Disable and prevent activation lock command does not disable an enabled activation lock (macOS)

ostrowsp
Contributor

If I run the command disable and prevent activation lock on a system that has activation lock enabled it does not disable it. Is this normal?

If I run it on a system without activation lock enabled, it does prevent the user from enabling it. But I would like to also disable activation lock on systems where people have logged into their Apple ID and enabled Find My Mac.

dmccluskey
New Contributor III

plist

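com.apple.icloud.managed
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Key for the com.apple.icloud.managed preference domain named above -->
    <key>DisableFMMiCloudSetting</key>
    <true/>
</dict>
</plist>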

Thanks. Where is this file located?

dmccluskey
New Contributor III

It's a plist config you will have to deploy.

OK. So the Jamf command disable and prevent activation lock does not disable activation lock if it's enabled?

Also, I am not trying to disable Find My Mac, I am trying to disable activation lock. Per Apple, you can have Find My Mac on and have activation lock disabled.

dmccluskey
New Contributor III

You do this at the prestage before it becomes a problem later.

Yes, that is ideal, and we have changed our prestage to enable the block, but that is not what happened originally, so we have quite a few systems where activation lock is now enabled because users logged in with their Apple ID, and we want to disable it on those systems (along with preventing users on other systems from enabling it).

dmccluskey
New Contributor III

You're going to have to open a ticket with Apple to remove activation lock. Then wipe and re-enroll the Macs via prestage with prevent turned on.

Thanks. The users are still working here, so we can get them to log out. I noticed the disable and prevent Jamf command and was hoping to use that without having to get the users to log out, but that does not seem to be the case. I really wish there was a way to tell if a device had prevent user activation lock, but that does not seem to be able to be queried.

bmcdade
Contributor

I'm running into the same issue. It seems that once a user has activated the device on their personal account, it's locked to it, even when I tried to remove the lock by resetting the values. I even tried using the Activation Lock Bypass, but that doesn't seem to work. I get the following message, "This Apple ID is either not valid or not supported", then an operations error, "This operation could not be completed (AKAuthenticationError -7003.)".

Our Apple rep told me that Jamf needs to fix this, as the activation lock stuff gets managed via the MDM and Apple takes the MDM requests for removal/deactivation as priority over a user's personal iCloud setup.

Anyone else have any other idea how to clear a device attached to Find My?

If it's an iPad or iPhone, you can wipe it and then use the account that you used to assign the device in Apple School Manager to your MDM to unlock it.

On the Mac there is no device activation lock, only personal, so you can't unlock it without the user logging in and turning off Find My Mac or getting Apple Support to unlock it.

We ended up setting the prestage to prevent activation lock and also sent out the prevent & disable activation lock command to all our Macs (some were enrolled before we changed the prestage). This will prevent ones that have not enabled Find My Mac from enabling activation lock (they can still enable Find My Mac, but it won't activation lock it).

bmcdade
Contributor

Thanks. We have now set pre-stage enrollment as well to disable the activation lock too. Thanks for the tip to send the prevent and disable to all the other devices, so if someone hasn't yet done it, they won't be able to. We do not provide or really have much need for Apple IDs, and we don't recommend that users use their personal ones on company hardware; however, some do anyway.