Skip to main content
Solved

Disabling or bypassing iCloud Activation Lock

  • July 10, 2024
  • 15 replies
  • 323 views
I
Forum|alt.badge.img+3

Hello,

I've been testing how to recover a device in the case an employee logged into their iCloud account with their personal credentials on a supervised machine. I was able to successfully boot into recovery mode, erase the machine then after rebooting again use the MDM recovery key in JAMF to regain control over the machine.

 

However, I tried another scenario where I used the personal iCloud account to remotely lock the machine. I was not able to find a procedure to recover the machine in that case.

Is there a process for this, or is there a way to disable remote lock via iCloud in Jamf Now?

Best answer by micah.coyle

Hey Mike,

 

Just to further clarify, if the machine didn't come directly from Apple or an authorized retailer (e.g. with supervision out of the box) then I would need to disable iCloud entirely because those don't show in Apple Business Manager.

 

Is is possible to entirely disable all of iCloud in Jamf Now, or is that a Pro only feature? I don't see how to just turn it off entirely, just specific iCloud features.


You can retroactively add devices into Apple Business Manager with Apple Configurator (using either an iPhone or another Computer) which would be recommended, but this does also wipe the device so it might not be feasible to establish fleetwide for current devices: https://learn.jamf.com/en-US/bundle/jamf-now-documentation/page/Device_Preparation_for_Automated_Device_Enrollment_with_Apple_Configurator.html 

 

Otherwise in Jamf Now inside the Blueprint you would go to Restrictions > Privacy and Security > and check off "Prevent Changes to Accounts." That will prevent them from signing into an Apple ID, and if you partner that by skipping the Apple ID during enrollment (for Automated Device Enrollment) then they would never be prompted to sign in. If your devices are enrolling via Open Enrollment then this won't work, as devices won't be supervised, and that restriction does require supervision.  

    C

    15 replies

    micah.coyle
    Forum|alt.badge.img+6
    • micah.coyle
    • Employee
    • July 10, 2024

    If the devices are in Apple Business Manager then you can disable Activation Lock for organizational devices, whether the lock was placed via MDM or the user: https://support.apple.com/guide/apple-business-manager/turn-off-activation-lock-axm812df1dd8/web

    Otherwise you would need to disable using Apple ID's all together on devices. Apple is not too keen on preventing Activation Lock for Apple ID's, even on organizational devices, so it's basically an "All or Nothing" approach. You could use Managed Apple ID's but that also has it's own host of other issues related to the restrictions placed on those Apple ID's. 

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • July 10, 2024

    not tested as we disable as part of pre-stage, but this is new in ABM.. worth a go.. 

     

    I
    I
    Forum|alt.badge.img+3
    • ItManagerDude
    • Author
    • New Contributor
    • July 10, 2024

    If the devices are in Apple Business Manager then you can disable Activation Lock for organizational devices, whether the lock was placed via MDM or the user: https://support.apple.com/guide/apple-business-manager/turn-off-activation-lock-axm812df1dd8/web

    Otherwise you would need to disable using Apple ID's all together on devices. Apple is not too keen on preventing Activation Lock for Apple ID's, even on organizational devices, so it's basically an "All or Nothing" approach. You could use Managed Apple ID's but that also has it's own host of other issues related to the restrictions placed on those Apple ID's. 


    Hey Mike,

     

    Just to further clarify, if the machine didn't come directly from Apple or an authorized retailer (e.g. with supervision out of the box) then I would need to disable iCloud entirely because those don't show in Apple Business Manager.

     

    Is is possible to entirely disable all of iCloud in Jamf Now, or is that a Pro only feature? I don't see how to just turn it off entirely, just specific iCloud features.

    U
    Forum|alt.badge.img+3

    Hey @ItManagerDude 

    I am also trying to do the same , however after rebooting into recovery mode and erasing mac i dont see the option to activate with MDM recovery key , my machines go into infinite loop internet recovery mode after erasing and never land in activating screen , 
    Apologies to distract from your issue here, but i am desperately looking for solution as there are quite few laptops with personal icloud accounts and activation lock enabled that are sitting on shelf and i  want to try this option before opening a support case with apple. 

