Leveraging Apple’s Activation Lock Feature with Jamf Pro

You can leverage Apple's Activation Lock feature in your environment using Jamf Pro. Activation Lock ensures that only those authorized to lock a compatible computer or mobile device can do so, even if the device has been wiped. Jamf Pro collects an Activation Lock bypass code in the event that a device has Activation Lock enabled and you need to clear Activation Lock to set up the device for a new user.

For more information about Activation Lock, see the following article from Apple's support website: http://support.apple.com/kb/PH13695

This article describes the following ways you can use Jamf Pro to leverage Activation Lock:
  • Enable Activation Lock

  • Collect Activation Lock information

  • Clear Activation Lock using a bypass code

  • Disable and prevent Activation Lock

Enable Activation Lock

Jamf Pro allows you to enable Activation Lock on devices in the following ways:

Allow an end user to enable Activation Lock (supervised devices)

Without applying management settings, a compatible computer or mobile device automatically enables Activation Lock when an end user logs in to an iCloud account using their Apple ID. Activation Lock status in the device's inventory will display as "Not enabled" until the next inventory update, which is daily by default. After the inventory update, the status will display as "Enabled". To update inventory immediately, use the Update Inventory command. This command can be sent to a single device using a remote command or to multiple devices using a mass action.

To allow an end user to enable Activation Lock on their device, you need the following:

Device Type | Jamf Pro Version | Device Requirements
Computer | 10.20.0 or later | Compatible computers with macOS 10.15 or later; Apple School Manager or Apple Business Manager
Mobile Device | 10.7.0 or later | iOS 7 or later; Supervised; Apple School Manager or Apple Business Manager

For more information about turning on the Find My feature, see the following article from Apple: https://support.apple.com/HT210400#enablefindmy

For more information on macOS compatibility, see Apple support documentation: https://support.apple.com/HT208987

Enable Activation Lock for a mobile device in Apple Business Manager or Apple School Manager during enrollment with Jamf Pro

You can use Jamf Pro 10.7.0 or later to enable Activation Lock for a device in Apple Business Manager or Apple School Manager without requiring end user interaction. This option is available when configuring a PreStage enrollment in Jamf Pro. When the device is enrolled with Jamf Pro, Activation Lock is automatically enabled. Activation Lock status in the device's inventory will display as "Not enabled" until the next inventory update, which is daily by default. After the inventory update, the status will display as "Enabled". To update inventory immediately, use the Update Inventory command. This command can be sent to a single device using a remote command or to multiple devices using a mass action.

Enable Activation Lock for currently enrolled mobile devices in Apple Business Manager or Apple School Manager

You can use Jamf Pro 10.8.0 or later to enable Activation Lock for a device that is in Apple Business Manager or Apple School Manager and currently enrolled with Jamf Pro. The Set Activation Lock command allows you to enable Activation Lock on a currently enrolled device. This command can be sent to a single device using a remote command or to multiple devices using a mass action. Activation Lock status in the device's inventory will display as "Not enabled".

Note: Activation Lock status in the device's inventory will display as "Enabled" only for personal Apple IDs.

Allow an end user to enable Activation Lock on currently enrolled computer and mobile devices

You can allow an end user to enable Activation Lock on their own computer or mobile device using the Set Activation Lock command if the device is currently enrolled with Jamf Pro. This command can be sent to a single device using a remote command or to multiple devices using a mass action. When the command is sent to the device, Activation Lock becomes enabled when the user turns on the Find My feature. If the Find My feature is enabled prior to the command being sent to the device, Activation Lock is immediately enabled.

To allow an end user to enable Activation Lock on their device, you need the following:

Device Type | Jamf Pro Version | Device Requirements
Computer | 10.20.0 or later | Compatible computers with macOS 10.15 or later; Apple School Manager or Apple Business Manager
Mobile Device | 10.19.0 or later | iOS 7 or later; Supervised; Apple School Manager or Apple Business Manager

For more information on macOS compatibility, see Apple support documentation: https://support.apple.com/HT208987

Collect Activation Lock Information

Jamf Pro collects the following information about Activation Lock:

Activation Lock status

You can view the status of Activation Lock in a device's inventory information. The Activation Lock status is displayed in the device's inventory information with a value of "Enabled" or "Not enabled". The device's status will show as "Not enabled" if Activation Lock was configured for the device in Apple Business Manager or Apple School Manager during enrollment. If an end user signs into an iCloud account, Activation Lock status in the device's inventory will display as "Not enabled" until the next inventory update, which is daily by default. After the inventory update, the status will display as "Enabled". To update inventory immediately, use the Update Inventory command. This command can be sent to a single device using a remote command or to multiple devices using a mass action.

Additionally, you can create a smart group based on the Activation Lock status. When creating the group, use the Activation Lock criterion with a value of "Yes" or "No".

To collect the Activation Lock status, you need the following:

Device Type | Jamf Pro Version | Device Requirements
Computer | 10.20.0 or later | Compatible computers with macOS 10.15 or later; Apple School Manager or Apple Business Manager
Mobile Device | 10.7.0 or later | iOS 12 or later; Supervised; Apple School Manager or Apple Business Manager

Activation Lock bypass code (supervised devices only)

The Activation Lock bypass code is collected after enabling Activation Lock and updating inventory with Jamf Pro. After the code is collected, it is deleted from the device but remains available in the management information for the device in Jamf Pro. Jamf Pro collects an updated code each time the device is wiped and re-enrolled. This updated code replaces the existing code in the management information for the device. Jamf Pro also has customizable privileges that can be set to ensure only approved administrators can view the code.

Depending on how Activation Lock was enabled on the device, Jamf Pro collects the following types of Activation Lock bypass codes:
  • Bypass code to use when Activation Lock is enabled on the device—This bypass code is collected if Activation Lock was enabled directly on the device using Jamf Pro. This is only available for mobile devices.

  • Bypass code to use when Activation Lock is enabled by the user—This bypass code is collected if the device supports Activation Lock and the end user has enabled it.

To collect the Activation Lock bypass codes, you need the following:

Device Type | Jamf Pro Version | Device Requirements
Bypass code to use when Activation Lock is enabled on the device:
Mobile Device | 10.7.0 or later | iOS 12 or later; Supervised; Apple School Manager or Apple Business Manager
Bypass code available when Activation Lock is enabled by the user:
Computer | 10.20.0 or later | Compatible computers with macOS 10.15 or later; Apple School Manager or Apple Business Manager
Mobile Device | 10.7.0 or later | iOS 12 or later; Supervised; Apple School Manager or Apple Business Manager

Both bypass codes are stored and displayed in the device's inventory information in Jamf Pro.

Note: The bypass code to use when Activation Lock is enabled on the device is available in Jamf Pro 10.7.0 or later, and only available for supervised devices with iOS 12 or later in Apple Business Manager or Apple School Manager.

Clear Activation Lock

The Activation Lock bypass codes that are collected and stored in a device's inventory information can be used to clear Activation Lock on devices. Clearing Activation Lock can be completed in the following ways:

Jamf Pro can automatically clear Activation Lock on devices using a bypass code

You can clear Activation Lock when sending a Wipe Device remote command. Jamf Pro automatically clears Activation Lock using the bypass codes stored in the device's inventory information. The Wipe Device command can be sent to a single device using a remote command or to multiple devices using a mass action.

To automatically clear Activation Lock when sending the Wipe Device remote command, you need the following:

Device Type | Jamf Pro Version | Device Requirements
Computer | 10.20.0 or later | Compatible computers with macOS 10.15 or later; Apple School Manager or Apple Business Manager
Mobile Device | 10.7.0 or later | iOS 7 or later; Supervised; Apple School Manager or Apple Business Manager

The Activation Lock bypass code can be entered during device setup

You can manually enter the Activation Lock bypass code on the device during device setup. The bypass code can be entered in the password field on the Activation Lock screen in the Setup Assistant to bypass the Activation Lock step.

Note: A different bypass code to clear Activation Lock is available depending on how Activation Lock was enabled on the device. Both bypass codes are stored and displayed in the device's inventory information in Jamf Pro.
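
A pre-wipe audit built on the behaviour described above, as an added example that is not Jamf's code. It reads a constructed inventory export (the CSV column names are hypothetical, not a Jamf Pro export format) and flags locked devices that have no stored bypass code, plus devices whose "Not enabled" status is older than the default daily inventory update.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a Jamf Pro format.
SAMPLE_CSV = """name,type,supervised,activation_lock,device_code_stored,user_code_stored,last_inventory
ipad-lab-01,Mobile Device,yes,Enabled,yes,no,2024-05-01T08:00:00
ipad-lab-02,Mobile Device,yes,Enabled,no,no,2024-05-01T07:30:00
iphone-byod-07,Mobile Device,no,Enabled,no,no,2024-05-01T09:00:00
mac-dev-12,Computer,yes,Not enabled,no,no,2024-04-28T09:00:00
mac-dev-13,Computer,yes,Not enabled,no,no,2024-05-01T06:00:00
"""

INVENTORY_INTERVAL = timedelta(days=1)  # inventory updates daily by default


def audit(csv_text, now):
    """Return {device name: finding} for devices to review before a wipe."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Either bypass code type is enough for Jamf Pro to clear the lock.
        has_code = "yes" in (row["device_code_stored"], row["user_code_stored"])
        age = now - datetime.fromisoformat(row["last_inventory"])
        if row["activation_lock"] == "Enabled":
            if row["supervised"] != "yes":
                # Bypass codes are collected for supervised devices only.
                findings[row["name"]] = "locked, unsupervised: no bypass code is collected"
            elif not has_code:
                findings[row["name"]] = "locked, no bypass code stored: update inventory before wiping"
        elif age > INVENTORY_INTERVAL:
            # "Not enabled" may predate the user's iCloud sign-in.
            findings[row["name"]] = "status stale: send Update Inventory, then re-check"
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CSV, datetime(2024, 5, 1, 12, 0, 0)).items():
        print(f"{name}: {finding}")
```
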

Disable and Prevent Activation Lock

You can use Jamf Pro 10.8.0 or later to disable and prevent Activation Lock for a device. Jamf Pro disables Activation Lock using the bypass codes stored in the device's inventory information. Unlike clearing Activation Lock by sending a Wipe Device command, disabling and preventing Activation Lock disables Activation Lock without wiping the device and prevents an end user from re-enabling Activation Lock. The Set Activation Lock command allows you to disable and prevent Activation Lock. This command can be sent to a single device using a remote command or to multiple devices using a mass action. Alternatively, you can use Jamf Pro 10.8.0 or later to prevent Activation Lock for devices during Automated Device Enrollment by selecting Prevent user from enabling Activation Lock in a PreStage enrollment.

To disable and prevent Activation Lock directly on a device, you need the following:

Device Type | Jamf Pro Version | Device Requirements
Computer | 10.20.0 or later | Compatible computers with macOS 10.15 or later; Apple School Manager or Apple Business Manager
Mobile Device | 10.8.0 or later | iOS 7 or later; Supervised; Apple School Manager or Apple Business Manager