Wipe is a security action that lets an admin remotely erase the data from a device via MDM. The feature makes it easy to clear and reset a device when required. This article briefly explains how the wipe works for macOS devices.
What is a wipe for a macOS device
You can find the wipe action under the Security dropdown in the Devices list (Management > Devices) or on a single Device page. If needed, an article about remote wipe gives general information about the action and how to follow its progress.
When you wipe a Mac
The wipe process differs depending on the device's macOS version and hardware support.
- For older Macs, a wipe PIN code is generated, and wiping all the user data and apps also requires reinstalling macOS. These are approximately all Intel-based Mac models older than 2018 and not equipped with a T2 security chip, or devices running macOS 10.14 or earlier. The PIN code is required for taking the device into use after the wipe.
- Devices with newer macOS versions, all Intel-based Macs with a T2 security chip or all Apple Silicon Macs, perform an Erase all Content and Settings. This means that the content and settings are wiped without the need to fully reinstall the whole device.
  - In addition, the Erase all Content and Settings requires that the bootstrap token is escrowed for the device (see the paragraph Additional information of this article). If the bootstrap token is missing, the full wipe is processed for the device.
  - For these devices, the PIN code isn't generated and its use is deprecated.
The full list of the Mac models with T2 can be found in the Apple support article.
The authentication pattern, the Bootstrap Token feature, is used for supervised devices running macOS 10.15 or later. The feature is used to grant a secure token to the user logged in to the device and performing certain operations on a device. For example, the wipe for devices with a bootstrap token is processed as Erase all Content and Settings.
The bootstrap token is created when the device is enrolled or when a secure-token-enabled user logs in to the device. You can check whether the bootstrap token is escrowed on the MDM server from the Device page (Management > Devices > Device).
For further information, please see the Apple documentation.
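A device-side pre-check that follows the rules described above, added here as an example and not the MDM product's own code: it reads the macOS version, the hardware type and the bootstrap token status, then reports which wipe path to expect. The hardware labels and result strings are names chosen for this example, and treating every macOS version after 10.14 as "newer" is an assumption, since the article gives no other cutoff.

```shell
#!/bin/sh
# Added example (not the MDM vendor's code): predict the wipe path described above.
# Hardware labels and result strings are names chosen for this example.

# Constructed sample of `profiles status -type bootstraptoken` output (token missing).
SAMPLE_NO_TOKEN='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# Succeeds when the given `profiles` output reports an escrowed bootstrap token.
token_escrowed() {
    printf '%s\n' "$1" | grep -qi 'escrowed to server: *YES'
}

# Succeeds for macOS 10.14 or earlier, e.g. "10.13.6"; fails for "10.15.7" or "14.5".
is_10_14_or_earlier() {
    major=${1%%.*}
    case $1 in *.*) rest=${1#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    [ "$major" -lt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -le 14 ]; }
}

# predict_wipe_path <macos-version> <intel|intel-t2|apple-silicon> <profiles-output>
# Assumption: any version after 10.14 counts as "newer"; the article gives no other cutoff.
predict_wipe_path() {
    if [ "$2" = "intel" ] || is_10_14_or_earlier "$1"; then
        echo "full-wipe-with-pin"              # older Macs: PIN generated, macOS reinstall
    elif token_escrowed "$3"; then
        echo "erase-all-content-and-settings"  # T2 / Apple Silicon with escrowed token
    else
        echo "full-wipe"                       # token missing: falls back to the full wipe
    fi
}

# Classify the local hardware (run in a native, non-Rosetta shell).
detect_hardware() {
    if [ "$(uname -m)" = "arm64" ]; then echo "apple-silicon"
    elif system_profiler SPiBridgeDataType 2>/dev/null | grep -q 'T2'; then echo "intel-t2"
    else echo "intel"
    fi
}

if [ "$(uname -s)" = "Darwin" ]; then
    # On the Mac itself (run as root, which `profiles status` expects): use live values.
    predict_wipe_path "$(sw_vers -productVersion)" "$(detect_hardware)" \
        "$(profiles status -type bootstraptoken 2>&1)"
else
    # Elsewhere: demonstrate with the constructed sample above.
    predict_wipe_path "13.6" "intel-t2" "$SAMPLE_NO_TOKEN"   # full-wipe
fi
```

A result of `full-wipe` on a T2 or Apple Silicon Mac means the bootstrap token should be escrowed before the device is wiped if the Erase all Content and Settings path is wanted.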