Posted on 10-09-2024 03:10 AM
Hello,
Using JamfNow, I am able to enrol a Mac purchased via Apple business. (i.e. device was automatically inserted into ABM on purchase of device by Apple).
I am able to use created blueprint within JamfNow to push the setup to the Mac.
I have one issue: the status screen for the device says that Activation Lock is not activated, and when I look at System Information on the Mac I can see that Activation Lock is not activated. I have tried the various combinations of activating Find My on the Mac, deactivating, wiping the Mac, reinstalling.
I have gone as far as wiping the Mac by erasing disk and reinstalling OS around 10 times trying the various combinations without luck.
I have even gone as far as removing the Mac from JamfNow and ABM and trying to get Activation Lock to activate outside of ABM without success.
My understanding is that while a user cannot remove the management profiles, they could wipe the Mac and reinstall using their own Apple ID or if stolen the same could happen if activation lock is not active.
I am using device-level allocation of licenses etc. and not per user; from what I can find in the help and 'Dr. Google', the implication is that Activation Lock is therefore handled by the MDM and not by the user setting Find My on or off.
I cannot find a way in JamfNow or see a setting that would say 'turn on Activation Lock'; I can find text referring to this about JamfPro.
Any ideas as to what may be the cause here, as to:
- Why won't it activate?
- Should it be activating on enrolment?
- Is this not available in JamfNow and only in JamfPro?
Posted on 10-09-2024 07:26 AM
There is nothing you can do to prevent a device from being wiped. Enabling things like the EFI Password (for Intel Macs) or Recovery Lock Password (for Apple Silicon Macs) will make the devices harder to wipe, but not impossible. Also disable Erase All Content and Settings in macOS Settings with a Configuration Profile. However, a DFU restore of a Mac will remove the Recovery Lock Password, allowing the user to wipe the OS and reinstall macOS.
Where I think you may be confused is with Activation Lock.
macOS activation is where MDM comes in. If you have your devices in Apple Business Manager, and targeting an MDM like Jamf, you can configure the MDM to have Automated Device Enrollment enabled. When macOS tries to activate, APNs will check for several things like Activation Lock or MDM Enrollment Profiles. If the device is in ABM, redirected to Jamf, and Jamf has a PreStage configured scoped to the device, then the user MUST enroll the device in Jamf to clear macOS activation. If you have credentials required to enroll, and the user does not have the credentials, then the device is stuck.
Apple has a fairly robust set of training documentation for device deployment and management; these sections go into device enrollment and may clear some confusion up.
https://it-training.apple.com/tutorials/apt-deployment/#enabling-automated-device-enrollment
https://it-training.apple.com/tutorials/apt-deployment/#understanding-device-and-user-enrollment
Posted on 10-09-2024 05:44 AM
I think you may have a misunderstanding of what Activation Lock is; generally you want it "not activated".
Activation Lock is something a user enables, not an MDM. Activation Lock is enabled when you sign in to an Apple Account; it locks the device to your Apple Account and prevents the device from being activated by another Apple Account.
MDM can escrow an Activation Lock bypass code which would let you bypass the Activation Lock if enabled, MDM can also outright prevent the activation of Activation Lock.
Posted on 10-09-2024 06:55 AM
Hello AJPinto, thank you for your reply. It may well be that I have misunderstood. To clarify my understanding:
I understand that Activation Lock will prevent someone from wiping the device and setting it up as theirs (in case it is stolen, maybe) unless they have the credentials of the Apple account that was used to activate 'Find My', or, in the case of an MDM, the MDM will activate it and this wiping in case of theft cannot happen.
In this case I understood that a user should not/cannot do it, otherwise it is locked to their account, which means when they leave the company I then have to go the long route to Apple and ask them to remove it after providing proof of purchase etc. etc.
I understood (and this part may be where I had not understood correctly) that the MDM will activate the Activation Lock so it is locked to my organisation. Your answer suggests that the device will still be locked and cannot be wiped because the MDM is in place and the device is supervised? Did I understand you correctly?
Posted on 10-09-2024 11:54 AM
AJPinto, thank you for that clarification. And also thank you for the suggestion to disable 'Erase All Content and Settings'; I have added this to my Blueprint in Jamf. Thank you for the assistance.
Posted on 10-09-2024 12:29 PM
You are very welcome; I am happy to help anytime :).
Cheers!!!
10-09-2024 07:26 AM - edited 10-09-2024 07:27 AM
Replied out of thread, redacted and replied as an actual reply.
Posted on 10-09-2024 10:37 AM
I believe you are referring to the Mac activation process that occurs during the initial boot. If possible, please attempt to connect to a different Wi-Fi or Ethernet network. You can also try to revive or restore from DFU; check the link below.
https://support.apple.com/en-us/108900