Device Action: Wipe command

The Wipe action remotely erases a device, removing all data, apps, and settings. This is commonly used for decommissioning devices, preparing them for reuse, or responding to a lost or stolen device. Depending on the platform and device capabilities, additional options are available to control the behavior of the wipe, including Return to Service for automated re-enrollment.

Apple documentation for erasing devices can be found here:

Supported platforms

The Wipe action is available for iOS, iPadOS, macOS, tvOS, and visionOS devices that are enrolled via device enrollment (not User Enrollment).

How to wipe a device

In SimpleMDM, navigate to the device's Device Details page.
Click the "Actions" button on the Device Details page.
Click "Wipe Device".
Enter the device's serial number in the confirmation field. This must match the serial number shown on the device record exactly.
Configure the wipe options as needed (see settings explained below).
Click "Wipe" to send the erase command to the device.

Once the command is acknowledged by the device, the device will be erased and unenrolled from SimpleMDM.

Wipe settings explained

The options displayed on the Wipe screen vary depending on the device's operating system, hardware, and enrollment type. Not all options appear for every device.

All platforms

Serial Number: Required confirmation field. Enter the device's serial number to confirm the wipe. The command will not be sent if the serial number does not match.
Disable Activation Lock: When set to "Yes", SimpleMDM will attempt to disable Activation Lock on the device before erasing it. This prevents the device from being locked to the previous user's Apple Account after the wipe. This option is only available if the device has Activation Lock bypass codes stored in SimpleMDM.
Clear Custom Attributes: When set to "Yes", all custom attribute values stored on the device record in SimpleMDM will be cleared.
Unassign Directly Assigned Profiles: When set to "Yes", any profiles that were assigned directly to the device (rather than through a group) will be unassigned. This prevents those profiles from being automatically re-applied if the device re-enrolls.

iOS / iPadOS / visionOS options

Preserve Data Plan: When set to "Yes", the device's eSIM data plan will be preserved through the wipe. Set this to "Yes" if the device has a cellular data plan that you want to keep active after the erase.
Disallow Proximity Setup: When set to "Yes", the device will not display the Proximity Setup option during the post-wipe Setup Assistant. This prevents nearby devices from offering to transfer settings.

macOS options

PIN: A 6-digit PIN used to unlock the device after it is erased. This is required for Intel Macs without a T2 security chip — the PIN must be entered at the device to proceed past the firmware lock after the wipe. For Macs with a T2 chip or Apple Silicon, the PIN is not used (based on Apple's design).
Erase All Content and Settings (EACS) Fallback: This option appears for Macs running macOS 12+ with a T2 chip or Apple Silicon. It controls what happens if the Erase All Content and Settings method is not available on the device:
- Erase entire drive if EACS not available (default): Falls back to a full disk obliteration if EACS cannot be performed.
- Do not erase if EACS not available: Takes no action if EACS is not available, leaving the device untouched.

Return to Service (iOS 17+, tvOS 18+)

Return to Service allows a device to automatically reconnect to a specified WiFi network, re-enroll in SimpleMDM, and skip Setup Assistant after being wiped. This is useful for shared devices, kiosks, or any workflow where a device needs to be erased and put back into service without manual intervention.

Return to Service: When set to "Yes", the following additional options appear:
- WiFi Profile: Select an assigned WiFi profile for the device to connect to after the wipe. The device will use this network to re-enroll automatically.

When Return to Service is enabled, the Disable Activation Lock option is automatically set to "Yes" and cannot be changed.

For more information on Return to Service, see Apple's documentation on returning managed devices to service.

Preserve Managed Applications (iOS 26+, visionOS 26+)

This option is available when Return to Service is enabled and the device is enrolled via Automated Enrollment (DEP) with a bootstrap token stored in SimpleMDM.

Preserve Managed Applications: When set to "Yes", apps that were installed by MDM at the time of the wipe will be preserved on the device. After the device completes Return to Service and re-enrolls, these apps will still be present without needing to be re-downloaded and reinstalled.
- For managed app preservation to work, the "Return to Service" to setting must be enabled in the DEP Settings tab of the Automated Enrollment used to enroll the device.

Notes

The Wipe action is irreversible. All data on the device will be permanently deleted.
The device must be online and connected to receive the erase command. If the device is offline, the command will be queued and executed the next time the device checks in.
After the wipe command is acknowledged, the device is automatically unenrolled from SimpleMDM. If a device is registered in Apple Business Manager or Apple School Manager, assigned to an MDM server in ABM/ASM connected to SimpleMDM, and has synced with SimpleMDM (appearing in the "DEP Devices" list for that enrollment), it will automatically re-enroll during Setup Assistant after connecting to the internet.
For macOS devices with a T2 chip or Apple Silicon, the default PIN "000000" is used. Admins do not need to remember or enter a PIN at the device after the wipe.
Return to Service is not available for macOS devices.
The Preserve Managed Applications feature requires Automated Enrollment (DEP) and a bootstrap token to be present on the device.

Eric McCann

Updated June 06, 2026 00:42