Activation Lock

By David Marks

Learn what Activation Lock is and how to manage it

What is Activation Lock?

Activation Lock is a security feature developed by Apple to help prevent unauthorized use of Apple devices if they are lost or stolen. This feature is part of the "Find My" service and is designed to deter theft by making it difficult for anyone other than the owner to use or sell the device.

How Activation Lock Works

Activation Lock is automatically enabled when a user sets up the "Find My" feature on their device. Here’s how it functions:

  1. When "Find My" is turned on, the user's Apple ID is securely stored on Apple’s activation servers and linked to their device.
  2. Each time the device is activated or recovered, it contacts Apple to check if Activation Lock is enabled.
  3. To turn off "Find My," erase the device, or reactivate it, the user must supply the Apple ID password.

For corporate-owned devices, Kandji can be used to manage Activation Lock. Upon enrollment, a bypass code is generated and escrowed in Kandji; it can unlock a device without the Apple ID and password, which is useful when reassigning devices to new users. In addition, devices that belong to Apple Business Manager or Apple School Manager can have Activation Lock disabled remotely by ABM/ASM admins with the Device Manager role.

User-based Activation Lock

User-based Activation Lock is activated when a device user signs in with their personal Apple ID and enables Find My. This feature is also known as iCloud Activation Lock.

How to Prevent User-based Activation Lock

By default, user-based Activation Lock is not allowed on supervised devices. When iOS, iPadOS, or macOS devices are enrolled into Kandji via Automated Device Enrollment, the Activation Lock Allowed While Supervised MDM option is set to false. However, you can modify the Automated Device Enrollment configuration before enrolling the device if you wish to allow user-based Activation Lock.

Although Activation Lock is tied to "Find My," preventing Activation Lock does not prevent users from signing in to "Find My."

Special Considerations for Mac Computers

For Mac computers that are already set up and enrolled in Kandji there are a few things to consider:

  • Pre-enrollment Activation Lock - If a user enabled user-based Activation Lock before enrollment, it will remain enabled.
  • Bypass Code Generation - If the Mac was not previously supervised by an MDM, Kandji will retrieve a newly generated bypass code. However, this code cannot retroactively disable an existing user-based Activation Lock. For the bypass code to be effective, the user must turn off Find My Mac and then turn it back on.
  • Migration from Another MDM - If a Mac is migrating from one MDM to Kandji, the existing Activation Lock bypass code may have expired, and Kandji will not be able to retrieve it. Bypass codes can only be retrieved within 30 days after the device is supervised. Therefore, it is recommended to retrieve these codes from the previous MDM before migration.
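The considerations above are hard to act on without knowing which Macs actually carry a lock. The following audit script is an added example, not Kandji's own code: it reads the "Activation Lock Status" line that system_profiler prints for T2 and Apple silicon Macs, treats the fmm-mobileme-token-FMM entry in NVRAM as the sign that Find My Mac is on, and classifies the Mac according to the rules above. The status labels ("user-based-lock-active" and so on) and the sample outputs are constructed for this example; the system_profiler and nvram queries are the real ones, but the two tools are only invoked when present, so the parsing functions can be exercised on their own.

```shell
#!/bin/sh
# Added example (not Kandji's code): audit a Mac's Activation Lock state.
# Intended to run as root from an MDM script on a T2 or Apple silicon Mac.

# Pull "Enabled", "Disabled" or "Unknown" out of system_profiler
# SPHardwareDataType text read from stdin. Macs that cannot use Activation
# Lock print no "Activation Lock Status" line at all, hence the fallback.
activation_lock_status() {
    awk -F': *' '
        /Activation Lock Status/ { sub(/[ \t\r]+$/, "", $2); print $2; found = 1 }
        END { if (!found) print "Unknown" }'
}

# Find My Mac stores a token in NVRAM; its presence is the usual inventory
# check for "Find My Mac is on". Reads the output of nvram -p from stdin.
find_my_mac_enabled() {
    grep -q 'fmm-mobileme-token-FMM' && echo "yes" || echo "no"
}

# Map the two observations onto the cases this article describes.
# (Label names are this example's own.)
#  - lock Enabled, Find My Mac on  -> user-based lock is active; the escrowed
#    bypass code only becomes effective after the user turns Find My Mac off
#    and on again.
#  - lock Enabled, Find My Mac off -> the lock is still registered with Apple
#    but Find My Mac is not currently on; clear it with the bypass code or
#    through ABM/ASM.
#  - lock Disabled                  -> nothing to do.
classify() {
    lock="$1"; fmm="$2"
    case "$lock:$fmm" in
        Enabled:yes)  echo "user-based-lock-active" ;;
        Enabled:no)   echo "lock-enabled-find-my-off" ;;
        Disabled:*)   echo "clear" ;;
        *)            echo "unsupported-or-unknown" ;;
    esac
}

# Constructed sample outputs (not captured from a real Mac) for offline use.
SAMPLE_LOCKED='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Chip: Apple M1 Pro
      Activation Lock Status: Enabled'

SAMPLE_NVRAM_FMM='fmm-computer-name    MacBook Pro
fmm-mobileme-token-FMM    bplist00...'

# Live audit, only where the Apple tools exist.
if command -v system_profiler >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1; then
    lock=$(system_profiler SPHardwareDataType 2>/dev/null | activation_lock_status)
    fmm=$(nvram -p 2>/dev/null | find_my_mac_enabled)
    state=$(classify "$lock" "$fmm")
    echo "Activation Lock: $lock  Find My Mac: $fmm  -> $state"
    # A non-zero exit lets the MDM flag Macs whose lock still needs attention.
    [ "$state" = "clear" ] || exit 1
fi
```

Run it as an audit script: a "clear" result exits 0, anything else exits 1 so the Mac shows up for follow-up. A "user-based-lock-active" Mac is the case described above where the bypass code in Kandji will not help until Find My Mac has been toggled off and on.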

User-based Activation Lock Bypass Code

If you allow user-based Activation Lock and need to disable it, you have several options:

  1. Device Action Menu - Access the bypass code from the device action menu for all supervised iOS, iPadOS, and macOS devices (Mac computers with T2 or Apple silicon).
  2. Setup Assistant - Enter the bypass code in the password field on the Activation Lock screen during Setup Assistant.
  3. Finder - Connect the device to a Mac and enter the bypass code in the password field in Finder (iOS/iPadOS only).
  4. macOS Recovery - Use the bypass code from macOS Recovery by selecting "Activate with MDM Key..." from the Recovery Assistant menu (macOS only).

Device-based Activation Lock

Device-based Activation Lock is enabled by an MDM solution submitting an API request to Apple's Device Assignment Service API. This feature is sometimes referred to as MDM or organization-based Activation Lock and is currently supported only on iOS and iPadOS devices.

How to Enable Device-based Activation Lock

To enable device-based Activation Lock, you need to modify the Automated Device Enrollment configuration before enrolling the device. Ensure you enable this setting separately for the iPhone and iPad sections within the Automated Device Enrollment configuration.

Device-based Activation Lock Bypass Code

If you enable device-based Activation Lock and need to disable it, you have the following options:

  • Access the Bypass Code - Retrieve the device-based Activation Lock bypass code from the device action menu
  • Sign in with Managed Apple ID - Use the Managed Apple ID of the Apple Business Manager or Apple School Manager user who created the Automated Device Enrollment token

Removing Activation Lock using Apple Business Manager or Apple School Manager

In Apple Business Manager or Apple School Manager, you have the option to disable Activation Lock for devices owned by your organization. The device must be listed in Apple Business Manager or Apple School Manager, but it doesn't need to be associated with an MDM server. For more information on removing Activation Lock this way, see Apple's support guides for Apple Business Manager and Apple School Manager.

If the Activation Lock bypass code is unavailable and Activation Lock cannot be removed using Apple Business Manager or Apple School Manager, you can contact AppleCare Enterprise Support for further assistance.