Device Action: Lock device

The Lock action remotely and immediately locks a device, requiring the user to enter their passcode or password to regain access. This is commonly used to secure a lost or unattended device. Optionally, a message and phone number can be displayed on the lock screen to help facilitate the device's return.

Apple documentation for the DeviceLock command can be found here:

Supported platforms

The Lock action is available for iOS, iPadOS, and macOS devices. It is not available for tvOS or visionOS devices in SimpleMDM.

How to lock a device

  1. In SimpleMDM, navigate to the device's Device Details page.
  2. Click the "Actions" menu.
  3. Select "Lock".
  4. Configure the lock options as needed (see settings explained below).
  5. Click "Lock Device" to send the lock command to the device.

Once the command is acknowledged, the device will lock immediately.

Lock settings explained

The options displayed on the Lock screen vary depending on the device's operating system. Not all options appear for every device.

iOS / iPadOS options

  • Phone Number: A phone number to display on the device's lock screen. This can be used to provide a contact number for returning a lost device. Requires iOS 7 or later.
  • Message: A text message to display on the device's lock screen (up to 645 characters). Requires iOS 7 or later.

Note: The message and phone number will only be displayed if the device has a passcode set. If no passcode is configured on the device, SimpleMDM will display a warning when sending the lock command. These fields are also ignored on Shared iPad devices.

macOS options

  • PIN: A 6-digit numeric PIN used for Find My recovery. This PIN is required for Intel Macs without a T2 security chip — it must be entered at the device to unlock it after the lock. For Macs with a T2 chip or Apple Silicon, the PIN is not used.
  • Message: A text message to display on the lock screen (up to 645 characters). Requires macOS 10.14 or later.

Note: On macOS, the lock command uses the Find My framework to lock the device. The command will fail if the Mac does not have a recovery partition.

Important Note: Sending the Lock command to a Mac with Apple Silicon running a version of macOS before 11.5 will deactivate the Mac. To reactivate, the Mac will need a network connection and authentication by a local administrator with Secure Token enabled.

Notes

  • The device must be online and connected to receive the lock command. If the device is offline, the command will be queued and executed the next time the device checks in.
  • User Enrollment devices on iOS/iPadOS can also be locked, but macOS User Enrollment devices cannot.
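
The platform and option rules above can be checked before a lock is sent to a device. The following is an added example, not SimpleMDM code: the Device fields and the preflight_lock function are hypothetical names, no SimpleMDM API is called, and treating a missing PIN on an Intel Mac without a T2 chip as an error is this example's choice.

```python
# Added example: pre-flight check for a Lock request, encoding the rules on this page.
# Device and preflight_lock are hypothetical names, not part of SimpleMDM.
import re
from dataclasses import dataclass

MAX_MESSAGE_LEN = 645
LOCKABLE = {"ios", "ipados", "macos"}  # tvOS and visionOS are not supported

@dataclass
class Device:
    platform: str            # "ios", "ipados", "macos", "tvos", "visionos"
    os_version: str          # dotted version, e.g. "11.4"
    apple_silicon: bool = False
    has_t2: bool = False
    user_enrollment: bool = False
    has_passcode: bool = True
    shared_ipad: bool = False

def _ver(v):
    # "11.4" -> (11, 4) so versions compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

def preflight_lock(dev, message="", phone="", pin=None):
    """Return (errors, warnings); send the lock only when errors is empty."""
    errors, warnings = [], []
    p = dev.platform.lower()
    if p not in LOCKABLE:
        return [f"Lock is not available for {dev.platform}"], warnings
    if len(message) > MAX_MESSAGE_LEN:
        errors.append("message exceeds 645 characters")
    if p == "macos":
        if dev.user_enrollment:
            errors.append("macOS User Enrollment devices cannot be locked")
        if dev.apple_silicon and _ver(dev.os_version) < (11, 5):
            warnings.append("Apple Silicon before macOS 11.5: lock deactivates the Mac")
        if pin is not None and not re.fullmatch(r"[0-9]{6}", pin):
            errors.append("PIN must be exactly 6 digits")
        if not (dev.apple_silicon or dev.has_t2) and pin is None:
            errors.append("Intel Mac without T2 requires a PIN")
        if message and _ver(dev.os_version) < (10, 14):
            warnings.append("message requires macOS 10.14 or later")
    else:
        if (message or phone) and not dev.has_passcode:
            warnings.append("no passcode set: message and phone number will not display")
        if (message or phone) and dev.shared_ipad:
            warnings.append("Shared iPad ignores message and phone number")
    return errors, warnings
```

Warnings are returned separately from errors so that a fleet-wide lock can be held for review when an Apple Silicon Mac on a version of macOS before 11.5 is in scope.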