Intune Customer Success

Support Tip: Erase remote action on macOS 12.0.1 devices requires bootstrap token

Intune_Support_Team
Mar 23, 2022

You can wipe macOS devices using the Erase remote action in Microsoft Endpoint Manager, as explained in Erase all data from a macOS device. However, a remote wipe for Apple silicon-based devices running macOS 12.0.1 or later requires a bootstrap token issued by Microsoft Intune. For detailed requirements to remotely wipe macOS devices, go to Wipe Apple devices remotely - Apple Support.

On March 26th, as part of Intune’s 2203 service release, we will add support for bootstrap tokens (public preview). Once this feature is rolled out, a bootstrap token will be generated automatically and escrowed to Intune after a user who holds a secure token (usually an administrator account) signs in to the device. If your remote wipe fails because the bootstrap token is missing, continue reading to learn how to diagnose the issue and restore the device.
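As an added example (not code from the Intune Support Team post or from the shell-intune-samples repository linked in the comments), the following POSIX shell script reports a Mac's bootstrap token escrow state in the style of an Intune custom attribute. It assumes that `sudo profiles status -type bootstraptoken` prints the two `profiles: Bootstrap Token ...: YES|NO` lines shown in the comments; the parsing is factored into a function that takes that text as an argument, and the sample outputs are constructed so the logic can be exercised on any shell, not only on a Mac.

```shell
#!/bin/sh
# Added example, not from the Intune Support Team post or the shell-intune-samples repo.
# Reports whether this Mac's bootstrap token has been escrowed to the MDM server, in the
# style of an Intune custom attribute (one summary line on stdout).
#
# Assumed format: on macOS, `sudo profiles status -type bootstraptoken` prints lines like
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: YES
# The parsing lives in a function that takes that text as its argument, so it can be
# checked against constructed sample output on any POSIX shell.

# Usage: classify_bootstrap_status "<profiles output>"
# Prints exactly one of: Escrowed, NotEscrowed, Unsupported, Unknown
classify_bootstrap_status() {
    _out="$1"
    # Pull the YES/NO value after each known label; empty if the label is absent.
    _supported=$(printf '%s\n' "$_out" \
        | sed -n 's/.*Bootstrap Token supported on server: *\([A-Za-z]*\).*/\1/p' | head -n 1)
    _escrowed=$(printf '%s\n' "$_out" \
        | sed -n 's/.*Bootstrap Token escrowed to server: *\([A-Za-z]*\).*/\1/p' | head -n 1)

    if [ -z "$_supported" ] && [ -z "$_escrowed" ]; then
        # Neither label found: the command failed (e.g. not run as root) or the format changed.
        echo "Unknown"
    elif [ "$_supported" = "NO" ]; then
        # The MDM server reports no bootstrap token support for this enrollment.
        echo "Unsupported"
    elif [ "$_escrowed" = "YES" ]; then
        echo "Escrowed"
    else
        # Supported but not yet escrowed: an Erase remote action would fail on this device.
        echo "NotEscrowed"
    fi
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ESCROWED="profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES"
SAMPLE_NOT_ESCROWED="profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO"
SAMPLE_UNSUPPORTED="profiles: Bootstrap Token supported on server: NO
profiles: Bootstrap Token escrowed to server: NO"

# Use the real command when running as root on macOS; otherwise fall back to a sample
# so the script still runs for demonstration elsewhere.
collect_bootstrap_status() {
    if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ] && command -v profiles >/dev/null 2>&1; then
        profiles status -type bootstraptoken 2>&1 || true
    else
        printf '%s\n' "$SAMPLE_NOT_ESCROWED"
    fi
}

main() {
    _status=$(classify_bootstrap_status "$(collect_bootstrap_status)")
    # The summary line is what a custom attribute script would hand back to Intune.
    echo "BootstrapToken: $_status"
}

main "$@"
```

Run it with `sudo` on a Mac to read the live state; anywhere else it classifies the constructed "not escrowed" sample. A result of `NotEscrowed` on an Apple silicon Mac running macOS 12.0.1 or later is the condition under which the Erase remote action described in this post fails, so it is the value worth alerting on before a wipe is attempted.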

Note: Bootstrap tokens are not currently supported for Intune for Government or Intune operated by 21Vianet.

When you initiate the Erase remote action in Intune without the required bootstrap token, a failed wipe status is returned.

Screenshot of the Microsoft Endpoint Manager admin center showing a ‘Wipe: Failed’ status for a MacBook Pro device.

The device will still receive the Erase remote action but will fall back to the macOS “obliteration behavior,” which is explained in the Apple Support article linked above. When this occurs, the device will be unable to boot and may show the following error screen.

Screenshot of a macOS black screen with a warning (!) icon and the text “support.apple.com/mac/restore”.

If a device enters this state, you will need to use another macOS device running Apple Configurator 2 to restore it. Steps on how to restore Mac devices are available at Revive or restore a Mac with Apple silicon using Apple Configurator 2 - Apple Support.

If you have any feedback or questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Updated Dec 01, 2023
Version 3.0

5 Comments

    • obold1

      Here is it:

      https://github.com/microsoft/shell-intune-samples/blob/master/macOS/Custom%20Attributes/Check%20bootstrap%20token%20escrow%20status/checkBootstrapTokenEscrowStatus.sh

  • Hi Tim_bl, thanks for the questions and we would be happy to assist here! Regarding the ability to check when a bootstrap token was generated on devices, see our GitHub: microsoft / shell-intune-samples | Check bootstrap token escrow status which is a custom attribute you can leverage to return the results of the bootstrap token escrow status. One thing to keep in mind is that a macOS device must be supervised or enrolled through Apple Device Enrollment (ADE) in order to have support for a bootstrap token with Intune and you can find more info here: Set up enrollment for macOS devices. To confirm, both personal and corporate devices with bootstrap token are supported and we’d be happy to help if you have further questions about either.

  • Tim_bl

    Dear Intune_Support_Team,

    Is there any way to verify remotely whether this bootstrap token was generated on devices after the 2203 release? Furthermore, is there any difference between devices enrolled as personal (Company Portal application) or corporate (automated device enrollment) regarding automatic bootstrap token generation?

    Thank you!
    Tim