Using Activation Lock for Apple devices
Activation Lock makes it difficult for someone else to use or sell an iPhone, iPod touch, iPad, Mac, or Apple Watch. Managing Activation Lock lets your organization benefit from its theft-deterrent functionality while simultaneously providing you the ability to turn off Activation Lock from devices your organization owns.
Depending on the device, you can choose to enable or allow Activation Lock. Enabling Activation Lock means the MDM solution (not the user) contacts Apple servers to lock or unlock the device. In contrast, allowing Activation Lock lets users lock devices you own with their iCloud account. Some MDM solutions support both allowing Activation Lock and directly enabling it; in the case where both are attempted to be used, the first Activation Lock event that enables Activation Lock takes precedence.
Enabling Activation Lock on iPhone or iPad
Activation Lock can be enabled by an MDM solution at any time for iOS and iPadOS devices in Apple School Manager or Apple Business Manager without users being able to disable it or requiring users to enable Find My on their device.
This is especially helpful for users with Managed Apple IDs from Apple School Manager or Apple Business Manager, as Managed Apple IDs can’t use Find My.
Allowing Activation Lock on iPhone, iPad, and Mac
You can use an MDM solution to allow Activation Lock on a supervised device. This lets your organization benefit from the theft-deterrent functionality of Activation Lock, while still letting you turn it off if a user is unable to authenticate with their Apple ID for any reason, including if they’ve left the organization.
Since Activation Lock is disallowed by default on supervised devices, the MDM solution can store a bypass code before allowing it. This bypass code can be used to turn off Activation Lock automatically when the device needs to be erased and assigned to a new user. When MDM allows Activation Lock, the following occurs:
If Find My is on when your MDM solution allows Activation Lock, Activation Lock is enabled at that time.
If Find My is off when your MDM solution allows Activation Lock, Activation Lock is enabled the next time the user turns on Find My.
In iOS and iPadOS, the bypass codes are available for up to 15 days after the device is first supervised, or until an MDM solution has obtained—and then cleared—the code explicitly. If an MDM solution hasn’t retrieved the bypass code within 15 days, that bypass code is unretrievable.
Note: Mac computers require the Apple T2 Security Chip to be eligible to use Activation Lock. If an eligible Mac computer is using user-approved MDM and is upgraded to macOS 10.15 or later, Activation Lock is disallowed by default and can optionally be allowed. Managing Activation Lock on installations (not upgrades) of macOS 10.15 or later require the device to be supervised. In macOS 11, if a device is supervised using a device enrollment (previously known as user-approved MDM), Activation Lock can’t be managed until the point at which the device is enrolled into MDM. That means it may be possible for Activation Lock to already be enabled when the device is enrolled in MDM and becomes supervised. In that case, it can’t be turned off using MDM and won’t be disallowed by default until it is first turned off by the user.
Disabling Activation Lock
After Activation Lock is on, whether it was allowed or directly enabled by MDM, you can use MDM to remotely turn it off when desired, or if you have physical possession of the device, you can:
For iOS and iPadOS devices where Activation Lock was enabled: On the Activation Lock screen, enter the user name and password of the Device Enrollment Manager from Apple School Manager or Apple Business Manager who created the device enrollment token that links the MDM solution to Apple School Manager or Apple Business Manager.
For devices where Activation Lock was allowed: On iOS and iPadOS, enter the MDM Activation Lock bypass code on the Activation Lock screen in the Apple ID password field, and leave the username field blank. On macOS, the bypass code can be entered by clicking on Recovery Assistant in the menu bar and selecting the Activate with MDM key option. Consult your MDM vendor’s documentation on where to locate the bypass code.
Note: To clear the Activation Lock on Apple devices which support dual SIMs, the MDM solution must include both IMEI values in the request. For MDM vendors, see the Apple Developer documentation Creating and Using Bypass Codes.
Bypass codes and recovery keys
The bypass codes and recovery keys that the MDM solution uses to manage Activation Lock are crucial to your ability to clear Activation Lock. These bypass codes and recovery keys should be secured and backed up regularly. If a change in MDM vendors is made, make sure that you are provided with a copy of those bypass codes and recovery keys, or that Activation Lock should be cleared for all enrolled devices.