3 Best Practices for Wiping and Locking macOS Devices
Best practices for wiping and locking macOS devices: take care with irreversible actions, disable Activation Lock before off-boarding, and prepare in advance.
March 14, 2023
Wiping and locking corporate devices is a regular part of managing an enterprise fleet. As employees come and go or devices get lost or stolen, employers must be ready to wipe and lock devices in different contexts. While these may be standard compliance actions, they come with risks, including accidental deletions or getting a device into an irrecoverable state. In this post, we’ll discuss some things we can do to mitigate these risks and accelerate action within device wipe and lock workflows with a focus on macOS computers.
Best Practice 1: Take extra care with irreversible actions
Locking and wiping are two examples of actions that can be irreversible without physical possession of the device. As organizations continue to become more distributed, it’s more and more likely that the device we’re interacting with is not nearby. While there are measures we can take to de-risk the deployment of most controls (e.g., Staged Rollouts, Communication + Expectation Setting), locking and wiping are discrete actions for which a remote administrator doesn’t have the same recourse.
With this in mind, we should be extra careful when taking irreversible actions and make sure the actor understands the consequences of what they’re about to do. Before submitting a lock or wipe command, we should take care to:
- Confirm the action we’re about to take with the employee’s manager as well as others on our team, to be sure nobody else will be executing the same action.
- Validate that we’re taking action on the correct device — ensure that the device name and the users of that device are what we would expect.
- Ensure the device is connected to the network to guarantee the action will be executed immediately.
- After taking action, broadcast an update to relevant teammates to confirm completion.
Best Practice 2: Disable Activation Lock before off-boarding employees
The most typical use case for wiping a device is when we’re off-boarding an employee. Apple introduced a control called Activation Lock on iOS 7 but more recently shipped it to macOS devices with Apple silicon or the T2 security chip. The release to macOS has been met with criticism from the device management community, since a significant number of otherwise fine MacBooks are now headed to landfills. We should make a point to disable Activation Lock before departing employees are out of reach, to ensure we can recover their computers after wiping them.
Best Practice 3: Prepare in advance for critical situations with Runbooks or SOPs
Locking or wiping a device may be done as part of a typical off-boarding process, but these actions could also be called for in a high-stress situation. If an employee just reported a device lost or stolen, time is of the essence, and we need to act fast. By documenting how we should respond to events like this in the context of our MDM tools, we can avoid potential mistakes when moving quickly.
One of the first questions we should answer to prepare for devices being lost is how much of a threat it is to our business if the encrypted hard drive is never wiped or recovered. This is important because when a device is locked, it’s disconnected from the network, so we won’t be able to execute a subsequent wipe command until it’s unlocked.
If it’s critical to our business that no data, even if encrypted in FileVault, remains in the wild, we should immediately wipe the device. If Activation Lock is enabled on the device, we’d recommend leaving that as-is, and then we can attempt to locate and recover the device with Find My.
If we’re more accepting of a situation where the encrypted drive is never wiped, we might lock the device and include a message with contact information on the locked computer. If it was left in a cafe or on an airplane, there’s a chance we could get it back this way. Note that if we’re taking this action in Jamf, it will ask us to generate a passcode that will be required to unlock the device. As a part of our SOP, we should have a process for generating random passcodes to avoid anyone just entering “123456”.
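The random-passcode step of that SOP, as an added example that is not part of the original post or of Jamf’s tooling: it assumes a 6-digit numeric lock passcode (what Jamf Pro asks for when locking a Mac) and draws from the OS CSPRNG, rejecting the patterns a finder would try first.

```python
import secrets
import string

# Assumption (not stated on the page): the MDM lock passcode is 6 digits.
PASSCODE_LENGTH = 6

# Constructed blocklist of passcodes people reach for under pressure.
BLOCKLIST = {"123456", "654321", "000000", "112233", "123123", "111222"}


def is_weak(passcode: str) -> bool:
    """Reject passcodes a finder could guess: wrong shape, too few distinct
    digits (111111, 121212), straight runs up or down (123456, 654321),
    and anything on the constructed blocklist."""
    if len(passcode) != PASSCODE_LENGTH or not passcode.isdigit():
        return True
    if len(set(passcode)) <= 2:
        return True
    steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
    if steps in ({1}, {-1}, {0}):
        return True
    return passcode in BLOCKLIST


def generate_lock_passcode() -> str:
    """Draw candidates from the OS CSPRNG until one passes the weak check.
    The rejected fraction is tiny, so this loop terminates almost at once."""
    while True:
        candidate = "".join(secrets.choice(string.digits) for _ in range(PASSCODE_LENGTH))
        if not is_weak(candidate):
            return candidate


if __name__ == "__main__":
    # Paste the printed value into the MDM lock prompt and record it with
    # the device name and timestamp in the incident ticket, not in chat.
    print(generate_lock_passcode())
```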
There are a number of different use cases for wiping or locking a device, and this post only scratches the surface of how we can best situate ourselves for success. We hope these practices resonate and can help improve some of your workflows. If you have questions or want to connect, please reach out!