
Manage Activation Lock with a device management service
Managing Activation Lock with a device management service lets your organization benefit from its theft-deterrent functionality while simultaneously providing you the ability to turn off Activation Lock for devices your organization owns. Activation Lock works even if you’ve erased the device remotely.
If Activation Lock is managed by a device management service, you need a bypass code from that service to disable Activation Lock, or you can use Apple School Manager or Apple Business Manager to turn off Activation Lock for organization-owned devices.
There are two types of Activation Lock available:
Organization-linked: This method requires Apple School Manager or Apple Business Manager and is generally simpler to manage for organizations. It allows a device management service to fully control turning Activation Lock on and off through server-side interactions.
User-linked: This method requires the user to have an unmanaged Apple Account (not a Managed Apple Account) and for them to turn on Find My. It allows the user to lock an organization-linked device to their unmanaged Apple Account if the device management service allows Activation Lock.
Note: Some device management services support both Activation Lock methods; when attempting to use both, the first successful Activation Lock event takes precedence.
Turn off Activation Lock
A device management administrator or a help desk advisor with the role of Administrator or Device Enrollment Manager in Apple School Manager or Apple Business Manager can turn off Activation Lock on iPhone, iPad, and Mac. The device must appear in Apple School Manager or Apple Business Manager but the device doesn’t have to be enrolled in a device management service.
Organization-linked Activation Lock for iPhone and iPad
Allowing organization-linked Activation Lock means the device management service (not the user) contacts Apple servers directly to lock or unlock the device. Because this happens entirely server-side, there are no dependencies on user actions or the state of their device. The device management service creates its own bypass code, and sends it to Apple servers when it needs to turn on or turn off Activation Lock for the device.
If your device management service is unsuccessful in removing Activation Lock, on the Activation Lock screen, enter the user name and password of the account that created the device management service token that links the device management service to Apple School Manager or Apple Business Manager. This is an account with the role of Administrator, Site Manager (Apple School Manager only), or Device Enrollment Manager.
User-linked Activation Lock
In contrast with organization-linked Activation Lock, user-linked Activation Lock lets users lock devices your organization owns with their personal iCloud account.
In this case, device management services can allow users to turn on Activation Lock on an organization-linked supervised device. Because Activation Lock is disallowed by default on supervised devices, the device management service needs to fetch a bypass code that the device creates and store it before allowing the user to turn on Activation Lock. If the user is unable to authenticate with their Apple Account for any reason, including if they leave the organization, you can use the bypass code to turn off Activation Lock remotely with a device management service, or directly on the device.
On iPhone and iPad, bypass codes are available for up to 15 days after the device is first supervised, or until a device management service obtains—and then clears—the code explicitly. If a device management service doesn’t retrieve the bypass code within 15 days, that bypass code is unretrievable.
Mac computers require Apple silicon or the Apple T2 Security Chip to be eligible to use Activation Lock. If an eligible Mac computer is using Device Enrollment and you update or upgrade it to macOS 10.15 or later, Activation Lock is disallowed by default, but you can optionally allow it. Managing Activation Lock on installations (not upgrades) of macOS 10.15 or later requires the device to be supervised. For a Mac with macOS 11 or later, if it’s supervised using Device Enrollment, you can’t manage Activation Lock until you enroll the device in a device management service. That means it may be possible for Activation Lock to already be turned on when the Mac enrolls in a device management service and becomes supervised. In that case, you can’t turn it off using a device management service and macOS can’t disallow it by default until the user turns it off.
If you have physical possession of the device, on an iPhone or iPad, enter the device management service Activation Lock bypass code on the Activation Lock screen in the Apple Account password field, and leave the user name field blank. On a Mac, you can enter the bypass code by clicking Recovery Assistant in the menu bar and selecting the “Activate with MDM key” option. Consult your device management service developer’s documentation on where to locate the bypass code.
When a device management service allows user-linked Activation Lock, the following occurs:
If Find My is on when your device management service allows Activation Lock, Activation Lock turns on at that time.
If Find My is off when your device management service allows Activation Lock, Activation Lock turns on the next time the user turns on Find My.
Use bypass codes to clear Activation Lock
To manage Activation Lock, your device management service needs to store two bypass codes:
The device-generated bypass code, which the device management service retains until it receives a different, nonempty code from the device.
The bypass code the server creates when initiating Activation Lock through the device management service.
The bypass codes that the device management service uses to manage Activation Lock are crucial to your ability to clear Activation Lock. Be sure to secure the bypass codes and back them up regularly. If you change to a different device management service, ensure that you receive a copy of the previous bypass codes, or that the device management service clears Activation Lock for all enrolled devices.
To clear Activation Lock on Apple devices that support dual SIMs, the device management service needs to include both International Mobile Equipment Identity (IMEI) values in the request.
If your device management service is unable to remove Activation Lock, contact your device management service developer support resources.
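The storage rules above can be checked before a clear request is ever needed. The following sketch is an added example, not code from Apple or from any device management service; the EscrowRecord fields, function names, and sample values are hypothetical, and the 15-day window is the iPhone and iPad figure given on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RETRIEVAL_WINDOW = timedelta(days=15)  # iPhone/iPad retrieval window stated on this page


@dataclass
class EscrowRecord:
    """Hypothetical per-device record kept by a device management service."""
    serial: str
    supervised_at: datetime
    sim_slots: int = 1
    imeis: tuple = ()
    org_lock_on: bool = False           # service initiated organization-linked lock
    device_code: Optional[str] = None   # bypass code the device generated
    server_code: Optional[str] = None   # bypass code the server created

    def record_device_code(self, reported: Optional[str]) -> bool:
        """Keep the stored code unless the device reports a different, nonempty one."""
        if not reported or reported == self.device_code:
            return False
        self.device_code = reported
        return True


def audit(rec: EscrowRecord, now: datetime) -> list:
    """Return the reasons a later clear request for this device could fail."""
    findings = []
    if rec.device_code is None:
        deadline = rec.supervised_at + RETRIEVAL_WINDOW
        if now > deadline:
            findings.append("device code never retrieved; 15-day window has passed")
        else:
            left = (deadline - now).days
            findings.append(f"device code not yet retrieved; {left} day(s) left")
    if rec.org_lock_on and rec.server_code is None:
        findings.append("organization-linked lock is on but no server code is stored")
    if rec.sim_slots == 2 and len(set(rec.imeis)) < 2:
        findings.append("dual SIM device: both IMEIs are needed in the clear request")
    return findings


# Constructed sample: dual SIM device, one IMEI on file, code never fetched.
SAMPLE = EscrowRecord("SAMPLE-0001", datetime(2025, 1, 1),
                      sim_slots=2, imeis=("350000000000001",))

if __name__ == "__main__":
    print(audit(SAMPLE, datetime(2025, 1, 21)))
```

Running the audit on every inventory sync surfaces devices whose codes were never escrowed while the retrieval window is still open.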
If iPhone, iPad or Mac is locked with Activation Lock
What to look for:
After erasing or during Setup Assistant, the device shows an Activation Lock message such as:
“iPhone Locked to Owner”
“iPad Locked to Owner”
“This Mac is linked to an Apple Account. Sign in to the account that was previously used with this Mac.”
The device can’t complete setup without the Apple Account credentials.
What’s happening:
Activation Lock is turned on. The device is linked either to your organization (organization-linked) or to an unmanaged Apple Account (user-linked).
If an unmanaged Apple Account was used to set up Find My, the Activation Lock screen shows several characters from that Apple Account to help identify which credentials are needed.
Steps to take:
Confirm ownership in Apple School Manager or Apple Business Manager.
For organization-owned devices using organization-linked Activation Lock, remove Activation Lock by doing one of the following:
Use Apple School Manager or Apple Business Manager.
Use the device management service to remove Activation Lock.
For organization-owned devices using user-linked Activation Lock, remove Activation Lock by doing one of the following:
Ask the user to enter their unmanaged Apple Account email address and password.
Use Apple School Manager or Apple Business Manager.
Use the stored bypass code from the device management service.
For user-owned devices, ask the user to enter their unmanaged Apple Account email address and password.
If a device management service can’t clear Activation Lock
What to look for:
The device management service reports an error when sending the clear Activation Lock command.
The device stays locked even after a clear request.
What’s happening:
The bypass code wasn’t retrieved or stored by the device management service.
For dual SIM devices, the clear request may be missing one of the IMEIs.
User-linked Activation Lock may already have been enabled before the device was supervised.
Steps to take:
Check that your service retrieved and stored both bypass codes.
For dual SIM devices, confirm that both IMEIs are included in the request.
If bypass codes are missing or invalid, use the Apple Account credentials that created the device management service token in Apple School Manager or Apple Business Manager.
If still unsuccessful, escalate to your device management service developer.
If a user can’t remove Activation Lock on a personal device
What to look for:
A user can’t set up their iPhone, iPad, or Mac after erasing it.
The user doesn’t know or can’t remember their unmanaged Apple Account email address and password.
What’s happening:
Activation Lock is user-linked and requires the unmanaged Apple Account email address and password.
Without their unmanaged Apple Account email address and password, Activation Lock prevents setup.
Steps to take:
Ask the user to enter their unmanaged Apple Account email address and password used to turn on Find My.
If they forgot their unmanaged Apple Account email address and password, guide them to Apple’s password recovery process at iforgot.apple.com.
If they can’t recover their account, advise them to contact Apple Support and provide proof of purchase.
If you can’t remove Activation Lock from an organization-owned Mac
What to look for:
The device management service reports it can’t remove Activation Lock.
Apple School Manager or Apple Business Manager can’t remove Activation Lock.
What’s happening:
Activation Lock may have been turned on before the Mac became supervised.
The device management service can’t remove Activation Lock.
Steps to take:
If you have physical access, start the Mac in macOS Recovery.
From the menu bar, choose Recovery Assistant > Activate with MDM key.
Enter the stored bypass code.
If bypass codes aren’t available, escalate to the device management service developer or contact Apple Support with proof of purchase.