Activation Lock is a theft-deterrent feature that makes it difficult for anyone else to use your lost or stolen macOS or iOS device. You can create a JumpCloud policy that allows Activation Lock on your organization’s managed and enrolled devices and have your users turn on Find My in their iCloud configuration to enable Activation Lock. You can use a bypass code to get by the Activation Lock to unlock a device to recover the data, without having access to the user’s Apple ID. You can also clear an Activation Lock.
Here’s how Activation Lock works:
- IT Admin creates a policy - You create a JumpCloud policy that allows Activation Lock through MDM. An Allow Activation Lock policy does not enforce a set of rules, but simply allows Activation Lock on a user’s device. See Create a Policy to Allow Activation Lock below.
- User enables Activation Lock - When a user sets up Find My through an iCloud account and the IT Admin has allowed Activation Lock through a policy, then Activation Lock becomes enabled. The user’s macOS or iOS device must have an Apple T2 security chip. See Users: Enable Activation Lock. Activation Lock can deter anyone from reactivating a device without the user’s permission. The user must keep Find My turned on and remember the Apple ID and password.
- IT Admin bypasses Activation Lock in an emergency - If an employee leaves the company and you no longer have access to the user’s Apple ID, you can use a bypass code from MDM to get past the Activation Lock. If a user’s managed macOS or iOS device is lost, you would ask the user to use the Find My app to locate the device. In the previous two scenarios, the user must have turned on Find My through the user’s iCloud account to enable Activation Lock. If the device was stolen, you can simply erase the device.
Occasionally, some devices running older versions of macOS will fail to erase. If the device cannot be erased, it will be locked.
Prerequisites:
- Mobile Device Management (MDM) is configured for your organization. See Set Up Apple MDM.
- (Optional): Apple’s Automated Device Enrollment (ADE) is configured for your organization. See Configure ADE.
- The macOS or iOS managed device is enrolled in MDM and Supervised, either through Device Enrollment (DE) or Automated Device Enrollment (ADE). See Choose an MDM Enrollment Method.
- Each device must meet these requirements to be eligible to enable Activation Lock:
- If a macOS device, it must run macOS Big Sur or later.
- If an iOS device, it must run iOS 7.0 or later.
- If an iPadOS device, it must run iPadOS 13.0 or later.
- The device must use the Apple T2 Security Chip or Apple silicon.
- The user’s Apple ID must have two-factor authentication enabled.
- Secure Boot is enabled on its default setting (Full Security) with Disallow booting from external media selected under External Boot.
Considerations:
- Devices enrolled via Automated Device Enrollment that have the Activation Lock policy applied to them will require the end-user to sign into an Apple ID via System Settings and toggle Find My to ON in order for “clear activation lock” and “retrieve bypass code” to work properly.
- For Device Enrolled devices where the Activation Lock policy was applied, and where Find My is not enabled yet, the end-user must sign into an Apple ID in System Settings and toggle Find My to ON in order for “clear activation lock” and “retrieve bypass code” to work properly.
- For Device Enrolled devices where the Activation Lock policy was applied, and Find My was already enabled prior to enrollment, then the end-user must go into the Apple ID Settings in System Settings and toggle Find My to OFF and then back ON in order for “clear activation lock” and “retrieve bypass code” to work properly.
- This must be done so MDM can gain jurisdiction over Activation Lock.
- Important: If an Admin clicks “clear activation lock” and an error message appears, then the Admin should verify locally on the device that the activation lock screen was actually cleared.
- This is expected behavior if the activation had already been successfully cleared.
- Upon collection of a valid Activation Lock bypass code, the Clear Activation Lock button for the device will not function until Apple processes this code on their service. This may take several hours. The code may be used locally on the device during this time.
Creating a Policy to Allow Activation Lock
You can create an Allow Activation Lock policy and apply it to a group of devices or a single device that will be allowed to enable Activation Lock.
To create a policy to allow Activation Lock:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- Click (+). If your policy is for macOS devices, select Mac. If your policy is for iOS, select iOS.
- Locate the Allow Activation Lock policy, then click configure.
- (Optional) On the New Policy panel, enter a new, unique name for the policy or keep the default.
Only one Activation Lock policy is allowed.