    Thanks in advance

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • July 10, 2024

    Hey Mike,

     

    Just to further clarify, if the machine didn't come directly from Apple or an authorized retailer (e.g. with supervision out of the box) then I would need to disable iCloud entirely because those don't show in Apple Business Manager.

     

    Is is possible to entirely disable all of iCloud in Jamf Now, or is that a Pro only feature? I don't see how to just turn it off entirely, just specific iCloud features.


    all devices should be in ABM, add them via Configurator on iOS (unless its BYOD, but thats a whole other story) 

    I
    Forum|alt.badge.img+3
    • ItManagerDude
    • Author
    • New Contributor
    • July 10, 2024

    Hey @ItManagerDude 

    I am also trying to do the same , however after rebooting into recovery mode and erasing mac i dont see the option to activate with MDM recovery key , my machines go into infinite loop internet recovery mode after erasing and never land in activating screen , 
    Apologies to distract from your issue here, but i am desperately looking for solution as there are quite few laptops with personal icloud accounts and activation lock enabled that are sitting on shelf and i  want to try this option before opening a support case with apple. 

    Thanks in advance


    @user-toqGCATSsE I used this video as a guide. https://trainingcatalog.jamf.com/macos-activation-lock-bypass-with-jamf-now/1766263

    micah.coyle
    Forum|alt.badge.img+6
    • micah.coyle
    • Employee
    • Answer
    • July 10, 2024

    Hey Mike,

     

    Just to further clarify, if the machine didn't come directly from Apple or an authorized retailer (e.g. with supervision out of the box) then I would need to disable iCloud entirely because those don't show in Apple Business Manager.

     

    Is is possible to entirely disable all of iCloud in Jamf Now, or is that a Pro only feature? I don't see how to just turn it off entirely, just specific iCloud features.


    You can retroactively add devices into Apple Business Manager with Apple Configurator (using either an iPhone or another Computer) which would be recommended, but this does also wipe the device so it might not be feasible to establish fleetwide for current devices: https://learn.jamf.com/en-US/bundle/jamf-now-documentation/page/Device_Preparation_for_Automated_Device_Enrollment_with_Apple_Configurator.html 

     

    Otherwise in Jamf Now inside the Blueprint you would go to Restrictions > Privacy and Security > and check off "Prevent Changes to Accounts." That will prevent them from signing into an Apple ID, and if you partner that by skipping the Apple ID during enrollment (for Automated Device Enrollment) then they would never be prompted to sign in. If your devices are enrolling via Open Enrollment then this won't work, as devices won't be supervised, and that restriction does require supervision.  

    Boogietr0n
    I
    micah.coyle
    Forum|alt.badge.img+6
    • micah.coyle
    • Employee
    • July 10, 2024

    Hey @ItManagerDude 

    I am also trying to do the same , however after rebooting into recovery mode and erasing mac i dont see the option to activate with MDM recovery key , my machines go into infinite loop internet recovery mode after erasing and never land in activating screen , 
    Apologies to distract from your issue here, but i am desperately looking for solution as there are quite few laptops with personal icloud accounts and activation lock enabled that are sitting on shelf and i  want to try this option before opening a support case with apple. 

    Thanks in advance


    When it loops to recovery mode do you see "Recovery Assistant" at the top left? If so click on that then choose > Active with MDM Key. Sometimes computers don't land on a splash screen to enter the bypass code.  

