A Guide to Disabling & Preventing iCloud Activation Lock

It’s time for an adventure down the rabbit hole that is iCloud Activation Lock!

Apple’s iCloud Activation Lock feature is one of those features from Apple that is great for personal users and device security, but can be an absolute pain for admins.

I have spoken to many an admin who has a pile of MacBooks or iPads sitting in their office that are activation locked, sometimes with no method of recovery for getting back into those laptops. It’s such an issue that oftentimes perfectly usable laptops have to be sold for parts because they cannot be re-used without the Activation Lock being removed from the device.

How do these devices get activation locked by users in the first place?

Keep in mind, there are two types of Activation Lock (device-based and user-based).

From Apple’s documentation:

There are two types of Activation Lock available to organizations:

Device-based: Device-based Activation Lock requires Apple School Manager, Apple Business Manager, or Apple Business Essentials and is generally simpler to manage for organizations. It enables MDM to fully control enabling and disabling of Activation Lock through server-side interactions.

User-based: User-based Activation Lock requires the user to have a personal iCloud account and for them to enable Find My. This method allows the user to lock an organization-owned device to their personal iCloud account if the MDM solution has allowed Activation Lock.

I will be focusing on user-based Activation Lock in this post (as of this writing, device-based Activation Lock only applies to iOS and iPadOS).

I’m going to break this blog post into two sections: Steps you can take for devices that are already activation locked, and some thoughts on how to prevent Activation Lock in the first place.

Removing Activation Lock from an already locked (and wiped) device

An employee leaves, their device is returned to you, and you erase it so that you can re-use it for the next hire, only to be met with this screen:

This is an all-too-familiar and frustrating experience to many admins. So what are your options for disabling user-based Activation Lock on a device so it can be re-deployed at your company?

Option 1: Ask the user

If you’re able to contact the previous owner of the device, reach out to them and ask them to log into their iCloud account (icloud.com/find) and remove the device from their iCloud. Reference Apple’s documentation for more details.

Option 2: Activate with an escrowed MDM key.

If the MDM managed to hook into the system at any point while Find My Mac was disabled, then it may have a user-based Activation Lock bypass code escrowed into the MDM platform that you can use to unlock the device. If you do have an Activation Lock bypass code, then from the Activation Lock menu bar choose:
Recovery Assistant > Activate with MDM key.

Option 3: Contact Apple

Call Apple Enterprise (866.752.7753) if you have an AppleCare Enterprise Agreement! They have a support team there that is dedicated to activation unlock requests. Be prepared with the serial number and have a screenshot of the device from ABM and/or your MDM just in case.

Contact Apple Support. If you don’t have an AppleCare Enterprise Agreement, contact Apple Support and ask for the business department. If you have proof of ownership, this process is fairly painless and will take about 1-2 weeks after submitting the request to Apple support.

Visit your local Apple Store with the locked device and speak to the business team there. They can help provide assistance unlocking the devices with proof of ownership.

Use the iCloud Unlock request form from Apple (my understanding is that this is meant for retail consumers with personal devices, and any requests from a school or business may be denied; use at your own risk).

Proof of Ownership

What counts as proof of ownership? With each of these, your mileage may vary depending on who you talk to at Apple, but I’ve seen the following work as proof of ownership among the mac admin community:

  • Original Receipt (not a photocopy)
  • A Screenshot of the device serial in your ABM instance (Apple may consider enrollment in ABM as Proof of Purchase)
  • Cellphone Carrier bills associated with that device (in the case of cellular devices)
  • Note: Apple may require additional documentation alongside any of the items listed above.

Preventing User-Based Activation Lock on Apple Devices

So you’re sick of the growing pile of activation-locked devices in your office. You have some tools listed above to make them usable again, but what about your currently deployed devices? How do you as the admin prevent Activation Lock from being enabled in the first place, so that you don’t have to jump through hoops to get those devices unlocked once they’ve been erased and returned to you?

For new device enrollments, the answer is simple:
Use ADE (Automated Device Enrollment)

This can disallow user-based Activation Lock when that device is powered on and enrolled for the first time. You’ll of course need to make sure your devices are in ABM (Apple Business Manager) and that your MDM supports enrollment via ADE (most modern MDMs do).

Let’s step back a bit for a second and review this feature. It’s important to note that disallowing user-based Activation Lock is not a “feature” unique to ADE enrollment. It’s actually the default behavior for any MDM enrollment (if your MDM supports it). The reason that it is often associated with ADE is because during an ADE enrollment flow, the device becomes managed by the MDM before a user logs into iCloud and turns on Find My Mac.

In the majority of manual enrollment scenarios, users are logging into iCloud during those initial macOS Setup Screens, well before the device is manually enrolled into an MDM. Remember, the MDM can only disallow a user-based Activation Lock from occurring, it can’t undo one that is already in place.

NOTE: The ability to disallow user-based Activation Lock requires device supervision. On the Mac, both ADE and manual enrollments result in a supervised device. This is NOT true of mobile devices (manually enrolled iPhones or iPads are considered unsupervised). Keep this in mind if you came here looking for a way to prevent Activation Lock on manually enrolled iPhones/iPads.

Okay, so enrolling all my new devices through ADE solves for Activation Lock issues with my fleet moving forward, but what about my existing fleet of devices? Perhaps more than a handful of those devices were tied to someone’s AppleID before you even enrolled them into your MDM. What if you don’t have an MDM in place and then enroll a bunch of devices with Activation Lock enabled into a new MDM? How do you as the admin ensure that when that device is returned to you, it isn’t activation locked? (Assuming the user is unable/unwilling to disable Find My Mac before returning the device).

Before I dive into my solution, let’s talk briefly about an MDM’s ability to “disallow user-based Activation Lock”.

I want to clarify that the ability for an MDM to “disallow user-based Activation Lock” means it can prevent a device from being activation locked by a user, but it cannot automatically undo an existing user-based Activation Lock already in place. So if you have a device logged into iCloud/Find My Mac, and enroll it into an MDM where “disallow user-based Activation Lock” is set, that device will STILL be activation locked until Find My Mac is disabled, at which point the MDM will then be able to prevent the device from becoming activation locked.

Luckily, “disallow user-based Activation Lock” is typically the default behavior whenever a device is enrolled into an MDM, whether that be via Automated Device Enrollment (ADE) or manual enrollment. With that in mind, all we need to do is detect if a device is activation locked and if so, prompt the user to log out of Find My Mac so that the MDM hook can prevent that Activation Lock from being re-enabled.

The Script: iCloud Activation Unlock Prompt

With the above in mind, I designed a script to do just that, at least for Macs (you can’t deploy custom scripts to mobile devices). The script checks whether an Activation Lock exists and, if so, whether the currently logged-in user is the one who enabled it. If they are, it automatically brings up the iCloud Settings pane and prompts the user to disable Find My Mac. It loops, prompting again every 40 seconds until Activation Lock has been disabled. If the currently logged-in user is not the user associated with the Activation Lock, it exits gracefully with an exit 1, which you can use to alert you in your MDM of choice.
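As an added illustration (this is not the blog’s script, which is not reproduced on this page), here is a bash sketch of the same check-and-prompt loop, written so that the Mac-only calls are isolated and the loop itself can be exercised anywhere with a stand-in status function. It relies on two things that hold on T2 and Apple silicon Macs: `system_profiler SPHardwareDataType` prints an `Activation Lock Status:` line with the value `Enabled` or `Disabled`, and a user who is signed in to iCloud has a `MobileMeAccounts.plist` in their preferences folder. It also carries the `nvram fmm-mobileme-token-FMM` check discussed in the FAQ below, kept separate and informational because, as the FAQ notes, that token reflects Find My being on rather than the lock itself. Assumptions, labelled in the comments: the “who enabled it” check is approximated as “the console user is signed in to iCloud” (the post’s per-user attribution logic is not on the page), the settings-pane URL, the notification wording and the give-up limit are placeholders, and the `system_profiler` sample text is constructed.

```shell
#!/bin/bash
# Added example, not the blog's own script: an Activation Lock check-and-prompt
# loop for Macs. Mac-only calls are isolated so the loop can be exercised
# anywhere with a stand-in status function.

# Constructed sample of the relevant system_profiler section (not captured
# from a real machine); the real command prints many more lines.
SAMPLE_SP_OUTPUT='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Chip: Apple M1
      Activation Lock Status: Enabled
'

PROMPT_INTERVAL=40   # seconds between prompts, as described in the post
MAX_PROMPTS=2160     # give up after roughly 24 hours of prompting (assumption)

# parse_activation_lock TEXT -> prints Enabled | Disabled | Unknown
# Pure text parsing of `system_profiler SPHardwareDataType` output.
parse_activation_lock() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Activation Lock Status:[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        | head -n 1 \
        | grep -E '^(Enabled|Disabled)$' || printf 'Unknown\n'
}

# read_activation_lock: live status on a Mac, stored in LOCK_STATUS.
# Intel Macs without a T2 chip print no such line, so they come back Unknown.
read_activation_lock() {
    if command -v system_profiler >/dev/null 2>&1; then
        LOCK_STATUS=$(parse_activation_lock "$(system_profiler SPHardwareDataType 2>/dev/null)")
    else
        LOCK_STATUS=Unknown
    fi
}

# find_my_token_present -> 0 when the Find My NVRAM token exists. This is the
# check the FAQ warns about: it says Find My is on, not that a lock exists.
find_my_token_present() {
    nvram fmm-mobileme-token-FMM >/dev/null 2>&1
}

# console_user -> the user at the desktop (macOS idiom; "unknown" elsewhere)
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null || printf 'unknown\n'
}

# icloud_signed_in HOMEDIR -> 0 if that account has an iCloud sign-in on record
icloud_signed_in() {
    [ -f "$1/Library/Preferences/MobileMeAccounts.plist" ]
}

# notify_user: point the user at the sign-out step. The pane identifier and
# wording are assumptions; swap in your MDM's dialog tool as needed.
notify_user() {
    [ "$(uname -s)" = Darwin ] || return 0
    osascript -e 'display notification "Turn off Find My Mac in System Settings so this Mac can be managed." with title "Activation Lock"' >/dev/null 2>&1 || true
    open "x-apple.systempreferences:com.apple.preferences.AppleIDPrefPane" >/dev/null 2>&1 || true
}

# prompt_until_unlocked GETTER INTERVAL MAX
#   GETTER is a function that sets LOCK_STATUS. Returns 0 once the lock reads
#   Disabled, 2 when MAX prompts have been issued, 3 on Unknown. ROUNDS holds
#   the number of prompts issued so far.
prompt_until_unlocked() {
    getter=$1; interval=$2; max=$3
    ROUNDS=0
    while :; do
        "$getter"
        case "$LOCK_STATUS" in
            Disabled) return 0 ;;
            Unknown)  return 3 ;;
        esac
        ROUNDS=$((ROUNDS + 1))
        notify_user
        [ "$ROUNDS" -ge "$max" ] && return 2
        sleep "$interval"
    done
}

# main: the deployable entry point. Exit 1 means the lock is not the console
# user's to remove; surface that through your MDM, as the post suggests.
main() {
    read_activation_lock
    case "$LOCK_STATUS" in
        Disabled) echo "No Activation Lock present."; return 0 ;;
        Unknown)  echo "Cannot read Activation Lock status on this Mac."; return 0 ;;
    esac
    if find_my_token_present; then echo "Find My token present (informational only)."; fi
    user=$(console_user)
    if ! icloud_signed_in "/Users/$user"; then
        echo "Activation Lock present but $user is not signed in to iCloud; flag for admin." >&2
        return 1
    fi
    prompt_until_unlocked read_activation_lock "$PROMPT_INTERVAL" "$MAX_PROMPTS"
}

# Run the live flow only on macOS; elsewhere just show the parser on the sample.
if [ "$(uname -s)" = Darwin ]; then
    main
else
    printf 'Sample status: %s\n' "$(parse_activation_lock "$SAMPLE_SP_OUTPUT")"
fi
```

Deploying something like this from an MDM means the script runs as root, while the sign-out has to happen in the console user’s session; the notification step is where a proper user-context dialog from your MDM’s tooling belongs. Keeping the Find My token check separate from the lock check preserves the distinction the FAQ draws: the token tells you Find My is on, `system_profiler` tells you whether the device is actually locked.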

Here’s what the experience looks like to the end-user:

I hope that this script combined with all the tips and tricks mentioned at the top of this post can help you as an admin make Activation Lock issues a thing of the past at your company.

Happy adminning!

FAQ

  • Does this work for both Manual and ADE enrollments?
    • Yes, either way if your MDM supports it, the default MDM behavior should be to DISALLOW user-based Activation Lock. The important part to note here is that it prevents a device from becoming activation locked. It can’t undo an Activation Lock that is already in place. That’s why enrolling a device via ADE is the BEST way to ensure that the “disallow user-based Activation Lock” key is in place, since with Automated Device Enrollment, the device itself is managed by the MDM BEFORE the user can enter their iCloud account and/or turn on Find My Mac.

  • What happens if someone turns Find My Mac back on after disabling it?
    • The device will continue to NOT be activation locked, assuming the MDM laid down the Disallow Activation Lock key.

  • What if I have multiple local users on the Mac?
    • The script accounts for that and reports which user caused the Activation Lock.

  • Is there any way for a user to reactivate the Activation Lock after I’ve successfully disabled it?
    • There are two scenarios that I can think of.

      If the device was manually enrolled AND the user has admin rights, that user can remove the MDM management profile. If they did, Activation Lock would be reactivated once that MDM Profile is removed (either on the next reboot, or if the user toggles Find My Mac off and on again).

      Alternatively, if you have configured your MDM to allow user-based Activation Lock, then Activation Lock will become active again once they turn Find My Mac back on.

  • Activation Lock is disabled but my device is still showing as locked when I boot to recovery.
    • Did your current or previous MDM deploy a Recovery/Firmware Password profile to the device? If so, that may be what you’re seeing, unrelated to user-based Activation Lock.

  • Wait a second… if the device hasn’t been wiped yet, can I use a FV2 recovery key to generate a new password for the local device and then use “unlock with device password” at the activation screen?
    • Nope, because after you set the new local user password, iCloud will prompt you to enter your iCloud credentials once you’re at the Desktop in order to escrow your new local account password to iCloud.

  • Why does System Settings open to the AppleID section rather than the iCloud section on macOS Ventura?
    • As far as I’m aware Apple does not have a supported extension for that specific part of System Settings. The legacy Monterey command DOES still seem to work, so I’ll incorporate that into the next version.

  • Why didn’t you just use nvram fmm-mobileme-token-FMM to determine activation lock status?
    • That reports on whether FindMy is enabled, regardless of actual activation lock status. The goal of this script is to ensure the Activation Lock is disabled, not prevent users from using Find My Mac (although I will incorporate that as an option into v2)

  • Okay, now do this, but for iPads!
    • Sorry, this blog is macOS Adventures 😉
      Apple mobile devices don’t have the benefit of being able to run custom scripts, but if I think of a way to solve for this issue on mobile devices, I’ll be sure to post it here.
