What is an activation lock?
Resources
An activation lock is a security feature designed to prevent unauthorized access to a device such as a smartphone, tablet, or computer. It is commonly found on Apple devices and is also known as the "Find My" activation lock.
When the activation lock is enabled, the device is tied to the owner's Apple ID, and to use the device, the user must enter the correct Apple ID and password. This prevents thieves or unauthorized users from resetting or erasing the device and using it without permission.
The activation lock is activated when the "Find My" feature is turned on. This feature allows the owner of the device to locate and remotely lock or erase the device if it is lost or stolen. If the owner forgets their Apple ID or password, they can use Apple's account recovery process to regain access to their device.
Enroll macOS, iOS, and iPadOS in MDM before putting it to use. It disables the activation lock unless the MDM explicitly permits it. So it is always easier if you can put devices under management as early as possible.
Overall, the activation lock is an important security feature that helps to protect personal data and prevent theft of electronic devices.
How does the activation lock turn on:
When a device is wiped clean, it will "check-in" or communicate with Apple. Apple's servers will then decide whether the device can be activated again or not.
If Apple's servers don't allow activation, the device is considered "Activation Locked." This means that if you're using an iPhone or iPad, the device will ask for the iCloud login details of the person who set up Activation Lock.
For Mac computers, if Activation Lock is on, the computer will ask for the iCloud login details when you try to start it in recovery mode.
In both cases, you can't use the device until the Activation Lock is cleared. This means that you can't complete the setup process on an iPhone or iPad, and a Mac won't start up properly.
Activation Lock and Managed Devices
Let's talk about how Activation Lock works on devices that are supervised or managed by an organization. It's important to note that Activation Lock and Find My are not the same on these devices.
For devices that are supervised and managed by a company, Activation Lock is a separate feature from Find My, iCloud, or individual Apple IDs. When a supervised device is first set up and enrolled in a system, the Activation Lock is usually turned off by default in iOS, iPadOS, and macOS. Unless you change these defaults using the Swif policy, users can use iCloud and Find My on newly set-up supervised devices without tying the device to their personal Apple IDs. This is the simplest way for organizations to handle Activation Lock: by not managing it at all.
How to manage the activation lock with supervised devices
Activation Lock is a feature provided by Apple that prevents anyone else from using your device in case it gets lost or stolen. It is linked with the "Find My" feature and requires your Apple ID and password to turn off the feature or erase the device.
In a managed environment like a business or school, Mobile Device Management (MDM) solutions can manage Activation Lock in two ways: user-based Activation Lock and device-based Activation Lock.
In user-based Activation Lock, MDM communicates with the device to get an Activation Lock Bypass Code (ALBC). This code can be used later to bypass the Activation Lock if necessary. Once the ALBC is received, MDM then allows the device to be locked. If an Apple ID is already signed into the device with the 'Find My' feature turned on, the device will be linked to the user's Apple ID.
In device-based Activation Lock, which is only for iOS and iPadOS devices in Apple Business Manager, MDM doesn't communicate with the device but instead directly with Apple's servers. MDM generates its bypass code and lock data and sends an instruction to Apple's servers to turn on the Activation Lock for that device. The device becomes locked, not to a user's Apple ID, but to the organization itself.
This device-based method was introduced in iOS 9.3 with the introduction of Shared iPad. This allowed organizations to lock iPads that multiple users use to the organization instead of a specific user.
With either method, the ALBC can be used to unlock the device instead of a user's password. MDM can also directly communicate with Apple's servers, sending the bypass code to turn off the Activation Lock.
Using Activation Lock with Swif
For a Swif-managed device, you can find the bypass code in the Device details > Security tab. You'll need this to turn off Activation Lock if a user leaves your organization without signing out of iCloud. You can also clear the user-based activation lock at Device details > Security tab > Clear button next to Activation Lock. For more details on clearing the activation lock, see here.
For device-based Activation Lock, Swif doesn't support turning off Activation Lock directly with Apple. Instead, you can always enter the bypass code in the Apple ID password field during setup on iOS or iPad OS devices, or in recoveryOS on Mac computers. For more details on how to bypass, see here.
For device-based Activation Lock on iOS and iPad, you can also enter the Managed Apple ID credentials for the account that generated the MDM server token in Apple Business Manager at the Activation Lock screen. You'll know it's a device-based Activation Lock if both the username and domain suffix are hidden on the Activation Lock screen. For user-based Activation Lock, only the username is hidden and the domain remains visible.
Simplifying Activation Lock Management: Key Points to Remember
When managing Activation Lock in a business setting, there are several points to keep in mind:
A device can only have one type of Activation Lock at a time. If you try to activate both user-based and device-based locks, the first one will take precedence.
The bypass code for the user-based Activation Lock, requested by MDM from the device, is only retrievable for the first 14 days after the request is made. This is crucial when migrating from one MDM to another, as a device with Activation Lock enabled in MDM A will not automatically unlock by enrolling in MDM B, and the bypass code won't be available to MDM B. Therefore, it's advised to keep a copy of the previous bypass codes during an MDM migration.
Mac computers that are enrolled in MDM using device enrollment become supervised automatically. This is a significant difference from iOS/iPad devices. If a Mac was unmanaged before enrollment and a user had signed into iCloud with Find My activated, the Activation Lock would be on. The bypass code given to MDM would not turn it off; it would only work for the next time the device is activated locked. Hence, when enrolling previously unmanaged Macs into MDM, it's crucial to ask users to turn off Find My Mac before enrolling. Therefore, the Swif installer asks the device user to turn off Find My before continuing the enrollment process.
AppleCare Enterprise Support can help organizations to disable Activation Lock. For more details, check here.
The best way to control the Activation Lock is to have MDM in place and supervise the device from the start. This means making use of Apple Business Manager and Automated Device Enrollment whenever possible, and thoroughly checking the settings configured in your MDM solution to manage Activation Lock effectively.
With careful planning, Activation Lock can either serve as a valuable theft deterrent feature for your organization’s devices, which can be easily deactivated if needed, or it can be something you don't have to worry about at all. The choice is yours. Let's explore more about it.