iOS 7 Find My iPhone security feature

LarryH
New Contributor III

With the new security feature in iOS 7's Find My iPhone you have to know the AppleID's password being used to wipe the device. What happens if a phone is lost and an AppleID is on the device with Find My iPhone? Will it be able to be wiped from JSS?

18 REPLIES

rob_potvin
Contributor III

I have tested this and can tell you that you can still remote wipe the device via the JSS. That still works.

Then when the iOS device comes back online it will require the iCloud account to activate the device. If the device is wiped again either via DFU mode or iTunes, any time the device comes back online it will require the iCloud account.

The only way to remove this is to log back into iCloud in preferences and turn off "Find My iPhone".

taylor_wolfe
New Contributor

Hey Larry -

Just wanted to add that if these devices are supervised, you're able to wipe them via the JSS without receiving the iCloud prompt upon first boot. Supervision is currently Apple's cue that the device is institutionally owned and (hopefully) has an MDM in place. You'll still see the normal behavior if you manually try to reset the device though.

LarryH
New Contributor III

Thanks Rob. Nice feature but I can see the headaches coming from this. If the phone was not lost and I had to wipe it due to the employee no longer being with our organization, I'm sure they'll just turn over their AppleID password to me so I can reactivate the phone.

CasperSally
Valued Contributor II

I really was hoping iOS7 and MDM improvements meant the end of Configurator.

mm2270
Legendary Contributor III

@Larry.Hunt, that was my thought as well. I can see some ugly scenarios where Employee X has an institutionally owned iOS device, sets up iCloud activation lock, then leaves/gets canned, and the device can no longer be wiped and activated by IT without asking the user to disable it or supply the iCloud account.
I'm talking about normally enrolled devices, not supervised, since the latter model only works in specific organization types.

LarryH
New Contributor III

At this time we cannot supervise our iOS devices either. I guess I could create an AppleID using their company email address and configure Find My iPhone. Then hope that they never change the primary email address for that AppleID. Then I could request a password reset of that AppleID and hope that I'll be able to activate the device with the newly created password for that AppleID. Just sounds like a lot of work.

dgreening
Valued Contributor II

I have reached out to the Apple Engineer who I work with to address this issue. We need to be able to override the device lock as an institution for all institutionally owned devices. I'll report back anything I am allowed to.

jbmiller
New Contributor III

I too am facing a situation where I already have managed but unsupervised iPads already deployed, so this issue is a big headache for me. In this type of situation is it best to reach out to our respective Apple engineers to generate enough buzz about the problem so that it will be solved quicker? I am already imagining situations where iPads are broken and replaced, resulting in our organization being unable to use the repaired ones because of not being able to have access to the Apple ID password.

dgreening
Valued Contributor II

I'm pretty sure the WWDC info is still under NDA, however, there could be functionality coming out for institutions which could address this. I wish Apple would just release it already... or at least lift the NDA so we could talk about specifics.

taylor_wolfe
New Contributor

While being mindful of the NDA in place, here's a public site listing the iOS7 features:

http://www.apple.com/ios/education/

For the issue of having non-supervised devices already in the wild, the 'Streamlined MDM Enrollment' section does mention that the ability will be there to supervise devices wirelessly. We can't really discuss specifics, but it does appear that Apple has a plan of attack in place for resolving this issue.

CasperSally
Valued Contributor II

A plan of attack under NDA after the public release .. typical.

Just like the yet to be publicly announced VPP changes.

dgreening
Valued Contributor II

I bet we will be lucky to see the new functionality released before Christmas.

mschuring
New Contributor III

We manage a large number of student iPads using JAMF and Apple Configurator and really struggled through this issue, with the Activation Lock and managed iPads. I know that I read above, if the device is supervised by a machine you can erase the iPad and still manage it, but we found that to not be true. If that iPad's UDID is associated with an iCloud account, it cannot be removed from that iCloud account unless you know the Apple ID and password of the iCloud account that specifically activated Find My iPad on the device. When trying to update the iPad to iOS 7 you will run into an "unable to verify activation" warning on the iPad until the iPad is fully removed from that account. Thankfully we were doing this with only a handful of students and were able to find a workaround.

For now, I am downloading the ipsw file and storing that on my computer that I use to manage my devices. I then back up the student iPad to iTunes on that computer, choose to update from the correct iOS 7 ipsw file and am able then to maintain my supervision profiles and my MDM profiles while updating the device to iOS 7.

I also had to make sure I turned off the option to Update iOS when an update is available. I accidentally connected an iPad to my machine with Configurator open and lost all of the student's data.

nsdjoe
Contributor II

From our Apple SE…

"Over the next few weeks and months further information will be coming on features such as Streamlined MDM enrollment, App Store license management, Caching Server 2 and Under 13 Apple ID’s."

tdurdan
New Contributor

So our plan to handle this issue moving forward was to provision new devices with a supervision profile; however, it appears that the supervision profile is getting wiped if the user elects to restore from an iCloud backup.

jbrummer
New Contributor

Is there any new information on an official way to block this on company owned devices?

mschuring
New Contributor III

Hi jbrummer,

There is no way to block it currently, but with proper proof of ownership, i.e. the purchase order number & serial number, I have heard confirmation that Apple will help you in releasing the iPad from its activation lock. I would reach out to an Apple systems engineer for that.

anne_benson
New Contributor II

We had our Apple Education rep and engineer in here last week and they kept saying January as the target date for these new features.