Erase Apple devices
If you’re an administrator or user, you can locally or remotely erase an iPhone, iPad, and Mac—in most cases using the option Erase All Content and Settings. On the device, erasing (or wiping) obliterates all the keys in effaceable storage and renders all user data cryptographically inaccessible.
Erase all content and settings
Mac computers with Apple silicon or with the Apple T2 Security Chip using macOS 12.0.1 or later allow a local administrator—or, if enrolled in MDM, an MDM administrator—to perform an Erase All Content and Settings, similar to behavior permitted on iPhone, iPad, Apple TV, and Apple Watch devices. All user data is erased, along with any additional volumes on the Mac. For a Mac with Apple silicon, the security settings are also reset to their default state (Full Security). An MDM solution:
Can use a restriction to prevent erasing all content and settings on a Mac (this feature already exists for iPhone and iPad devices)
Can use the existing EraseDevice command to erase all content and settings
Ways to initiate a remote wipe command
No matter which Apple device you want to wipe (iPhone, iPad, or Mac), you can initiate a remote wipe command through mobile device management (MDM), iCloud, or Microsoft Exchange ActiveSync. When you initiate a remote wipe command through MDM, the Apple device sends an acknowledgment back to the MDM solution and performs the wipe. For more information, see Remote wipe.
When you initiate a remote wipe through Microsoft Exchange ActiveSync (iPhone and iPad only), the device checks in with the Microsoft Exchange Server before performing the wipe. You can perform the remote wipe using the Exchange Management Console, Outlook Web Access, or the Exchange ActiveSync Mobile Administration Web Tool.
Remote wipe in iOS and iPadOS
For iPhone and iPad, the Erase All Content and Settings option is located in the Settings app. Remote wipe using Erase All Content and Settings isnʼt possible for the following kinds of accounts:
Accounts using User Enrollment
Accounts using Microsoft Exchange ActiveSync when the account was installed with User Enrollment
Accounts using Microsoft Exchange ActiveSync if the device is supervised
Note: Besides using the option Erase All Content and Settings, MDM solutions and users can also set an iPhone or iPad to automatically wipe after a series of failed passcode attempts.
Return to Service for iPhone and iPad
Return to Service allows the process of resetting and reenrolling iPhone and iPad devices to be fully automated and much faster. When the MDM solution sends the command to erase a managed device, it can provide the Wi-Fi details and define which MDM solution to enroll the device in.
The Wi-Fi profile is required to activate the device, unless it has other means of connecting to the internet (such as a tethered connection).
If the device is registered in Apple School Manager or Apple Business Manager, the MDM configuration can be omitted. Omitting it tells the device to check for an enrollment profile during activation. When the MDM configuration is provided, it can be used, for example, in situations where Automated Device Enrollment would otherwise have required interactive authentication.
Using the provided information, the device erases all data and automatically proceeds to the Home Screen, ready to be used. As part of this process, the previously selected language and region are applied. Whether an existing eSIM is preserved depends on the setting of the PreserveDataPlan key. Supervision status manually set by Apple Configurator is also retained.
Remote wipe in macOS with MDM
In macOS 12.0.1 or later, MDM initiates a remote wipe by default with the option Erase All Content and Settings, which you can also find in the following locations:
macOS 13 or later: Apple menu > System Settings > General > Transfer or Reset > Erase All Content and Settings.
macOS 12.0.1 or later (before macOS 13): Apple menu > System Preferences, then in the menu bar, System Preferences > Erase All Content and Settings.
MDM initiates a remote wipe on Mac computers with Apple silicon and those with the Apple T2 Security Chip.
Using an MDM solution, depending on which Mac model you have, you can trigger the Erase All Content and Settings option by sending an EraseDevice command to the Mac. To receive this command, the Mac must meet the requirements listed below.
Minimum supported operating system | Requirement for enabling remote wipe
macOS 12.0.1 or later | With Apple silicon
macOS 12.0.1 or later | With Apple silicon or with the Apple T2 Security Chip
macOS 12.0.1 or later | With the Apple T2 Security Chip
If one or more of the above conditions aren’t met when receiving an EraseDevice command, a Mac by default falls back to using a macOS 11 behavior called obliteration. After a device is erased with obliteration, you must reinstall macOS before the Mac can be used.
You can manage the obliteration fallback behavior for erasing a Mac with the ObliterationBehavior key. If Erase All Content and Settings fails, you use this key (which has no effect on Mac computers that predate the T2 chip) to specify a Mac’s fallback behavior by choosing one of the following values:
Default (or missing key): The device responds to the server with an Error status or no status, and then attempts obliteration.
DoNotObliterate: The device responds with an Error status, and no obliteration occurs.
ObliterateWithWarning: The device responds with a Warning status, and then attempts obliteration.
In addition, an EACSPreflight check can determine the behavior ahead of time and returns Success, Not supported, or Unknown failure with data on why it may have failed. This allows organizations and MDM solutions to determine the most suitable way to proceed prior to sending the
Important: Mac computers enrolled in an MDM solution can be inadvertently erased if the Mac has FileVault turned on and it doesn’t support Erase All Content and Settings. The behavior is similar to obliteration, and a full reinstall of macOS is required.
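The following is an added example, not code from this page or from Apple, that ties together the Return to Service, ObliterationBehavior and EACSPreflight passages above: it issues the EACSPreflight query, maps the three documented outcomes to an ObliterationBehavior policy, and builds the resulting EraseDevice command plists for a Mac and for an iPhone or iPad that should re-enroll through Return to Service. The EraseDevice, DeviceInformation/EACSPreflight, ObliterationBehavior, PreserveDataPlan and ReturnToService keys are named on this page; the PIN key, the WiFiProfileData/MDMProfileData/Enabled keys of the ReturnToService dictionary and the com.apple.wifi.managed payload keys are assumed from Apple's MDM protocol and configuration profile references. The exact preflight strings, SSID, passphrase and identifiers are constructed placeholders.

```python
"""EraseDevice command builders driven by the EACSPreflight result.

Added example, not Apple's code. Keys marked 'assumed' are taken from the
MDM protocol / configuration profile references rather than from this page;
every sample value below is constructed.
"""
import plistlib
import uuid
from typing import Optional, Tuple

# Constructed EACSPreflight strings modelled on the page's three outcomes
# (Success / Not supported / Unknown failure with detail); not real responses.
SAMPLE_PREFLIGHT = {
    "mac-apple-silicon": "Success",
    "mac-t2-not-supported": "Not supported",
    "mac-unknown": "Unknown failure: constructed example detail",
}


def preflight_query() -> dict:
    """DeviceInformation command asking only for the EACSPreflight check."""
    return {"CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": "DeviceInformation",
                        "Queries": ["EACSPreflight"]}}


def classify_preflight(result: str) -> Tuple[str, str]:
    """Map a preflight string to ('success'|'not_supported'|'unknown', detail).

    The prefix is matched case-insensitively; text after the first ':' is
    kept as the failure detail so it can be logged with the decision.
    """
    head, _, detail = result.partition(":")
    key = head.strip().lower()
    if key == "success":
        return "success", ""
    if key == "not supported":
        return "not_supported", detail.strip()
    return "unknown", detail.strip() or result.strip()


def choose_obliteration_behavior(result: str, allow_obliteration: bool) -> Optional[str]:
    """Pick the ObliterationBehavior value; None means omit the key (Default).

    Obliteration leaves a Mac that needs a full macOS reinstall. A policy that
    rejects that outcome sends DoNotObliterate even after a successful
    preflight (EACS can still fail at run time). A policy that accepts it
    keeps the default on Success and otherwise asks for ObliterateWithWarning
    so the server records a Warning status instead of a bare Error.
    """
    outcome, _ = classify_preflight(result)
    if not allow_obliteration:
        return "DoNotObliterate"
    return None if outcome == "success" else "ObliterateWithWarning"


def build_mac_erase(result: str, allow_obliteration: bool, pin: str) -> dict:
    """EraseDevice for a Mac with ObliterationBehavior chosen from the preflight."""
    command = {"RequestType": "EraseDevice", "PIN": pin}  # PIN: assumed key
    behavior = choose_obliteration_behavior(result, allow_obliteration)
    if behavior is not None:
        command["ObliterationBehavior"] = behavior
    return {"CommandUUID": str(uuid.uuid4()), "Command": command}


def wifi_profile(ssid: str, psk: str) -> bytes:
    """Minimal Wi-Fi configuration profile, serialised for WiFiProfileData."""
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.rts.wifi",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Return to Service Wi-Fi",
        "PayloadContent": [{
            "PayloadType": "com.apple.wifi.managed",  # assumed payload type
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.rts.wifi.network",
            "PayloadUUID": str(uuid.uuid4()),
            "SSID_STR": ssid, "AutoJoin": True,
            "EncryptionType": "WPA2", "Password": psk,
        }],
    }
    return plistlib.dumps(profile)


def build_ios_return_to_service(wifi: bytes, mdm_profile: Optional[bytes],
                                preserve_data_plan: bool = True) -> dict:
    """EraseDevice for iPhone/iPad that re-enrolls through Return to Service.

    mdm_profile=None omits MDMProfileData, which the page allows when the
    device is in Apple School Manager or Apple Business Manager and should
    look up its enrollment profile during activation.
    """
    rts = {"Enabled": True, "WiFiProfileData": wifi}  # assumed dictionary keys
    if mdm_profile is not None:
        rts["MDMProfileData"] = mdm_profile
    return {"CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": "EraseDevice",
                        "PreserveDataPlan": preserve_data_plan,
                        "ReturnToService": rts}}


def to_plist(command: dict) -> bytes:
    """Serialise a command as the XML plist the MDM server sends the device."""
    return plistlib.dumps(command)


def from_plist(data: bytes) -> dict:
    """Parse a plist back (used to check the round trip)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    for name, result in SAMPLE_PREFLIGHT.items():
        cmd = build_mac_erase(result, allow_obliteration=True, pin="123456")
        print(name, classify_preflight(result),
              cmd["Command"].get("ObliterationBehavior", "<omitted: Default>"))
    rts_cmd = build_ios_return_to_service(wifi_profile("corp-setup", "constructed-psk"), None)
    print(to_plist(rts_cmd).decode())
```

Running the block with the constructed samples prints the chosen behavior per Mac and the serialised Return to Service command. The one design choice worth noting is that `choose_obliteration_behavior` sets DoNotObliterate unconditionally when obliteration is not acceptable: preflight only predicts the outcome, and the page's own Important note shows a Mac can still end up obliterated at run time, so the guard belongs on every EraseDevice command rather than only on the ones preflight flagged.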