Leveraging Apple’s Activation Lock Feature with Jamf Pro

Overview

You can leverage Apple's Activation Lock feature in your environment using Jamf Pro. Activation Lock ensures that only those authorized to unlock a mobile device can do so, even if the device has been wiped. Jamf Pro provides an Activation Lock bypass code in the event that a device has Activation Lock enabled and you need to clear Activation Lock to set up the device for a new user.

For more information about Activation Lock, see the following article from Apple: http://support.apple.com/kb/PH13695

This article describes the following ways you can use Jamf Pro to leverage Activation Lock:

  • Enable Activation Lock
  • Collect Activation Lock information
  • Clear Activation Lock using a bypass code
  • Disable and prevent Activation Lock

Enable Activation Lock

Jamf Pro allows you to enable Activation Lock on devices in the following ways:

  • Allow an end user to enable Activation Lock (supervised devices)
    An end user can automatically enable Activation Lock on their own device when they install Find My iPhone or turn the Find My iPhone feature on in the Privacy settings on their device at any time. When the device is enrolled with Jamf Pro, Jamf Pro sends an MDM command to the device allowing an end user to enable Activation Lock. This command is sent to any supervised device for which an Activation Lock bypass code is stored. After the MDM command is sent to the device, the end user must tap Find My iPhone in the Privacy settings to enable Activation Lock.

  • Enable Activation Lock directly on the device during enrollment (supervised devices in Apple School Manager or Apple Business Manager)
    You can use Jamf Pro 10.7.0 or later to enable Activation Lock directly on a device without requiring end user interaction. This option is available when configuring a PreStage enrollment in Jamf Pro. When the device is enrolled with Jamf Pro, Activation Lock is automatically enabled.
    See Mobile Device PreStage Enrollments in the Jamf Pro Administrator's Guide for more information.

  • Enable Activation Lock directly on a device that is currently enrolled with Jamf Pro (supervised devices in Apple School Manager or Apple Business Manager)
    You can use Jamf Pro 10.8.0 or later to enable Activation Lock directly on a device that is currently enrolled with Jamf Pro. This option is available as a remote command and as a mass action.
    For more information, see the following sections in the Jamf Pro Administrator's Guide:

      • Remote Commands for Mobile Devices
        Learn how to clear Activation Lock for a device.

      • Performing Mass Actions for Mobile Devices
        Learn how to clear Activation Lock for multiple devices.

Collect Activation Lock Information

Jamf Pro collects the following information about Activation Lock:

  • Activation Lock status
    You can view the status of Activation Lock in a device's inventory information. The Activation Lock status is displayed in the device's inventory information with a value of "Enabled" or "Disabled". For more information about where in Jamf Pro you can view the Activation Lock status of a device, see Viewing and Editing Inventory Information for a Mobile Device in the Jamf Pro Administrator's Guide.
    In addition, you can create smart or static groups based on the status. When creating smart or static mobile device groups based on the status of Activation Lock, you can choose to base the group on the Activation Lock status of "Enabled" or "Disabled". For more information about smart or static groups, see the following sections in the Jamf Pro Administrator's Guide:

      • Static Device Groups
        Learn how to create a mobile device group that can contain all devices with a specific Activation Lock status.

      • Smart Device Groups
        Learn how to create a mobile device group that can be based on the Activation Lock status and has dynamic membership.

  • Activation Lock bypass code (supervised devices only)
    The Activation Lock bypass code is collected automatically. After the code is collected, it is deleted from the device but remains available in the management information for the device in Jamf Pro. Jamf Pro collects an updated code each time the device is reactivated and re-enrolled. This updated code replaces the existing code in the management information for the device. Jamf Pro also has customizable privileges that can be set to ensure only approved administrators can view the code. A different bypass code to clear Activation Lock is available depending on how Activation Lock was enabled on the device. Both bypass codes are stored and displayed in the device's inventory information in Jamf Pro.

Note: The bypass code to use when Activation Lock is enabled on the device is available in Jamf Pro 10.7.0 or later, and only available for supervised devices with iOS 12 or later in Apple School Manager or Apple Business Manager.
For more information about how to view the Activation Lock bypass code for a device, see the “Viewing the Activation Lock Bypass Code for a Mobile Device” section in Viewing Management Information for a Mobile Device of the Jamf Pro Administrator's Guide.

Clear Activation Lock

The Activation Lock bypass codes that are collected and stored in a device's inventory information can be used to clear Activation Lock on devices. Clearing Activation Lock can be completed in the following ways:

  • Jamf Pro can automatically clear Activation Lock on devices using a bypass code
    You can clear Activation Lock when sending a Wipe Device remote command. Jamf Pro automatically clears Activation Lock using the bypass codes stored in the device's inventory information. This option is available as a remote command and as a mass action.
    For more information, see the following sections in the Jamf Pro Administrator's Guide:

      • Remote Commands for Mobile Devices
        Learn how to clear Activation Lock for a device.

      • Performing Mass Actions for Mobile Devices
        Learn how to clear Activation Lock for multiple devices.

  • The Activation Lock bypass code can be entered during device setup
    You can manually enter the Activation Lock bypass code on the device during device setup. The bypass code can be entered in the password field on the Activation Lock screen in the Setup Assistant to bypass the Activation Lock step.
    Note: A different bypass code to clear Activation Lock is available depending on how Activation Lock was enabled on the device. Both bypass codes are stored and displayed in the device's inventory information in Jamf Pro.

Disable and Prevent Activation Lock

You can use Jamf Pro 10.8.0 or later to disable and prevent Activation Lock directly on a device. Jamf Pro automatically disables Activation Lock using the bypass codes stored in the device's inventory information. Unlike clearing Activation Lock, disabling and preventing Activation Lock disables Activation Lock without wiping the device and prevents an end user from re-enabling Activation Lock. This option is available as a remote command and as a mass action.

For more information, see the following sections in the Jamf Pro Administrator's Guide:

SOLVED Posted: by cdenesha

As of 6/8, the table is not displaying as a table.

SOLVED Posted: by krispayne

The title of the KB is Leveraging Apple’s Activation Lock Feature with the Casper Suite

Why doesn't the article have the information on how to Leverage Activation Lock? From what I can tell it just points you to the Admin Guide? I'm probably lost.

SOLVED Posted: by jyergatian

Reading this leads me to believe the following:
- Prevent user from enabling Activation Lock will prevent the end user from utilizing the lock function with Find my Device.
- Enable Activation Lock on the device will instantly lock the device, just like Find my Device would do.

If the above is correct, I'm curious to know when the latter would be implemented. The only use case I can think of is having a PreStage for lost or stolen devices with this setting enabled. Enabling Activation Lock on the device across all PreStages seems like it would kill the advertised "there is no step 3" experience Jamf touts so often.

Is my train of thought correct or have I misread the article?

SOLVED Posted: by pwildemann

@jyergatian Any new insights on this?
