Activation Lock

Learn how to manage user-based and device-based Activation Lock.

User-based Activation Lock 

User-based Activation Lock is enabled by a device user signing into a personal Apple ID and enabling Find My. User-based Activation Lock is sometimes referred to as iCloud Activation Lock. 

How can I prevent user-based Activation Lock?

By default, user-based Activation Lock is not allowed on supervised devices. iOS, iPadOS, or macOS devices enrolling into Kandji via Automated Device Enrollment will have the Activation Lock Allowed While Supervised MDM option set to false. You can optionally allow user-based Activation Lock by modifying the Automated Device Enrollment configuration before device enrollment. 

User-based Activation Lock and previously configured Mac computers enrolling through a Device Enrollment notification. 

Mac computers that may have already been set up and enroll into Kandji through a Device Enrollment notification (sometimes referred to as a DEP NAG) have special considerations. 

  • If a user enabled user-based Activation Lock before enrollment, Activation Lock remains enabled. 
    • If the Mac has not been supervised by an MDM previously, the user-based Activation Lock bypass code will be generated by the Mac and retrieved by Kandji. 
    • If the Mac is migrating from one MDM to Kandji, the Activation Lock bypass code will likely have already expired, and Kandji will not be able to retrieve the Activation Lock bypass code. 
      • Activation Lock bypass codes can only be retrieved from the Mac up to 30 days after the device is supervised. 
    • If another MDM currently manages your Mac computers, we strongly encourage you to retrieve your Activation Lock bypass codes from your previous MDM solution before migration. 
  • If a user has not enabled user-based Activation Lock before enrollment, enabling Activation Lock will be prohibited once the device is enrolled unless otherwise configured in the Automated Device Enrollment Configuration. 

User-based Activation Lock bypass code

If you choose to allow user-based Activation Lock and need to disable Activation Lock on the device, you have the following options. 

  • Access the user-based Activation Lock bypass code from the device action menu 
    • The user-based Activation Lock bypass code will be available for all supervised iOS, iPadOS, and macOS devices (Mac computers with T2 or Apple silicon) 
      • The user-based Activation Lock bypass code may not be available if another MDM solution previously supervised the Mac computer before enrollment into Kandji. 
    • You can use the user-based Activation Lock bypass code by entering it in the password field on the Activation Lock screen on the device during Setup Assistant. 
      • You can also connect the device to a Mac and enter the bypass code in the password field in Finder. (iOS/iPadOS only) 

Device-based Activation Lock 

Device-based Activation Lock is enabled by an MDM solution submitting an API request to Apple's Device Assignment Service API. Device-based Activation Lock is sometimes referred to as MDM or organization-based Activation Lock. Device-based Activation Lock is currently only supported on iOS and iPadOS devices.

How can I enable device-based Activation Lock?

Device-based Activation Lock can be enabled by modifying the Automated Device Enrollment configuration before device enrollment. You will need to enable device-based Activation Lock for the iPhone and iPad Automated Device Enrollment configuration sections. 

 


Device-based Activation Lock bypass code

If you choose to allow user-based Activation Lock and need to disable Activation Lock on the device, you have the following options.

  • Access the device-based Activation Lock bypass code from the device action menu 
    • The device-based Activation Lock bypass code will be available in an imminent release of Kandji. Currently, only the user-based Activation Lock bypass code is available from the device action menu. Contact support for additional details.
  • Sign in with the Managed Apple ID of the Apple Business Manager or Apple School Manager user who assigned the device to the MDM server.

How to clear Activation Lock when the bypass code is not available 

If the Activation Lock bypass code is not available, such as when another MDM previously supervised the Mac, you can contact AppleCare Enterprise support to remove Activation Lock.