Activation Lock not clearing with Wipe command on iPads

Jay_007
Contributor

When wiping iPads and selecting the option to clear the Activation Lock on ADE iPads, the device wipes as normal, but then users are prompted to enter the organization's Apple ID to unlock the device. The recorded bypass code in Jamf Pro still works, but I cannot figure out why it keeps failing to clear it. 

Server logs show this error message (serial has been removed):

2022-08-29 02:59:03,208 [ERROR] [ina-exec-45] [ActivationLockService    ] - Failed to clear activation lock for (SERIAL). ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]

Is anyone else experiencing this problem or know what could be causing it? It's happening on multiple iPads.

1 ACCEPTED SOLUTION

Jay_007
Contributor

Not the outcome I was hoping for, but Jamf support (who were fantastic BTW) have found these lines in the debug logs, which show the command fail (device details removed):

2022-09-20 22:32:44,299 [DEBUG] [lina-exec-1] [ActivationLockService ] - Attempting to clear device based activation lock for [REMOVED]
2022-09-20 22:32:44,300 [DEBUG] [lina-exec-1] [ActivationLockService ] - Send clear activation lock: https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=[REMOVED]&productType=iPad11,7&imei=[REMOVED]&imei2=[REMOVED]

2022-09-20 22:32:45,331 [ERROR] [lina-exec-1] [ActivationLockService ] - Failed to clear activation lock for [REMOVED]. ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]

 

So it looks like it could possibly be on Apple's end. There is also a known issue related to this (PI110085) - "In Jamf Pro 10.37.2 or later, Activation Lock is not removed when you send the Wipe Device remote command with the clear Activation Lock option to a mobile device."

 

So basically, you have two options:

Option 1: Enter the bypass code on iPads after a wipe.

Option 2: Create a separate PreStage with Activation Lock disabled and manually assign iPads to this PreStage.

12 REPLIES

Allamer11
New Contributor

Running into the same exact issue. Just starting to investigate this. Any updates on your end?

I have a support ticket open with Jamf, but it seems to have gone nowhere. I was told that it's not an issue that they're aware of. I manage multiple Jamf Pro instances and I haven't gone back to this particular one to see if the issue still exists, but I will do so in the next few days and ask support for an update if it's still there. I've just disabled enabling Activation Lock for now.  

Jay_007
Contributor

I'm interested if others are also having the same issue? It's a problem in the two separate Jamf Pro environments I manage and is starting to become frustrating, as I have to keep giving out bypass codes to users. It only appears to be affecting iPads and not iPhones. It would be good if others could come forward if you're seeing this issue too, so Jamf escalates the problem.

Allamer11
New Contributor

@Jay_007 Just updating this post that my case with Jamf is being escalated. Currently our environment has disabled Activation Lock as well. The Apple ID that you had to provide to unlock the devices: was this the ID that you used to configure the ADE token between ABM and Jamf? I would have to look back, but I believe I found some reference that tied the Apple ID that set up the token connection as being the ID locked to the devices.

You have disabled Activation Lock and devices are still locking themselves to an Apple ID? If so, this is a different issue to what I'm experiencing. Or you have just disabled it because you're not sure what Apple ID they're locked to? 

 

Yes, that is exactly what enabling this setting does. It locks devices to the organisation's Apple ID (the one that was used to link ADE with Apple Business Manager using the server token). This is expected behaviour. 

 

[Image: Jay_007_0-1663881355983.png]

My issue is, Activation Lock is failing to clear when selecting this setting during wipe:

[Image: Jay_007_1-1663881607128.png]

I have supplied Jamf support with some logs and they're investigating. I'll share any updates I get.

Allamer11
New Contributor

Sorry for the confusion, we are in the same boat. We have disabled Activation Lock in order to not experience the device lock issue when attempting to wipe an ADE iPad that is set to clear activation. What you have highlighted is the same experience for us. Will provide updates as well.

Ah ok, thanks for the clarification. It's nice to know that I'm not the only one out there with this issue. I guess we'll have to wait and see what Jamf support can find out. 

Jay_007
Contributor

Not the outcome I was hoping for, but Jamf support (who were fantastic BTW) have found these lines in the debug logs, which show the command fail (device details removed):

2022-09-20 22:32:44,299 [DEBUG] [lina-exec-1] [ActivationLockService ] - Attempting to clear device based activation lock for [REMOVED]
2022-09-20 22:32:44,300 [DEBUG] [lina-exec-1] [ActivationLockService ] - Send clear activation lock: https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=[REMOVED]&productType=iPad11,7&imei=[REMOVED]&imei2=[REMOVED]

2022-09-20 22:32:45,331 [ERROR] [lina-exec-1] [ActivationLockService ] - Failed to clear activation lock for [REMOVED]. ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]

 

So it looks like it could possibly be on Apple's end. There is also a known issue related to this (PI110085) - "In Jamf Pro 10.37.2 or later, Activation Lock is not removed when you send the Wipe Device remote command with the clear Activation Lock option to a mobile device."

 

So basically, you have two options:

Option 1: Enter the bypass code on iPads after a wipe.

Option 2: Create a separate PreStage with Activation Lock disabled and manually assign iPads to this PreStage.

 

I too got the same two options provided as a solution to my case. The case was added to PI110085 which may be resolved in a future Jamf product release. 

aram_manouk
New Contributor II

We are also experiencing the same issue. We only just realized this because we had to swap out some iPads this week.

 

Any updates or solutions yet?

We continue to enroll our iPads without Activation Lock enabled. My recommendation would be to create a case with Jamf so that more cases draw attention to PI110085.

MLBZ521
Contributor III

We've seen random issues with Activation Lock on devices.  Mainly iPads have been relayed to me, but there could be more that I'm not being informed of.

I've been meaning to investigate this more and wish I had so I could have added to this thread and to that PI.

I've felt for quite some time that Activation Lock was not being properly handled by Jamf Pro or something was going on that was not resulting in the expected outcomes.....wait...you know what.....  I did open a case for Activation Lock issues....back on 04-15-2022......  And I had to argue (I'm not joking) with Jamf Support (with multiple engineers) regarding how Activation Lock works/doesn't work (citing Apple's own documentation).  For example, the device does not have to be wiped to clear Activation Lock.  Apple's EraseDevice MDM Command does not have any key/relation to Activation Lock, they're two separate commands.  In addition, the device does not have to be online to Clear Activation Lock.

This was affecting 250 devices that we sent the Wipe Device MDM Command to and they all had been wiped, without clearing Activation Lock.  We were running Jamf Pro v10.32.2 (released 9/22/2021) at the time, which is well before the v10.37.2 that was quoted.  I also asked if there was any logging that would show whether or not Jamf Pro was properly sending the commands to clear Activation Lock and I was simply told:


I am unsure if there is any logging we can gather for iOS devices


Because they weren't listening long enough that the issue was not on the device side.

They finally created PI110085 on 05-05-2022 after going back and forth with them multiple times and repeatedly showing them that I could re-produce this.....  And I apparently forgot to post this on MacAdmins Slack.....it was a (just another) frustrating experience with Jamf Support.

We're still experiencing this issue (and I apparently forgot about my own ticket...) and was looking into it again, which is why I found this thread, because I'm wanting to test Apple's Activation Lock API and your Verbose Logging has information that matched a search I performed...  So, nice to know that exists with verbose logging...

 

Anyways, /rant aside, be on the lookout for this PI to be fixed soon™.  😉

 

 

We've also seen an issue with a MacBook Pro becoming Activation Locked and the Bypass Code in Jamf Pro not working.....  In short this was the scenario:

  • Device was set up/enrolled/used/Activation Locked a couple years ago
  • Came in for re-provisioning
  • Tech wiped the device manually
  • Tech started walking through Setup Assistant Manually
    • Device apparently (as I was told at least) started to enroll into Jamf Pro (at least, it got to the Remote Management screen at minimum)
  • Activation Lock tripped on the device
  • The Mac's inventory record in Jamf Pro showed where it had started to re-enroll and one of the things that happened, was Jamf Pro escrowed a new Bypass Key

When I attempted to send the "Wipe Device" MDM Command with the "Clear Activation Lock" option, it would fail with the error:

404 Failure: device is not found, or escrowKey is invalid.

 

Looking at the Jamf Pro database, specifically at the device_activation_lock table, and the record for that device, I could see when that new Bypass Code was escrowed and entered based on the field date_entered_epoch.

To resolve, I ended up grabbing a copy of our database from before the above date, grep'ing out the value for that device from the .sql file, then updating the value in my Jamf Pro database.  Sent the "Wipe Device" MDM Command with the "Clear Activation Lock" option again, and Activation Lock was immediately cleared.

I plan to open a case with Jamf Support regarding this, but wanted to do some more testing and see if I could re-produce the scenario.
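
The ActivationLockService debug lines quoted in this thread carry the serial and IMEIs in the request URL, so a log should be summarised and scrubbed before it is attached to a support case or posted. The script below is an added example, not part of any post and not Jamf's code; the sample log is constructed in the layout shown above with made-up identifiers, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the log layout quoted in the thread; identifiers are made up.
SAMPLE_LOG = """\
2022-09-20 22:32:44,299 [DEBUG] [lina-exec-1] [ActivationLockService ] - Attempting to clear device based activation lock for EXAMPLESERIAL1
2022-09-20 22:32:44,300 [DEBUG] [lina-exec-1] [ActivationLockService ] - Send clear activation lock: https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=EXAMPLESERIAL1&productType=iPad11,7&imei=000000000000001&imei2=000000000000002
2022-09-20 22:32:45,331 [ERROR] [lina-exec-1] [ActivationLockService ] - Failed to clear activation lock for EXAMPLESERIAL1. ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]
2022-09-20 22:40:00,000 [DEBUG] [lina-exec-2] [SomeOtherService ] - unrelated line (constructed)
"""

LINE = re.compile(r"^(\S+ \S+) \[(\w+)\s*\] \[([^\]]+)\] \[(\w+)\s*\] - (.*)$")
FAIL = re.compile(r"Failed to clear activation lock for (\S+)\. "
                  r"ActivationLockResponse \[status=(\d+), message=(.*)\]$")

def failures(log_text):
    """One record per failed clear, joined to the request sent on the same thread."""
    last_request = {}  # thread name -> query parameters of its last unlock request
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(4) != "ActivationLockService":
            continue
        stamp, _level, thread, _component, msg = m.groups()
        if msg.startswith("Send clear activation lock: "):
            url = msg.split(": ", 1)[1]
            last_request[thread] = dict(parse_qsl(urlsplit(url).query))
            continue
        f = FAIL.match(msg)
        if f:
            req = last_request.pop(thread, {})
            records.append({"time": stamp, "device": f.group(1),
                            "status": int(f.group(2)), "message": f.group(3),
                            "productType": req.get("productType")})
    return records

def redact(log_text):
    """Mask every device identifier the ActivationLockService lines expose."""
    ids = set(re.findall(r"\b(?:serial|imei2?)=([^&\s]+)", log_text))
    ids |= {d.rstrip(".") for d in re.findall(r"activation lock for (\S+)", log_text)}
    for ident in sorted(ids, key=len, reverse=True):
        log_text = log_text.replace(ident, "[REMOVED]")
    return log_text

if __name__ == "__main__":
    for rec in failures(SAMPLE_LOG):
        print(rec)
    print(redact(SAMPLE_LOG))
```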