Activation Lock on Apple devices
When Activation Lock is turned on, it’s difficult for anyone else to use or sell a person’s iPhone, iPad, Mac, or Apple Watch. Managing Activation Lock with an MDM solution lets your organization benefit from its theft-deterrent functionality while simultaneously providing you the ability to turn off Activation Lock for devices your organization owns.
There are two types of Activation Lock available:
Organization-linked: Organization-linked Activation Lock requires Apple School Manager, Apple Business Manager, or Apple Business Essentials and is generally simpler to manage for organizations. It allows an MDM solution to fully control turning Activation Lock on and off through server-side interactions.
User-linked: User-linked Activation Lock requires the user to have a personal Apple Account (not a Managed Apple Account) and for them to turn on Find My. This method allows the user to lock an organization-linked device to their personal Apple Account if the MDM solution has allowed Activation Lock.
Note: Some MDM solutions support both Activation Lock methods; if an attempt is made to use both, the first successful Activation Lock event takes precedence.
Turn off Activation Lock
In Apple School Manager, Apple Business Manager, or Apple Business Essentials, a user with Manage Device privileges can turn off organization-linked and user-linked Activation Lock for an iPhone, iPad, Mac, Apple Watch, or Apple Vision Pro that their organization owns. The device must appear in Apple School Manager, Apple Business Manager, or Apple Business Essentials; however, it doesn’t need to be assigned to an MDM server.
For more information, see:
Apple School Manager User Guide: Turn off Activation Lock
Apple Business Manager User Guide: Turn off Activation Lock
Apple Business Essentials User Guide: Turn off Activation Lock
Organization-linked Activation Lock for iPhone and iPad
Allowing organization-linked Activation Lock means the MDM solution (not the user) contacts Apple servers directly to lock or unlock the device. Since this is done entirely server-side, there are no dependencies on user actions or the state of their device. The MDM solution creates its own bypass code, and sends it to Apple servers when it needs to turn on or turn off Activation Lock for the device.
If your MDM solution is unable to remove Activation Lock, enter on the Activation Lock Screen the user name and password of the account that created the MDM server token linking the MDM solution to Apple School Manager, Apple Business Manager, or Apple Business Essentials. This is an account with the role of Administrator, Site Manager (Apple School Manager only), or Device Enrollment Manager.
Important: If your devices are assigned to an MDM solution linked to Apple School Manager, Apple Business Manager, or Apple Business Essentials, you should use this method.
User-linked Activation Lock
In contrast with organization-linked Activation Lock, user-linked Activation Lock lets users lock devices your organization owns with their personal iCloud account.
In this case, MDM solutions can allow users to turn on Activation Lock on an organization-linked supervised device. Because Activation Lock is disallowed by default on supervised devices, the MDM solution should fetch a bypass code created by the device and store it before allowing the user to turn on Activation Lock. In case the user is unable to authenticate with their Apple Account for any reason, including if they’ve left the organization, this bypass code can be used to turn off Activation Lock remotely with MDM, or directly on the device, when the device needs to be erased and assigned to a new user.
On iPhone and iPad, the bypass codes are available for up to 15 days after the device is first supervised, or until an MDM solution has obtained—and then cleared—the code explicitly. If an MDM solution hasn’t retrieved the bypass code within 15 days, that bypass code is unretrievable.
Mac computers require Apple silicon or the Apple T2 Security Chip to be eligible to use Activation Lock. If an eligible Mac computer is using Device Enrollment and is upgraded to macOS 10.15 or later, Activation Lock is disallowed by default and can optionally be allowed. Managing Activation Lock on installations (not upgrades) of macOS 10.15 or later requires the device to be supervised. In macOS 11 or later, if a device is supervised using Device Enrollment, Activation Lock can’t be managed until the point at which the device is enrolled into MDM. That means it may be possible for Activation Lock to already be turned on when the device is enrolled in MDM and becomes supervised. In that case, it can’t be turned off using MDM and won’t be disallowed by default until it is first turned off by the user.
If you have physical possession of the device, on an iPhone or iPad, enter the MDM Activation Lock bypass code on the Activation Lock Screen in the Apple Account password field, and leave the user name field blank. On a Mac, the bypass code can be entered by clicking Recovery Assistant in the menu bar and selecting the “Activate with MDM key” option. Consult your MDM vendor’s documentation on where to locate the bypass code.
When MDM allows user-linked Activation Lock, the following occurs:
If Find My is on when your MDM solution allows Activation Lock, Activation Lock is turned on at that time.
If Find My is off when your MDM solution allows Activation Lock, Activation Lock is turned on the next time the user turns on Find My.
Using bypass codes to clear Activation Lock
To manage Activation Lock, your MDM solution must store two bypass codes:
The device-generated bypass code. The MDM solution retains this code until it receives a different, nonempty code from the device. For more information, see the Get the Bypass Code for Activation Lock query.
The bypass code the server creates when initiating Activation Lock through MDM.
The bypass codes that the MDM solution uses to manage Activation Lock are crucial to your ability to clear Activation Lock. These bypass codes should be secured and backed up regularly. If a change in MDM vendors is made, make sure that you’re provided with a copy of those bypass codes, or that Activation Lock is cleared for all enrolled devices.
To clear the Activation Lock on Apple devices that support dual SIMs, the MDM solution must include both IMEI (International Mobile Equipment Identity) values in the request. For MDM vendors, see Creating and Using Bypass Codes on the Apple Developer website.
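The server-side bookkeeping described in the two sections above (fetch and store the device-generated bypass code before allowing user-linked Activation Lock, keep the stored code until a different, nonempty one arrives, keep the server-created code alongside it, back both up, and send both IMEIs when clearing on a dual-SIM device) can be modelled in a few dozen lines. The following Python is an added example, not Apple's or any MDM vendor's code: the class and method names, the serial numbers and IMEIs, the request shape, and the way the server-created code is generated are all constructed assumptions for illustration. Apple's actual bypass-code encoding is specified in Creating and Using Bypass Codes and is not reproduced here.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not Apple's or an MDM vendor's code). Models the MDM-side
# escrow of the two bypass codes this page says a server must keep, and the
# ordering and request rules around them. Code format, request fields, serials
# and IMEIs below are constructed assumptions, not Apple's protocol.


@dataclass
class DeviceRecord:
    serial: str
    imeis: List[str]            # one IMEI, or two on a dual-SIM device
    dual_sim: bool
    device_code: Optional[str] = None  # bypass code the device generated
    server_code: Optional[str] = None  # bypass code the MDM server created


class BypassCodeStore:
    """Minimal escrow for the device-generated and server-created bypass codes."""

    def __init__(self) -> None:
        self._devices: Dict[str, DeviceRecord] = {}

    def register(self, serial: str, imeis: List[str], dual_sim: bool = False) -> None:
        self._devices[serial] = DeviceRecord(serial, list(imeis), dual_sim)

    def record_device_code(self, serial: str, code: str) -> bool:
        """Store the device-generated code. The previous value is retained
        until a different, nonempty code is reported; returns True only when
        the stored value actually changed."""
        rec = self._devices[serial]
        if not code or code == rec.device_code:
            return False
        rec.device_code = code
        return True

    def create_server_code(self, serial: str) -> str:
        """Create the server-side code used for organization-linked lock.
        Assumption: a random 128-bit value rendered as uppercase hex; Apple's
        documented encoding is deliberately not reproduced here."""
        rec = self._devices[serial]
        rec.server_code = secrets.token_hex(16).upper()
        return rec.server_code

    def may_allow_user_linked(self, serial: str) -> bool:
        """Allow the user to turn on Activation Lock only after the device
        code has been fetched and stored; on iPhone and iPad the code is
        retrievable for at most 15 days after supervision, so this ordering
        is what keeps the device recoverable later."""
        return self._devices[serial].device_code is not None

    def build_clear_request(self, serial: str) -> dict:
        """Assemble a clear request (hypothetical shape). A dual-SIM device
        must carry both IMEI values, and some bypass code must be on file."""
        rec = self._devices[serial]
        if rec.dual_sim and len(rec.imeis) < 2:
            raise ValueError(f"{serial}: dual-SIM device needs both IMEI values")
        code = rec.device_code or rec.server_code
        if code is None:
            raise LookupError(f"{serial}: no bypass code on file; cannot clear")
        return {"serial": serial, "imeis": list(rec.imeis), "bypass_code": code}

    def export_backup(self) -> Dict[str, Dict[str, Optional[str]]]:
        """Snapshot of every stored code, for regular backups or for handing
        over when changing MDM vendors."""
        return {s: {"device_code": r.device_code, "server_code": r.server_code}
                for s, r in self._devices.items()}


if __name__ == "__main__":
    # Constructed walk-through: serial and IMEIs are made-up values.
    store = BypassCodeStore()
    store.register("SERIAL-CONSTRUCTED-1", ["356938035643809", "356938035643817"], dual_sim=True)
    print("allow before escrow:", store.may_allow_user_linked("SERIAL-CONSTRUCTED-1"))
    store.record_device_code("SERIAL-CONSTRUCTED-1", "EXAMPLE-DEVICE-CODE")
    print("allow after escrow: ", store.may_allow_user_linked("SERIAL-CONSTRUCTED-1"))
    print(store.build_clear_request("SERIAL-CONSTRUCTED-1"))
```

The point of the ordering check in may_allow_user_linked is the failure mode the page warns about: once the 15-day window on iPhone and iPad has passed without the MDM solution retrieving the device code, there is no way to get it, so the store refuses to signal "allowed" until a code is escrowed. The dual-SIM check in build_clear_request fails loudly rather than sending a request that Apple would not accept with only one IMEI.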
If your MDM solution is unable to remove Activation Lock, contact your MDM vendor support resources or see the Apple Support article How to remove Activation Lock.