How to wipe MacBooks and what to be aware of

Returned MacBook? What to do?

12/22/2025

How to identify and handle the two biggest blockers when wiping a
returned corporate MacBook

When a MacBook is returned to IT, the goal is simple: wipe it and redeploy it.

In practice, two Apple security features often stand in the way — FileVault and Activation Lock.

They work at different layers, require different solutions, and behave differently on supervised devices in MDM.

This guide will help you identify which blocker you’re facing and take the right action.

1. FileVault — Data Encryption Roadblock

What it does:

FileVault encrypts the entire SSD with XTS-AES-128 and a 256-bit key, protecting the data from anyone without:

  • The login password, or

  • The FileVault recovery key (often escrowed in MDM).

When it blocks you:

  • You can’t unlock the disk from internal Recovery without one of those credentials.

  • If the recovery key isn’t in MDM and the user is gone, you must boot from an external macOS installer and erase the disk completely — destroying the data but removing encryption.

2. Activation Lock — Device Ownership Roadblock

What it does:

Activation Lock is tied to Find My Mac.

When enabled, Apple’s servers link the Mac’s serial number to an Apple ID.

When it blocks you:

  • After erase/reinstall, Setup Assistant checks with Apple.

  • If linked to an Apple ID, the device prompts for that Apple ID and password.

  • Without them, you can’t complete setup.

3. How Supervision and MDM Change the Rules

When a Mac is:

  • In Apple Business Manager or Apple School Manager, and

  • Assigned to an MDM server (e.g., Intune, Jamf), and

  • Marked as supervised

…the MDM gets an Activation Lock bypass key from Apple.

Result:

  • Even if the user enabled Find My Mac, MDM can clear Activation Lock after erase.

  • However, MDM cannot “bypass” FileVault — you still need the recovery key or must erase externally.

4. Common Return Scenarios

Scenario 1 – FileVault key available

  • Unlock from Recovery.

  • Erase normally.

  • If supervised → Activation Lock is bypassed automatically.

Scenario 2 – FileVault key missing

  • Boot from external macOS installer.

  • Erase the SSD (data gone).

  • If supervised → Activation Lock bypass still works.

  • If removed from ABM → Apple ID prompt may appear.

Scenario 3 – Removed from ABM

  • No MDM bypass.

  • If Find My Mac is on → Apple ID required post-erase.

Best Practices to Avoid Blockers

  1. Always escrow FileVault keys in MDM — configure policies to rotate and store them.

  2. Keep Macs in ABM until decommissioned — this preserves Activation Lock bypass.

  3. Test your bypass — verify on a spare supervised Mac every few months.

  4. Maintain bootable macOS installers — so you can erase without internal unlock.

  5. Audit Find My Mac status — disable if policy forbids it.

Quick Identification Checklist

  • Pre-erase:

    • Can you log in or unlock FileVault with a recovery key?

      • No → External erase required.

  • Post-erase:

    • Is the Mac still in ABM and supervised?

      • Yes → Activation Lock bypass works.

      • No → Apple ID required if Find My Mac was on.
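
The checklist above can be run as a pre-return check on the Mac itself. The script below is an added example, not part of the original guide: the `triage` function and its output labels are made up for illustration, and it assumes that `Enrolled via DEP: Yes` in the `profiles` output is an acceptable stand-in for "still in ABM and supervised". The `Activation Lock Status` line is only reported on Macs with a T2 chip or Apple silicon.

```bash
#!/bin/bash
# Triage a returned Mac against the checklist above (added example).
# Inputs are the text output of three macOS commands:
#   fdesetup status
#   profiles status -type enrollment
#   system_profiler SPHardwareDataType
# can_unlock (yes/no) is the operator's answer: is a login password or
# FileVault recovery key (for example, escrowed in MDM) on hand?

triage() {  # usage: triage "$fde" "$enroll" "$hw" yes|no
  fde=$1; enroll=$2; hw=$3; can_unlock=$4

  # Pre-erase: FileVault on and no credential means an external erase.
  if printf '%s\n' "$fde" | grep -q 'FileVault is On' && [ "$can_unlock" != yes ]; then
    erase=external-installer
  else
    erase=recovery
  fi

  # Post-erase: will Setup Assistant prompt for an Apple ID?
  # Assumption: "Enrolled via DEP: Yes" stands in for "in ABM and supervised".
  if printf '%s\n' "$enroll" | grep -q 'Enrolled via DEP: Yes'; then
    lock=mdm-bypass
  elif printf '%s\n' "$hw" | grep -q 'Activation Lock Status: Enabled'; then
    lock=apple-id-required
  else
    lock=none
  fi
  echo "erase=$erase activation_lock=$lock"
}

if command -v fdesetup >/dev/null 2>&1; then
  # On the Mac itself (run with sudo); pass yes or no as the first argument.
  triage "$(fdesetup status)" "$(profiles status -type enrollment)" \
         "$(system_profiler SPHardwareDataType)" "${1:-no}"
else
  # Constructed sample output: FileVault on, no key, not enrolled, Find My on.
  triage 'FileVault is On.' \
         'Enrolled via DEP: No
MDM enrollment: No' \
         '      Activation Lock Status: Enabled' no
fi
```

An `erase=external-installer activation_lock=apple-id-required` result corresponds to Scenario 2 combined with Scenario 3, the case that needs the previous user's Apple ID or the proof-of-purchase route.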

Last resort

If you still have the receipt, you can contact Apple and provide the proof of purchase, and they can remove Activation Lock. However, Apple cannot bypass FileVault encryption.