Posted on 07-10-2024 06:00 AM
Hello,
I've been testing how to recover a device in the case where an employee logged into their iCloud account with their personal credentials on a supervised machine. I was able to successfully boot into recovery mode, erase the machine, then after rebooting again use the MDM recovery key in Jamf to regain control over the machine.
However, I tried another scenario where I used the personal iCloud account to remotely lock the machine. I was not able to find a procedure to recover the machine in that case.
Is there a process for this, or is there a way to disable remote lock via iCloud in Jamf Now?
Posted on 07-10-2024 10:29 AM
You can retroactively add devices into Apple Business Manager with Apple Configurator (using either an iPhone or another Computer) which would be recommended, but this does also wipe the device so it might not be feasible to establish fleetwide for current devices: https://learn.jamf.com/en-US/bundle/jamf-now-documentation/page/Device_Preparation_for_Automated_Dev...
Otherwise in Jamf Now inside the Blueprint you would go to Restrictions > Privacy and Security > and check off "Prevent Changes to Accounts." That will prevent them from signing into an Apple ID, and if you partner that by skipping the Apple ID during enrollment (for Automated Device Enrollment) then they would never be prompted to sign in. If your devices are enrolling via Open Enrollment then this won't work, as devices won't be supervised, and that restriction does require supervision.
Posted on 07-10-2024 06:43 AM
If the devices are in Apple Business Manager then you can disable Activation Lock for organizational devices, whether the lock was placed via MDM or the user: https://support.apple.com/guide/apple-business-manager/turn-off-activation-lock-axm812df1dd8/web
Otherwise you would need to disable using Apple IDs altogether on devices. Apple is not too keen on preventing Activation Lock for Apple IDs, even on organizational devices, so it's basically an "all or nothing" approach. You could use Managed Apple IDs, but those also have their own host of issues related to the restrictions placed on those Apple IDs.
Posted on 07-10-2024 07:53 AM
Hey Mike,
Just to further clarify, if the machine didn't come directly from Apple or an authorized retailer (e.g. with supervision out of the box) then I would need to disable iCloud entirely because those don't show in Apple Business Manager.
Is it possible to entirely disable all of iCloud in Jamf Now, or is that a Pro-only feature? I don't see how to just turn it off entirely, only specific iCloud features.
Posted on 07-10-2024 09:17 AM
All devices should be in ABM; add them via Configurator on iOS (unless it's BYOD, but that's a whole other story).
Posted on 07-10-2024 10:36 AM
Exactly the info I needed, thanks for explaining. Jamf just earned a new customer.
Posted on 07-10-2024 10:51 AM
We suggest taking a look through our documentation:
https://learn.jamf.com/bundle/jamf-now-documentation/page/Jamf_Now_Documentation.html
We also have training catalog videos available:
https://trainingcatalog.jamf.com/page/jamf-now
Last but not least, we also have some YouTube videos available:
https://www.youtube.com/playlist?list=PLWs1qukS_mcYQgv8Te1Z806K1k86ksDR4
Posted on 07-10-2024 10:47 AM
If the Mac is not in Apple Business Manager, then it is not supervised by Jamf Now or Pro, and they will not have the Activation Lock bypass codes. You will need to contact Apple and provide proof of purchase, and they will provide you with the Activation Lock bypass code. Many things in Apple's MDM framework are locked behind device supervision; Activation Lock is one of them.
iOS 7.1 adds support for bypassing Activation Lock. This allows organizations to remove the Activation Lock from supervised devices prior to device activation without knowing the userʼs personal Apple ID and password. Use this command to retrieve the device’s bypass code.
Get the Bypass Code for Activation Lock | Apple Developer Documentation
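The replies above boil down to a decision: if the locked Mac is in Apple Business Manager, turn Activation Lock off there (or with the MDM bypass code); if it is not, the only route is Apple support with proof of purchase. The following shell script is an added example, not code from the thread or from Jamf. It encodes that decision as a function that reads the output of two real macOS commands, `profiles status -type enrollment` and `system_profiler SPHardwareDataType`, and it assumes that "Enrolled via DEP: Yes" is a usable proxy for "this Mac is in ABM and was enrolled through Automated Device Enrollment" (a Mac added to ABM via Configurator but never re-enrolled would read "No"). The sample outputs embedded below are constructed so the script runs offline; `triage_live` is the hypothetical wrapper you would run on the Mac itself.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Maps a Mac's enrollment and
# Activation Lock state to the recovery path described in the replies.
#
# Inputs are the text output of two real macOS commands:
#   profiles status -type enrollment      -> "Enrolled via DEP: Yes|No" ...
#   system_profiler SPHardwareDataType    -> "Activation Lock Status: Enabled|Disabled"
#
# classify_mac ENROLLMENT_OUTPUT HARDWARE_OUTPUT
# Prints exactly one of:
#   NOT_LOCKED               - Activation Lock is off; nothing to recover
#   ABM_TURN_OFF             - in ABM/ADE: turn off Activation Lock in ABM
#                              or use the MDM bypass code held by Jamf
#   APPLE_PROOF_OF_PURCHASE  - not in ABM: contact Apple with proof of purchase
classify_mac() {
  enrollment="$1"
  hardware="$2"

  # Pull the value after "Key: " for the two lines we care about.
  lock=$(printf '%s\n' "$hardware" | awk -F': ' '/Activation Lock Status/ {print $2}')
  dep=$(printf '%s\n' "$enrollment" | awk -F': ' '/Enrolled via DEP/ {print $2}')

  if [ "$lock" != "Enabled" ]; then
    echo NOT_LOCKED
  elif [ "$dep" = "Yes" ]; then
    echo ABM_TURN_OFF
  else
    echo APPLE_PROOF_OF_PURCHASE
  fi
}

# Hypothetical wrapper for use on the Mac itself; not called below so the
# script also runs on non-macOS hosts.
triage_live() {
  classify_mac "$(profiles status -type enrollment)" \
               "$(system_profiler SPHardwareDataType)"
}

# --- Constructed sample outputs (shape matches the real commands) ---------
SAMPLE_ENROLLMENT_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm/ServerURL'

SAMPLE_ENROLLMENT_OPEN='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm/ServerURL'

SAMPLE_HW_LOCKED='Hardware:

    Hardware Overview:

      Model Name: MacBook Air
      Chip: Apple M1
      Activation Lock Status: Enabled'

SAMPLE_HW_UNLOCKED='Hardware:

    Hardware Overview:

      Model Name: MacBook Air
      Chip: Apple M1
      Activation Lock Status: Disabled'

# Demonstration run over the constructed samples.
echo "ADE-enrolled, locked:   $(classify_mac "$SAMPLE_ENROLLMENT_ADE"  "$SAMPLE_HW_LOCKED")"
echo "Open-enrolled, locked:  $(classify_mac "$SAMPLE_ENROLLMENT_OPEN" "$SAMPLE_HW_LOCKED")"
echo "Open-enrolled, unlocked: $(classify_mac "$SAMPLE_ENROLLMENT_OPEN" "$SAMPLE_HW_UNLOCKED")"
```

Run it before shelving a laptop: an APPLE_PROOF_OF_PURCHASE result means no amount of erasing from Recovery will produce a "Activate with MDM key" option, because neither Jamf Now nor Pro ever received a bypass code for an unsupervised device.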
Posted on 07-10-2024 10:53 AM
Devices can be manually supervised using Apple Configurator without preparing it fully and adding it to Apple Business Manager, but that's a very slim percentage of enrolled devices and rarely used.
Posted on 07-10-2024 07:06 AM
Not tested, as we disable it as part of pre-stage, but this is new in ABM. Worth a go.
Posted on 07-18-2024 04:37 AM
I didn't have this third option, only edit and release.
Posted on 07-10-2024 09:00 AM
Hey @ItManagerDude
I am also trying to do the same; however, after rebooting into recovery mode and erasing the Mac, I don't see the option to activate with the MDM recovery key. My machines go into an infinite loop of internet recovery mode after erasing and never land on the activation screen.
Apologies to distract from your issue here, but I am desperately looking for a solution, as there are quite a few laptops with personal iCloud accounts and Activation Lock enabled that are sitting on a shelf, and I want to try this option before opening a support case with Apple.
Thanks in advance
Posted on 07-10-2024 10:22 AM
@user-toqGCATSsE I used this video as a guide. https://trainingcatalog.jamf.com/macos-activation-lock-bypass-with-jamf-now/1766263
Posted on 07-10-2024 10:32 AM
When it loops to recovery mode do you see "Recovery Assistant" at the top left? If so click on that then choose > Active with MDM Key. Sometimes computers don't land on a splash screen to enter the bypass code.
Posted on 07-10-2024 10:39 AM
@MikeTheTech It does display Recovery Assistant at the top left, but then there is no option to activate with the MDM key. I have tried multiple times to erase the laptop, but no dice.