Mobile Device Management (MDM) commands let you remotely execute certain management commands on devices that use MDM. These commands help you remotely control macOS, iOS, and iPadOS devices. Admins with the requisite permission level can run these MDM commands from the JumpCloud Admin Portal:
Command | macOS Device Enrollment (supported for all enrollment types) | Device-Enrolled iOS/iPadOS (Corporate devices) | User-Enrolled iOS/iPadOS (Personal devices) |
---|---|---|---|
Lock | ✔ | ✔ | ✔ |
Restart | ✔ | Not supported | Not supported |
Shut down | ✔ | Not supported | Not supported |
Erase | ✔ | ✔ | Not supported |
Unenroll device | Supported only via API | Supported only via API | ✔ |
Delete Device Passcode | N/A | ✔ | ✔ |
Delete Screen Time Passcode | N/A | ✔ | ✔ |
Occasionally, some devices running older versions of macOS will fail to erase. If the device cannot be erased, it will be locked.
Prerequisites:
- MDM is configured for your organization. See Set up Apple MDM.
- Admins require command running permissions to run MDM Commands. See Admin Portal Roles for more information.
Considerations:
- MDM commands appear in Directory Insights under the event type mdm_command_result. The specific command is detailed in the request_type field, such as clear_passcode.
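The following is an added example, not JumpCloud code, of reviewing an exported set of Directory Insights events for high-impact MDM commands and for admins who issue several of them. Only the `mdm_command_result` event type, the `request_type` field, and the `clear_passcode` value come from this page; the `event_type` key name, the other field names, the `erase_device` and `device_information` values, and the sample events are assumptions constructed for illustration.

```python
import json
from collections import Counter

EVENT_TYPE = "mdm_command_result"  # event type named on this page
# "clear_passcode" is from this page; "erase_device" is an assumed placeholder value.
WATCHED = {"clear_passcode", "erase_device"}


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated export line
        if isinstance(obj, dict):
            events.append(obj)
    return events


def review_mdm_commands(events, watched=WATCHED, burst=2):
    """Return (hits, noisy): watched MDM commands, and admins with >= burst of them."""
    hits = [
        e for e in events
        if e.get("event_type") == EVENT_TYPE and e.get("request_type") in watched
    ]
    per_admin = Counter(
        (e.get("initiated_by") or {}).get("email", "unknown") for e in hits
    )
    noisy = sorted(admin for admin, n in per_admin.items() if n >= burst)
    return hits, noisy


# Constructed sample export (assumed field layout, not real Directory Insights output).
SAMPLE = """
{"event_type": "mdm_command_result", "request_type": "clear_passcode", "timestamp": "2024-05-01T09:14:02Z", "initiated_by": {"email": "admin1@example.com"}, "device_id": "dev-001"}
{"event_type": "mdm_command_result", "request_type": "clear_passcode", "timestamp": "2024-05-01T09:15:40Z", "initiated_by": {"email": "admin1@example.com"}, "device_id": "dev-002"}
{"event_type": "mdm_command_result", "request_type": "erase_device", "timestamp": "2024-05-01T11:02:10Z", "initiated_by": {"email": "admin2@example.com"}, "device_id": "dev-003"}
{"event_type": "other_event_type", "timestamp": "2024-05-01T11:05:00Z", "initiated_by": {"email": "admin2@example.com"}}
{"event_type": "mdm_command_result", "request_type": "device_information", "timestamp": "2024-05-01T11:06:00Z"}
{"event_type": "mdm_command_result", "request_type": "clear_pass
"""

if __name__ == "__main__":
    hits, noisy = review_mdm_commands(parse_events(SAMPLE))
    for e in hits:
        print(e.get("timestamp"), e.get("request_type"), e.get("device_id"))
    print("admins at or over burst threshold:", noisy)
```

Adjust `WATCHED` and the field names to match the values that actually appear in your own Directory Insights export before relying on the results.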
Verify a Device Can Be Managed Using MDM Commands
Before proceeding, verify that a device can be managed using MDM commands:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, select the device, then select the MDM tab.
- Verify that this device is enrolled in MDM.
You can filter the devices list to show only the devices that are enrolled in MDM by clicking filter by and selecting MDM status - enrolled with JumpCloud.
Lock a macOS Device
To remotely lock a lost device, you must set a PIN. The device remains locked until the user enters the PIN. The user cannot log in until the PIN is entered.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then find the macOS device.
- In the device row, click Actions > Lock Device.
- In the Lock This Device dialog box, enter a six-digit PIN. Use a number that’s easy to remember, or save it in a safe place, as JumpCloud does not save this information. This is the PIN that the user will need to enter to unlock the device.
- Click yes, lock. The device immediately restarts and displays a screen to enter the PIN to unlock the device. Allow 5-10 minutes for the device’s status to change in the JumpCloud Admin Portal.
Restart a macOS Device
Send the restart command to immediately restart the device. Any unsaved work on the device is lost. If the device restarts quickly, the device’s status in the JumpCloud Admin Portal might not change.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then find the macOS device.
- In the device row, click Actions > Restart Device.
- In the Restart This Device dialog box, click yes, restart.
Shut Down a macOS Device
Send the shut down command to immediately shut down the device. Any unsaved work on the device is lost. If the device restarts quickly, the device’s status in the JumpCloud Admin Portal might not change.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then find the macOS device.
- In the device row, click Actions > Shut Down.
- In the Shut Down This Device dialog box, click yes, shut down.
Erase a macOS Device
Send the erase command to immediately erase the hard drive on the macOS device, even if the device is locked. Everything on the hard drive, including macOS software, is removed. The user is not warned of this action. See Apple's Developer Documentation.
- In macOS Monterey 12 and later, the erase command uses Erase All Content and Settings (EACS) on devices with Apple silicon or the Apple T2 Security Chip. EACS removes all user data and lets you quickly restore a macOS device to the Setup Assistant. If EACS can’t run on a macOS 12+ device, the device falls back on Apple’s obliteration behavior (macOS Big Sur 11 and prior).
- Apple silicon devices don't prompt for a PIN after the erase command is issued, whereas Intel-based devices do. To enable a PIN on Apple silicon devices, first issue the lock command, followed by the erase command. Once the device is unlocked using the PIN set during the lock command, the device receives the erase command and erases as expected.
- See Understand the Erase Device MDM Command to learn more.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then select the device.
- From the device page, click Actions > Erase Device.
- In the Erase This Device dialog box, enter or paste in a six-digit PIN. Use a number that’s easy to remember, or save it in a safe place, as JumpCloud does not save this information.
- Click yes, erase. If an error displays when you run the erase command on a Monterey device, the device still erases (which conforms with Apple's Big Sur obliteration behavior).
Lock an iOS or iPadOS Device
When you remotely lock a lost iOS or iPadOS device, the device remains locked until the user enters the iPhone’s passcode.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then find the iOS device.
- In the device row, click Actions > Lock Device.
- In the Lock This Device dialog box, click yes, lock. The iOS device is immediately locked and displays a lock screen.
Users have a variety of ways to lock their iPhones and should consult their Apple iPhone documentation.
Erase a Corporate-Owned iOS or iPadOS Device
Send the erase command to immediately remove all data from a corporate-owned device, even if the device is locked. The user is not warned of this action. The user can't access this device until you unlock it and complete the setup. For more information on remote wipe, see Apple’s documentation.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then select the iOS device.
- From the device page, click Actions > Erase Device.
- In the Erase This Device dialog box, click yes, erase.
If you prefer to remove just the individual profile for iOS or iPadOS, you can remotely unenroll the device through the API and all the other profiles will leave with it. If the profile was installed through a policy, unbinding the policy from the device uninstalls the profile.
Unenroll a Personal iOS or iPadOS Device
Removing an iOS device from MDM enrollment can only be done for personal devices. The user is not warned of this action. The device will be unenrolled from MDM and all of the data and apps allowed by MDM will be removed when the partition is deleted. You cannot unenroll a corporate device through the Admin Portal; that can be done only through the API.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then select the iOS device.
- From the Actions menu, click Unenroll Device to remove a user-enrolled iOS device from MDM.
- Click yes, unenroll.
- To verify the unenrollment, click the MDM tab. The MDM Enrolled status will now be No. Note that unenrolling a device does not remove the device from the Devices List.
If you delete a personal or corporate-owned device from the Devices List in the Admin Portal, the device will also unenroll from MDM.
Delete an iOS or iPadOS Device Passcode
This command is applicable for the following devices:
- iOS 4.0+
- iPadOS 4.0+
Deleting a device passcode unlocks the device for the end user, allowing anyone to access the device without entering the passcode on the lock screen.
See Apple's documentation for more information on Passcodes: Set a passcode on iPhone.
To clear the device passcode:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then select the iOS or iPadOS device.
- From the Actions menu, click Delete Device Passcode.
- On the confirmation, click yes, clear.
Delete an iOS or iPadOS Screen Time Passcode
This command is applicable for the following devices:
- Supervised iOS 8.0+
- Supervised iPadOS 8.0+
Deleting the Screen Time passcode clears it from the device's Screen Time settings, unlocking those settings, and removes any restrictions that have been set within Settings > Screen Time.
See Apple's documentation for more information about these settings: Set up Screen Time on iPhone.
To clear the Screen Time Passcode:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then select the iOS or iPadOS device.
- From the Actions menu, click Delete Screen Time Passcode.
- On the confirmation, click Delete.