There’s a lot of information available in the Apple admin community about the best ways to onboard devices and deploy them to users. We’ve got Automated Device Enrollment, zero-touch deployment, and other workflows that help at the beginning of a device’s lifetime. But what about the other end of the device lifecycle, when you’re ready to move devices out of your organization? Offboarding workflows don't get as much attention.
There are several common reasons you might want to “end-of-life” a device. Maybe you’re trying (finally) to migrate all devices to Apple silicon. Or you want to standardize on one operating system that older devices don’t support. Perhaps you have a fractional replacement policy: You automatically replace some proportion of your devices every year as they age, to keep your fleet generally up to date.
Whatever the reason you’re moving devices out of the organization, here are some of the things you should be thinking about as you plan for their end-of-life and some generalized workflows for getting those devices ready for their next steps.
Goals of the Offboarding Process
Regardless of why you’re removing a device from inventory, there are three main goals for an offboarding process.
First, you need to protect company data. You want to be sure that, when a device leaves your organization, it isn’t taking any of your data with it. In this case, “data” is defined broadly: It could include things like asset tags or other physical evidence that ties that device to your organization. Delaying the offboarding process can itself be a security risk: A closet full of unused computers is a lure for thieves. Better to get those devices safely out of the building.
Second, you want to preserve as much of the device’s residual value as you can. As noted above, that may mean moving it along well before it’s stopped being useful. When calculating residual value, take into account the costs of offboarding itself. If, for example, selling old devices yourself incurs a labor cost (because your IT team takes time to prepare devices and fulfill sales), you need to account for that in your calculations.
Third, you need to consider your legal, accounting, and compliance obligations. You may need to prove the chain of custody for a device as it leaves your organization. If you're getting rid of devices used by employees who have left the organization, you may need to keep them in storage for a period of time in case of legal action. If you’re accountable for carbon offsets, you’ll need to have proof devices have been recycled. In many jurisdictions, it’s illegal to send old hardware to the dump; even if it’s legal, we’d argue that it isn’t responsible.
Alternatives for Offboarding Apple Devices
So, with those goals in mind, you’ve got several options when it comes to offboarding a device, depending on how valuable it still is.
If the device has no real residual value at all, you have two alternatives: You could donate it to another organization—typically a school or a nonprofit. Or you could take it to an electronics recycler. As we just said, sending it to landfill isn’t an option.
Return or Trade-in
If the device still has some residual value, you’ve got several other paths to consider.
One is Apple itself. Some enterprise customers in the U.S. can work with their Apple account teams and Apple Financial Services on returning used devices and possibly getting credit for them. Apple refurbishes those devices that are in good condition and recycles the rest.
However, this route is generally an option only for organizations with large budgets and buying volumes. If you don’t qualify, you might consider Apple Trade-In for Business; you can reach out to your Apple Authorized Reseller for details on that.
There’s also the option of selling old devices yourself.
As we noted above, selling devices on the open market can provide a good return as long as the time and resources required don’t offset it. But unless you already have the infrastructure (an online sales outlet and in-house shipping facilities, among other things), selling used Apple devices yourself can be a losing proposition. If your business doesn't routinely sell and ship physical goods, or if it would take your team a day or more to prep devices for sale on a site like eBay and then fulfill those sales, you might want to consider a less labor-intensive path. (And don't forget to consider the possible tax implications of such sales.)
There are, however, companies that will do the selling for you. One good example: Kandji partner Diamond Assets. Their goal is to make the offboarding process as efficient and effortless for you as possible.
They actually send out their own employees to pick up equipment and transport it back to their facilities; you don’t have to mail them anywhere. Diamond Assets documents the chain of custody, which may be required by some sellers.
Diamond then collects information about each device—specifications, serial number, and so on—and communicates that back to clients, who can use it to update their asset-management records and ensure those devices are removed from what Diamond Assets calls “encumbrances”—which we’ll get to in a moment.
Some customers find this data useful in managing users, too: If a given employee is responsible for an unusually large number of damaged devices, this is a good time to find out and a good opportunity for some end-user education. (Diamond Assets has found that the condition of devices often maps to the company department. Engineers, it turns out, are really hard on their hardware.)
After collecting that information, Diamond Assets evaluates and grades the devices, looking for defects. Those grades ultimately determine the offer they’ll make. Devices that can’t be resold are recycled responsibly.
Regardless of which path a device takes, Diamond Assets will ensure that it’s fully erased to preserve data security. It will also remove asset tags, stickers, and other identifiers that could connect the device to your organization.
Preparing Devices for Offboarding
Whichever path you choose, it makes sense to prepare your devices for offboarding before they leave your organization.
Wherever you’re sending a device, there are some steps you need to take to prepare it for its journey. It’s better to do it yourself than to rely on whoever is taking it off your hands because then you know (a) it’s really been done and (b) it’s been done to your specific requirements. The good news is that your MDM solution can help with almost everything short of cleaning off stickers.
Depending on how strictly you’ve been managing the devices you’re trying to clear out, you may need to first disconnect them from personal accounts for services such as iCloud. Even if you wipe the device later, that won’t delete its record on the service side.
Your users are in the best position to take care of that. Apple has general guidelines for removing devices associated with a given Apple ID, as well as more specific steps for doing so in iCloud, Find My, and Apple Music. If they’ve paired an Apple Watch with a company iPhone, they’ll need to unpair them.
Ideally, you’d provide them with a checklist of steps to take in disconnecting the device from personal accounts. To encourage their cooperation, you can remind them about the limits on the number of devices that can be associated with a given Apple ID. If they don’t remove the outgoing device from their list, they could eventually run out.
You’ll also want to remove the devices from any per-device software licenses you might have. Your MDM solution can help here: If you’ve been using it to distribute apps you bought through Apple Business Manager, you can remove those apps from those devices via MDM. (For instructions on how to do so in Kandji, see our support article “Configure Apps and Books.”)
You also need to remove the device from Apple Business Manager. Apple outlines that process here.
Finally, if you have a backup program for devices, you’ll want to do one final backup before moving the device on to its next step.
You also need to remove any encumbrances, such as Activation Lock, that might prevent the next owner from accessing the device. (You’ll wipe out user passwords in the next step.) Fortunately, MDM can help here.
If you’ve managed to get your users to turn off Find My before they hand over the device, you’re in luck because that means Activation Lock is already turned off. But if you weren’t that lucky, you may still be able to use MDM to turn it off. We say “may” because it depends on how Activation Lock was initially enabled.
Device-based Activation Lock means the MDM solution (not the user) contacts Apple servers to lock or unlock the device. The MDM solution creates its own escrow key and sends it to Apple servers when it needs to enable or disable Activation Lock for the device.
User-linked Activation Lock, on the other hand, relies on the user’s personal iCloud account to lock and unlock the device. In this case, the MDM solution can fetch the bypass code created by the device and store it before allowing Activation Lock to be turned on. If the user can’t authenticate with their personal Apple ID—if, for example, they’ve left the organization—this bypass code can be used to turn off Activation Lock remotely via MDM.
If your MDM solution can’t remove Activation Lock, don’t despair: There are still ways you may be able to remove it. If you do pass a device along to a reseller such as Diamond Assets, they’ll work with you to remove it.
The other encumbrance you need to clear is the firmware lock, if one has been enabled. (Firmware passwords are an option only on Mac computers with Intel processors.) If you pass such a device to another party without the firmware password, it won’t boot from any internal or external storage device other than the selected startup disk. (That password also blocks most startup key combinations.)
Fortunately, you can use MDM to turn off the firmware lock. Here, for example, is how to do it in Kandji.
Erase the Contents
With the encumbrances cleared, the next step is to erase all the data. This will clear out any data that you don’t want anybody else to see, including user accounts and credentials.
Fortunately, MDM can help here, too. If you’re erasing iPhone or iPad devices, or Mac computers with Apple silicon or the Apple T2 Security Chip using macOS 12.0.1 or later, your MDM solution should be able to send an Erase All Content and Settings command. Doing so initiates a cryptographic erase thorough enough to meet NIST standards. Sending an EraseDevice command via MDM to older Mac computers will erase not only content and settings but also the operating system itself (a behavior accurately labeled “obliteration”). That makes the device unbootable until an OS is reinstalled.
When you erase an iPhone or iPad, Find My and Activation Lock are automatically turned off as part of the bargain.
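As an added illustration (not Kandji’s or Apple’s code), the following Python sketches how an offboarding workflow could pick the erase path and queue the MDM commands the preceding paragraphs describe. The device record fields and the decision rules are assumptions distilled from the text; the command keys RequestType, PIN and ActivationLockBypassCode come from Apple’s MDM protocol.

```python
import plistlib
import uuid

def erase_plan(dev):
    """Return (mode, commands) for one constructed device record; mode is
    'cryptographic' (Erase All Content and Settings) or 'obliteration'
    (older Macs: OS removed, unbootable until reinstalled), per the post."""
    plat = dev["platform"]
    commands = []
    if plat in ("ios", "ipados"):
        mode = "cryptographic"  # erase also turns off Find My / Activation Lock
    elif plat == "macos" and dev["secure_chip"] and dev["os_major"] >= 12:
        mode = "cryptographic"  # Apple silicon or T2 on macOS 12.0.1 or later
    elif plat == "macos":
        mode = "obliteration"
    else:
        raise ValueError(f"unsupported platform {plat!r}")

    # The post says the erase clears Activation Lock only on iPhone and iPad.
    # For a Mac with user-linked Activation Lock, fetch the escrowed bypass
    # code first so the lock can be released via MDM; device-based lock is
    # released with the MDM's own escrow key, so nothing extra is queued.
    if plat == "macos" and dev.get("activation_lock") == "user-linked":
        commands.append({"RequestType": "ActivationLockBypassCode"})

    erase = {"RequestType": "EraseDevice"}
    if plat == "macos":
        # Assumption: the protocol's six-character Find My PIN is supplied for
        # every Mac so the next owner can unlock it after the erase.
        pin = dev.get("pin", "")
        if not (len(pin) == 6 and pin.isdigit()):
            raise ValueError("macOS EraseDevice needs a six-digit numeric PIN")
        erase["PIN"] = pin
    commands.append(erase)
    return mode, commands

def as_plist(cmd):
    """Wrap one command in the envelope an MDM server sends (CommandUUID)."""
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": cmd})

if __name__ == "__main__":
    fleet = [  # constructed sample records
        {"platform": "ipados", "secure_chip": True, "os_major": 16},
        {"platform": "macos", "secure_chip": True, "os_major": 13,
         "activation_lock": "user-linked", "pin": "482913"},
    ]
    for dev in fleet:
        mode, cmds = erase_plan(dev)
        print(dev["platform"], mode, [c["RequestType"] for c in cmds])
```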
Remove the Device from MDM
All that done, you can remove the device from MDM and from Apple Business Manager. Here, for example, is how to remove a device from Kandji. And here are Apple’s instructions on taking care of that second task.
Clean the Device
Before the device leaves your physical control, you can maximize its value by removing any stickers or other identifying marks. This isn’t just about aesthetics: Important data doesn’t live only on the hard drive. Asset tags, corporate stickers, and engravings can also be potential security gaps. Clear off anything you can. Again, some resale services may do this for you; check out that option before you send out a well-stickered notebook.
How MDM Can Help in the Offboarding Process
The goal in all of this is peace of mind: You should be able to say goodbye to the device without any lingering doubts or worries. Your MDM solution can play a big part in giving you that peace of mind—and make the whole process easier.
If your practice is particularly mature—if, say, you’ve integrated MDM with your identity management or asset management tools—you might be able to trigger these workflows by, say, marking a device inactive in the asset manager. However it works for you, the more you can automate the process of offboarding an Apple device, the more comfortable you’ll be when it finally goes out the door.
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.