Help Center Home > Troubleshooting KB > Troubleshoot: Understand Erase Device Command for Macs

Troubleshoot: Understand Erase Device Command for Macs

When managing a fleet of Macs, understanding the behavior of the Erase Device command, especially in relation to security features like PIN and Activation Lock, is crucial. A common scenario involves erasing a Mac and expecting it to prompt for a PIN upon setup. However, this does not always occur as anticipated, especially with newer devices.

Symptoms

For devices with Apple Silicon that have a PIN set, the device erases successfully but does not prompt for the PIN.

Explanation - Legacy vs. Modern Security Protocols:

  • Older Devices (No T2 or Apple Silicon): PIN codes are used as a security measure.
  • Newer Devices (T2 Chip or Apple Silicon): These devices utilize the more advanced Activation Lock protocol. The PIN feature is not used with the erase command because Activation Lock provides robust security.

The PIN safeguard remains in place primarily for legacy systems that lack the T2 chip, ensuring security across diverse environments where older devices might still be in use.

Causes

Issue: After issuing the Erase Device command and activating the PIN on a Mac, the device proceeds to set up without requesting the PIN.

Expected Behavior: The device should prompt for the PIN during the setup process post-erasure.

Exceptions

Intel-based Macs with T2 Security Coprocessor or Apple Silicon – macOS 11 and Earlier:

  • Action: The Erase Device command results in an “obliteration” of the system and user data volumes.
  • Outcome: A full reinstallation of macOS is required. The PIN payload is ignored, with the device relying on Activation Lock for added security.

Intel-based Macs with T2 Security Coprocessor or Apple Silicon – macOS 12 and Later:

  • Action: The Erase Device command triggers an Erase All Contents and Settings (EACS), with a fallback to “obliteration” in case of failure.
  • Outcome: Only the user-data volume is erased, providing an "out-of-box" experience and preventing the need for macOS reinstallation. The PIN payload is ignored, relying instead on Activation Lock for security.

Resolution

Understanding these nuances helps in managing expectations and troubleshooting effectively when dealing with the Erase Device command on Macs with varying hardware specifications.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case