Skip to main content

Lock, Wipe, or Unenroll a Mac (Endpoint Management Tools - Mac)

This article applies to: Endpoint Management Tools

This page is intended for IT support professionals. End users should contact local IT support.

With JSS you can execute four commands to help you manage the security of managed computers: Lock Computer, Remove MDM Profile, Wipe Computer, or Send Blank Push.


If a computer that does not contain sensitive data becomes misplaced or stolen, you may elect to simply "Lock" the computer, which renders the computer unusable to a would-be thief or someone who may encounter the computer during their travels. This command will execute the next time the computer shows up on a network with internet access. If the computer is recovered, you can simply "Unlock" the computer with a passcode that you define.

Remove MDM Profile

If a computer no longer needs to be managed for whatever reason, you can choose to send an "Unenroll" command. This command breaks the relationship between the JSS server and the computer you wish to unenroll; it will execute the next time the computer is on network with internet access. Users of that computer will no longer be able to access Self-Service software, and Admins will no longer be able to assign policies or other management tasks to the computer. 


If a computer contains sensitive data and becomes misplaced or stolen (or you're unsure if it holds sensitive data), you may elect to send a "Wipe" command to the computer. This command wipes the contents of the computers hard drive rendering it un-usable; it executes the next time the computers shows up on a network with internet access. If the computer is recovered later it will need to be unlocked and re-imaged.

Send Blank Push

Sends a blank push notification, prompting the computer to check in with Apple Push Notification service (APNs).

  • None of these four commands remove the computer from the JSS inventory. 
  • The "Wipe" and "Lock" commands require that the machine has an OS X Recovery Partition. The OS X Recovery Partition is on all new Macs by default, and is created on older Macs when OS X 10.7+ is installed for the first time.
  1. Log into your JSS site at<JSSInstance>
    replacing <JSSInstance> with your instance's name.
    For example,
  2. Click Computers.
  3. If desired, enter a search string, then click Search.
  4. Find the computer you wish to run the remote command against.
  5. Click the name of the computer.
  6. Click the Management tab.
  7. Click the icon for the desired command.

Lock and Wipe will ask you to create a passcode, which you can use when the computer is recovered.

The next time the computer contacts the JSS, the command you specified will execute.

You can check the status of these remote commands on the computer's Details page, on the History panel. The Pending Commands tab allows you to cancel a remote command that has not yet run.

Was this page helpful?

Your feedback helps improve the site.