Activation Lock settings with Profile Manager on Mac
A device with Activation Lock on it is difficult for someone else to use or sell. With Activation Lock, the user’s Apple ID password is required before anyone can turn off Find My iPhone on the device, erase the device, or reactivate it. When Find My iPhone is enabled on unsupervised devices, Activation Lock is automatically disabled. To learn how Activation Lock can be enabled or allowed, consult your mobile device management (MDM) solution’s documentation.
Additional Activation Lock features:
MDM solutions can generate a bypass code and lock a device remotely.
Activation Lock management can be enabled by an MDM solution at any time, as long as the device is not currently under Activation Lock by the user.
The user can’t disable Activation Lock, because it doesn’t require the user’s Apple ID. You must use the MDM bypass code to disable Activation Lock.
If the devices are in Apple School Manager, are supervised, and enrolled in an MDM solution, you can enable or allow Activation Lock. You can’t choose both Enable Activation Lock and Allow Activation Lock; you must select one or the other. If you select Allow Activation Lock, you can also allow the bypass code if it’s available.
Enabling Activation Lock
When you enable Activation Lock, your organization benefits from its theft-deterrent functionality without users being able to disable it. On a supervised device, Activation Lock is enabled without requiring the user to sign in to their iCloud account with their Apple ID on the device, so they can’t disable it. You must use the MDM bypass code to remove the device from Activation Lock.
Allowing Activation Lock
You can use an MDM solution to allow Activation Lock on a supervised device. This lets your organization benefit from its theft-deterrent functionality, while still letting you bypass the feature if a user is unable to authenticate with their Apple ID.
Your MDM solution can retrieve a bypass code and permit the user to enable Activation Lock on the device based on the following:
If Find My iPhone is turned on when your MDM solution allows Activation Lock, Activation Lock is enabled at that point.
If Find My iPhone is turned off when your MDM solution allows Activation Lock, Activation Lock is enabled the next time the user activates Find My iPhone.
Set Activation Lock during enrollment
You can configure Profile Manager to automatically send certain Activation Lock commands to a device after it has been enrolled. By default, the command is only sent when a bypass code has been obtained from the device. You can perform these steps for any user or group.
In the Profile Manager sidebar, select Groups.
Select Everyone, then click the Settings tab.
Allow Activation Lock is a group setting because it lets an organization capture all users with supervised devices that configure Find My iPhone with their Apple ID. There is no “All devices” group. The Everyone group in Profile Manager is used to cover all authenticated user enrollments.
Click Save.
Allow Activation Lock
You can configure a device to allow Activation Lock outside of Enrollment Settings on a user or group by using the Allow Activation Lock command.
In the Profile Manager sidebar, select Groups.
Select Everyone, then click the About tab.
After devices are enrolled, you can choose the Allow Activation Lock command from the Action pop-up menu to allow Activation Lock on the devices.
Select the devices you want from the dialog that appears, then click Allow Activation Lock.
Use Activation Lock bypass code
You can use the Activation Lock bypass code in place of a password to unlock a device and erase it.
In the Profile Manager sidebar, click Devices.
Select a device, click the About tab, then click the Security triangle, and locate the Activation Lock bypass code.
Enter the bypass code in the password field of the Apple ID on the device you want to erase. Leave the Apple ID user name blank.
The device is erased and can be set up again. You must set up Activation Lock again and generate a new code.
Clear Activation Lock
You can clear the Activation Lock. You should do this only on a device, not on a user or group.
In the Profile Manager sidebar, click Devices.
Select a device, then select Clear Activation Lock from the Action pop-up menu.
The Activation Lock is cleared on the device.