Help Center Home > MDM Enrollment for Apple > MDM Commands

MDM Commands

Mobile Device Management (MDM) commands let you remotely execute certain management commands on devices that use MDM. These commands help you remotely control macOS, iOS, and iPadOS devices. You can run these MDM commands from the JumpCloud Admin Portal: 

Command MacOS Device Enrollment (supported for all enrollment types) Device-Enrolled iOS/iPadOS (Corporate devices) User-Enrolled iOS/iPadOS (Personal devices) 
Lock
Restart Not supported  Not supported 
Shut down Not supported Not supported 
Erase Not supported 
Unenroll device Supported only via API Supported only via API

Important:

Occasionally, some devices running older versions of macOS will fail to erase. If the device cannot be erased, it will be locked.

Prerequisites:

Verify a Device Can Be Managed Using MDM Commands

Before proceeding, you must verify that a device can be managed using MDM commands:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, select the device, then select the MDM tab.
  4. Verify that this device is enrolled in MDM.

Tip:

Security Commands can now be executed directly from the Devices list using the Action menu.

Lock a macOS Device

To remotely lock a lost device, you must set a PIN. The device remains locked until the user enters the PIN. The user cannot log in until the PIN is entered.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the macOS device.
  4. Click lock device.
  5. In the Remotely lock this device dialog box, enter a six-digit PIN. Use a number that’s easy to remember or save it in a safe place as JumpCloud does not save this information. This is the PIN that the user will need to enter to unlock the device.
  6. Click Lock Device. The device immediately restarts and displays a screen to enter the PIN to unlock the device. You’ll need to allow 5-10 minutes for the device’s status to change in the JumpCloud Admin Portal.

Restart a macOS Device

Send the restart command to immediately restart the device. Any unsaved work on the device is lost. If the device restarts quickly, the device’s status in the JumpCloud Administrator Portal might not change.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the macOS device.
  4. Click restart device.
  5. In the Restart this Device dialog box, click yes, restart.

Shut Down a macOS Device

Send the shut down command to immediately shut down the device. Any unsaved work on the device is lost. If the device restarts quickly, the device’s status in the JumpCloud Admin Portal might not change.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the macOS device.
  4. Click shut down device.
  5. In the Shut Down This Device dialog box, click yes, shut down.

Erase a macOS Device

Send the erase command to immediately erase the hard drive on the macOS device, even if the device is locked. Everything on the hard drive, including macOS software, is removed. The user is not warned of this action.

Note:

In macOS Monterey 12 and later, the erase command uses Erase All Content and Settings (EACS) on Monterey computers with Apple silicon or the Apple T2 Security Chip. EACS lets you quickly restore a properly-equipped Monterey computer to the Setup Assistant, and removes all user data. If EACS can’t run on a Monterey computer, the device uses Apple’s obliteration behavior (macOS Big Sur 11.x). 

  1. Log in to the JumpCloud Admin Portal..
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the macOS device.
  4. Click erase device.
  5. In the Erase this Device dialog box, enter or paste in a six-digit PIN. Use a number  that’s easy to remember or save it in a safe place as JumpCloud does not save this information.
  6. Click yes, erase. If an error displays when you run the erase command on a Monterey device, the device still erases (which conforms with Apple’s Big Sur obliteration behavior). 

Lock an iOS or iPadOS Device

When you remotely lock a lost iOS or iPadOS device, the device remains locked until the user enters the iPhone’s passcode. 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the iOS device.
  4. Click lock device.
  5. In the Lock This Device dialog box, click yes, lock. The iOS device is immediately locked and displays a lock screen.

Note:

Users have a variety of ways to lock their iPhones and should consult their Apple iPhone documentation.

Erase a Corporate-Owned iOS or iPadOS Device

Send the erase command to immediately remove all data from a corporate-owned device, even if the device is locked. The user is not warned of this action. The user can't access this device until you unlock it and complete the setup. For more information on remote wipe, see Apple’s documentation

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the iOS device.
  4. Click erase device.
  5. In the Erase this Device dialog box, click yes, erase.

Tip:

If you prefer to remove just the individual profile for iOS or iPadOS, you can remotely unenroll the device through the API and all the other profiles will leave with it. If the profile was installed through a policy, unbinding the policy from the device uninstalls the profile.

Unenroll a Personal iOS or iPadOS Device

Removing an iOS device from MDM enrollment can only be done for personal devices. The user is not warned of this action. The device will be unenrolled from MDM and all of the data and apps allowed by MDM will be removed when the partition is deleted. You cannot unenroll a corporate device through the Admin Portal; that can be done only through the API.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the iOS device.
  4. Click unenroll device to remove a user-enrolled iOS device from MDM.
  5. Click yes, unenroll.
  6. To verify the unenrollment, click MDM. The device’s MDM Enrolled Status will change from yes to no. Unenrolling a device does not remove the device from the Devices List.

Tip:

If you delete a personal or corporate-owned device from the Devices List in the Admin Portal, the device will also unenroll from MDM.

Back to Top

List IconIn this Article

Notebook IconLearn More

Set Up Apple MDM

Choose an MDM Enrollment Method

Add Company-Owned Apple Devices to MDM with Device Enrollment

Users: Enroll Your Personal iOS Device

Use Windows and Linux Security Commands

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case