With the release of AM-6618, we are adding new functionality to automatically enable MDM Activation Lock via Automated Device Enrollment and GoLive. Before getting started with enabling Activation Lock, we strongly recommend reviewing Apple's Activation Lock support article to learn more about this feature.


Device and MDM Activation Lock

Device Activation Lock (also known as Device Activation Lock Bypass Code in Profile Manager, or referred to as Allowing Activation Lock in other documentation) was the first version of Activation Lock to be leveraged by end users and MDM. Device Activation Lock is managed via a code that is escrowed by Addigy during enrollment and requires the device to be Supervised. These codes are only stored on a device for a short time (two weeks or less post-setup) and are inaccessible after that period. With this version of Activation Lock, MDM stores the bypass code and can send a command that allows the device to Activation Lock if an end user enables the Find My feature on the device. Addigy currently stores these codes, and they can be seen as the Device Bypass Code within the Security tab of GoLive. We currently do not support sending this command to allow Device Activation Lock in the shipping product.


MDM Activation Lock (also known as Server Activation Lock Bypass Code in Profile Manager, or referred to as Enable / Disable Activation Lock in other documentation) is a newer version of the functionality described above without the same configuration or limitations. While MDM Activation Lock has the same requirements listed below, all bypass code generation and enablement is done between Addigy and Apple Business Manager or Apple School Manager. MDM Activation Lock bypass codes can be enabled after the two-week window and toggled on or off without the device being online. MDM Activation Lock does not require the end user to enable Find My on the device. Addigy currently stores these codes, when they are generated, under the Security tab in GoLive.


Warning Regarding Deleting Device Records

If you decide to enable Activation Lock, we strongly recommend that you do not delete the device from Addigy. By deleting the device record while Activation Lock is enabled, the device will be in a locked state the next time the operating system is installed. Without the bypass codes, the device will be unable to proceed in the Setup Assistant and will require contacting Apple. The process of unlocking a device without a bypass code is fairly long and requires several things to prove ownership of the device. If you need to delete a device from Addigy, we strongly recommend removing Activation Lock first (unless part of your workflow is to brick a lost or stolen device).


Requirements

  • iOS 7.1 or later
  • iPadOS 13 or later
  • macOS 10.15 or later with T2 chip
  • Enrolled and Supervised via Automated Device Enrollment
  • Device assigned to Automated Device Enrollment token within Addigy
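The following script is an added example (not Addigy code) that checks a device record against the requirements listed above and applies the earlier warning by refusing to delete a record while MDM Activation Lock is still enabled. The inventory field names and sample devices are constructed assumptions, not the Addigy API.

```python
"""Added example (not Addigy code): checks a device record against the
Activation Lock requirements above and guards record deletion. The inventory
fields and sample devices are constructed assumptions, not the Addigy API."""
from typing import Dict, List, Tuple

# Minimum OS versions from the requirements list in the article.
MIN_OS = {"iOS": (7, 1), "iPadOS": (13, 0), "macOS": (10, 15)}

def parse_version(text: str) -> Tuple[int, ...]:
    """'10.15.7' -> (10, 15, 7); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def activation_lock_eligible(device: Dict) -> List[str]:
    """Return unmet requirements; an empty list means the device is eligible."""
    platform = device.get("platform")
    if platform not in MIN_OS:
        return [f"unsupported platform: {platform}"]
    problems = []
    if parse_version(device.get("os_version", "0")) < MIN_OS[platform]:
        problems.append(f"{platform} {device['os_version']} is below the minimum")
    if platform == "macOS" and not device.get("has_t2"):
        problems.append("macOS requires a T2 chip")
    if not device.get("supervised"):
        problems.append("device is not Supervised")
    if not device.get("ade_enrolled"):
        problems.append("not enrolled via Automated Device Enrollment")
    if not device.get("ade_token"):
        problems.append("not assigned to an Automated Device Enrollment token")
    return problems

def safe_to_delete_record(device: Dict) -> bool:
    """Refuse deletion while MDM Activation Lock is on: the record holds the
    bypass codes the next Setup Assistant will demand. Disable the lock first."""
    return not device.get("mdm_activation_lock", False)

# Constructed sample records (not real devices).
INVENTORY = [
    {"id": "mac-1", "platform": "macOS", "os_version": "10.15.7", "has_t2": True,
     "supervised": True, "ade_enrolled": True, "ade_token": "token-A",
     "mdm_activation_lock": True},
    {"id": "ipad-1", "platform": "iPadOS", "os_version": "13.3", "supervised": False,
     "ade_enrolled": True, "ade_token": "token-A", "mdm_activation_lock": False},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d["id"], activation_lock_eligible(d) or "eligible",
              "| safe to delete:", safe_to_delete_record(d))
```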


Configuring MDM Activation Lock with Automated Device Enrollment

Enabling MDM Activation Lock during Automated Device Enrollment is as simple as flicking on a toggle switch. Addigy automatically stores the Device and MDM Activation Lock Bypass Codes during enrollment, and they can be viewed within GoLive. This switch is disabled by default but can be enabled on any existing integration.



Toggling MDM Activation Lock in GoLive

Within GoLive for macOS, iOS, and iPadOS devices, Addigy administrators are able to view and toggle MDM Activation Lock. If a device joins Addigy via Automated Device Enrollment with Enable Activation Lock checked, GoLive will also show it as checked once the initial audit of the device is complete. Both bypass codes are present in this view, and toggling off Activation Lock will remove the lock from the device as well as remove the MDM Bypass Code from the UI.



iOS and iPadOS Activation Lock Experience

The quickest way to get an iOS or iPadOS device to the Activation Lock screen is to Erase Device via the Options dropdown in GoLive. However, wiping the device via Apple Configurator, Apple Music, iTunes, or the device itself also works.


With iOS and iPadOS devices, the MDM Bypass Code can be entered in two different ways. The end user can input the code directly on the device, or the code can be copied and pasted into Apple Music / iTunes or into the Finder in Catalina. This code can be dropped into the password field without an Apple ID. The images below show how a couple of those scenarios look as of when this article was published. Additionally, if the bypass code was misplaced, the holder of the Managed Apple ID for the Automated Device Enrollment token can try entering their Managed Apple ID username and password to unlock the device.


iPhone
macOS Catalina Finder


macOS Activation Lock Experience

Currently, the only way for a macOS device to be taken to MDM Activation Lock is to use the Erase command via the Options dropdown in GoLive. Wiping the device manually via Restore partition or Internet Recovery will not work at the time of writing.


With macOS, similar functionality to iOS and iPadOS applies. However, the macOS UI for Activation Lock is a bit different. macOS will not allow the MDM Activation Lock Bypass Code to be input on the main screen when the macOS device reboots. The default Activation Lock screen will only allow Apple ID or Managed Apple ID email and password combinations. To gain access to the MDM Activation Lock screen, the end user must click on Recovery Assistant in the upper left-hand corner and then select Activate with MDM Key. From here, the MDM Bypass Code can be typed into the device.


Image of Initial Activation Lock Screen


Image of Recovery Assistant Dropdown


Image of MDM Activation Lock Bypass Code Input