Lock and wipe guide: add iOS/iPadOS best practice (#25311)
Addresses this issue: #23495
noahtalerman authored Jan 10, 2025
1 parent 9c2d68c commit 15198bb
Showing 1 changed file with 8 additions and 11 deletions.
19 changes: 8 additions & 11 deletions articles/lock-wipe-hosts.md
Expand Up @@ -4,10 +4,9 @@

_Available in Fleet Premium_

In Fleet, you can lock and wipe macOS, Windows, and Linux hosts remotely. This allows you to easily deal with situations
where a host might have been lost or stolen, or to remotely prepare a device to be re-deployed to another end user.
In Fleet, you can lock and wipe macOS, Windows, and Linux hosts remotely when a host might have been lost or stolen, or to remotely prepare a device to be re-deployed to another end user.

**Note**: lock/unlock and wipe commands are queued and will run when the device next comes online.
iOS and iPadOS hosts can be wiped. Restricting wipe to only company-owned iPhones and iPads is coming soon.

## Lock a host

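Review bot: the note that lock/unlock and wipe commands are queued and run when the device next comes online has been removed without a replacement, and nothing else in the intro states it. That is the main caveat for the lost-or-stolen case (a wipe sent to a device that is powered off or offline does nothing until it checks in), so keep the sentence, for example as a second paragraph after the new iOS/iPadOS line. Separately, "Restricting wipe to only company-owned iPhones and iPads is coming soon" is a roadmap statement with no link; either reference the tracking issue or drop it so the guide only describes shipped behaviour.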
Expand All @@ -16,25 +15,23 @@ where a host might have been lost or stolen, or to remotely prepare a device to
3. Click the **Actions** dropdown, then click **Lock**.
4. A confirmation dialog will appear. Confirm that you want to lock the device. The host will now be marked with a "Lock pending" badge. Once the lock command is acknowledged by the host, the badge will update to "Locked".*

Currently, there's no **Lock** button for iOS and iPadOS. If an iOS or iPadOS host is lost/stolen, the best practice is to send the [`EnableLostMode`](https://developer.apple.com/documentation/devicemanagement/enable_lost_mode) and [`DisableLostMode`](https://developer.apple.com/documentation/devicemanagement/disable_lost_mode) commands using a [custom command](https://fleetdm.com/guides/mdm-commands). If the host's owner (employee) is leaving the company and keeping a company-owned iOS or iPadOS host, the best practice is to wipe it.

## Wipe a host

1. Navigate to the **Hosts** page by clicking the "Hosts" tab in the main navigation header. Find the device you want to wipe. You can search by name, hostname, UUID, serial number, or private IP address in the search box in the upper right corner.
2. Click the host to open the **Host Overview** page.
3. Click the **Actions** dropdown, then click **Wipe**.
4. Confirm that you want to wipe the device in the dialog. The host will now be marked with a "Wipe pending" badge. Once the wipe command is acknowledged by the host, the badge will update to "Wiped".

## Unlocking a host

**Note**: When a macOS host is locked, Fleet generates a 6 digit security PIN. This PIN must be physically input into the host in order to unlock it.

To unlock a locked host:
## Unlock a host

1. Navigate to the **Hosts** page by clicking the "Hosts" tab in the main navigation header. Find the device you want to unlock. You can search by name, hostname, UUID, serial number, or private IP address in the search box in the upper right corner.
2. Click the host to open the **Host Overview** page.
3. Click the **Actions** menu, then click **Unlock**.
- **macOS**: A dialog with the PIN will appear. Type the PIN into the device to unlock it.
- **Windows and Linux**: The command to unlock the host will be queued and the host will unlock once it receives the command (no PIN needed).*
5. When you click **Unlock**, Windows and Linux hosts will be marked with an "Unlock pending" badge. Once the host is unlocked and checks back in with Fleet, the "Unlock pending" badge will be removed. macOS hosts do not have an "Unlock pending" badge as they cannot be remotely unlocked (the PIN has to be typed into the device).
4. When you click **Unlock**, Windows and Linux hosts will be marked with an "Unlock pending" badge. Once the host is unlocked and checks back in with Fleet, the "Unlock pending" badge will be removed. macOS hosts do not have an "Unlock pending" badge as they cannot be remotely unlocked (the PIN has to be typed into the device).


## Lock and wipe using `fleetctl`
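Review bot: the new iOS/iPadOS paragraph tells the reader to "send the `EnableLostMode` and `DisableLostMode` commands" as the response to a lost or stolen device, which reads as if both are sent together; `DisableLostMode` is the recovery step, so reword to something like "send `EnableLostMode`, and send `DisableLostMode` once the device is recovered". Also, renaming "Unlocking a host" to "Unlock a host" drops the note that locking a macOS host generates a 6-digit PIN that must be typed on the device; that fact now appears only inside step 3 and in the `fleetctl` section, so consider keeping a one-line note under the new heading. The step renumbering from 5 to 4 is a correct fix.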
Expand All @@ -57,9 +54,9 @@ fleetctl mdm wipe --host $HOST_IDENTIFIER

Add the `--help` flag to any command to learn more about how to use it.

**Note**: for macOS hosts, the `mdm unlock` command will return the security PIN, which must be typed into the device in order to finish unlocking it.
For macOS hosts, the `mdm unlock` command will return the six-digit PIN, which must be typed into the device in order to finish unlocking it.

*For Windows and Linux hosts, a script will run as part of the lock and unlock actions. Details for each script can be found in GitHub for [Windows](https://github.com/fleetdm/fleet/blob/337d4955a060854fddcb1dcf35ff0aad679c04eb/scripts/mdm/windows/windows-unlock.ps1) and [Linux](https://github.com/fleetdm/fleet/blob/337d4955a060854fddcb1dcf35ff0aad679c04eb/scripts/mdm/linux/linux-lock.sh) hosts.
*For Windows and Linux hosts, a script will run as part of the lock and unlock actions. Details for each script can be found in GitHub for [Windows](https://github.com/fleetdm/fleet/tree/main/scripts/mdm/windows) and [Linux](https://github.com/fleetdm/fleet/tree/main/scripts/mdm/linux) hosts.

<meta name="articleTitle" value="Lock and wipe hosts">
<meta name="authorFullName" value="JD Strong">
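Review bot: the script links now point at `tree/main` instead of a pinned commit, so the pages they resolve to will change as the scripts evolve and may not match the scripts a reader's Fleet version actually runs during lock and unlock. Since the footnote exists so readers can audit what executes on their hosts, pin to a release tag or commit, or say explicitly that the linked scripts are the current ones rather than the deployed version. Minor: the footnote says scripts run for both lock and unlock, and the old links pointed at only `windows-unlock.ps1` and `linux-lock.sh`; the directory links cover both, which is an improvement.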
