Disable and prevent activation lock command does not disable an enabled activation lock (macOS)

BCPeteo
Contributor II

If I run the command disable and prevent activation lock on a system that has activation lock enabled it does not disable it. Is this normal?

If I run it on a system with out activation lock enabled it does prevent the user from enabling it. But would like to also disable activation lock on systems that people have logged into their apple id and enabled find my mac. 

15 REPLIES 15

dmccluskey
Contributor

plist

com.apple.icloud.managed
<dict>
<key>DisableFMMiCloudSetting</key>
<true/>
</dict>
</plist>

Thanks. Where is this file located?

dmccluskey
Contributor

its a plist config you will have deploy

ok. so the JAMF command disable and prevent activation lock does not disable activation lock if its enabled?

Also I am not trying to disable find my mac, I am trying to disable activation lock. Per apple you can have find my mac on and have activation lock disabled. 

dmccluskey
Contributor

you do this at the prestage before it becomes a problem later.

 

2022-10-14_15-12-26.jpg

Yes that is ideal, and we have changed our prestage to enabled the block but that is not what happened originally so we have quite a bit of systems that activation lock is now enable because users logged in with their apple id and we want to disable it on those systems (along with preventing users on other systems from enabling it.)

 

dmccluskey
Contributor

Your going to have to open a ticket with apple to remove activation lock. Then wipe and re-enroll macs via prestage with prevent turned on.

Thanks, The users are still working here so we can get them to logout. I noticed the disable and prevent Jamf command and was hoping to use that with out having to get the users to log out but  that does not seem to be the case. I really wish there was a way to tell if a device had prevent user activation lock, but that does not seem to be able to be queried.

bmcdade
Contributor

I'm running into the same issue, it seems that once a user has Activated the devices on their personal account it's locked to it even when I tried to remove the Lock by reseting the values.  I even tried using the Activation Lock Bypass but that doesn't seem to work.  I get the following message "This Apple ID is either not valid or not supported" then an operations error "This operation could not be completed (AKAuthenticationError -7003.)". 

Our Apple rep told me that Jamf needs to fix this, as the Activation lock stuff gets managed via the MDM and Apple takes the MDM requests for removal/deactivation as priority over a users personal icloud setup.

Anyone else have any other idea howe to clear a device attached to Find My?

If its an iPad or iPhone you can wipe and then use the account that you used the assign the device in Apple School manager to your MDM to to unlock it.

On the mac there is no device activation lock only personal so you cant unlock it with out the user logging in and turning off find my mac or getting apple support to unlock it.

We ended up setting the prestage to prevent activation lock and also sent out the prevent & disable activation lock command to all our mac's (some were enrolled before we changed the prestage). This will prevent ones that have not enabled find my mac from enabling activation lock (they can still enabled find my mac but it wont activation lock it)

bmcdade
Contributor

Thanks.. we have now set pre-stage enrollment as well to disable the activation lock too, thanks for the tip to send the prevent and disable to all the other devices, so if someone hasn't yet done it, they won't be able to.  We do not provide or really have much need for apple id's and we don't recommend that users use their personal ones on company hardware, however some do anyways.

amarab
New Contributor

Hello

Were you able to disable the activation lock on systems where it's enabled?

Hi amarab,

No, it seems that this is not possible.  It must be removed by the user who activated it. We have a smart group that we check if Activation lock is enabled when recovering or upgrading hardware, and ask the user to do it.  I do have a device which is locked to a user, though I'm told from Apple that you can and have to call the support line and have them remove it provided that it's in your MDM account.  It's not possible to use the automated system it seems since it will just get rejected, not sure why that should be the case, if the company owns the computer should be able to request an activation lock removal automated, but that's Apple for you, wanting to get people to call into support.

As Bmcdade said, there is no way to disable activation after the user has enabled it. If you can not get ahold of the person who has it activated to their apple ID you can try contacting apple support. Its a long process and sometimes they will not unlock. The way to prevent users from enabling activation lock is to use the PreStage setting: Prevent user from enabling Activation Lock,  that disables activation lock from turning on when a user signs in with their apple ID on the new/wiped device.

After you make the PreStage change, for existing systems you should create a computer search that checks for activation lock (Activation Lock Status enabled). Run a Jamf action against it: Send Remote Commands > Set Activation Lock (Supervised or enrolled via a PreStage enrollment) > Disable and prevent Activation Lock. This will prevent future activation locks (but not disable the current one). Then contact the user of each device and ask them to sign out of their Apple ID (in system preferences) Once signed out, the can sign back in. The Disable and prevent activation Lock will stop activation lock from re-activating.