The smooth return of your leased equipment is important to us. At the same time, the security of your data is our top priority. However, active locks and security measures such as BIOS passwords or MDM software can negatively affect our processes, the refurbishment, and the remarketing of devices. Therefore, we reserve the right to charge €35 per locked device delivered as compensation. To ensure the smooth return of your leased equipment and safe and efficient remarketing, and to avoid unnecessary costs, you will find here an overview of common security measures and instructions for removing locks. In this way, we aim to support you in minimizing risks, avoiding negative impacts, and ensuring the reusability of the devices. The removal of any locks and passwords remains your responsibility. We do not assume liability for the completeness or accuracy of the information provided.
BIOS/UEFI password
A BIOS password can be set up to restrict access to a computer's Basic Input/Output System (BIOS) to prevent unauthorized changes to system settings.
BIOS/UEFI Administrator Password
BIOS/UEFI Administrator Password protects the BIOS/UEFI from unauthorized access. It is needed to change settings such as boot order or secure boot.
Disk Password
Hard drives (HDD) and solid-state drives (SSD) can be temporarily or permanently locked or unlocked with a password.
Housing lock
A physical lock attached to the device or an integrated deadbolt with a locking mechanism protects against unauthorized access to the hardware components.
Network Operating Systems
Network devices (e.g., routers, switches) typically have proprietary operating systems that are secured by a username and password combination.
Absolute Software
Absolute Software is a security solution built into the BIOS that can locate, lock, and automatically recover devices after a reset.
DFCI Lock
DFCI (Device Firmware Configuration Interface) is an Intune feature that can be used to remotely lock or control BIOS/UEFI settings such as boot order or USB access.
Many wearable devices — such as smartwatches — are paired with a smartphone. To avoid activation lock or user lock-in, these devices must be unpaired before returning.
Apple ID
The Apple ID is a central user account that provides access to various Apple services such as the App Store, Apple Music, iCloud, iMessage, and FaceTime. With a single Apple ID and password, all services can be used.
Google ID
The Google ID is a user account that is used to authenticate to numerous Google services – comparable to the Apple ID or Samsung ID.
Activation Lock
This security feature protects against unauthorized use of lost or stolen devices. The device remains tied to the last user and can only be activated with their credentials.
Factory Reset Protection (FRP)
Factory reset protection is a security measure that prevents a device from being factory reset and reused without the consent of the previous user – especially in the event of loss or theft.
This is a special menu for maintenance and service activities, protected by a PIN or password.
Administrator / Superuser Password
A special administrator password can be set up to restrict access to sensitive areas of the printer menu, such as security features or network settings.
Integrated web server
The device settings can be accessed via a web browser by entering the IP address of the printer and using a corresponding password.
Security and card reader applications
Users authenticate themselves on the device with an RFID card and/or with a username and password or PIN.
When some devices – such as laptops – are booted up, a company logo or lettering is displayed. If this is not removed, the impression may arise that the device was not properly purchased or handed over.
Virtual reality (VR) glasses or headsets – such as Meta Quest, HTC Vive or Pico – can be linked to user accounts or mobile devices and managed via proprietary platforms or MDM systems. For a smooth return or reuse, all accounts, user data and management profiles must be removed. Factory reset should be done according to the official instructions, depending on the manufacturer.
Device Enrollment Program (DEP)
The Apple Device Enrollment Program is part of the company-wide deployment solutions and enables pre-configuration of iOS devices and Macs so that they can be seamlessly integrated into existing corporate structures.
Android Enterprise Enrollment
Android Enterprise Enrollment is a service from Google that helps companies pre-configure Android-based devices to enable fast and secure integration into the company's own IT infrastructure.
Microsoft Windows Autopilot
This is a collection of technologies for setting up and pre-configuring new Windows devices, including PCs and HoloLens 2.
Mobile Device Management (MDM)
Mobile Device Management is a central management system for mobile devices such as smartphones, notebooks, laptops, PDAs or tablets. MDM enables unified configuration, security, and control of all mobile devices in the enterprise.
Please note that the different types of device locks are often used in combination to increase both convenience and security.
