MDM Commands

Mobile Device Management (MDM) commands let you remotely execute certain management commands on devices that use MDM. These commands help you remotely control macOS, iOS, and iPadOS devices. Admins with the requisite permission level can run these MDM commands from the JumpCloud Admin Portal: 

Command | macOS Device Enrollment (supported for all enrollment types) | Device-Enrolled iOS/iPadOS (Corporate devices) | User-Enrolled iOS/iPadOS (Personal devices)
Lock | Supported | Supported | Supported
Restart | Supported | Not supported | Not supported
Shut down | Supported | Not supported | Not supported
Erase | Supported | Supported | Not supported
Unenroll device | Supported only via API | Supported only via API | Supported

Important:

Occasionally, some devices running older versions of macOS will fail to erase. If the device cannot be erased, it will be locked.

Prerequisites:

  • MDM is configured for your organization. See Set up Apple MDM.
  • Admins require command running permissions to run MDM Commands. See Admin Portal Roles for more information.

Verify a Device Can Be Managed Using MDM Commands

Before proceeding, you must verify that a device can be managed using MDM commands:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, select the device, then select the MDM tab.
  4. Verify that this device is enrolled in MDM.
    The MDM Enrolled entry on the device's MDM tab shows whether the device is enrolled in mobile device management.

Tip:

You can filter the devices list to show only the devices that are enrolled in MDM by clicking filter by and selecting MDM status - enrolled with JumpCloud.

Lock a macOS Device

To remotely lock a lost device, you must set a PIN. The device remains locked until the user enters the PIN. The user cannot log in until the PIN is entered.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then find the macOS device.
  4. In the device row, click Actions > Lock Device.
  5. In the Lock This Device dialog box, enter a six-digit PIN. Use a number that’s easy to remember, or save it in a safe place, as JumpCloud does not save this information. This is the PIN that the user will need to enter to unlock the device.
  6. Click yes, lock. The device immediately restarts and displays a screen to enter the PIN to unlock the device. Allow 5-10 minutes for the device’s status to change in the JumpCloud Admin Portal.

Restart a macOS Device

Send the restart command to immediately restart the device. Any unsaved work on the device is lost. If the device restarts quickly, the device’s status in the JumpCloud Admin Portal might not change.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then find the macOS device.
  4. In the device row, click Actions > Restart Device.
  5. In the Restart This Device dialog box, click yes, restart.

Shut Down a macOS Device

Send the shut down command to immediately shut down the device. Any unsaved work on the device is lost. If the device restarts quickly, the device’s status in the JumpCloud Admin Portal might not change.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then find the macOS device.
  4. In the device row, click Actions > Shut Down.
  5. In the Shut Down This Device dialog box, click yes, shut down.

Erase a macOS Device

Send the erase command to immediately erase the hard drive on the macOS device, even if the device is locked. Everything on the hard drive, including macOS software, is removed. The user is not warned of this action.

Note:

In macOS Monterey 12 and later, the erase command uses Erase All Content and Settings (EACS) on Monterey computers with Apple silicon or the Apple T2 Security Chip. EACS lets you quickly restore a properly-equipped Monterey computer to the Setup Assistant, and removes all user data. If EACS can’t run on a Monterey computer, the device uses Apple’s obliteration behavior (macOS Big Sur 11.x). 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the device.
  4. From the device page, click Actions > Erase Device.
  5. In the Erase This Device dialog box, enter or paste in a six-digit PIN. Use a number that’s easy to remember, or save it in a safe place, as JumpCloud does not save this information.
  6. Click yes, erase. If an error displays when you run the erase command on a Monterey device, the device still erases (which conforms with Apple’s Big Sur obliteration behavior). 

Lock an iOS or iPadOS Device

When you remotely lock a lost iOS or iPadOS device, the device remains locked until the user enters the device’s passcode.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then find the iOS device.
  4. In the device row, click Actions > Lock Device.
  5. In the Lock This Device dialog box, click yes, lock. The iOS device is immediately locked and displays a lock screen.

Note:

Users have a variety of ways to lock their iPhones and should consult their Apple iPhone documentation.

Erase a Corporate-Owned iOS or iPadOS Device

Send the erase command to immediately remove all data from a corporate-owned device, even if the device is locked. The user is not warned of this action. The user can't access this device until you unlock it and complete the setup. For more information on remote wipe, see Apple’s documentation.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the iOS device.
  4. From the device page, click Actions > Erase Device.
  5. In the Erase This Device dialog box, click yes, erase.

Tip:

If you prefer to remove just the individual profile for iOS or iPadOS, you can remotely unenroll the device through the API, and all the other profiles are removed with it. If the profile was installed through a policy, unbinding the policy from the device uninstalls the profile.

Unenroll a Personal iOS or iPadOS Device

Removing an iOS device from MDM enrollment can only be done for personal devices. The user is not warned of this action. The device will be unenrolled from MDM and all of the data and apps allowed by MDM will be removed when the partition is deleted. You cannot unenroll a corporate device through the Admin Portal; that can be done only through the API.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select the Devices tab, then select the iOS device.
  4. From the Actions menu, click Unenroll Device to remove a user-enrolled iOS device from MDM.
  5. Click yes, unenroll.
  6. To verify the unenrollment, click the MDM tab. The MDM Enrolled status will now be No. Note that unenrolling a device does not remove the device from the Devices List.

Tip:

If you delete a personal or corporate-owned device from the Devices List in the Admin Portal, the device will also unenroll from MDM.
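
The page says corporate devices can be unenrolled only through the API but does not show the call. The following is an added example, not JumpCloud's own code: it builds that request with a dry-run guard so a destructive call is never sent by accident. The base URL, the DELETE route, the x-api-key header, the 24-character hex ID format, and the JUMPCLOUD_API_KEY variable name are assumptions not stated on this page; the IDs are constructed samples.

```python
import os
import re
import urllib.request

# Assumptions (not on this page): API v2 base URL, the Apple MDM device
# route DELETE /applemdms/{apple_mdm_id}/devices/{device_id}, and the
# x-api-key authentication header.
API_BASE = "https://console.jumpcloud.com/api/v2"
# Assumption: object IDs are 24 lowercase hexadecimal characters.
OBJECT_ID = re.compile(r"[0-9a-f]{24}")


def build_unenroll_request(apple_mdm_id, device_id, api_key):
    """Return an unsent Request that unenrolls one device from MDM."""
    for name, value in (("apple_mdm_id", apple_mdm_id), ("device_id", device_id)):
        # Accept only a bare ID so the value cannot change the URL path.
        if not OBJECT_ID.fullmatch(value):
            raise ValueError(f"{name} is not a 24-character hex ID")
    if not api_key:
        raise ValueError("API key is empty; load it from a secret store")
    url = f"{API_BASE}/applemdms/{apple_mdm_id}/devices/{device_id}"
    return urllib.request.Request(
        url,
        method="DELETE",
        headers={"x-api-key": api_key, "Accept": "application/json"},
    )


def unenroll(apple_mdm_id, device_id, api_key, confirm_device_id=None):
    """Dry-run unless the caller repeats the device ID as confirmation."""
    req = build_unenroll_request(apple_mdm_id, device_id, api_key)
    if confirm_device_id != device_id:
        return ("dry-run", req.get_method(), req.full_url)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return ("sent", resp.status, req.full_url)


if __name__ == "__main__":
    # Constructed sample IDs; the key comes from the environment and is
    # never hard-coded. Without confirm_device_id nothing is sent.
    key = os.environ.get("JUMPCLOUD_API_KEY", "example-key")
    print(unenroll("0123456789abcdef01234567",
                   "fedcba9876543210fedcba98", key))
```

After sending, confirm the result on the device's MDM tab, where the MDM Enrolled status should read No.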