    I
    Forum|alt.badge.img+3
    • ItManagerDude
    • Author
    • New Contributor
    • July 10, 2024

    You can retroactively add devices into Apple Business Manager with Apple Configurator (using either an iPhone or another Computer) which would be recommended, but this does also wipe the device so it might not be feasible to establish fleetwide for current devices: https://learn.jamf.com/en-US/bundle/jamf-now-documentation/page/Device_Preparation_for_Automated_Device_Enrollment_with_Apple_Configurator.html 

     

    Otherwise in Jamf Now inside the Blueprint you would go to Restrictions > Privacy and Security > and check off "Prevent Changes to Accounts." That will prevent them from signing into an Apple ID, and if you partner that by skipping the Apple ID during enrollment (for Automated Device Enrollment) then they would never be prompted to sign in. If your devices are enrolling via Open Enrollment then this won't work, as devices won't be supervised, and that restriction does require supervision.  


    Exactly the info I needed, thanks for explaining. Jamf just earned a new customer.

    Boogietr0n
    micah.coyle
    U
    Forum|alt.badge.img+3

    @micah.coyle It does display recovery assistance at top left but then no option to activate with MDM key . I have tried multiple times to erase the laptop but no dice. 

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • July 10, 2024

    Hey Mike,

     

    Just to further clarify, if the machine didn't come directly from Apple or an authorized retailer (e.g. with supervision out of the box) then I would need to disable iCloud entirely because those don't show in Apple Business Manager.

     

    Is is possible to entirely disable all of iCloud in Jamf Now, or is that a Pro only feature? I don't see how to just turn it off entirely, just specific iCloud features.


    If the Mac is not in Apple Business Manager, then it is not supervised by Jamf Now or Pro, and they will not have the Activation Lock Bypass codes. You will need to contact Apple, and provide proof of purchase, and they will provide you with the Activation Lock Bypass code. Many things in Apples MDM framework are locked behind device supervision, Activation Lock is one of them.

     

    iOS 7.1 adds support for bypassing Activation Lock. This allows organizations to remove the Activation Lock from supervised devices prior to device activation without knowing the userʼs personal Apple ID and password. Use this command to retrieve the device’s bypass code.

    Get the Bypass Code for Activation Lock | Apple Developer Documentation

     

     

    Boogietr0n
    Forum|alt.badge.img+1
    • Boogietr0n
    • Employee
    • July 10, 2024

    Exactly the info I needed, thanks for explaining. Jamf just earned a new customer.


    We suggest taking a look through our documentation:
    https://learn.jamf.com/bundle/jamf-now-documentation/page/Jamf_Now_Documentation.html
    We also have training catalog videos available:
    https://trainingcatalog.jamf.com/page/jamf-now
    Last but not least, we also have some YouTube videos available:
    https://www.youtube.com/playlist?list=PLWs1qukS_mcYQgv8Te1Z806K1k86ksDR4

    micah.coyle
    Forum|alt.badge.img+6
    • micah.coyle
    • Employee
    • July 10, 2024

    If the Mac is not in Apple Business Manager, then it is not supervised by Jamf Now or Pro, and they will not have the Activation Lock Bypass codes. You will need to contact Apple, and provide proof of purchase, and they will provide you with the Activation Lock Bypass code. Many things in Apples MDM framework are locked behind device supervision, Activation Lock is one of them.

     

    iOS 7.1 adds support for bypassing Activation Lock. This allows organizations to remove the Activation Lock from supervised devices prior to device activation without knowing the userʼs personal Apple ID and password. Use this command to retrieve the device’s bypass code.

    Get the Bypass Code for Activation Lock | Apple Developer Documentation

     

     


    Devices can be manually supervised using Apple Configurator without preparing it fully and adding it to Apple Business Manager, but that's a very slim percentage of enrolled devices and rarely used. 

     

    A
    Forum|alt.badge.img+5

    not tested as we disable as part of pre-stage, but this is new in ABM.. worth a go.. 

     


    I didn't have this third option, only edit and release.

    C
    Forum|alt.badge.img
    • Carol_8888
    • New Contributor
    • January 7, 2025

    I have the same issue and found many different third-party activation unlocker tools, like TunesKit Activation unlocker, and Magfone. Are these tools safe to use? Can anyone share the experience?

    Terms & ConditionsCookie settingsAccessibility statement