Managing Activation Lock lets your organization benefit from its theft-deterrent functionality while simultaneously providing you the ability to remove Activation Lock from devices your organization owns. Activation Lock management can be used on iPhone, iPad, iPod touch, and Mac computers that appear in Apple School Manager or Apple Business Manager and are enrolled in a mobile device management (MDM) solution.
Depending on the device, you can choose to enable or allow Activation Lock. Enabling Activation Lock means the MDM solution (not the user) contacts Apple servers to lock or unlock the device. In contrast, allowing Activation Lock lets users lock devices you own with their iCloud account.
Enable or disable Activation Lock on iPhone, iPad, and iPod touch
Activation Lock can be enabled by an MDM solution at any time for devices in Apple School Manager or Apple Business Manager without users being able to disable it or requiring users to enable Find My on their device.
This is especially helpful for users with Managed Apple IDs from Apple School Manager or Apple Business Manager, because Managed Apple IDs can’t use the Find My service. Once enabled, you use MDM to remotely remove the device from Activation Lock when desired, or, if you have physical possession of the device, you can:
Enter the MDM Activation Lock bypass code on the Activation Lock screen (consult your MDM vendor’s documentation on where to locate the bypass code).
Enter the user name and password of the Device Manager from Apple School Manager or Apple Business Manager who created the device enrollment token that links the MDM solution to Apple School Manager or Apple Business Manager.
Allow Activation Lock on iPhone, iPad, iPod touch, and Mac
You can use an MDM solution to allow Activation Lock on a supervised device. This lets your organization benefit from its theft-deterrent functionality, while still letting you bypass the feature if a user is unable to authenticate with their Apple ID for any reason, including if they’ve left the organization.
Since Activation Lock is disallowed by default on supervised devices, the MDM solution can store a bypass code when Activation Lock is enabled. This bypass code can be used to clear Activation Lock automatically when the device needs to be erased and assigned to a new user. The MDM solution can retrieve a bypass code and allow the user to enable Activation Lock on the device based on the following:
If Find My is turned on when your MDM solution allows Activation Lock, Activation Lock is enabled at that time.
If Find My is turned off when your MDM solution allows Activation Lock, Activation Lock is enabled the next time the user activates Find My.
In iOS and iPadOS, the bypass codes are available for up to 15 days after the device is first supervised, or until an MDM solution has obtained—and then cleared—the code explicitly. If an MDM solution hasn’t retrieved the bypass code within 15 days, that bypass code is unretrievable.
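One way to keep track of the 15-day retrieval window described above is to audit an inventory export for supervised devices whose bypass code has not yet been stored. The following is an added example, not code from Apple or any MDM vendor; the CSV column names, the sample rows, and the 3-day warning margin are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

RETRIEVAL_WINDOW = timedelta(days=15)  # retrieval window stated on this page
WARN_MARGIN = timedelta(days=3)        # assumption: when to escalate

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """serial,supervised_at,bypass_code_escrowed
SERIAL-A,2024-03-01T09:00:00+00:00,yes
SERIAL-B,2024-03-01T09:00:00+00:00,no
SERIAL-C,2024-03-10T09:00:00+00:00,no
SERIAL-D,2024-02-10T09:00:00+00:00,no
SERIAL-E,,no
"""

def classify(row, now):
    """Return the escrow status of one device relative to the 15-day window."""
    if row["bypass_code_escrowed"].strip().lower() == "yes":
        return "escrowed"
    raw = row["supervised_at"].strip()
    try:
        supervised = datetime.fromisoformat(raw)
    except ValueError:
        return "unknown"  # missing or malformed timestamp: needs manual review
    if supervised.tzinfo is None:
        # Assumption: timestamps without an offset are UTC.
        supervised = supervised.replace(tzinfo=timezone.utc)
    deadline = supervised + RETRIEVAL_WINDOW
    if now >= deadline:
        return "unretrievable"  # window has closed without retrieval
    if deadline - now <= WARN_MARGIN:
        return "urgent"
    return "pending"

def audit(export_text, now):
    """Group device serial numbers by escrow status."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        report.setdefault(classify(row, now), []).append(row["serial"])
    return report

if __name__ == "__main__":
    now = datetime(2024, 3, 14, 9, 0, tzinfo=timezone.utc)
    for status, serials in audit(SAMPLE_EXPORT, now).items():
        print(f"{status}: {', '.join(serials)}")
```

Devices reported as urgent or pending still need their bypass code retrieved by the MDM solution; devices reported as unknown lack a usable supervision date and need manual review.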
Note: On Mac computers running macOS 10.15, you can’t enable Activation Lock using MDM, but you can prevent the user from enabling Activation Lock when they enable Find My. If Mac computers with an Apple T2 Security Chip are using User-approved MDM and are upgraded to macOS 10.15, Activation Lock is also disallowed by default. Managing Activation Lock on installations (not upgrades) of macOS 10.15 requires the device to be added to Apple School Manager or Apple Business Manager and enrolled in MDM.
Bypass codes and recovery keys
The bypass codes and recovery keys that the MDM solution uses to manage Activation Lock are crucial to your ability to clear Activation Lock. These bypass codes and recovery keys should be secured and backed up regularly. If a change in MDM vendors is made, make sure that you are provided with a copy of those bypass codes and recovery keys, or that Activation Lock is cleared for all enrolled devices.