Locking Apple devices
Locking a Mac with Apple silicon
In macOS 11.5 or later, mobile device management (MDM) administrators can lock a Mac with Apple silicon with a six-digit PIN (and include a short message). After the command has been sent to the device, the device restarts and the user can see the message and optional phone number. The user can’t restart into macOS until the PIN has been entered and validated by the Mac.
In macOS 11.5 or later, MDM administrators can set (using the new SetRecoveryLock command) a password that must be entered before a user can restart a Mac with Apple silicon into the recoveryOS. For example, the user won’t be able to modify security settings or erase the Mac. This password can be set only by the MDM solution; it can be removed by the MDM solution, unenrolling in MDM, or if the Mac is erased. MDM administrators can also verify a recoveryOS password is set by using the new VerifyRecoveryLock command.
Activation Lock overview
Activation Lock makes it difficult for someone else to use or sell an iPhone, iPod touch, iPad, Mac, or Apple Watch. Managing Activation Lock with a mobile device management (MDM) solution lets your organization benefit from its theft-deterrent functionality while simultaneously providing you the ability to turn off Activation Lock from devices your organization owns.
Depending on the device, you can choose to enable or allow Activation Lock. Enabling Activation Lock means the MDM solution (not the user) contacts Apple servers to lock or unlock the device. In contrast, allowing Activation Lock lets users lock devices you own with their iCloud account. Some MDM solutions support both allowing Activation Lock and directly enabling it; if an attempt is made to use both, the first Activation Lock event that enables Activation Lock takes precedence.
Enabling Activation Lock on iPhone or iPad
Activation Lock can be enabled by an MDM solution at any time for iOS and iPadOS devices in Apple School Manager or Apple Business Manager without users being able to disable it or requiring users to enable Find My on their device.
This is especially helpful for users with Managed Apple IDs from Apple School Manager or Apple Business Manager, because Managed Apple IDs can’t use Find My.
Allowing Activation Lock on iPhone, iPad, and Mac
You can use an MDM solution to allow Activation Lock on a supervised device. This lets your organization benefit from the theft-deterrent functionality of Activation Lock, while still letting you turn it off if a user is unable to authenticate with their Apple ID for any reason, including if they’ve left the organization.
Because Activation Lock is disallowed by default on supervised devices, the MDM solution can store a bypass code before allowing it. This bypass code can be used to turn off Activation Lock automatically when the device needs to be erased and assigned to a new user. When MDM allows Activation Lock, the following occurs:
If Find My is on when your MDM solution allows Activation Lock, Activation Lock is enabled at that time.
If Find My is off when your MDM solution allows Activation Lock, Activation Lock is enabled the next time the user turns on Find My.
In iOS and iPadOS, the bypass codes are available for up to 15 days after the device is first supervised, or until an MDM solution has obtained—and then cleared—the code explicitly. If an MDM solution hasn’t retrieved the bypass code within 15 days, that bypass code is unretrievable.
Note: Mac computers require the Apple T2 Security Chip or Apple silicon to be eligible to use Activation Lock. If an eligible Mac computer is using user-approved MDM and is upgraded to macOS 10.15 or later, Activation Lock is disallowed by default and can optionally be allowed. Managing Activation Lock on installations (not upgrades) of macOS 10.15 or later require the device to be supervised. In macOS 11, if a device is supervised using a device enrollment (previously known as user-approved MDM), Activation Lock can’t be managed until the point at which the device is enrolled into MDM. That means it may be possible for Activation Lock to already be enabled when the device is enrolled in MDM and becomes supervised. In that case, it can’t be turned off using MDM and won’t be disallowed by default until it is first turned off by the user.
Disabling Activation Lock
After Activation Lock is on, whether it was allowed or directly enabled by MDM, you can use MDM to remotely turn it off when desired, or if you have physical possession of the device, you can:
For iOS and iPadOS devices where Activation Lock was enabled: On the Activation Lock screen, enter the user name and password of the Device Enrollment Manager from Apple School Manager or Apple Business Manager who created the device enrollment token that links the MDM solution to Apple School Manager or Apple Business Manager.
For devices where Activation Lock was allowed: On iOS and iPadOS, enter the MDM Activation Lock bypass code on the Activation Lock screen in the Apple ID password field, and leave the username field blank. On macOS, the bypass code can be entered by clicking on Recovery Assistant in the menu bar and selecting the Activate with MDM key option. Consult your MDM vendor’s documentation on where to locate the bypass code.
Note: To clear the Activation Lock on Apple devices which support dual SIMs, the MDM solution must include both IMEI values in the request. For MDM vendors, see the Apple Developer documentation Creating and Using Bypass Codes.
Bypass codes and recovery keys
The bypass codes and recovery keys that the MDM solution uses to manage Activation Lock are crucial to your ability to clear Activation Lock. These bypass codes and recovery keys should be secured and backed up regularly. If a change in MDM vendors is made, make sure that you’re provided with a copy of those bypass codes and recovery keys, or that Activation Lock should be cleared for all enrolled devices.