Posted on 01-07-2022 02:58 PM
How are folks handling activation lock on ARM based macs with Monterey?
I turn on Activation lock and find my mac. It asks me "Enter your Mac password". So, I enter my account password. It works and I'm now activation locked with find my mac.
I then boot the ARM computer into Options.
I go into Disk Utility and I erase the Volume.
Before the computer is activated, it finds my iCloud information and tells me my iCloud email address with the asterisks (which I've removed from the attached screenshot). It then wants me to enter my email Apple ID and password.
But in this case, I'm testing that hey, I don't know this information. Say the Mac has been handed back to the department and the person who turned this activation lock isn't available.
So, I click Use Device Password.
From there, I'm told to Enter the Password that was previously used to unlock this Mac.
The only password it will take will be the initial password I entered earlier when setting it up back when it initially wanted my account password. It won't take any other administrative accounts on the computer. And yes, they have secure tokens and all that. It's a one-to-one correlation: "Enter the password that was previously used to unlock this Mac" is exactly the account used when setting up the iCloud.
What if we don't know that?
JAMF caches an Activation lock code, but for Macs, I find this absolutely useless. Where am I supposed to enter that? If I enter it, I get told the activation server can't be found. I opened a ticket with Apple Enterprise support and was clearly told it wasn't the JAMF Activation Lock code.
On an iPad, I can just enter the activation lock code right in the password section. In my experience, this works fine on iPads. On a Mac, it wants that email address first and won't show a password field until you actually enter something in that block.
It's been my experience the JAMF Activation Lock code cannot be used in any manual way to unlock ARM based Monterey macs.
I am aware that JAMF can send a MDM command and remove this. This works if the volume hasn't already been deleted.
I am also aware that some erase and install commands can be manually entered in terminal but I'm going off the word of Apple that these erase and install commands actually remove the activation lock.
It's quite possible the only way to remove the activation lock is to either send a wipe command via JAMF, which supposedly removes activation lock and then erases the machine, or send the activation lock removal command via JAMF.
It seems like Apple is getting away from being able to remove the volumes on ARM based macs. We do have an enterprise agreement and if we ever were to get a mac we couldn't unlock, with DEP, we can open a ticket directly with Apple.
So, what's the best practice method to erase these ARM macs that may or may not be activation locked?
We have technicians in a lot of places so many different people handle these macs when they are returned. What am I supposed to tell them?
I'm actually seriously considering just disabling activation lock in the prestage. I did think it was okay for a professor to use activation lock just in case the device is left somewhere. I figured it wouldn't hurt the professor to log into their icloud and just find it. But it hurts IT when the device comes back activation locked and a tech does what they normally do with macs which is a recovery utility volume deletion and reinstall of the OS and only then discover the device was activation locked.
Doug
Posted on 04-05-2022 12:32 PM
I had a similar issue like this, and fortunately the employee was able to provide me with the Apple ID credentials.
I have heard there is a way to remove the activation code via Jamf, but I checked all documentation and could not find it anywhere.
Posted on 06-30-2022 09:04 AM
It's via mass action or through management commands.
Posted on 07-01-2022 08:48 AM
But if the Activation code was not retrieved by Jamf, we still have no way to unlock the MacBook. Any suggestions for that?