Activation Lock security
Activation Lock helps to prevent unauthorized users from reactivating an iPhone, iPad, Mac, Apple Watch, and Apple Vision Pro if it’s lost or stolen. It remains enabled even if the device is erased. This makes it more difficult for someone to use or sell a missing device. How Apple enforces Activation Lock varies depending on the device.
Activation Lock on iPhone parts
Apple is extending Activation Lock for iPhone to cover individual parts to help deter stolen parts from entering the market. During a repair, if an iPhone detects that a supported part came from another iPhone with Activation Lock or Lost Mode turned on, calibration is restricted for that part. This enhancement to the Activation Lock feature further extends Apple’s commitment to protecting users while increasing consumer choice when it comes to repairs.
Behavior on iPhone, iPad, and Apple Vision Pro
On an unsupervised iPhone, iPad, or Apple Vision Pro, Activation Lock is enabled automatically when the user signs in to their Apple Account and turns on Find My.
On a supervised device, Activation Lock is disallowed by default, but a mobile device management (MDM) solution can allow the user to enable it. This allows the MDM solution to escrow a bypass code from the device. That bypass code can then be used to disable Activation Lock at a later time. A device generates a new bypass code when:
Setting up the device the first time
Setting up the device after an erase and not restoring the device from a backup of that same device
Setting up the device after an erase and restoring the device from a backup of a different device
Alternatively, for managed and supervised devices, an MDM solution can contact Apple servers directly to enable Activation Lock. This is done entirely server-side and has no dependencies on user actions or the state of the device. The MDM solution must create a 31-byte bypass code, then send it to Apple servers when it wants to enable Activation Lock for the device. The MDM solution’s bypass code should be randomly created and unique for each device.
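The two bypass-code flows above (a device-generated code escrowed by the MDM solution, and an MDM-created 31-byte code sent to Apple servers) are modelled below. This is an added example written for this page, not Apple's code or any MDM product's code: the escrow store, the event names and the `device_generates_new_code` rule are assumptions that follow the wording of the page, and the in-memory dictionary stands in for whatever encrypted store a real MDM would use. It shows the properties the page requires of an MDM-created code (31 bytes, randomly created, unique per device), a constant-time check before the escrowed code is used, and when a device-generated code becomes stale so the MDM must escrow a new one.

```python
"""Bypass-code handling for an MDM solution (added example, not Apple's code)."""
import hmac
import secrets
from typing import Dict, Optional

BYPASS_CODE_LEN = 31  # bytes, the length stated on the page for MDM-created codes


def new_bypass_code() -> bytes:
    """Fresh code from the OS CSPRNG; never derived from serial, IMEI or a counter."""
    return secrets.token_bytes(BYPASS_CODE_LEN)


def device_generates_new_code(first_setup: bool, after_erase: bool,
                              serial: str, restored_from_serial: Optional[str]) -> bool:
    """Page rule for when a device mints a new device-generated bypass code.

    A new code is generated on first setup, and on setup after an erase unless
    the device is restored from a backup of that same device. When this returns
    True, the copy the MDM escrowed earlier is stale and must be re-escrowed.
    (Assumption: restored_from_serial is None when no backup is restored.)
    """
    if first_setup:
        return True
    if after_erase:
        return restored_from_serial != serial
    return False


class BypassCodeEscrow:
    """Escrow of bypass codes keyed by device serial (in-memory stand-in)."""

    def __init__(self) -> None:
        self._codes: Dict[str, bytes] = {}

    def create_server_side(self, serial: str) -> bytes:
        """MDM-created code for the server-side enable flow: one random, unique code per device."""
        if serial in self._codes:
            raise ValueError(f"a bypass code is already escrowed for {serial}")
        code = new_bypass_code()
        while code in self._codes.values():  # 31 random bytes: a collision is practically impossible
            code = new_bypass_code()
        self._codes[serial] = code
        return code

    def escrow_from_device(self, serial: str, code: bytes) -> None:
        """Store (or replace) a code the device generated and reported to the MDM.

        The device-generated code's format is whatever the device reports; it is
        not validated here.
        """
        if not code:
            raise ValueError("empty bypass code")
        self._codes[serial] = code

    def matches(self, serial: str, presented: bytes) -> bool:
        """Constant-time check of a presented code before it is used to disable Activation Lock."""
        stored = self._codes.get(serial)
        if stored is None or len(presented) != len(stored):
            return False
        return hmac.compare_digest(stored, presented)

    def forget(self, serial: str) -> None:
        """Drop the escrow record, e.g. when the device is released from the organization."""
        self._codes.pop(serial, None)


if __name__ == "__main__":
    escrow = BypassCodeEscrow()
    code = escrow.create_server_side("SERIAL-EXAMPLE-1")  # constructed serial
    print("escrowed", code.hex(), "matches:", escrow.matches("SERIAL-EXAMPLE-1", code))
    # After an erase with no restore, the device-generated code changes:
    print("re-escrow needed:", device_generates_new_code(False, True, "SERIAL-EXAMPLE-1", None))
```

The `while` loop is cheap insurance rather than a real concern: two independent 31-byte random values colliding is not something that happens in practice, but the check documents the uniqueness requirement in code. The constant-time comparison matters because the escrowed code is the secret that disables Activation Lock; a timing leak in the MDM's comparison would be a defect in the MDM, not in Apple's servers.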
Activation Lock is enforced through the activation process after the Wi-Fi selection screen in Setup Assistant. When a device indicates that it’s activating, it sends a request to the activation server to get an activation certificate.
Unsupervised iPhone, iPad, and Apple Vision Pro devices that are locked with Activation Lock can be unlocked by:
The credentials of the personal Apple Account used to enable Activation Lock
The previously used device passcode
Supervised iPhone, iPad, and Apple Vision Pro devices that are locked with Activation Lock can be unlocked by:
The credentials of the personal Apple Account used to enable Activation Lock
The credentials of the Managed Apple Account used to link the MDM solution with Apple School Manager or Apple Business Manager
The bypass code escrowed by the MDM solution
The MDM solution making a server-side call to Apple servers with the same bypass code it used to enable Activation Lock
Note: The Setup Assistant in iOS, iPadOS, and visionOS won’t progress unless a valid certificate can be obtained.
Behavior on Apple Watch
Activation Lock on an unsupervised Apple Watch is tied to the Activation Lock status of the paired iPhone. If the iPhone has Activation Lock enabled, the Apple Watch is instructed to contact Apple servers at the end of the pairing process to turn on Activation Lock. If Activation Lock isn’t enabled on the iPhone at the time of pairing but is enabled at a later time, the iPhone:
Prompts all paired Apple Watch devices to contact Apple servers
Can enable Activation Lock on the Apple Watch
As part of the initial pairing process, the iPhone sends a request to the activation server to get an activation certificate for the Apple Watch.
If the Apple Watch is locked with Activation Lock, the user must enter the credentials of the Apple Account that was used to enable Activation Lock before they can unpair, erase, or reactivate the Apple Watch.
Note: Pairing can’t be completed unless a valid certificate can be obtained.
Behavior on Mac
On an unsupervised Mac, Activation Lock is enabled automatically when the user signs in with their Apple Account and turns on Find My. For a Mac that’s supervised, Activation Lock is disallowed by default, but an MDM solution can allow the user to enable it. This allows the MDM solution to escrow a bypass code from the device. That bypass code can then be used to disable Activation Lock at a later time. A device generates a new bypass code when:
Setting up the device the first time
Setting up the device after an erase
Additional behavior on a Mac with Apple silicon
On a Mac with Apple silicon, the Low Level Bootloader (LLB) verifies that a valid LocalPolicy for the device exists and that the LocalPolicy anti-replay values match the values stored in the Secure Storage Component. The LLB boots to recoveryOS if:
There is no LocalPolicy for the current macOS
The LocalPolicy is invalid for that version of macOS
The hashes of the LocalPolicy anti-replay values don’t match the hashes of the values stored in the Secure Storage Component
recoveryOS detects that the Mac isn’t activated and contacts the activation server to get an activation certificate.
If the device is locked using Activation Lock while in recoveryOS, Activation Lock can be unlocked by:
The credentials of the personal Apple Account used to enable Activation Lock
The previously used device password of the local user who enabled Activation Lock
The bypass code escrowed by the MDM solution
After a valid activation certificate is obtained, that activation certificate key is used to obtain a RemotePolicy certificate. The Mac uses the LocalPolicy key and RemotePolicy certificate to produce a valid LocalPolicy.
Note: The LLB won’t allow booting of macOS unless a valid LocalPolicy is present.
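The boot decision the LLB makes above (no LocalPolicy, LocalPolicy invalid for the installed macOS, or anti-replay hashes not matching the Secure Storage Component) can be modelled as a small decision function. The following is an added example written for this page, not Apple's LLB code: the `LocalPolicy` and `SecureStorageComponent` classes, the `signed` flag standing in for signature verification with the LocalPolicy key, the SHA-256 hashing of anti-replay values, and the version strings are all assumptions, and the real policy format and the certificate exchange with the activation server are not modelled. What it does show is why the anti-replay check matters: once the Secure Storage Component's stored hash has been rotated, a previously valid LocalPolicy is rejected and the Mac lands in recoveryOS instead of booting macOS.

```python
"""Model of the LLB LocalPolicy / anti-replay check (added example, not Apple's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def anti_replay_hash(value: bytes) -> bytes:
    """Assumed hash function for anti-replay values; the real LLB's choice is not on the page."""
    return hashlib.sha256(value).digest()


@dataclass
class LocalPolicy:
    macos_version: str                      # the macOS install this policy was produced for
    anti_replay: Dict[str, bytes]           # anti-replay values bound into the policy
    signed: bool = True                     # stand-in for a valid signature by the LocalPolicy key


@dataclass
class SecureStorageComponent:
    """Stand-in for the hashes of anti-replay values the Secure Storage Component holds."""
    anti_replay_hashes: Dict[str, bytes] = field(default_factory=dict)


def rotate_anti_replay(ssc: SecureStorageComponent, name: str, new_value: bytes) -> None:
    """Store the hash of a fresh anti-replay value; every older LocalPolicy is now stale."""
    ssc.anti_replay_hashes[name] = anti_replay_hash(new_value)


def llb_boot_target(policy: Optional[LocalPolicy], installed_macos: str,
                    ssc: SecureStorageComponent) -> Tuple[str, str]:
    """Return ("macOS" | "recoveryOS", reason) following the three conditions on the page."""
    if policy is None:
        return "recoveryOS", "no LocalPolicy for the current macOS"
    if not policy.signed or policy.macos_version != installed_macos:
        return "recoveryOS", "LocalPolicy is invalid for this version of macOS"
    # Every anti-replay value the SSC knows about must be present, and every
    # hash must match; an extra or missing value is treated as a mismatch.
    if set(policy.anti_replay) != set(ssc.anti_replay_hashes):
        return "recoveryOS", "anti-replay hash mismatch"
    for name, value in policy.anti_replay.items():
        if not hmac.compare_digest(anti_replay_hash(value), ssc.anti_replay_hashes[name]):
            return "recoveryOS", "anti-replay hash mismatch"
    return "macOS", "valid LocalPolicy"


if __name__ == "__main__":
    # Constructed sample values; not real Apple version numbers or nonces.
    ssc = SecureStorageComponent()
    rotate_anti_replay(ssc, "policy_nonce", b"nonce-1")
    policy = LocalPolicy("example-1.0", {"policy_nonce": b"nonce-1"})
    print(llb_boot_target(policy, "example-1.0", ssc))   # ('macOS', 'valid LocalPolicy')
    rotate_anti_replay(ssc, "policy_nonce", b"nonce-2")  # e.g. after the policy is replaced
    print(llb_boot_target(policy, "example-1.0", ssc))   # replayed old policy -> recoveryOS
```

The point of comparing hashes rather than the values themselves is that the Secure Storage Component only needs to hold a small fixed-size digest per value, while the policy carries the value; and because a rotation overwrites the digest, an attacker who captured an older, correctly signed LocalPolicy cannot present it again to skip recoveryOS and the activation check that follows.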
Additional behavior on a Mac with the T2 chip
On a Mac with the T2 chip, the T2 chip firmware verifies that a valid activation certificate is present before allowing the computer to boot to macOS. UEFI firmware loaded by the T2 chip is responsible for querying the activation status of the device from the T2 chip. The Mac boots to recoveryOS if:
A valid activation certificate isn’t present
recoveryOS detects that the Mac isn’t activated and contacts the activation server to get an activation certificate.
If the Mac is locked using Activation Lock while in recoveryOS, Activation Lock can be unlocked by:
The credentials of the personal Apple Account used to enable Activation Lock
The previously used device password of the local user who enabled Activation Lock
The bypass code escrowed by the MDM solution
Note: UEFI firmware won’t allow macOS to boot unless a valid activation certificate is present.
Managing Activation Lock in Apple School Manager or Apple Business Manager
If an Apple device is registered with an Apple School Manager or Apple Business Manager organization, users with a role that has Manage Device privileges can turn off Activation Lock for organization-owned devices. This option is available only for devices registered with the organization before Activation Lock was enabled and that haven’t been released. Because Activation Lock is disabled using server-side calls, a device doesn’t need to be managed by an MDM solution.
Note: Devices that are currently locked with Activation Lock can’t be added to an Apple School Manager or Apple Business Manager organization.