In my organization, students are often unaware that they need to release devices from their iCloud accounts. Because of this, we experience a fair amount of Activation Lock Errors. Previously, when using the bypass codes provided for each user in JAMF, they worked consistently. Recently (over the past 6 months) I have noticed that there are an increasing number of codes that are not working ot remove Activation Lock from the devices. Currently I am attempting to contact each of the students with directions on how to release the activation lock, however, they are no longer students of the university, so often times, they are not checking their university email, so a better solution is preferable.
Has anyone else experienced this? Whether you have or have not had these same issues, can anyone offer a better solution?
I don’t have an easy solution as I suffer from the same problem you have occasionally. I’ve sometimes seen your issue occur to us. Three things to try (two are more preventative then cure)
Connect the device to iTunes and put in the bypass code without dashes when it comes up in iTunes asking to unlock activation lock. (This sometimes works.)
Distribute your apps via device based app assignment and lock out iCloud (not feasible on the surface but with MDM you can still locate a missing device.
Wipe the device with a ‘clear activation lock’ before students turn in.
As a last ditch, Apple will clear so long as you call and prove ownership, but it’s a slow process.
I honestly wish Jamf would provide some means of blocking activation lock from being turned on in the first place, but I don’t know if they even could implement that.
I have also been experiencing the same issue recently.
Another thing that has recently stopped working when I try to 'clear activation lock' is the error : 'Activation Lock could not be cleared> 404- Device not found or activation lock bypass is invalid.'
JAMF support informed me there is nothing they can do about it, that is an Apple iOS 11 issue.
Like what @blackholemac said, we have often run into the same issue. When we do the device return at the end of the year from our students, we have them show us that icloud had indeed been signed out. Failing that we try the wipe and remove activation lock from the JSS but this has been hit or miss (more miss recently). After that, i gather up all the devices with activation lock and fill out my template to Apple's unlock team with all the effected devices. 3-4 day later they've been unlocked and im good to go again.
In talking with my apple rep, the only Apple approved way to get around this is to use a managed Apple-ID for each user. We just haven't gone down that road yet for a few reasons.
since commerce is disabled for managed apple IDs (MAIDs), if you have the App Store enabled (or Books, Music, anything you can sign in to to access other purchased content, etc.), the MAID doesn't actually solve the problem. we use MAIDs for iCloud and no matter how many times you say "sign in to iCloud using your MAID - if you want to access purchased or personal content, you can sign out of iTunes and App Store and in with a personal account there," we're always running across devices in which students are signed in using personal accounts. It doesn't help that when setting up the device, on the Apple ID screen it asks you to enter your email address - which our MAIDs are NOT. i have feedback in with Apple to correct this issue, hopefully before our next deployment...for now we have disabled "erase all content and settings" on the device with a config profile, as students were handing in devices that they'd wiped thinking that they were saving us a step, only to later find out it was activation locked...now the only way to wipe is with the remote command, which has helped a lot.
there are many, many, many discussions on this and everyone is asking the same question. the more people are commenting and keeping these at the top of the discussions list/in the feed, hopefully if there are 4 about the SAME THING someone at jamf will GET ON THE BALL. especially since i don't see ANY MENTION of activation lock in the list of known issues. this is apparently a known issue to everyone but jamf...
Our renewal is coming up in May and I am definitely considering ending our relationship with Jamf because of this issue. Our activation locked iPads are really starting to pile up...
Just upgraded to Jamf Pro today hoping that it’d fix the issue. Nope!
Get with the program, Jamf!
If Apple EDU Support has Activation Lock issues on their MAIN support tree, and they also have a mass activation lock clearing system built into their Apple Care OS Preferred Support Plan, you might be barking up the wrong tree.
Also, according to our rollout demo (we got the 1 yr support plan tossed in with 3000 new iPads) you can send a spreadsheet with thousands of devices and they will be cleared in a day or two. I have not put this to the test yet.
I'm finding that the JAMF JSS-generated unlock codes rarely work anymore. I'm sending my unlock requests to Apple: firstname.lastname@example.org. I usually get these resolved the same day.
With iPads on DEP, no proof of purchase is needed, but older iPads do require receipts.
Here's the format I use:
Requestor Name: John Doe
Phone Number: 654-123-4567
Street Address: 6000 Smith Street City/State: Anytown, CA
Postal Code: 98765
Email Address: email@example.com
Product Serial Numbers:
Product IMEI/MEID: (if SN isn’t provided)
Product Description: iPad Pro
Was the device used by an employee?: YES
Why is the institution unable to remove Find My iPhone Activation Lock?: Activation Lock Bypass Code generated by JAMF Pro JSS ) does not unlock device.
Unlock Authorization Statement: I John Doe, representing State University, authorize Apple, Inc. to unlock the devices listed.
I normally try to avoid necromancy of old posts but I wanted to voice what I've observed regarding this issue... Our environment had a couple hundred iPads that were originally deployed to High School students and then re-distributed to staff and faculty about a year later. We have had numerous issues of Activation Lock Bypass codes failing to work with these iPads; seemingly moreso than other iPads that have remained in their original deployments.
