Addigy MDM offers the capability to push a Remote Lock or Remote Wipe (aka MDM Lock and MDM Wipe) command from within the Addigy Console. For the latest updates, please take a look at Apple's Documentation. Functionality differs by macOS version and Mac architecture (Intel and Apple Silicon).
Prerequisites
MDM Profile assigned to the device. For more information on MDM Profiles, see the MDM Overview article. The device does not require assignment to a specific policy but must have an MDM Profile to receive the command.
Note: On a Mac with Apple silicon (M1 Chip), the device reboots into the recoveryOS (Pre 11.5), where the only options are to restart, shut down, activate, or erase the Mac. To activate the Mac, select an administrator user and provide the password. This activation step requires an internet connection.
Lock Device
1. Navigate to the Devices page, expand the Device Actions section by clicking the ">", and click on Lock Device under the Device Actions column.
2. Set the 6-digit passcode to unlock the device and add a message to be displayed on the locked device.
Note: The 6-digit passcode is added to the "Executed" log record. Log records are stored for 90 days. Should you need to find the passcode, you can search the Event log for the device's records and a Receiver Name that contains "DeviceLock" or "EraseDevice".
Additional Note: If the Device is using macOS Monterey with a T2 Chip or M1 Chip, we will show the ability to Erase All Content and Settings in the Erase Device option:
3. Click Lock Device. The device must be on and connected to a network for the command to be received and applied.
Viewing the enforced pin
The 6-digit pin that was set when locking the device is logged via our Events page.
NOTE: Only the most recent 90 days of events are stored. If you locked a device more than 90 days ago, it will not be in the UI. If this is the case for a device of yours, please reach out to our support team for further assistance with retrieving the pin (be sure to mention it was performed more than 90 days ago).
GoLive > Events
If the device is still in Addigy, you can navigate to GoLive > Events and use the following search parameters to view device lock events:
Dashboard > Events
If the device has been removed from Addigy or you cannot find the device in the Devices page, you can also search for the pin via Dashboard > Events. Be sure to configure the time range as shown in the screenshot.
Remotely Wiping a Device
Note: macOS Monterey introduces a change in "Erase Device" behavior. Devices running macOS Monterey or higher that have a T2 chip or are Apple Silicon will Erase all Content and Settings (EACS).
Selecting the Erase Data option will prompt you to enter a 6-digit passcode that will be used to unlock the device. Once this is entered, click Erase Device.
Once the wipe is initiated, the device will immediately erase itself including the Addigy agent (if macOS). No warning will be given to the user before the device is wiped. Additionally, this command is performed immediately even if the device is locked.
To wipe the device:
1. Navigate to the Devices page and click GoLive on the device you are looking to wipe.
2. Open Device Commands and click on Erase Device.
3. Set the 6-digit passcode if macOS. The passcode will not be requested on macOS Monterey devices with an Apple Silicon processor or T2 chip. For iOS/iPadOS devices, you do not need to set a passcode.
Note: The 6-digit passcode is added to the "Executed" log record. Log records are stored for 90 days. Should you need to find the passcode, you can search the Event log for the device's records and a Receiver Name that contains "DeviceLock" or "EraseDevice".
4. For devices with a cellular data plan, you can choose to preserve the plan following the Wipe.
5. Choose whether to allow devices in close proximity to share setup data such as Wi-Fi access.
Additional Note: If the Device is using macOS Monterey with a T2 Chip or M1 Chip, we will show the ability to Erase All Content and Settings in the Erase Device option:
Additional Information
- Device Lock and Device Wipe will require the six-digit passcode to unlock the device.
- Devices must have an MDM Profile installed to perform either the lock or wipe action.
- Devices configured to enroll through Apple Business Manager or Apple School Manager will go back through that enrollment process when they start the setup process following the wipe or Erase all Content and Settings commands.
- Device Wipe: Upon receiving this command, the device immediately erases itself. No warning is given to the user. This command is performed immediately even if the device is locked.
- Device Lock: If a passcode has been set on the device, the device is locked with the "DeviceLock" command. The device returns a status of "Acknowledged" and a message result of "Success". If a passcode has not been set on the device, the device is locked but the message and phone number are not displayed on the screen. The device returns a status of "Acknowledged" and a message result of "NoPasscodeSet".
- Device Lock for iOS devices will force the device to the lock screen.
- Remote Device Wipe pre-macOS Monterey will erase the entire disk, including the Recovery Partition and any other partitions on the device. Monterey Erase behavior has changed. On Monterey, the operating system is not wiped; only the User Content and Settings are wiped from the machine. However, the machine is in a state for fresh setup.
- When an incorrect passcode is entered on the wiped/locked macOS Device multiple times, it will cause the device to enter a disabled state with a timer. The timer's interval will increase with each incorrect attempt. Because of this, we recommend you limit the incorrect attempts to 3 while testing.
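The Device Lock results listed above can be checked programmatically when reviewing command results. The following is an added example, not Addigy's code: it validates a 6-digit lock passcode and interprets a device's DeviceLock result. It assumes the result is a plist using the key names `Status` and `MessageResult` from Apple's MDM protocol; the sample responses and the all-zero `CommandUUID` are constructed.

```python
import plistlib
import re
from typing import Optional, Tuple

# ASCII digits only: str.isdigit() would also accept other Unicode digits,
# which cannot be typed on the lock screen keypad.
PIN_RE = re.compile(r"[0-9]{6}")


def valid_lock_pin(pin: str) -> bool:
    """True only for exactly six ASCII digits."""
    return PIN_RE.fullmatch(pin) is not None


def interpret_device_lock(raw: bytes) -> Tuple[bool, Optional[bool]]:
    """Return (locked, message_shown) for a DeviceLock result plist.

    message_shown is None when the device did not report a message result.
    """
    result = plistlib.loads(raw)
    if result.get("Status") != "Acknowledged":
        return (False, None)   # command not applied (yet)
    message_result = result.get("MessageResult")
    if message_result == "Success":
        return (True, True)    # locked, message and phone number displayed
    if message_result == "NoPasscodeSet":
        return (True, False)   # locked, but message and phone number not displayed
    return (True, None)        # locked, display state not reported


def sample_response(status: str, message_result: Optional[str] = None) -> bytes:
    """Build a constructed result plist (not captured from a real device)."""
    body = {"CommandUUID": "00000000-0000-0000-0000-000000000000",
            "Status": status}
    if message_result is not None:
        body["MessageResult"] = message_result
    return plistlib.dumps(body)


if __name__ == "__main__":
    for status, mr in [("Acknowledged", "Success"),
                       ("Acknowledged", "NoPasscodeSet"),
                       ("NotNow", None)]:
        print(status, mr, interpret_device_lock(sample_response(status, mr)))
```

A `NoPasscodeSet` result is worth flagging during a lost-device response, since the contact message the administrator entered is not shown to whoever finds the device.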