Use Return to Service for Apple devices
Return to Service makes the process of resetting and reenrolling iPhone, iPad, Apple TV, and Apple Vision Pro fully automated. It allows you to prepare a device for the next user without manual setup. After securely erasing the device, it automatically enrolls in a device management service and configures itself with the appropriate settings, making it ready for the next user quickly and securely.
Initiate Return to Service
On iPhone, iPad, Apple TV, and Apple Vision Pro, Return to Service is initiated by sending the command to erase a managed device. The command can provide the Wi-Fi details and define which device management service to enroll the device in.
The Wi-Fi profile is required to activate the device, unless it has other means of connecting to the internet (such as a tethered connection).
If the device is registered in Apple School Manager or Apple Business Manager, you can omit the device management service configuration. This alerts the device to check for an enrollment profile during activation. You can also use the enrollment profile in situations where the Automated Device Enrollment might otherwise require user interaction, for example to authenticate the enrollment.
Using the provided information, the device erases all data and automatically proceeds to the Home Screen, ready to be used. As part of this process, the previously selected language and region are applied. Whether an existing eSIM is preserved depends on the setting of the PreserveDataPlan key. Supervision status manually set by Apple Configurator is also retained.
On Apple Vision Pro, Return to Service is also available for the user to trigger from the Lock Screen or the Control Center. Using the SharedDeviceConfiguration.TemporarySessionTimeout key in the Settings command, you can also configure Return to Service to automatically launch after a set period of inactivity (in seconds). In either case, Apple Vision Pro checks in with the device management system to ask for Return to Service to be triggered using the erase command.
Preserve apps with Return to Service
On devices with iOS 26, iPadOS 26, and visionOS 26, Return to Service can also preserve Managed Apps. It securely erases user data, but app binaries remain to make the process even faster.
To enable Return to Service with app preservation, you need to follow the following process:
Join the device to a Wi-Fi network.
Upon activation, the device receives a management configuration specifying the following:
Setup Assistant panes to skip during the initial setup.
The
is_return_to_servicekey which indicates using Return to Service for the device.The
await_device_configuredflag.
If necessary, you can enforce a software update as part of the enrollment.
The device enrolls in a device management service.
The device creates a bootstrap token and sends it to the device management service (similar to macOS). The bootstrap token in iOS, iPadOS, and visionOS is required to authenticate subsequent Return to Service operations.
Important: The device sends it only during the initial setup.
The operating system installs and preserves Managed Apps during Return to Service.
The device management service sends the
DeviceConfiguredcommand to release the device from the Remote Management Setup Assistant pane.A file system snapshot is taken.
Note: You can deliver declarations and profiles during the awaiting configuration state, but the operating system doesn’t preserve them. Also, apps deployed after the snapshot is taken aren’t preserved.
Device reset
Your device management service triggers Return to Service and includes the following:
The configuration required for Wi-Fi connectivity.
The escrowed bootstrap token.
If necessary, the enrollment profile for the device management service. If you don’t specify one, the device queries Apple School Manager or Apple Business Manager.
The reset process works like this:
The operating system securely erases the previous user’s data from the device.
The device restarts.
The device reverts to the file system snapshot.
The device joins the Wi-Fi network that Return to Service specifies.
If necessary, you can enforce a software update as part of the enrollment.
The device enrolls in a device management service.
The operating system installs Managed Apps and configurations. If the Managed App was installed previously, the device preserves the app from the snapshot.
The device management service sends the
DeviceConfiguredcommand to release the device from the Remote Management Setup Assistant pane.
Allow Apple Vision Pro to join Wi-Fi on restart
When a user finishes using an Apple Vision Pro, the device is often shutdown or disconnected from its power source. When the next user picks up the device, it powers on and remains locked to the previous user. In order for the new user to trigger the Return to Service flow from the Lock Screen, the device needs to be on a Wi-Fi network so it can send requests to the device management service.
To ensure Wi-Fi connectivity after a restart, the device management service can install a Wi-Fi configuration, and set the AllowJoinBeforeFirstUnlock key to true. This key is supported only when using Return to Service with app preservation and allows the device to join that Wi-Fi network automatically after a restart.
The following conditions apply when the AllowJoinBeforeFirstUnlock key is used:
Only a single Wi-Fi configuration can contain this key.
The Wi-Fi configuration:
Needs to be installed in each Return to Service cycle.
Have the
IsHotspotkey set tofalseor not be present.Have the
ProxyTypekey set toNoneor not be present.Can’t include the
EAPClientConfigurationkey.Can’t include the
QoSMarkingPolicykey.