Activation Lock is a feature that allows device owners to lock their devices if they are misplaced or stolen. Activation Lock is available on macOS (with Apple Silicon or a T2 Security Chip), iOS, and iPadOS. This article references Apple's documentation on Activation Lock.
Requirements for Activation Lock
- iOS 7.1 or later
- iPadOS 13 or later
- macOS 10.15 or later with T2 chip or Apple Silicon
- Enrolled and Supervised via Automated Device Enrollment
- Device assigned to Automated Device Enrollment token within Addigy
There are two types of Activation Lock for MDM-enrolled devices: User-based Activation Lock and Device-based Activation Lock.
Where do I find the MDM Bypass or Device Bypass Codes?
In Addigy the MDM Bypass or Device Bypass Codes can be found in two locations:
- Devices > Tools > Bulk Actions > Device Codes, then input the full Serial Number of the device you need codes for.
- On an individual device's GoLive Page > Security (tab)
For steps on how to use this MDM Bypass Code on a device, please reference the relevant articles below:
- Activation Lock - macOS Experience
- Activation Lock - iOS/iPadOS Experience
Notes:
- This option requires the "Edit Policies" and "View Devices" role permissions in Addigy, which the default admin and owner roles contain.
- This tool is capable of retrieving bypass codes of devices that have been deleted from Addigy.
Deactivating Activation Lock via Apple Business/School Manager
Apple has released a new tool inside of Apple Business/School Manager that lets you disable Activation Lock for managed devices without having to enter any codes. This can be a great alternative to entering the codes manually on the device, and it is also useful if a user ever enabled iCloud/FindMy Activation Lock.
To leverage this feature, navigate to your ABM/ASM portal and find the device you wish to disable Activation Lock on. In the top-right, select the 3 dots and choose "Turn Off Activation Lock".
Some notes:
- MDM does not need to be actively communicating for Activation Lock to be disabled via this workflow
- This can unlock a device if it is currently at the Activation Lock screen (will require a device restart to apply if already at the Activation Lock screen)
- As per Apple, this can disable user-linked Activation Lock
Configuring Managed (MDM) Activation Lock
Automated Device Enrollment
Enabling MDM Activation Lock during Automated Device Enrollment is as simple as flicking on a toggle switch. Addigy automatically stores the Device and MDM Activation Lock Bypass Codes during enrollment, and they can be viewed within GoLive. This switch will be disabled by default but can be enabled by any existing integration.
Note: Current functionality is to send the MDM command that collects the Device bypass code only to devices enrolled via Automated Device Enrollment with Supervision >> Activation Lock enabled. Prior enrollments sent this command to any device enrolled via MDM; however, devices where Activation Lock was not enabled via Automated Device Enrollment will not need this code.
GoLive
Within GoLive for macOS, iOS, and iPadOS devices, Addigy administrators are able to view and toggle MDM Activation Lock. If a device joins Addigy via Automated Device Enrollment and has Enable Activation Lock toggled on, GoLive will also show it as enabled once the initial audit of the device is complete. Both bypass codes are present in this view and toggling off Activation Lock will remove the lock from the device and remove the MDM Bypass Code from the UI.
About each type of code:
User-based Activation Lock
User-based Activation Lock (also known as Device Activation Lock Bypass Code in Profile Manager, or as Allowing Activation Lock in other documentation) was the first version of Activation Lock to be leveraged by end-users and MDM. Device Activation Lock is managed via a code escrowed by Addigy during enrollment and requires the device to be Supervised.
These codes are only stored on a device for a short time (two weeks or less post-setup) and are inaccessible after that period. With this version of Activation Lock, MDM stores the bypass code and can send a command that allows the device to become Activation Locked if an end-user enables the Find My feature on the device.
Addigy does not support User-based Activation Lock; however, we currently store these codes as Device Bypass Codes within the Security tab of GoLive.
Device-based Activation Lock
Device-based Activation Lock (also known as Server Activation Lock Bypass code in Profile Manager, or mentioned as Enable / Disable Activation Lock in other documentation) is a newer version of the functionality described above without the same configuration or limitations. While MDM Activation Lock has the same requirements, all bypass code generation and enablement are done between Addigy and Apple Business Manager or Apple School Manager. MDM Activation Lock bypass codes can be enabled after the two-week window and be toggled on or off without the device being online. MDM Activation Lock does not require the end-user to enable Find My on the device.
Addigy currently stores these codes as the MDM Bypass Code within the Security tab of GoLive. You can use this MDM Bypass Code to unlock Device-based Activation Lock devices.