrect attempt. Because of this, we recommend you limit the incorrect attempts to 3 while testing.
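
An added example (not Addigy's code) that interprets the Device Lock results described in the list above and checks a passcode against the 6-digit requirement. The `MessageResult`, `CommandUUID` and `UDID` keys and the `NotNow` status are taken from Apple's MDM protocol rather than from this article, and the sample responses are constructed.

```python
import plistlib
import re

# Constructed sample results, shaped like what a device returns to the MDM
# server after a DeviceLock command. UDID and CommandUUID values are made up.
SAMPLE_RESPONSES = [
    {"CommandUUID": "example-0001", "UDID": "EXAMPLE-UDID-A",
     "Status": "Acknowledged", "MessageResult": "Success"},
    {"CommandUUID": "example-0002", "UDID": "EXAMPLE-UDID-B",
     "Status": "Acknowledged", "MessageResult": "NoPasscodeSet"},
    {"CommandUUID": "example-0003", "UDID": "EXAMPLE-UDID-C",
     "Status": "NotNow"},  # device deferred the command
    {"CommandUUID": "example-0004", "UDID": "EXAMPLE-UDID-D",
     "Status": "Acknowledged"},  # no message result reported
]


def valid_lock_pin(pin):
    """Accept exactly six ASCII digits; [0-9] also rejects full-width digits."""
    return isinstance(pin, str) and re.fullmatch(r"[0-9]{6}", pin) is not None


def classify_lock_response(raw_plist):
    """Map a DeviceLock result plist to (locked, message_shown, note).

    message_shown is None when the device reported no message result.
    """
    resp = plistlib.loads(raw_plist)
    status = resp.get("Status")
    result = resp.get("MessageResult")
    if status != "Acknowledged":
        return (False, False, f"lock not applied (Status={status})")
    if result == "Success":
        return (True, True, "locked, message displayed")
    if result == "NoPasscodeSet":
        return (True, False, "locked, message and phone number not shown")
    return (True, None, "locked, no message result reported")


def triage_samples():
    """Serialise each constructed sample to a plist and classify it."""
    return {r["CommandUUID"]: classify_lock_response(plistlib.dumps(r))
            for r in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for uuid, outcome in triage_samples().items():
        print(uuid, outcome)
```

A device that acknowledges the lock with "NoPasscodeSet" is locked but shows no contact message, so it is worth flagging separately when the message was meant to help recover the device.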