For example, an iPhone can be simultaneously enrolled in the Device Enrollment Program (DEP), managed by an MDM solution, and additionally linked to an Apple ID.
Therefore, it is especially important to remove all locks completely, in the right order, and at the right time to avoid complications when returning or reusing!
General Notice
The above list of possible blocks is not exhaustive and serves only as a possible assistance / check list.
iPhone & iPad
Procedure:
1. Open Settings > General > Transfer or Reset [Device]
2. Tap on "Erase All Content and Settings"
3. Enter the device passcode or Apple ID if necessary
4. Wait for the deletion process to complete
MacBook & iMac & Mac mini & Mac Studio
Procedure:
1. On your Mac, go to:
Apple menu > System Preferences > General > Erase all content and settings
2. Follow the wizard and enter the user password if necessary
3. All data, user accounts, and Apple services will be removed
4. Check if Find My Mac / Activation Lock is disabled
Apple Watch
Procedure:
1. Remove Apple Pay cards (if you have one)
2. Unpair via iPhone (recommended):
3. If there is no more pairing (reset manually):
Activation Lock Review & Removal via iCloud (optional, recommended):
Procedure:
Step 1: Login to ABM/ASM
1. Open the corresponding website:
🔗 Apple Business Manager: https://business.apple.com/
🔗 Apple School Manager: https://school.apple.com/
2. Log in with your administrator account.
Step 2: Search & Select Device
1. Go to "Devices" in the left menu.
2. Enter the serial number or IMEI of the device in the search.
3. Select the appropriate device(s) by checking the box.
Step 3: Remove device(s) from the organization
1. Click on "Remove Devices" in the top right corner
(English: "Release Devices" or "Remove Devices").
2. Confirm the selection in the dialog box.
Step 4: Check & Unassign MDM
1. If the device is still assigned to an MDM server:
2. In the device view, select the device → select "Remove MDM Server".
Step 5: Reset your device
Important notes:
Procedure (may vary slightly depending on the device):
1. Open the Settings app
2. Go to: Settings > Accounts > Remove Google > Account
3. Go to: Settings > Accounts > Remove Manufacturer Account > Account
4. Go to: Settings > Accounts > Microsoft (if any) Remove > account
5. Go to Reset System > Options > Factory Reset
6. Confirm with your device passcode or Google account
Note on Google FRP
To ensure that the device does not remain locked after the reset, the Google account and the manufacturer's account must be removed beforehand.
Procedure:
Step 1: Log in to Samsung Knox
1. Open the website: https://central.samsungknox.com/login-navigator
2. Log in with your admin account .
Step 2: Find device(s)
1. Go to "Devices" in the main menu.
2. Search for the corresponding device using the serial number or IMEI .
3. Select the device(s) by checking the box.
Step 3: Remove device(s) from Knox
1. Click on " Remove Devices" in the top menu.
2. Confirm the selection in the dialog box.
Step 4: Check assignment to profiles (optional)
1. If the device is still assigned to a KME profile :
2. Remove it from the profile under:
Remove Profile Management → Device List → Device
Step 5: Reset your device
Important notes
Procedure:
Step 1: Login to the Zero-Touch Portal
1. Open the website:
🔗 https://partner.android.com/zerotouch
2. Sign in to Zero-Touch with your Google Account (Gmail or Google Business Account).
Step 2: Find device(s)
1. Click on "Devices" in the left menu.
2. Use the search box to search by IMEI, serial number, or username .
3. Select the desired device(s) by checking the box.
Step 3: Remove Device from Zero-Touch
1. Click "Remove" at the top.
2. Confirm the selection in the confirmation dialog.
Important:
Step 4: Check Assignment to Configuration Profile (Optional)
1. If the device is assigned to a configuration profile:
2. Remove it under:
Select configurations → profile → Edit devices → remove devices
Step 5: Reset your device
Hints
Devices assigned via zero-touch cannot be manually removed by users – only by administrators or through the reseller
Procedure:
Step 1: Sign in to the Intune admin center
1. Open the website:
🔗 https://intune.microsoft.com
2. Sign in with your Microsoft administrator account .
Step 2: Find your device
1. Navigate to:
Device Management → All Devices (Devices → All devices)
2. Search for the device via:
3. Select the appropriate device from the list.
Step 3: Remove DFCI Profiles (If Any)
1. In the left navigation, navigate to:
Device configuration → profiles
2. Locate the DFCI profile(s) (e.g. "DFCI - BIOS Lockdown")
→ These are configuration profiles that set UEFI/BIOS settings.
