Lock and wipe hosts

Available in Fleet Premium

In Fleet, you can lock and wipe macOS, Windows, Linux, iOS and iPadOS hosts remotely when a host might have been lost or stolen, or to remotely prepare a device to be re-deployed to another end user.

Restricting wipe for iPhones and iPads to only company-owned iPhones and iPads is coming soon.

Lock a host

1. Navigate to the Hosts page by clicking the "Hosts" tab in the main navigation header. Find the device you want to lock. You can search by name, hostname, UUID, serial number, or private IP address in the search box in the upper right corner.
2. Click the host to open the Host Overview page.
3. Click the Actions dropdown, then click Lock.
4. A confirmation dialog will appear. Confirm that you want to lock the device. The host will now be marked with a "Lock pending" badge. Once the lock command is acknowledged by the host, the badge will update to "Locked".*

Currently, for Windows hosts that are Microsoft Entra joined, the best practice is to disable the end user's account in Entra and then lock the host in Fleet. This applies to all Windows hosts that automatically enroll. These hosts are Entra joined.

iOS and iPadOS: Lock action is only available for company-owned (supervised) hosts.

Linux hosts: The system may automatically reboot after approximately 10 seconds to complete the lock process.

Get location of locked iOS/iPadOS host

To obtain the location of a locked iOS or iPadOS host, send the DeviceLocation command using a custom command. This command will only work if the device is locked and in Lost Mode.

To view the location on Google Maps, use the latitude and longitude values from the command response in the following URL: https://google.com/maps?q={latitude},{longitude}

Example response:

  <key>Latitude</key>
  <real>37.33385013244351</real>
  <key>Longitude</key>
  <real>-122.01079213269968</real>

Example URL: https://google.com/maps?q=37.33385013244351,-122.01079213269968

Wipe a host

1. Navigate to the Hosts page by clicking the "Hosts" tab in the main navigation header. Find the device you want to wipe. You can search by name, hostname, UUID, serial number, or private IP address in the search box in the upper right corner.
2. Click the host to open the Host Overview page.
3. Click the Actions dropdown, then click Wipe.
4. Confirm that you want to wipe the device in the dialog. The host will now be marked with a "Wipe pending" badge. Once the wipe command is acknowledged by the host, the badge will update to "Wiped".

Important When wiping and re-installing the operating system (OS) on a host, delete the host from Fleet before you re-enroll it. If you re-enroll without deleting, Fleet won't escrow a new disk encryption key.

Windows hosts Fleet uses the doWipeProtected command. According to Microsoft, this leaves the host unable to boot.

Unlock a host

1. Navigate to the Hosts page by clicking the "Hosts" tab in the main navigation header. Find the device you want to unlock. You can search by name, hostname, UUID, serial number, or private IP address in the search box in the upper right corner.
2. Click the host to open the Host Overview page.
3. Click the Actions menu, then click Unlock.
   • macOS: A dialog with the PIN will appear. Type the PIN into the device to unlock it.
   • Windows, Linux, iOS and iPadOS: The command to unlock the host will be queued and the host will unlock once it receives the command (no PIN needed).*
4. When you click Unlock, Windows, Linux, iOS and iPadOS hosts will be marked with an "Unlock pending" badge. Once the host is unlocked and checks back in with Fleet, the "Unlock pending" badge will be removed. macOS hosts do not have an "Unlock pending" badge as they cannot be remotely unlocked (the PIN has to be typed into the device).

Linux hosts: The system will automatically reboot after approximately 10 seconds to complete the unlock process and ensure the user interface is properly restored. If the host loses connection to Fleet, the unlock process may run again, causing the host to reboot again.

Lock and wipe using fleetctl

You can lock, unlock, and wipe hosts using Fleet's command-line tool fleetctl:

fleetctl mdm lock --host $HOST_IDENTIFIER

fleetctl mdm unlock --host $HOST_IDENTIFIER

fleetctl mdm wipe --host $HOST_IDENTIFIER

$HOST_IDENTIFIER can be any of the host identifiers: hostname, UUID, or serial number.

Add the --help flag to any command to learn more about how to use it.

For macOS hosts, the mdm unlock command will return the six-digit PIN, which must be typed into the device in order to finish unlocking it.

*For Windows and Linux hosts, a script will run as part of the lock and unlock actions. Details for each script can be found in GitHub for Windows and Linux hosts.

** Fleet is currently tracking a known Apple bug, which results in Lost mode being cleared after reboot on iOS/iPadOS 26.