If a corporate device, or a personal device used for work, is lost or stolen, you cannot risk a corporate data leak. Locking the device is one solution, but what if the password is cracked? In that case, completely wiping the device might be the only option to protect such sensitive data.
You can either perform a corporate or a complete wipe. A corporate wipe is usually recommended if you are wiping a BYO Device. This ensures that the personal data in the device will be left untouched. Use a complete wipe to wipe a corporate-owned device.
Note:
- The Wipe Device action is supported on the following platforms:
  - Android
  - ChromeOS
  - Windows
  - iOS 4.0 and above
  - macOS 10.7 and above. For macOS 12.0.1 and above, the Wipe Device action will erase all content and settings (EACS) instead of completely resetting the device.
  - tvOS 10.2 and above
  - Fire OS 6.0 and above
- The device management of a wiped device can only be retained in some types of Android and iOS device enrollments.
Warnings:
1. The wipe action cannot be stopped halfway. Once initiated, the process stops only after the device is wiped completely.
2. If a device is wiped, all corporate, as well as personal data including files, contacts, calendars, apps, certificates, and settings, will be deleted.
3. Hexnode UEM no longer manages a standard/rooted Android, unsupervised iPhone/iPad, Windows or Mac once it is wiped. Such devices need to be re-enrolled manually. The device details in the Hexnode UEM portal will stay as they are.
   - Android devices enrolled via Samsung Knox, Zero-touch, Android ROM/OEM enrollment, devices with Hexnode MDM as a system app and devices with Hexnode System Agent app as a privileged app will re-enroll in Hexnode UEM automatically once the device is turned on and connected to the internet after wiping.
   - For supervised iOS:
     - If the device is enrolled via Apple Configurator, it won’t stay connected with Hexnode after a complete wipe and has to be enrolled again.
     - If the device is enrolled via DEP, it will be re-enrolled to Hexnode even after a complete wipe.
   - If the iOS devices are added to DEP via Apple Configurator, users can opt out of MDM management by wiping the device to its factory settings during the 30-day provisional period. On activating the device after the wipe, the user will be asked to activate remote management; clicking Leave Remote Management at the bottom of the screen disables MDM administration. However, after the initial 30 days of the device deployment, this option will be disabled on the device.
To wipe a device completely,
- Log in to your Hexnode portal.
- Navigate to the Manage tab.
- Click on the device you wish to wipe or select the devices.
- From the Actions drop-down, select Wipe Device.
- If you are remotely wiping a device running macOS 10.8 or above, enter your Find My Mac PIN.
- If required, enable Clear Factory Reset Protection/Activation Lock.
- If the attempt to Erase All Content and Settings fails on a macOS 12.0+ device, the device resorts to its fallback behavior. Select your Mac’s fallback behavior from the options below:
  - Complete Wipe: The device gets wiped completely and requires manual re-installation of the OS before the device can be used again.
  - Do not wipe: No attempt is made to wipe the device completely.
- Enable Retain eSIM Configuration to preserve the data plans of eSIMs on iOS 11+ devices.
- Click Wipe in the confirmation dialog.
- Enter the password of your Hexnode UEM portal and click Confirm to initiate the device wipe.
Notes:
- Enabling the option Clear Factory Reset Protection/Activation Lock clears the Activation Lock on:
  - supervised iOS devices, and
  - Macs with T2 security chip and enrolled via ABM/ASM, or devices running macOS 10.5+ with Apple silicon chip.
  The option will disable Factory Reset Protection on Android devices enrolled as Device Owner in the Android Enterprise program.
- If a DEP-enrolled device is wiped, and the DEP policy associated with the DEP account has the option “Enroll devices in MDM” enabled, the device will be automatically re-enrolled in MDM.
- If the “Wipe Device” action is initiated on non-DEP enrollment devices, it is necessary to re-enroll the devices manually to resume device management.
- For macOS 12.0+ devices, the result of the wipe action varies depending on the processor:
  - Intel Macs without T2 security chip: The device will get remotely locked with the Find My Mac PIN.
  - Silicon Macs without T2 security chip: If the bootstrap token is deployed, all content and settings get erased. Otherwise, the device undergoes fallback behavior.
  - Macs with T2 security chip: All content and settings get erased provided the following conditions are met:
    Intel:
    - The device must be in Full Security mode.
    - The device must not have an EFI Firmware Password set.
    Silicon chip:
    - The device must be started from the first partition if there are multiple partitions.
    - The device must have a sealed system volume.
    - The device must not be started from an external volume.
    If any of these conditions is not satisfied, the device goes into fallback behavior.
- For Windows devices, the Wipe Device action will automatically reinstall the Windows OS.
  Exception: Depending on some device configurations, the wipe action may leave the device unable to boot and Windows OS will have to be manually installed on the device.
- For ChromeOS devices, you can clear data from a device by deleting all user accounts or restoring it to its factory settings, without disenrolling the device from the portal. Select either Remove User Profiles or Factory Reset based on your preferences.
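The macOS 12.0+ note above, worked as an added example (not Hexnode's code or API): a pre-check over an inventory export that predicts which Macs would erase cleanly, which would only be locked, and which would hit the fallback behavior, with the reason. The `Mac` record, its field names and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

FALLBACKS = ("Complete Wipe", "Do not wipe")  # the two options named on the page

@dataclass
class Mac:  # hypothetical inventory record; field names are assumptions
    name: str
    chip: str                    # "intel" or "silicon"
    t2: bool
    bootstrap_token: bool = False
    full_security: bool = True
    firmware_password: bool = False
    first_partition: bool = True
    sealed_volume: bool = True
    external_boot: bool = False

def unmet_conditions(m):
    """Conditions from the note that would stop Erase All Content and Settings."""
    if not m.t2:  # without T2, only silicon Macs depend on the bootstrap token
        checks = [(m.chip == "intel" or m.bootstrap_token, "bootstrap token not deployed")]
    elif m.chip == "intel":
        checks = [(m.full_security, "not in Full Security mode"),
                  (not m.firmware_password, "EFI firmware password set")]
    else:
        checks = [(m.first_partition, "not started from first partition"),
                  (m.sealed_volume, "system volume not sealed"),
                  (not m.external_boot, "started from external volume")]
    return [reason for ok, reason in checks if not ok]

def wipe_outcome(m, fallback="Do not wipe"):
    """Return (expected result, reasons) for a macOS 12.0+ device."""
    if fallback not in FALLBACKS or m.chip not in ("intel", "silicon"):
        raise ValueError("unknown fallback behavior or chip type")
    if m.chip == "intel" and not m.t2:
        return "remote lock with Find My Mac PIN", []
    reasons = unmet_conditions(m)
    return (f"fallback: {fallback}" if reasons else "erase all content and settings"), reasons

# Constructed sample inventory (not real devices).
INVENTORY = [
    Mac("mac-01", "intel", t2=False),
    Mac("mac-02", "intel", t2=True, firmware_password=True),
    Mac("mac-03", "silicon", t2=False, bootstrap_token=True),
    Mac("mac-04", "silicon", t2=False),
]

if __name__ == "__main__":
    for mac in INVENTORY:
        print(mac.name, *wipe_outcome(mac, "Complete Wipe"))
```

Devices reported as `fallback: Complete Wipe` are the ones that will need a manual OS re-installation after the wipe, so they are worth fixing (or flagging) before a loss event.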
Automatic device wipe using Hexnode UEM
A device can be set up to be wiped completely and automatically if the user enters an incorrect password a specified number of times. This feature is available only on iOS, Android and Windows devices. To set up,
- Go to Policies and create a new policy or continue with an existing one.
- Go to iOS > Passcode, Android > Device Password, Android > Work Profile Password, or Windows > Password.
- Set a value for Failed Attempts/Failed attempts before wipe.
To associate this policy with targets before saving,
- Go to the Policy Targets tab from the policy set-up screen.
- Add devices, users, device groups, user groups or domains.
- Now, save the policy.
To associate the policy after saving it,
- Go to Policies and select the required policy.
- Click on Manage > Associate Targets.
- Click on Device/User/Device Group/User Group/Domain.
- Select the required targets and click on Associate.