Understand the Erase Device MDM Command

The Erase Device command is available as a JumpCloud Security Command for MDM Enrolled macOS and Device MDM Enrolled iOS devices. See MDM Commands to learn more about these commands.

This command can be used in the event of loss or theft of a device to securely erase its contents and ensure they are unrecoverable. Due to the severity of this command, you must enter a PIN as part of the process for macOS devices.

Warning:

JumpCloud doesn't retain the PIN used to erase macOS devices and cannot recover it. It is critical that you record the PIN used to erase the macOS device. If you don't have the PIN, you won't be able to unlock the device and will need to contact Apple for service to unlock it.

macOS Devices

When you run the erase device command on a macOS device, the expected result depends on the type of device being erased (Intel-based or Apple Silicon Mac), and the version of macOS installed on the device.

Intel-based without a T2 security coprocessor

The Erase Device command performs an “obliteration” of the current system and user data volumes, after which macOS must be fully reinstalled. The PIN supplied with the command is used as an additional security measure: it places a device lock on the target device that must be cleared through two PIN prompts, a “firmware” style lock followed by a “device lock” style screen. Both screens are cleared using the PIN provided with the Erase command.

(Screenshot: “Firmware” style lock, 1st screen)

(Screenshot: Device lock, 2nd screen)

Intel-based with T2 security coprocessor, or Apple Silicon – macOS 11 and earlier

The Erase Device command performs an “obliteration” of the current system and user data volumes, requiring a full reinstallation of macOS. The PIN portion of the payload is ignored; the device relies on Activation Lock for additional security instead.

Intel-based with T2 security coprocessor, or Apple Silicon – macOS 12 and later

The Erase Device command performs an Erase All Content and Settings (EACS) and falls back to “obliteration” only if EACS fails. EACS erases only the user-data volume, returning the device to an “out-of-box” experience, so macOS does not need to be reinstalled. The PIN portion of the payload is ignored; the device relies on Activation Lock for additional security instead.

iOS Devices

Using the Erase Device command on iOS devices doesn't prompt for a PIN as it isn't used on the device. A random PIN is supplied due to MDM command requirements, so a PIN hash is found in the MDM command history but it is always ignored by iOS devices.

The device performs an EACS process, returning it to an “out-of-box” experience. Any eSIM configurations are wiped once the device clears activation with Apple, unless a specific payload to preserve the eSIM has been deployed (requires iOS 17.3 and ADE enrollment/supervision state).
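The behavior described in the macOS and iOS sections above can be summarized as a decision table: which erase method runs, whether the PIN in the payload is honored, and whether macOS must be reinstalled afterwards. The following is an added example written for this article, not JumpCloud's or Apple's code. It builds the Apple MDM EraseDevice command plist (RequestType, PIN, and the optional PreserveDataPlan key for eSIM data plans are Apple's documented keys; the six-digit PIN format, the platform labels and the function names are assumptions made for the example) and predicts what a given device will do with it.

```python
"""Added example: model of the EraseDevice MDM command as described in the article.
Not JumpCloud or Apple code; the decision table and the six-digit PIN rule are
assumptions taken from the article text."""
import plistlib
import secrets
import string
import uuid


def pin_is_valid(pin):
    """Six numeric characters (assumed format for the macOS device-lock PIN)."""
    return isinstance(pin, str) and len(pin) == 6 and pin.isdigit()


def build_erase_device_command(platform, pin=None, preserve_data_plan=False):
    """Build the EraseDevice command envelope that an MDM server would queue.

    platform is "macOS" or "iOS" (labels chosen for this example).
    macOS requires a PIN: this is the value the administrator must record,
    because the server does not retain it. For iOS a random PIN is generated
    to satisfy the command schema even though the device ignores it, which is
    why a PIN hash still shows up in command history for iOS erases.
    """
    if platform == "macOS":
        if not pin_is_valid(pin):
            raise ValueError("macOS erase requires a six-digit numeric PIN")
    elif platform == "iOS":
        if pin is None:
            pin = "".join(secrets.choice(string.digits) for _ in range(6))
    else:
        raise ValueError(f"unsupported platform: {platform}")

    command = {"RequestType": "EraseDevice", "PIN": pin}
    if platform == "iOS" and preserve_data_plan:
        # Apple's PreserveDataPlan key keeps the eSIM data plan through the wipe.
        command["PreserveDataPlan"] = True
    envelope = {"CommandUUID": str(uuid.uuid4()), "Command": command}
    return plistlib.dumps(envelope)


def parse_command(blob):
    """Decode a command plist back into a dict (for logging or inspection)."""
    return plistlib.loads(blob)


def expected_erase_behavior(platform, secure_chip=False, macos_major=None):
    """Predict what the device does with the command, per the article.

    secure_chip: True for a Mac with a T2 coprocessor or Apple Silicon.
    macos_major: installed macOS major version, e.g. 11 or 12 (macOS only).
    Returns the erase method ("EACS" or "obliteration"), whether the PIN is
    honored as a device lock, and whether macOS must be reinstalled afterwards.
    """
    if platform == "iOS":
        # iOS always runs EACS and never uses the PIN.
        return {"method": "EACS", "pin_honored": False, "reinstall_required": False}
    if platform != "macOS":
        raise ValueError(f"unsupported platform: {platform}")
    if not secure_chip:
        # Intel without T2: obliteration plus the two PIN lock screens.
        return {"method": "obliteration", "pin_honored": True, "reinstall_required": True}
    if macos_major is None or macos_major <= 11:
        # T2 / Apple Silicon on macOS 11 or earlier: PIN ignored, Activation Lock instead.
        return {"method": "obliteration", "pin_honored": False, "reinstall_required": True}
    # macOS 12 and later: EACS, falling back to obliteration only if EACS fails.
    return {"method": "EACS", "pin_honored": False, "reinstall_required": False}


if __name__ == "__main__":
    # Constructed sample: an Intel Mac without T2, where the PIN really matters.
    blob = build_erase_device_command("macOS", pin="482913")
    print(parse_command(blob)["Command"])
    print(expected_erase_behavior("macOS", secure_chip=False, macos_major=10))
    # Constructed sample: an iPhone with an eSIM data plan to keep.
    print(parse_command(build_erase_device_command("iOS", preserve_data_plan=True))["Command"])
    print(expected_erase_behavior("iOS"))
```

The practical point of the table is the warning at the top of this article: only in the Intel-without-T2 row does the PIN ever need to be typed on the device, so that is the case where losing the recorded PIN leaves you with a locked Mac and a trip to Apple.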

