Activation Lock with mac deleted from JSS

shurkin18
Contributor

Hi,

I have reviewed a bunch of Activation Lock docs and posts, but still could not find a definitive answer... So the machine is enrolled via DEP, has a new Apple M1 chip and Activation Lock is enabled. What if the machine is deleted from JSS  and then is fully erased to be re-imaged? Isn't it going to ask for the Activation Lock Bypass code, which by now will be gone since the machine was deleted from JSS?

Also, what if such machine is released from Apple Business Manager - will that clear the Activation Lock?

 

5 REPLIES 5

junjishimazaki
Contributor II

Since Activation Lock is enabled when a user logs into the icloud on the Mac and enables Findmymac so if you factory reset the Mac without removing the device from the user's icloud account then activation lock kicks in. So, by deleting the record in Jamf there is no way to bypass it. Best approach is to have user log into icloud and from https://appleid.apple.com/ and delete the device before factory reset it. 

Ah, so since we have iCloud login disabled via the Configuration Profile - the Activation Lock will never activate? We did not yet have to re-image the M1 macs, so in terms of experience - we did not have to deal with this, but I am just looking ahead.

As long as you disabled iCloud login before the user got the machine, you should be fine. However, if the user was already logged in before you pushed the restriction, they don't get logged out. 

 

If you use ADE for deployment, turn on the option to Prevent Users for activating Activation Lock in your Prestage. 

sdagley
Honored Contributor II

@shurkin18 Yes, deleting a Mac from your JSS before re-imaging is complete if Activation Lock is enabled is not recommended. Releasing the Mac from ABM will not clear Activation Lock. And you really do _not_ want to release it from your ABM account if you are trying to get Apple to remove the lock because a screen shot of the computer record in your ABM account will provide the required proof of ownership for Apple to do that.

MrRoboto
Contributor II

When using ADE in the Prestage Enrollment settings you can 'Prevent users from enabling Activation Lock'. This setting takes effect for future enrolments and is not retroactive.

 

In a scenario where a device is ADE enrolled, user enabled AL, the computer record is deleted from JSS, computer is wipe and now activation locked... if the user is not available to remove the computer from their iCloud account, instead you can contact Apple Enterprise support and request to disable AL. They will need proof of purchase, however the serial number being in your ABM/ASM account is good enough.