Activation Lock

By David Marks

Learn how to manage Activation Lock

User-based Activation Lock

User-based Activation Lock is enabled by a device user signing into a personal Apple ID and enabling Find My Device. User-based Activation Lock is sometimes referred to as iCloud Activation Lock.

How can I prevent user-based Activation Lock?

By default, user-based Activation Lock is not allowed on supervised devices. iOS, iPadOS, or macOS devices enrolling into Kandji via Automated Device Enrollment will have the Activation Lock Allowed While Supervised MDM option set to false. You can optionally allow user-based Activation Lock by modifying the Automated Device Enrollment configuration before device enrollment. 

User-based Activation Lock and previously configured Mac computers enrolling through a Device Enrollment notification or via the web enrollment portal

Mac computers that may have already been set up and enrolled into Kandji through a Device Enrollment notification (sometimes referred to as a DEP nag) or those enrolled through the web enrollment portal running macOS 11+ have special considerations. 

  • If a user enabled user-based Activation Lock before enrollment, Activation Lock would remain enabled.
    • If the Mac has not been supervised by an MDM previously, a user-based Activation Lock bypass code will be generated by the Mac and retrieved by Kandji. However, this bypass code cannot be used retroactively to turn off the existing user-based Activation Lock previously initiated by the user when they turned on Find My Mac. If the user turns off Find My Mac and later turns it back on, that is when the bypass code would be able to be used to turn off Activation Lock. For this reason, when migrating previously unmanaged devices into Kandji, if your users are currently signed in to Find My Mac, we recommend they turn it off before enrolling into Kandji. Once enrolled, they can turn it back on.
    • If the Mac is migrating from one MDM to Kandji, the Activation Lock bypass code will likely have already expired, and Kandji will not be able to retrieve the Activation Lock bypass code.
      • Activation Lock bypass codes can only be retrieved from the Mac up to 30 days after the device is supervised. 
    • If another MDM currently manages your Mac computers, we strongly encourage you to retrieve your activation lock bypass codes from your previous MDM solution before migration.
  • If a user has not enabled user-based Activation Lock before enrollment, enabling Activation Lock will be prohibited once the device is enrolled unless otherwise configured in the Automated Device Enrollment Configuration.

User-based Activation Lock bypass code

If you choose to allow user-based Activation Lock and need to disable Activation Lock on the device, you have the following options. 

  • Access the user-based Activation Lock bypass code from the device action menu
    • The user-based Activation Lock bypass code will be available for all supervised iOS, iPadOS, and macOS devices (Mac computers with T2 or Apple silicon)
      • The user-based Activation Lock bypass code may not be available if another MDM solution previously supervised the Mac computer before enrollment into Kandji. 
    • You can use the user-based Activation Lock bypass code by entering it in the password field on the Activation Lock screen on the device during Setup Assistant.
      • You can also connect the device to a Mac and enter the bypass code in the password field in Finder. (iOS/iPadOS only)
    • You can use the user-base Activation Lock bypass code from macOS Recovery at the Activation Lock screen by selecting Activate with MDM Key... from the Recovery Assistant menu (macOS Only).

Device-based Activation Lock

Device-based Activation Lock is enabled by an MDM solution submitting an API request to Apple's Device Assignment Service API. Device-based Activation Lock is sometimes referred to as MDM or organization-based Activation Lock. Device-based Activation Lock is currently only supported by Apple on iOS and iPadOS devices.

How can I enable device-based Activation Lock?

Device-based activation lock can be enabled by modifying the Automated Device Enrollment configuration before device enrollment. You will need to enable device-based Activation Lock for the iPhone and iPad Automated Device Enrollment configuration sections separately.

Device-based Activation Lock bypass code

If you choose to enable device-based Activation Lock and need to disable Activation Lock on the device, you have the following options.

  • Access the device-based Activation Lock bypass code from the device action menu.
  • Sign in with the Managed Apple ID of the Apple Business Manager or Apple School Manager user that created the Automated Device Enrollment token.

How to clear Activation Lock when the bypass code is not available

If the Activation Lock bypass code is unavailable, such as when another MDM previously supervised the Mac, you can contact AppleCare Enterprise Support to remove Activation Lock.