Posted on 09-27-2021 11:46 AM
Before we were able to roll out a profile that prevents students from turning on "Find My Mac", it looks like we have some students that turned this on. I have 2 computers from students who recently left the school and I can't erase the hard drive. I tried from recovery mode and entered the bypass code stored in Jamf, doesn't work. Also tried to send a command from the Jamf pro server but get an error. Will attach the error messages if anyone can advise?
Posted on 09-28-2021 09:03 AM
A lot learned here in the last 24 hours on this topic, thx to all that joined in. I'll share my notes below, hopefully this can save someone time in the future.
As per an Apple Support supervisor, there are 2 levels of activation lock, the Apple server side and locally on the Mac. If Find My Mac is enabled, for various reasons it may never make it to the Apple servers. So if you request the owner of the Apple ID remove the device from their list of devices and they do so, yet the device still has activation lock set on it, it's time to focus on the device itself. Most times reaching out to the owner of the Apple ID is a waste of time and I recommend using the guideline below immediately:
If resetting the NVRAM doesn't work:
Boot into Internet Recovery > Click Utilities on the menu bar > Click Terminal > type resetpassword and press RETURN > Select the password reset window > Click Recovery Assistant on the menu bar > Click Erase Mac.
Wait for the computer to reboot (may take up to 5 mins) and then boot into Internet Recovery again > Disk Utility > Erase internal SSD > Reinstall Mac OS.
If all else fails, call Apple Enterprise 866.752.7753 and select option 1. Do not chat GSX help! They have a support team there that is dedicated to activation unlock requests. Be prepared with the serial number and have a screenshot of this device from Apple School Manager and/or Jamf just in case.
Posted on 09-27-2021 12:48 PM
@TomDay Apple can unlock these devices for you as long as you have proof of purchase from your vendor. Get the purchase order from your vendor then reach out to Apple Enterprise Support.
Posted on 09-27-2021 12:51 PM
Hey Tom,
Tough position to be in, but the only way to remove activation lock from any device is to prove to Apple that you/your company has purchased the device. You'll need to go to the Genius Bar with a receipt or some proof of purchase with the Serial Number or Apple will not unlock the device--no exceptions. Since you're doing this for an organization and not a personal device, your name probably isn't on the receipt. In that case you'll need to show some form of employee ID or a way to prove you work for your school.
The key thing here is that Apple needs proof you are legitimately trying to unlock a device and it wasn't stolen.
Posted on 09-27-2021 02:04 PM
As long as the devices were purchased from Apple (the ecommerce store or from an account manager) and they're in ASM, Apple already has the proof of purchase and won't ask for it or anything else.
Posted on 09-28-2021 04:06 AM
Thx I was hoping I wouldn't have to call or chat with GSX support. I'll do that today as these are in ASM of course, will update the thread with success hopefully later today.
Posted on 09-28-2021 07:04 AM
It's not hard to contact Apple about this. They set up a site for you to send in your documentation and then will unlock. It does sometimes take a few days after submitting documents, but they will unlock. Just call in to Enterprise Support. They have a queue for these issues and are pretty quick.
Posted on 06-28-2023 06:02 PM
To help people that come across this thread when searching...
As per an Apple Support supervisor, there are 2 levels of activation lock, the Apple server side and locally on the Mac. If Find My Mac is enabled, for various reasons it may never make it to the Apple servers.
This is completely inaccurate. There are two "types" of Activation, Organization-linked (or MDM-level enabled) and User-linked (or User-level enabled). Organization-linked is only available for iPhones and iPads (as of the time of this writing).
Source: Activation Lock on Apple devices
Find My cannot be turned on Activation Locked enabled if the device cannot communicate with Apple's activation servers. Activation Lock information is only stored on Apple's activation servers, and it is only checked when a device goes through activation during Setup Assistant.
The device itself does not know if Activation Lock is in fact enabled (in addition, MDM queries to devices to check if Activation Lock is enabled are not reliable).
Source: Creating and Using Bypass Codes
So if you request the owner of the Apple ID remove the device from their list of devices and they do so, yet the device still has activation lock set on it, it's time to focus on the device itself. Most times reaching out to the owner of the Apple ID is a waste of time
When a device is removed from an account, Activation Lock is removed. This status isn't "pushed" to a device, so the device will need to go "back through" the activation process (e.g. Setup Assistant may need to be restarted or the device wiped and re-setup again).
Requesting the owner of an Apple ID is only a waste of time if the MDM has a valid Activation Lock Bypass Code. But the Apple ID owner can remove Activation Lock.
I recommend using the guideline below immediately:
If resetting the NVRAM doesn't work:
Boot into Internet Recovery > Click Utilities on the menu bar > Click Terminal > type resetpassword and press RETURN > Select the password reset window > Click Recovery Assistant on the menu bar > Click Erase Mac.
Wait for the computer to reboot (may take up to 5 mins) and then boot into Internet Recovery again > Disk Utility > Erase internal SSD > Reinstall Mac OS.
The NVRAM has nothing to do with Activation Lock -- at least, from the perspective of "is it enabled or not" -- it's all on Apple's side. In addition, erasing a device does not affect Activation Lock either.
Posted on 06-28-2023 06:41 PM
I can't edit the above reply any more, but I'd like to amend these two paragraphs (minor grammar issue and additional information):
Find My cannot be turned on and Activation Lock enabled if the device cannot communicate with Apple's activation servers. Activation Lock information is only stored on Apple's activation servers, and it is only checked when a device goes through activation during Setup Assistant.
The device itself does not know if Activation Lock is in fact enabled (in addition, MDM queries to devices to check if Activation Lock is enabled are not reliable), as Activation Lock can be removed at any time without involving the device (e.g. via the Apple ID owner removing a device from their account or via an MDM clearing Activation Lock directly with Apple).
Source: Creating and Using Bypass Codes
Posted on 09-29-2021 05:44 AM
I prevent them from signing in to Apple IDs in the first place...
defaults write /Library/Preferences/com.apple.systempreferences.plist DisabledPreferencePanes -array-add "com.apple.preferences.AppleIDPrefPane"
This kills the Apple ID sign-in pane, and they then can't add the device to their Find My. Had way too many problems with this in the past, so now they are locked out.
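The `defaults` command from the post above, wrapped so a policy script can re-run it safely: `-array-add` appends on every run, so the wrapper checks the current array first and verifies the write afterwards. This is an added example, not part of the original post; the function names and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent version of the DisabledPreferencePanes change.
# Domain, key and pane identifier are taken from the post; everything else is illustrative.
PREF_DOMAIN="/Library/Preferences/com.apple.systempreferences.plist"
PREF_KEY="DisabledPreferencePanes"
PANE_ID="com.apple.preferences.AppleIDPrefPane"

# Returns 0 only if PANE_ID is an exact element of the array.
# `defaults read` prints one element per line, possibly quoted and comma-terminated,
# so strip that punctuation and require a whole-line match (no substring hits).
pane_is_disabled() {
    defaults read "$PREF_DOMAIN" "$PREF_KEY" 2>/dev/null \
        | tr -d ' \t",' \
        | grep -Fxq "$PANE_ID"
}

# Adds the pane once, then re-reads the key to confirm the change landed.
# Prints: already-disabled | disabled | verify-failed
ensure_pane_disabled() {
    if pane_is_disabled; then
        echo "already-disabled"
        return 0
    fi
    defaults write "$PREF_DOMAIN" "$PREF_KEY" -array-add "$PANE_ID" || return 1
    if pane_is_disabled; then
        echo "disabled"
    else
        echo "verify-failed"
        return 1
    fi
}

# Only act on a Mac, and only when explicitly asked to (run as root).
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--apply" ]; then
    ensure_pane_disabled
fi
```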
Posted on 06-28-2023 06:34 PM
Regarding the two screenshots shared:
I'm interpreting the first in that you attempted to enter the Bypass Code in the Apple ID's password field. (Mainly because of the length of the password and the CAPS LOCK symbol.) If this is what was attempted, this is incorrect. The Bypass Code for Macs is not entered here -- this is where Bypass Codes for iPhones and iPads are entered.
Sources: Activation Lock on Apple devices (text referenced is highlighted) and Disabling Activation Lock
For the second screen shot, the error:
404 - Device not found or activation lock bypass is invalid
Is literally the error from Apple's activation service API used to clear Activation Lock. Jamf Pro is actually just passing it straight to you (which is awesome, and it only does this for Computers and Shared iPads; for other devices Jamf Pro does not tell you when it fails to clear Activation Lock [unless you look in the JamfSoftwareServer.log]).
Source: Use a Bypass Code to Disable Activation Lock
This is what it means, the Bypass Code was invalid. Now, the question here is, was this device enrolled via ADE or another method? With Macs, if enrolled post setup (e.g. not via Automated Device Enrollment) the user can enable Find My, thus Activation Lock is enabled.
Sources: User-linked Activation Lock on Mac computers and Allowing Activation Lock on Mac
Bypass Codes are not created unless a device is going through the Setup Assistant and enrolling into MDM at the same time or when an MDM requests a Bypass Code and one was not previously created.
Source: Get the Bypass Code for Activation Lock
So, if a device is set up, Find My is enabled (which only associates the Apple ID with the "Activation Lock record" on Apple's activation service), then the device is enrolled into MDM, that's when the Bypass Code is created, but the Bypass Code isn't "added" to the "Activation Lock record" that was set up -- those are not "editable." Find My has to be turned off and turned back on for both the Bypass Code and the user's Apple ID to be associated on the "Activation Lock record."
Hope this information helps someone one day.