3. Remove the assignment of these profiles from the device:
Step 4: Remove device from Intune
1. Click on "..." (More options) or on "Delete" at the top.
2. Confirm the deletion process in the dialog box.
Important:
Step 5: Check and unmap Azure AD
1. Open the Microsoft Entra admin center (formerly Azure AD):
🔗 https://entra.microsoft.com
2. Jump to:
Identities → Devices → All Devices
3. Search for the device and select "Delete" to remove it from Azure AD as well.
Step 6: Remove device from Windows Autopilot (if enrolled)
1. In the Intune admin center, go to:
Devices → Windows → Windows Deployment (Windows enrollment)
2. Select Devices under Windows Autopilot Deployment Program.
3. Search for the device (e.g. by serial number).
4. Check the box and click "Delete".
Important: OEM devices and tenant lock
Step 7: Reset your device
Further information
VMware Workspace ONE (AirWatch)
Procedure:
Step 1: Registration
1. Open your Workspace ONE console
2. Log in with your admin account
Step 2: Find your device
1. Navigation: Devices → List View
2. Search by device name, user, or serial number
3. Click on the affected device
Step 3: Erase Device
1. Click on "More Actions" → "Delete Device" in the top right corner
2. Optional before: "Enterprise Wipe" to delete only the MDM profile
3. Confirm the selection
Step 4: Reset your device
Manually factory reset on the device
After that, there is no MDM assignment
MobileIron / Ivanti Neurons for MDM
Procedure:
Step 1: Registration
1. Log in to Ivanti as an admin
Step 2: Find your device
1. Menu: Devices → Search
2. Find the device you want by name, user, IMEI, etc.
Step 3: Erase Device
1. Select Device → Actions → Retire (for Soft Removal)
or
→ Delete (for complete deletion)
Step 4: Factory reset
Cisco Meraki Systems Manager
Procedure:
Step 1: Registration
1. Log in to the Meraki Dashboard
2. Choose your network / location
Step 2: Find your device
1. Menu: Systems Manager → Monitor → Clients
2. Search by serial number, device name or user
Step 3: Remove Device
1. Select Device → Click on Trash Icon (Delete)
or: More → Remove from Network
Step 4: Reset
SOTI MobiControl
Procedure:
Step 1: Registration
1. Log in to the SOTI console
Step 2: Find your device
1. Devices → search by serial number, IMEI or user
Step 3: Erase Device
1. Right-click on Device → Delete
2. Alternative: Unenroll Device
Step 4: Reset your device
Jamf Cloud MDM
Procedure:
Step 1: Sign in to Jamf
1. Open the Jamf Web Console in your browser
2. Log in with your administrator account.
Step 2: Find your device
1. In the menu, go to Devices or Computers (depending on the device type).
2. Search for the device you want to remove, such as:
Step 3: Select Device
1. Click on the device name to open the detail view.
Step 4: Remove Device (Unenroll)
Option A: Erase the device remotely
1. Click on Management or Management Commands.
2. Select Erase Device or Remove MDM Profile (depending on your platform and available commands).
3. Confirm the command.
The device resets and removes itself from Jamf management.
Step 5: Review
Important notes:
General Notice
The information contained in this guide is based on the currently valid specifications and processes, including the requirements of the respective manufacturers. Please note that the specifications and information provided by the manufacturers can change at any time. CHG-MERIDIAN does not assume any liability for the completeness or up-to-dateness of the information provided, as changes and/or additions by the manufacturers may not be immediately reflected in these instructions. We recommend that our customers contact us or the manufacturer directly if they have specific questions or uncertainties.