Apple ID on company managed Macs

YLIL
New Contributor III

Hi All,

We have an issue with employees who are offboarded. When they return their Macs, sometimes we find their Apple IDs block us from wiping the computer and giving it to the next user.

When this happens, we need to find the original invoice, send it to Apple with a request, and then they can unlock the Mac.

I am wondering what companies do to circumvent this issue. We use Jamf but we do not provide company Apple IDs. We don't mind if users connect their private Apple IDs to the computer as it helps with the Apple ecosystem.

Any suggestions would be greatly appreciated


agungsujiwo
Contributor II

Hi @YLIL ,

1. We apply the rule that when restoring a Mac you must log out of iCloud and Find My Mac.
2. Disable iCloud Find My Mac from a Jamf configuration profile, to prevent the user from activating Find My Mac.
[Screenshot: Disable Allow iCloud Find My Mac]

3. If your Mac is locked with Find My Mac/iCloud, you can unlock it with the activation code from Jamf.
Find the activation code in:
Mobile Device > Management > Activation Lock Bypass Code

Note: Supervised: Yes – If the device is not supervised, the Activation Lock Bypass Code will not be available.

For devices locked with Find My, first, restore the device. In the password section, copy and paste the activation code (ensure the device is connected to the internet).

Here are some references you can read before proceeding with the restore process.
https://learn.jamf.com/en-US/bundle/jamf-now-documentation/page/Using_Activation_Lock_Bypass.html
https://it-training.apple.com/tutorials/deployment/dm265/

4. If your country supports Apple Business Manager and Apple School Manager, here's how to get the activation code.

Turn off Activation Lock

  1. In Apple Business Manager, sign in with a user that has a role with Manage Device privileges.

  2. Select Devices in the sidebar, search for a device in the search field, then select the device from the list. See How to search.

  3. Under Details, confirm that Activation Lock is on.

    It was turned on by an MDM server linked to Apple Business Manager or by the user.

  4. Select the More button, then select Turn Off Activation Lock.

  5. Carefully read the dialog, check the box “I understand that this cannot be undone,” then select Confirm.

    Note: The device may still indicate that Activation Lock is on when you either use Erase All Content and Settings or use Apple Configurator to erase the device, but you can still set up the device without authenticating as the previous user.



sdagley
Esteemed Contributor II

@YLIL In addition to the suggestions from @agungsujiwo you should also make sure that you have the "Prevent user from enabling Activation Lock" option enabled in your PreStage enrollment. That only applies if you're using Automated Device Enrollment to enroll your Macs in Jamf Pro, and if you're not you really should look into it.
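The bypass-code route in @agungsujiwo's reply only works for supervised Macs, and the PreStage option above only applies to Macs enrolled through Automated Device Enrollment, so an offboarding workflow benefits from a quick check of how each Mac was enrolled before anyone wipes it. The script below is an added example, not code from this thread or from Jamf: it parses the report printed by macOS `profiles status -type enrollment` (the two lines `Enrolled via DEP:` and `MDM enrollment:` are assumed from that command's output format) and emits the `<result>` string a Jamf Extension Attribute script returns. The sample reports embedded in it are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): decide whether a Mac is
# ADE-enrolled and MDM-managed, i.e. supervised, which is the precondition for
# Jamf Pro to hold an Activation Lock Bypass Code for it.
# Assumed report format from `profiles status -type enrollment`:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)

# Return 0 if the report shows ADE (DEP) enrollment AND MDM enrollment, else 1.
is_supervised_enrollment() {
  report="$1"
  dep=$(printf '%s\n' "$report" | sed -n 's/^Enrolled via DEP: *//p')
  mdm=$(printf '%s\n' "$report" | sed -n 's/^MDM enrollment: *//p')
  case "$dep" in Yes*) ;; *) return 1 ;; esac
  case "$mdm" in Yes*) return 0 ;; *) return 1 ;; esac
}

# Wrap the verdict in the <result> tags a Jamf Extension Attribute script uses.
bypass_code_readiness() {
  if is_supervised_enrollment "$1"; then
    echo "<result>Supervised via ADE: bypass code available</result>"
  else
    echo "<result>Not ADE-supervised: no bypass code - collect iCloud sign-out before wipe</result>"
  fi
}

# Constructed sample reports (not captured from a real Mac).
SAMPLE_SUPERVISED="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
SAMPLE_MANUAL="Enrolled via DEP: No
MDM enrollment: Yes (User Approved)"
SAMPLE_UNENROLLED="Enrolled via DEP: No
MDM enrollment: No"

# On a Mac, feed the live report; elsewhere, demonstrate with the samples.
if command -v profiles >/dev/null 2>&1; then
  bypass_code_readiness "$(profiles status -type enrollment 2>/dev/null)"
else
  bypass_code_readiness "$SAMPLE_SUPERVISED"
  bypass_code_readiness "$SAMPLE_MANUAL"
  bypass_code_readiness "$SAMPLE_UNENROLLED"
fi
```

Deployed as an Extension Attribute, the result lets you build a smart group of returned Macs that have no bypass code, so the "sign out of iCloud and Find My Mac before return" rule can be enforced on exactly the machines where it is the only option.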

YLIL
New Contributor III

Thanks for the suggestions.

I was wondering if this may be an option.

We would create an admin account on the Mac which would be controlled by our IT. Then create a second account (regular or admin) for the employee. When the employee leaves we would then delete the employee account via the IT controlled admin account. Would this remove the user's Apple ID and allow us full control of the Mac?

I have tried the following:

If an employee is using their personal Apple ID on a Mac (e.g., for iCloud and Find My Mac), deleting their user account from macOS via an admin account will not remove their Apple ID.

Remove the Apple ID Before Deleting the User Account
If you delete the user account while Find My Mac is still enabled, the Mac will remain linked to their Apple ID.

As a result, you won’t be able to fully erase or reactivate the Mac without their Apple ID credentials. In this case, the Mac will require an activation code to be used again.

YLIL
New Contributor III

Thanks for this.

I wonder if this may be a solution. If I have an IT managed admin user account and in that account I set up an Apple ID and Find My ID which will be a business Apple ID. Then create a second user and have the employee sign in with their Apple ID there, essentially having two Apple IDs on one computer. Then I would delete the user's user. Would that work?

sdagley
Esteemed Contributor II

@YLIL Are you using ADE to enroll these Macs? If so simply enabling the "Prevent user from enabling Activation Lock" option in your PreStage will prevent this problem.