Activation Lock on Apple devices
When a user turns on Activation Lock, it’s difficult for someone else to use or sell an iPhone, iPad, Mac, or Apple Watch if it’s ever lost or stolen. If you use a device management service that supports Activation Lock, you can manage it for devices your organization owns.
There are two types of Activation Lock available:
Organization-linked: Organization-linked Activation Lock requires Apple School Manager or Apple Business Manager and is generally simpler to manage for organizations. It allows a device management service to fully control turning Activation Lock on and off through server-side interactions.
User-linked: User-linked Activation Lock requires the user to have a personal Apple Account (not a Managed Apple Account) and for them to turn on Find My. This method allows the user to lock an organization-linked device to their personal Apple Account if the device management service allows Activation Lock.
Note: Some device management services support both Activation Lock methods; when attempting to use both, the first successful Activation Lock event takes precedence.
Turn off Activation Lock
In Apple School Manager or Apple Business Manager, a user with Manage Device privileges can turn off organization-linked and user-linked Activation Lock for an iPhone, iPad, Mac, Apple Watch, or Apple Vision Pro that their organization owns. You need to add the device to Apple School Manager or Apple Business Manager before enabling Activation Lock. Additionally, you can’t have released the device, but you don’t need to assign it to a device management service.
For more information, see:
Apple School Manager User Guide: Turn off Activation Lock
Apple Business Manager User Guide: Turn off Activation Lock
Organization-linked Activation Lock for iPhone and iPad
Allowing organization-linked Activation Lock means the device management service (not the user) contacts Apple servers directly to lock or unlock the device. Because this happens entirely server-side, there are no dependencies on user actions or the state of their device. The device management service creates its own bypass code, and sends it to Apple servers when it needs to turn on or turn off Activation Lock for the device.
If your device management service is unsuccessful in removing Activation Lock, on the Activation Lock screen, enter the user name and password of the account that created the device management service token that links the device management service to Apple School Manager or Apple Business Manager. This is an account with the role of Administrator, Site Manager (Apple School Manager only), or Device Enrollment Manager.
Important: If you assign your devices to a device management service that links to Apple School Manager or Apple Business Manager, use this method.
User-linked Activation Lock
In contrast with organization-linked Activation Lock, user-linked Activation Lock lets users lock devices your organization owns with their personal iCloud account.
In this case, device management services can allow users to turn on Activation Lock on an organization-linked supervised device. Because Activation Lock is disallowed by default on supervised devices, the device management service needs to fetch a bypass code that the device creates and store it before allowing the user to turn on Activation Lock. If the user is unable to authenticate with their Apple Account for any reason, including if they leave the organization, you can use the bypass code to turn off Activation Lock remotely with a device management service, or directly on the device, when you need to erase the device and assign it to a new user.
On iPhone and iPad, the bypass codes are available for up to 15 days after the device is first supervised, or until a device management service obtains—and then clears—the code explicitly. If a device management service doesn’t retrieve the bypass code within 15 days, that bypass code is unretrievable.
Mac computers require Apple silicon or the Apple T2 Security Chip to be eligible to use Activation Lock. If an eligible Mac computer is using Device Enrollment and you update or upgrade it to macOS 10.15 or later, Activation Lock is disallowed by default, but you can optionally allow it. Managing Activation Lock on installations (not upgrades) of macOS 10.15 or later requires the device to be supervised. For a Mac with macOS 11 or later, if it’s supervised using Device Enrollment, you can’t manage Activation Lock until you enroll the device in a device management service. That means it may be possible for Activation Lock to already be turned on when the Mac enrolls in a device management service and becomes supervised. In that case, you can’t turn it off using a device management service and the macOS can’t disallow it by default until the user turns it off.
If you have physical possession of the device, on an iPhone or iPad, enter the device management service Activation Lock bypass code on the Activation Lock screen in the Apple Account password field, and leave the user name field blank. On a Mac, you can enter the bypass code by clicking Recovery Assistant in the menu bar and selecting the “Activate with MDM key” option. Consult your device management service’s developer’s documentation on where to locate the bypass code.
When a device management service allows user-linked Activation Lock, the following occurs:
If Find My is on when your device management service allows Activation Lock, Activation Lock turns on at that time.
If Find My is off when your device management service allows Activation Lock, Activation Lock turns on the next time the user turns on Find My.
Using bypass codes to clear Activation Lock
To manage Activation Lock, your device management service needs to store two bypass codes:
The device-generated bypass code. The device management service retains this code until it receives a different, nonempty code from the device.
The bypass code the server creates when initiating Activation Lock through the device management service.
The bypass codes that the device management service uses to manage Activation Lock are crucial to your ability to clear Activation Lock. Be sure to secure the bypass codes and back them up on a regular basis. If you change to a different device management service, ensure that you receive a copy of those bypass codes, or that the device management service clears Activation Lock for all enrolled devices.
To clear the Activation Lock on Apple devices that support dual SIMs, the device management service needs to include both IMEI (International Mobile Equipment Identity) values in the request. For device management service developers, see Creating and Using Bypass Codes on the Apple Developer website.
If your device management service is unable to remove Activation Lock, contact your device management service developer support resources, or see the Apple Support article How to remove Activation Lock.