![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\"){kind=icon}
<\/p><\/div>
Occasionally, some devices running older versions of macOS will fail to erase. If the device cannot be erased, it will be locked.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Prerequisites<\/strong>:<\/p>\n\n\n\n
- \n
- Mobile Device Management (MDM) is configured for your organization. See Set Up Apple MDM<\/a>. <\/li>\n\n\n\n
- (Optional): Apple\u2019s Automated Device Enrollment (ADE) is configured for your organization. See Configure ADE<\/a>.<\/li>\n\n\n\n
- The macOS or iOS managed device is enrolled in MDM and Supervised<\/strong>, either through Device Enrollment (DE) or Automated Device Enrollment (ADE). See Choose an MDM Enrollment Method<\/a>.<\/li>\n\n\n\n
- Each device must meet these requirements to be eligible to enable Activation Lock:\n
- \n
- If a macOS device, it must run macOS Big Sur <\/a>or later.<\/li>\n\n\n\n
- If an iOS device, it must run iOS 7.0 or later.<\/li>\n\n\n\n
- If an iPadOS device, it must run iPadOS 13.0 or later.<\/li>\n\n\n\n
- The device must use the Apple T2 Security Chip<\/a> or Apple silicon.<\/li>\n\n\n\n
- The user\u2019s Apple ID must have two-factor authentication enabled.<\/li>\n\n\n\n
- Secure Boot<\/a> is enabled on its default setting (Full Security) with Disallow booting from external media selected<\/strong> under External Boot<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Considerations<\/strong>:<\/p>\n\n\n\n
- \n
- Devices enrolled via Automated Device Enrollment that have the Activation Lock policy applied to them will require the end-user to sign into an Apple ID via System Settings and toggle Find My to ON<\/strong> in order for \u201cclear activation lock\u201d and \u201cretrieve bypass code\u201d to work properly.<\/li>\n\n\n\n
- For Device Enrolled devices where the Activation Lock policy was applied, and where Find My is not enabled yet, the end-user must sign into an Apple ID in System Settings and toggle Find My to ON <\/strong>in order for \u201cclear activation lock\u201d and \u201cretrieve bypass code\u201d to work properly.<\/li>\n\n\n\n
- For Device Enrolled devices where the Activation Lock policy was applied, and Find My was already enabled prior to enrollment<\/strong>, then the end-user must go into the Apple ID Settings in System Settings and toggle Find My to OFF<\/strong> and then back ON<\/strong> in order for \u201cclear activation lock\u201d and \u201cretrieve bypass code\u201d to work properly.\n
- \n
- This must be done so MDM can gain jurisdiction over Activation Lock.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Important<\/strong>: If an Admin clicks \u201cclear activation lock\u201d and an error message appears, then the Admin should verify locally on the device that the activation lock screen was actually cleared.\n
- \n
- This is expected behavior if the activation had already been successfully cleared.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- \u200b\u200b\u200b\u200b\u200b\u200b\u200bUpon collection of a valid Activation Lock bypass code, the Clear Activation Lock<\/strong> button for the device will not<\/strong> function until Apple processes this code on their service. This may take several hours. The code may be used locally on the device during this time.<\/li>\n<\/ul>\n\n\n\n
Creating a Policy to Allow Activation Lock<\/h2>\n\n\n\n
You can create an Allow Activation Lock policy and apply it to a group of devices or a single device that will be allowed to enable Activation Lock.<\/p>\n\n\n\n
To create a policy to allow Activation Lock<\/strong>:<\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal: https:\/\/console.jumpcloud.com\/login<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT > Policy Management<\/strong>.<\/li>\n\n\n\n
- Click (+<\/strong>). If your policy is for macOS devices, select Mac<\/strong>. If your policy is for iOS, select iOS<\/strong>.<\/li>\n\n\n\n
- Locate the Allow Activation Lock<\/strong> policy, then click configure<\/strong>.<\/li>\n\n\n\n
- (Optional) On the New Policy<\/strong> panel, enter a new, unique name for the policy or keep the default.<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/allow-activation-lock-policy-1024x568.png\")
<\/figure>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nOnly one Activation Lock policy is allowed.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Select the Device Groups<\/strong> tab, then select one or more device groups that will be affected by this policy. If you don\u2019t want to apply the policy to a device group, you can apply it to individual devices.<\/li>\n\n\n\n
- Select the Devices<\/strong> tab, then select one or more devices that will be affected by this policy. If you don\u2019t want to apply a policy to an individual device, you can apply it to multiple devices in a device group.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n\n\n\n
- Click save<\/strong> again to confirm. The new policy appears on the Policies page in approximately one minute.<\/li>\n<\/ol>\n\n\n\n
The Allow Activation Lock policy takes effect immediately, and an Apple MDM command is sent to the device immediately or as soon as the device comes online again. After the Allow Activation Lock Policy is applied, user action is required to turn on Find My in order to enable Activation Lock for the device. <\/p>\n\n\n\n
This Apple MDM command allows Activation Lock on the device. If activation lock is already active on a device when this policy is applied, the Find My service must be deactivated by the user and then reactivated (toggled) for any collected override codes to be usable or for \u201cClear Activation Lock\u201d commands to function.<\/p>\n\n\n\n
<\/p><\/div>Tip:<\/strong> \nRemoving the policy does not disable activation lock. However, if the policy is removed and the user then disables activation lock, the user will not be able to enable activation lock again.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
