Sending Return-to-Service Commands to iOS Devices with Workspace ONE UEM
With the release of iOS 17, Apple introduced a new MDM Return-to-Service functionality that gives IT admins the option to deploy a Wi-Fi profile with a command that will wipe the device, and then automatically activate and re-enroll the device in MDM. Once re-enrolled, the device returns to the Home Screen and is ready for use. This new MDM feature makes it easy for organizations to erase all user data from a managed iOS device and return it to service without IT admins ever needing to touch the device. This is an excellent option in the healthcare space when it comes to patient tablets or nurse devices. This feature could also be useful in the retail landscape for workers using a device during their shift and then returning it at the end of the day to be used by a different employee the next day. Any scenario when a device needs to be handed off and you need to ensure there is no personal information left on the device between users.
In Workspace ONE UEM, you can send this new command to iOS devices using the Custom Command feature in the console. There are a few important prerequisites that need to be configured prior to using this command. We’ll discuss those prerequisites, as well as the steps for pushing the Return-to-Service command to devices.
Apple’s Return-to-Service command consists of an XML-based set of parameters that erases the iOS device, and automatically re-enrolls the device in MDM using an encrypted Wi-Fi profile. Below is an example of the XML.
<data>base64-encoded profile string</data>
The Wi-Fi profile is a base64 encrypted key that contains all the required data to automatically join the device to a configured Wi-Fi network to allow for activation and re-enrollment. The
WiFiProfileData key is required for the Return-to-Service command to work.
iOS Device Requirements
To start, you need one or more iOS 17 devices enrolled in Workspace ONE UEM. The devices should be corporate-owned and enrolled through Apple Business Manager. This requirement is important because the device knows where/how to re-enroll due to the DEP profile assigned to the device in Workspace ONE.
Note: The Return-to-Service command is only available for devices running iOS 17 and up.
In Workspace ONE UEM, these devices should be assigned to a Device Enrollment Profile that has authentication disabled and the Staging Mode configured as a Single user device. A Default Staging User will also need to be configured in the Enrollment Profile.
Note: it is possible to use a DEP profile with authentication ON, but there will be additional steps for the user to complete upon device restart.
To make the user experience as seamless as possible, it is recommended that you disable all steps in the Setup Assistant in the device enrollment profile.
Note: Ensure that any activation locks are disabled on the iOS devices, otherwise the Return-to-Service command will fail to execute properly.
A Wi-Fi profile is required for the device to activate and re-enroll after it is erased. The profile is sent to the device as part of the XML that executes the command. This profile needs to be encrypted using base64. To start, you’ll need a mobileconfig file with the Wi-Fi profile. You can create this file in Apple Configurator 2 or export an unencrypted Wi-Fi profile from Workspace ONE UEM. To prepare the profile for insertion into the Return-to-Service XML, you can open Terminal.app and run the following command:
base64 -i /path/to/wifiprofile.mobileconfig
Make sure to replace
/path/to/wifiprofile.mobileconfig with the path to your mobileconfig file. Copy the output from this command into the XML under the
<data>base64-encoded profile string</data>
Sending the Return-to-Service Command to Devices
When you are ready to send the command to one or more iOS devices, log into the Workspace ONE UEM console, and navigate to the Devices List View. From the list of devices, place a checkmark next to every device to which you want to send the command. From the More Actions dropdown menu, select Custom Command. Copy the XML into the command window and click Send.
This will send the command to the selected devices and a device wipe will be initiated on each. Keep in mind, the end user will not receive any warning of the command’s pending execution and cannot defer the command for a later time. Any unsaved data or documents the user may have on the device will be lost.
The Return-to-Service command is yet another tool available to IT admins for managing their corporate-owned iOS devices. The command helps ensure that a device is wiped, enrolled, and ready for the next user without the need for IT to physically access the device. This can be extremely helpful for dedicated devices that are transferred between employees, or devices shared among shift workers.
For more information on using Automated Device Enrollment for iOS devices with Workspace ONE, check the following tutorial on EUC Tech Zone.