Activation Lock not clearing with Wipe command on iPads

Jay_007
New Contributor III

When wiping iPads and selecting the option to clear the Activation Lock on ADE iPads, the device wipes as normal, but then users are prompted to enter the organization's Apple ID to unlock the device. The recorded bypass code in Jamf Pro still works, but I cannot figure out why it keeps failing to clear it. 

Server logs show this error message (serial has been removed): 

 

 

2022-08-29 02:59:03,208 [ERROR] [ina-exec-45] [ActivationLockService    ] - Failed to clear activation lock for (SERIAL). ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]

 

 

Is anyone else experiencing this problem or know what could be causing it? It's happening on multiple iPads.

1 ACCEPTED SOLUTION

Jay_007
New Contributor III

Not the outcome I was hoping for, but Jamf support (who were fantastic BTW) have found these lines in the debug logs, which show the command fail (device details removed):

2022-09-20 22:32:44,299 [DEBUG] [lina-exec-1] [ActivationLockService ] - Attempting to clear device based activation lock for [REMOVED]
2022-09-20 22:32:44,300 [DEBUG] [lina-exec-1] [ActivationLockService ] - Send clear activation lock: https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=[REMOVED]&productType=iPad11,7&imei=[REMOVED]&imei2=[REMOVED]

2022-09-20 22:32:45,331 [ERROR] [lina-exec-1] [ActivationLockService ] - Failed to clear activation lock for [REMOVED]. ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]

 

So it looks like it could possibly be on Apple's end. There is also a known issue related to this (PI110085) - "In Jamf Pro 10.37.2 or later, Activation Lock is not removed when you send the Wipe Device remote command with the clear Activation Lock option to a mobile device."

 

So basically, you have two options:

Option 1: Enter the bypass code on iPads after a wipe.

Option 2: Create a sperate PreStage with Activation Lock disabled and manually assign iPad's to this PreStage.

 

View solution in original post

9 REPLIES 9

Allamer11
New Contributor

Running into the same exact issue. Just starting to investigate this. Any updates on your end?

Jay_007
New Contributor III

I have a support ticket open with Jamf, but it seems to have gone nowhere. I was told that it's not an issue that they're aware of. I manage multiple Jamf Pro instances and I haven't gone back to this particular one to see if the issue still exists, but I will do so in the next few days and ask support for an update if it's still there. I've just disabled enabling Activation Lock for now.  

Jay_007
New Contributor III

I'm interested if others are also having the same issue? It's a problem in the two separate Jamf Pro environments I manage and is starting to become frustrating, as I have to keep giving out bypass codes to users. It only appears to be affecting iPads and not iPhones. It would be good if others could come forward if you're seeing this issue too, so Jamf escalate the problem.

Allamer11
New Contributor

@Jay_007 Just updating this post that my case with Jamf is being escalated. Currently our environment has disabled Activation Lock as well. The Apple ID that you had to provide to unlock the devices. Was this the ID that you used to configure ADE token between ABM and Jamf? I would have to look back but I believe I found some reference that tied the Apple ID that setup the token connection as being the ID locked to the devices.

Jay_007
New Contributor III

You have disabled Activation Lock and devices are still locking themselves to an Apple ID? If so, this is a different issue to what I'm experiencing. Or you have just disabled it because you're not sure what Apple ID they're locked to? 

 

Yes, that is exactly what enabling this setting does. It locks devices to the organisation's Apple ID (the one that was used to link ADE with Apple Business Manager using the server token). This is expected behaviour. 

 

Jay_007_0-1663881355983.png

My issue is, Activation Lock is failing to clear when selecting this setting during wipe:

Jay_007_1-1663881607128.png

I have supplied Jamf support with some logs and they're investigating. I'll share any updates I get.

Allamer11
New Contributor

Sorry for the confusion, we are on the same boat. We have disabled Activation Lock in order to not experience the device lock issue when attempting to wipe an ADE iPad that is set to clear activation. What you have highlighted is the same experience for us. Will provide updates as well.

Jay_007
New Contributor III

Ah ok, thanks for the clarification. It's nice to know that I'm not the only one out there with this issue. I guess we'll have to wait and see what Jamf support can find out. 

Jay_007
New Contributor III

Not the outcome I was hoping for, but Jamf support (who were fantastic BTW) have found these lines in the debug logs, which show the command fail (device details removed):

2022-09-20 22:32:44,299 [DEBUG] [lina-exec-1] [ActivationLockService ] - Attempting to clear device based activation lock for [REMOVED]
2022-09-20 22:32:44,300 [DEBUG] [lina-exec-1] [ActivationLockService ] - Send clear activation lock: https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=[REMOVED]&productType=iPad11,7&imei=[REMOVED]&imei2=[REMOVED]

2022-09-20 22:32:45,331 [ERROR] [lina-exec-1] [ActivationLockService ] - Failed to clear activation lock for [REMOVED]. ActivationLockResponse [status=404, message=Device not found or activation lock bypass is invalid.]

 

So it looks like it could possibly be on Apple's end. There is also a known issue related to this (PI110085) - "In Jamf Pro 10.37.2 or later, Activation Lock is not removed when you send the Wipe Device remote command with the clear Activation Lock option to a mobile device."

 

So basically, you have two options:

Option 1: Enter the bypass code on iPads after a wipe.

Option 2: Create a sperate PreStage with Activation Lock disabled and manually assign iPad's to this PreStage.

 

I too got the same two options provided as a solution to my case. The case was added to PI110085 which may be resolved in a future Jamf product release.