What\u2019s Next?<\/strong><\/h3>\n\n\n\n
After you create a policy to allow Activation Lock and the user turns on Find My in iCloud, Activation Lock is enabled. For user instructions, see Users: Enable Activation Lock<\/a>. Users that have Managed Apple IDs cannot turn on Find My. See the Apple documentation<\/a>.<\/p>\n\n\n\n
Viewing Activation Lock Information<\/h2>\n\n\n\n
To view additional information related to the Activation Lock feature, perform the following steps:<\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT > Devices<\/strong>.<\/li>\n\n\n\n
- Select the device and select the MDM <\/strong>tab.<\/li>\n\n\n\n
- Under Activation Lock Manageable, a value of yes <\/strong>indicates that this device is enrolled in MDM:<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nFor macOS 11.x (Big Sur) and later – <\/strong>This device is enrolled in MDM (it doesn\u2019t matter how the device was enrolled in MDM). <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
If a device is user-enrolled, then the Activation Lock Manageable field displays no<\/strong>. For more information about user enrollment, see Enroll MacOS Devices with User Approval<\/a>.<\/p>\n\n\n\n
- \n
- Under Activation Lock Allowed While Supervised, yes<\/strong> indicates that JumpCloud is applying the Activation Lock policy to allow Activation Lock for the device. <\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
If you want to disable or prevent Activation Lock, you need to remove the policy from the device so that the Allow Activation Lock policy is no longer used.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
For more information, see Create a Policy to Allow Activation Lock<\/a> and Users: Enable Activation Lock<\/a>.<\/p>\n\n\n\n
Retrieving a Bypass Code<\/h2>\n\n\n\n
MDM can provide a bypass code to clear an Activation Lock. <\/p>\n\n\n\n
To retrieve a bypass code<\/strong>:<\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT > Devices<\/strong>.<\/li>\n\n\n\n
- Select the device and select the MDM<\/strong> tab.<\/li>\n\n\n\n
- Under Activation Lock<\/strong>, determine if an MDM bypass code is available by clicking retrieve bypass code<\/strong>. The bypass code and date appear.
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/MacMDMBypassCode.png\")
\n- \n
- If you already retrieved the bypass code but haven\u2019t yet used it, the code and its retrieval date are displayed.<\/li>\n\n\n\n
- If the bypass code is not retrievable, Unavailable<\/strong> is displayed in this field.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
- \n
- For macOS devices that were not enrolled with Automated Device Enrollment, you cannot get a bypass code. Consider upgrading to macOS 11 Big Sur or later. In some cases, a macOS 11.Big Sur and later device can have Find My turned on and Activation Lock enabled before the device is enrolled in MDM and you will not be able to retrieve a bypass code.<\/li>\n\n\n\n
- For iOS devices that were not enrolled with Automated Device Enrollment, you cannot get a bypass code. Consider a supervised enrollment using Apple Configurator 2 to use this feature.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Refresh<\/strong> to retrieve new information from the device. New data may not be available until the device is contacted again.<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Tip:<\/strong> \n
Reloading the screen will always display the most recent data that was reported. Bypass codes and recovery keys should be secured and backed up regularly. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To use a bypass code:<\/strong><\/p>\n\n\n\n
- \n
- Boot the affected device in recovery mode. <\/li>\n\n\n\n
- Click Recovery Assistant<\/strong>, then Activate with MDM key…<\/strong>.<\/li>\n\n\n\n
- Enter the same bypass key from the Admin Portal to activate the device.<\/li>\n<\/ol>\n\n\n\n
Clearing Activation Lock<\/h2>\n\n\n\n
If you clear the Activation Lock, the macOS device no longer has Activation Lock enabled. Clearing the Activation Lock removes all Activation Lock protection for this device and lets you bypass the Activation Lock screen. If an employee enabled Activation Lock on a device and later left the company, you can disable Activation Lock so that you can reformat the device for a new employee.<\/p>\n\n\n\n
To clear an activation lock<\/strong>:<\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal: https:\/\/console.jumpcloud.com\/login<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT > Devices<\/strong>.<\/li>\n\n\n\n
- Select the device and select the MDM<\/strong> tab.<\/li>\n\n\n\n
- Under Activation Lock, click clear activation lock<\/strong> to return the device to a status of disabled<\/em>.
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/MacMDMClearActivationLock.png\")
<\/li>\n\n\n\n - In the dialog, confirm the action by clicking Clear Activation Lock<\/strong>. Activation Lock is no longer enabled and the button is grayed out.<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
When the “Clear Activation Lock” button is clicked, the bypass code will be sent to Apple to clear the activation lock but the Status field will not change to “disabled.” Sending additional requests to clear the activation lock on a particular device may cause a failure message in JumpCloud as the activate lock may already be cleared on a device.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Changes may take several minutes to update on the device.<\/p>\n\n\n\n
Troubleshooting<\/h2>\n\n\n\n
See Troubleshoot: macOS or iOS Activation Lock Policy<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"
- Click Refresh<\/strong> to retrieve new information from the device. New data may not be available until the device is contacted again.<\/li>\n<\/ol>\n\n\n\n
- Under Activation Lock Allowed While Supervised, yes<\/strong> indicates that JumpCloud is applying the Activation Lock policy to allow Activation Lock for the device. <\/li>\n<\/ol>\n\n\n\n