Skip to main content
This guide applies to all device platforms

About Device Erase

You can use the Erase Device command on macOS, iOS, iPadOS, tvOS, visionOS, Windows, and Android devices. For Apple devices, this command doesn’t require supervision.

How It Works

The Erase Device command permanently removes all data and settings from a device, returning it to factory defaults. The command is delivered through the platform’s MDM framework and executes when the device is online or queued for offline devices.
A locked Apple device cannot receive an Erase Device MDM command. For more information on locking a device, see our Lock a Device support article.

Platform-Specific Erase Procedures

  • Apple Devices
  • Windows
  • Android

Erase Apple Devices

1

Navigate to Device Record

Navigate to the Device Record in the Iru Web App.
2

Open Device Action Menu

Open the Device Action Menu (three-dot menu).
3

Select Erase Device

Select Erase Device.
4

Configure Erase Options

In the confirmation dialog, review the erase details. For iOS and iPadOS 17+ devices, you can select Return to Service and provide a valid WiFi profile if desired.
5

Confirm Erase

Type ERASE in the confirmation field and click Erase Device to send the command.
The erase command will remove all data and settings from the device, returning it to factory defaults.

Apple Device Considerations

  • Supervision not required - Erase commands work on both supervised and unsupervised devices
  • Immediate execution - Commands are sent via MDM and execute when the device is online
  • Data recovery - All data will be permanently deleted and cannot be recovered
  • eSIM preservation - eSIM-based cellular plans are automatically preserved when using the Iru Web App

Platform-Specific Erase Behavior

  • Apple Devices
  • Windows
  • Android

macOS Erase Behavior

Depending on the macOS version and hardware support, different erase behaviors will occur:

Erase All Content and Settings (EACS)

  • Apple Silicon Macs (macOS 12+): Performs EACS
  • Intel Macs with T2 (macOS 12+): Performs EACS
  • Fallback: If EACS fails, device reverts to obliteration behavior

Obliteration Behavior

  • Apple Silicon Macs (macOS 11 and earlier): Obliteration without PIN
  • Intel Macs with T1/No security chip (macOS 12+): Obliteration with 6-digit PIN
  • Intel Macs with T1/No security chip (macOS 11 and earlier): Obliteration with 6-digit PIN
A 6-digit PIN is automatically generated and available on the device record once the device receives the command. Erase device PINs are not supported on Mac computers with Apple silicon.

iOS and iPadOS Erase Behavior

  • Erase All Content and Settings: Device restarts and presents Setup Assistant
  • Not a full system restore: Device will not be updated to the latest version
  • eSIM preservation: Cellular plans are automatically preserved when using the Iru Web App

Return to Service (iOS/iPadOS 17+)

When erasing iOS or iPadOS 17+ devices, you can select Return to Service which:
  • Automatic setup: Device proceeds through Setup Assistant to home screen without user intervention
  • Auto re-enrollment: Device automatically re-enrolls into Iru after erasure
  • WiFi configuration: Automatically joins WiFi network from selected Library Item
  • Ethernet support: Works with tethered Ethernet connections (kiosks) without WiFi profile
Return to Service Considerations:
  • Activation Lock must be removed before issuing Return to Service command
  • Do not select Library Items with EAP-TLS 802.1X networks with SCEP client identity
  • Return to Service will not work with Automated Device Enrollment that requires authentication
  • Self Service apps will not automatically reinstall when erased from Iru (unlike user-initiated erases)

tvOS and visionOS Erase Behavior

  • tvOS: Initiates a Reset, device reboots and presents Setup Assistant
  • visionOS: Initiates Erase All Contents and Settings

EACS Requirements

  • Bootstrap token required: EACS will fail if no bootstrap token is escrowed
  • Recommended method: Use Iru Web App rather than local Erase Assistant for better results
  • Auto Advance preparation: Properly prepares Mac for re-enrollment using Auto Advance

Legacy Firmware Passwords

In macOS Monterey, Intel-based Macs with T2 Security Chip will perform EACS when receiving an Erase Device command from Iru. However, if a legacy firmware password is present, the device will completely erase and require macOS reinstallation. To preserve EACS behavior, move the device to a Blueprint without a Recovery Password library item before sending the Erase Device command.

Before Erasing a Device

Important: Erasing a device will permanently delete all data and cannot be undone. Ensure you have backed up any important data before proceeding.

Pre-Erase Checklist

1

Backup important data

Ensure any important user data has been backed up before erasing the device.
2

Verify device ownership

Confirm that the device belongs to your organization and you have authority to erase it.
3

Notify the user

If possible, inform the device user that the device will be erased and data will be lost.
4

Check device status

Verify the device is online and can receive the erase command.

Erase Command Execution

Command Delivery

  • MDM Channel: Erase commands are delivered through the platform’s MDM framework
  • Immediate Delivery: Commands are sent immediately when the device is online
  • Queue for Offline Devices: Commands are queued and delivered when the device comes online

Execution Timeline

Online Devices

Commands execute within minutes of being sent for devices that are currently online.

Offline Devices

Commands are queued and will execute when the device next connects to the internet.

Troubleshooting

Possible causes:
  • Device is offline or not connected to the internet
  • Device is locked (Apple devices)
  • MDM enrollment issues
Solutions:
  • Check device connectivity and online status
  • For Apple devices, ensure the device is not locked
  • Verify MDM enrollment is active and functioning
Possible causes:
  • Insufficient storage space
  • Corrupted recovery partition
  • Hardware issues
Solutions:
  • Check device storage space
  • Try a different erase type (Local vs Cloud for Windows)
  • Contact device manufacturer for hardware issues
Possible causes:
  • Erase process still in progress
  • Device needs manual intervention
  • Hardware failure
Solutions:
  • Wait for the erase process to complete (can take 30-60 minutes)
  • Check device status in Iru
  • Contact device manufacturer if hardware issues are suspected

Security Considerations

Data Protection

  • Complete Data Removal: Erase commands remove all user data, applications, and settings
  • Secure Erase: Modern devices use secure erase methods that make data recovery extremely difficult
  • Compliance: Erase commands help meet data protection and compliance requirements

Best Practices

1

Document the erase

Keep records of when and why devices were erased for audit purposes.
2

Verify completion

Confirm the erase was successful by checking device status in Iru.
3

Update inventory

Update your device inventory to reflect the erased device status.