Hi there,
Last year we introduced Google Workspace Federated Managed Apple IDs into our environment to negate the use of personal Apple IDs. Dealing with activation locks was particularly tedious on those personal Apple ID linked devices, so we opted for making use of Managed Apple IDs since they do not have Find My functionality associated with them. Logically this should resolve the activation lock issue and also allow users to make use of some iCloud related functions.
The behaviour we saw as a result was a 70% uptick in devices triggering activation lock when formatted, either through Jamf Pro or directly in-OS using the erase or format functions. The difference with these activation locks is that they ask for the last iCloud sign-in used but do not have the hint, i.e. "s*****z@icloud.com", and since Managed Apple IDs don't support Find My, the devices cannot be unlocked even if we use the Managed Apple ID credentials.
The most logical response then would be to use the activation lock bypass code. The problem is our environment was migrated from Meraki using the Jamf migration toolset, so the majority of devices in the environment are UIE devices, so activation lock bypass is not possible.
Currently the wiping process is entirely RNG on whether or not it triggers activation lock. Yes, we've signed out of the Managed Apple IDs before wipes; it doesn't make a difference. We have thought of signing into an IT-controlled personal Apple ID and intentionally triggering the activation lock and making this our process for all future wipes, but that is obviously not the most elegant solution, so I was hoping anyone else is able to give input on this matter.
Here is an example of a scenario where a user signed out of their Managed Apple ID prior to formatting and yet it triggered activation lock. Keep in mind that Managed Apple IDs don't have Find My, yet somehow they cause activation lock, and you are not able to successfully authenticate to pass this point even with the correct credentials.
Contact AppleCare. With a list of affected devices, they should be able to clear Activation Lock in bulk. Assuming the device serial numbers are all in your ASM/ABM org, that should suffice for proof of ownership.
Yes, this is what we're doing already. I'm more asking about how to avoid this all together in the methodology.
Gotcha. The best way to avoid this in the future is to enable the "Prevent user from enabling Activation Lock" option in the PreStage enrollment.
This is also already the case. The devices we are having issues with are UIE migrated devices.
Understood. Activation lock can only be suppressed for Supervised devices, which requires ADE.