Managing Activation Lock lets an organization benefit from its theft-deterrent functionality while simultaneously providing them the ability to remove Activation Lock from devices their organization owns. Activation Lock management can be used on iPhone, iPad, iPod touch, and Mac computers that appear in Apple School Manager or Apple Business Manager and are enrolled in a mobile device management (MDM) solution.
Depending on the device, an organization can choose to enable or allow Activation Lock. Enabling Activation Lock means the MDM solution (not the user) contacts Apple servers to lock or unlock the device. In contrast, allowing Activation Lock lets users lock devices the organization owns with their iCloud account.
Enable or disable Activation Lock on iPhone, iPad, and iPod touch
Activation Lock can be enabled by an MDM solution at any time for devices in Apple School Manager or Apple Business Manager without users being able to disable it or requiring users to enable Find My on their device.
This is especially helpful for users with Managed Apple IDs from Apple School Manager or Apple Business Manager, because Managed Apple IDs can’t use the Find My service. Once enabled, MDM is used to remotely remove the device from Activation Lock when desired, or, if the organization has physical possession of the device they can:
Enter the MDM Activation Lock bypass code on the Activation Lock screen.
Enter the user name and password of the Device Manager from Apple School Manager or Apple Business Manager who created the device enrollment token that links the MDM solution to Apple School Manager or Apple Business Manager.
Allow Activation Lock on iPhone, iPad, iPod touch, and Mac
Organizations can use an MDM solution to allow Activation Lock on a supervised device. This lets them benefit from its theft-deterrent functionality, while still letting them bypass the feature if a user is unable to authenticate with their Apple ID for any reason, including if they’ve left the organization.
Since Activation Lock is disallowed by default on supervised devices, the MDM solution can store a bypass code when Activation Lock is enabled. This bypass code can be used to clear Activation Lock automatically when the device needs to be erased and assigned to a new user. The MDM solution can retrieve a bypass code and allow the user to enable Activation Lock on the device based on the following:
If Find My is turned on when the MDM solution allows Activation Lock, Activation Lock is enabled at that time.
If Find My is turned off when the MDM solution allows Activation Lock, Activation Lock is enabled the next time the user activates Find My.
In iOS and iPadOS, the bypass codes are available for up to 15 days after the device is first supervised, or until an MDM solution has obtained—and then cleared—the code explicitly. If an MDM solution hasn’t retrieved the bypass code within 15 days, that bypass code is unretrievable.
Note: On Mac computers running macOS 10.15, Activation Lock can’t be enabled using MDM, but the user can be prevented from enabling Activation Lock when they enable Find My. If Mac computers with an Apple T2 Security Chip are using user-approved MDM and are upgraded to macOS 10.15, Activation Lock is also disallowed by default. Managing Activation Lock on installations (not upgrades) of macOS 10.15 require the device to be added to Apple School Manager or Apple Business Manager and enrolled in MDM.
Bypass codes and recovery keys
The bypass codes and recovery keys that the MDM solution uses to manage Activation Lock are crucial to the ability to clear Activation Lock. These bypass codes and recovery keys should be secured and backed up regularly. If a change in MDM vendors is made, it is critical to keep a copy of bypass codes and recovery keys or to clear Activation Lock for all enrolled devices.