My hypothesis for at least a piece of this is that the activation lock code was regenerated for the iPad at some point; possibly during an iOS update or a wipe/redeploy or when a new person signed into iCloud and re-enabled Activation Lock after wiping, and JAMF didn't update the Bypass record for that device properly.
Theory TL;DR - Perhaps the bypass code was regenerated for the iPad at some point but JAMF didn't record it because it already had Activation Lock Bypass enabled with a code on file.
I've also noticed that in later versions of the JSS there is an iPad management command for "Set Activation Lock" available, but it seems that this is also thwarted by the bypass code being invalidated. If I attempt to enable Activation Lock through Apple School Manager, the command immediately jumps to "Failed" status. The command that fails is "DisableActivationLock" which I'm guessing is the first of a few commands to carry out the full payload. Looking through the server logs I found an entry claiming that "Failed to clear activation lock for <Serial Number>. ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]"
Apologies if I'm just beating a dead horse by necro-ing this thread, but this issue has been an irritation for 2-3 years now and it hasn't seen any improvement from later iOS/JSS updates.
Thanks for listening 😜
i've had @gdpatrick's theory rattling around in my head for the past couple of weeks, so today i tested it out. had an ipad that i know has been enrolled before, wiped it and...the activation lock was cleared. right afterwards i went to inventory/security to confirm that it had, in fact, been enabled beforehand. i then re-enrolled with a different user/apple id and tried the same workflow again, and it worked. the device is at 12.1.1 and we're cloud hosted running 10.9.0-t1544463445. is this a turning point? or are there others at the same jss version that aren't able to wipe/clear devices at 12.1.1?
I have been working hard with my techs to have them always WIPE from the jamf server if possible.
This helps with reducing commands queuing up on devices that are not managed by jamf thinks they still are.
Another benefit is that the device record is wiped of management items and ready to be re-enrolled.
I have 4500 iPads and am rarely running into activation lock issues anymore, hadn't really thought about it much.
I have the Bulk Activation Lock Removal Request form and the turnaround time for any I send is super fast (next day)
We are running JP 10.9
Can you see my angry eyes? I have a stack on my desk right now. I let them build up and do one form at a time.
I will vouch for the system that apple has in place for this works, granted it has changed almost yearly. BUT it does work. The form posted earlier doesn't work anymore.
AppleCare Account Security:
Education: 800-800-2775 (Option 3,1,2)
After calling, you will get an email with a form to fill out. You can put multiple iPads per form.
@bvondeylen Yes that works for devices built/enrolled after it was implemented in JAMF 10.7.0. It won't work for devices that predate this functionality in JAMF.
Just an aside - submitting to this email address "firstname.lastname@example.org" only works if you have an Apple Enterprise Technical Support contract. If you don't have a support contract you can call AppleCare and request activation lock removal.
Just wanted to put an update with what i learned here. So after having a few devices with this problem and spending hours with apple on the phone, i finally talked to someone useful. They are able to reset activation locks in between 2-10 days. You want to be talking to "apple care account security". The number above is correct 800-800-2775.
Ok so thats fine, they send me a one use internet form and i filled it out last week and they were able to unlock it for me this morning. All works. You dont need a proof of purchase if your ipad is in DEP, which this one was.
I asked as well, why does this happen? And she told me that this is 100% caused by the "find my ipad" feature. If we didn't use that feature, then this wouldn't be a problem. WOW i said, and sure enough, our student configuration profile is set to enforce find my ipad to 'allowed'. I changed it now to "restricted" in jamf configuration profile and we will see if that helps going forward. I am not sure if this prevents the geolocation of ipads. I had always turned it on when i used meraki for management, because then you could see the ipad on a map. JAMF does not seem to have a map interface that i can see, so the utility of this would be limited in the jamf implementation anyway. Cant think of any other reason why this would be turned on for all students. But the previous admin is no longer here to ask about why he did that initially. I don't think location services are disabled completely by this change, and hopefully its just that one feature that i have disabled.
I am still pretty new to this, so we will see if i have to roll this back if it causes some other issues. I will post back if that is the case. Hope it helps someone.
EDIT: i should also add that all my prestage enrollment has to disable "activation lock" yet still they were getting it on there i would assume, after the fact.
I will say that recently, when we get an activation locked iPad, we have had excellent luck with doing a restore from a Mac computer (Catalina or newer I think). https://support.apple.com/en-us/HT201263
After it restores, keep it plugged in an it will activate and show the Apple ID that it is locked to with the black dots. We pull the Activation Code from the jamf device record and paste the code right into both blanks. Hs worked on any we've tried in the last 2 years
Yes that usually works. For this device it did not. I tried the unlock code (Manually typing in the long thing like 10 times incase i made a typo). Never went through.
Plugging into the PC just popped up the same activation lock, and yeah you can paste the unlock code in there, so you dont have to manually type it in, but it still didnt work. So with this device it was the only way.