- Select the Device Groups tab, then select one or more device groups that will be affected by this policy. If you don’t want to apply the policy to a device group, you can apply it to individual devices.
- Select the Devices tab, then select one or more devices that will be affected by this policy. If you don’t want to apply a policy to an individual device, you can apply it to multiple devices in a device group.
- Click save.
- Click save again to confirm. The new policy appears on the Policies page in approximately one minute.
The Allow Activation Lock policy takes effect immediately, and an Apple MDM command is sent to the device immediately or as soon as the device comes online again. After the Allow Activation Lock Policy is applied, user action is required to turn on Find My in order to enable Activation Lock for the device.
This Apple MDM command allows Activation Lock on the device. If activation lock is already active on a device when this policy is applied, the Find My service must be deactivated by the user and then reactivated (toggled) for any collected override codes to be usable or for “Clear Activation Lock” commands to function.
Removing the policy does not disable activation lock. However, if the policy is removed and the user then disables activation lock, the user will not be able to enable activation lock again.
What’s Next?
After you create a policy to allow Activation Lock and the user turns on Find My in iCloud, Activation Lock is enabled. For user instructions, see Users: Enable Activation Lock. Users that have Managed Apple IDs cannot turn on Find My. See the Apple documentation.
Viewing Activation Lock Information
To view additional information related to the Activation Lock feature, perform the following steps:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Devices.
- Select the device and select the MDM tab.
- Under Activation Lock Manageable, a value of yes indicates that this device is enrolled in MDM:
For macOS 11.x (Big Sur) and later - This device is enrolled in MDM (it doesn’t matter how the device was enrolled in MDM).
If a device is user-enrolled, then the Activation Lock Manageable field displays no. For more information about user enrollment, see Enroll MacOS Devices with User Approval.
- Under Activation Lock Allowed While Supervised, yes indicates that JumpCloud is applying the Activation Lock policy to allow Activation Lock for the device.
If you want to disable or prevent Activation Lock, you need to remove the policy from the device so that the Allow Activation Lock policy is no longer used.
For more information, see Create a Policy to Allow Activation Lock and Users: Enable Activation Lock.
Retrieving a Bypass Code
MDM can provide a bypass code to clear an Activation Lock.
To retrieve a bypass code:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Devices.
- Select the device and select the MDM tab.
- Under Activation Lock, determine if an MDM bypass code is available by clicking retrieve bypass code. The bypass code and date appear.
- If you already retrieved the bypass code but haven’t yet used it, the code and its retrieval date are displayed.
- If the bypass code is not retrievable, Unavailable is displayed in this field.
- For macOS devices that were not enrolled with Automated Device Enrollment, you cannot get a bypass code. Consider upgrading to macOS 11 Big Sur or later. In some cases, a macOS 11.Big Sur and later device can have Find My turned on and Activation Lock enabled before the device is enrolled in MDM and you will not be able to retrieve a bypass code.
- For iOS devices that were not enrolled with Automated Device Enrollment, you cannot get a bypass code. Consider a supervised enrollment using Apple Configurator 2 to use this feature.
- Click Refresh to retrieve new information from the device. New data may not be available until the device is contacted again.
Reloading the screen will always display the most recent data that was reported. Bypass codes and recovery keys should be secured and backed up regularly.
Clearing Activation Lock
If you clear the Activation Lock, the macOS device no longer has Activation Lock enabled. Clearing the Activation Lock removes all Activation Lock protection for this device and lets you bypass the Activation Lock screen. If an employee enabled Activation Lock on a device and later left the company, you can disable Activation Lock so that you can reformat the device for a new employee.
To clear an activation lock:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Devices.
- Select the device and select the MDM tab.
- Under Activation Lock, click clear activation lock to return the device to a status of disabled.
- In the dialog, confirm the action by clicking Clear Activation Lock. Activation Lock is no longer enabled and the button is grayed out.
When the "Clear Activation Lock" button is clicked, the bypass code will be sent to Apple to clear the activation lock but the Status field will not change to "disabled." Sending additional requests to clear the activation lock on a particular device may cause a failure message in JumpCloud as the activate lock may already be cleared on a device.
Changes may take several minutes to update on the device.
Troubleshooting
See Troubleshoot: macOS or iOS Activation Lock Policy.