Posted on 04-18-2017 08:28 AM
Ok I have been looking for a bit now and I cannot for the life of me find out how to properly use the activation lock bypass. I do not see proper instruction anywhere on Jamf nation or in the administrators guide. I have the device supervised and now sitting at the activation lock screen but entering the bypass code I received from the device in the JSS does not work. I have tried this with 5 different devices so far and have had zero success. Is there a step by step walkthrough that shows how this actually works from beginning to end?
EDIT: I have followed the steps as laid out in the JAMF webinar without success. I have tried entering the code with and without dashes, I have connected to iTunes and tried the copy/paste method, I have triple checked proper capitalization and entries and it just does not work.
Posted on 04-18-2017 08:32 AM
You would put the code in the password field (leaving user Id blank) when trying to activate a device at the activation locked screen.
Posted on 04-18-2017 08:37 AM
Is there more to it though? I have done that and it never works. I have watched multiple videos including the JAMF webinar about activation lock, followed all the steps and nothing. Doesnt work.
Posted on 04-18-2017 08:43 AM
There is...if it is "stale" it doesn't work. To make sure I don't make a typo, I copy/paste into iTunes because iTunes presents the same window on an activation locked device. I've also seen it work with no dashes.
In short it's not foolproof...it works about 70% of the time. More effective is wiping through JSS while checking "clear activation lock" and training users to check that prior to hand in. Combining all those methods I'm able to deal with it 90% of the time.
There are some every year that I have to file a case with Apple and go through the rigmarole To get them to clear.
Posted on 04-18-2017 08:49 AM
Thank you. I just want to understand why I cant do what I want to do. Its frustrating that a solution to a problem almost every MDM admin has dealt with only works occasionally and that the guidelines for using it aren't laid out better.
Posted on 04-18-2017 08:54 AM
My honest druthers would be some command to neuter activation lock from ever getting turned on to start with on DEP-based managed corporate devices.
I've improved my odds this year simply by closing the App Store, not using iCloud and assigning apps to devices for students. We still do user-based VPP for staff though so it's always a few per year to contend with.
Posted on 04-18-2017 09:05 AM
UPDATE: I finally got it. I took your advice and went after it before it could get stale and it finally took hold. So the trick is to get everything to the ready and then get the code and immediately enter it. Which once again would be nice if there was documentation stating this. Thank you for your help.
And I fully agree, in a managed environment removing activation lock should be an option.
Posted on 04-18-2017 09:08 AM
It's not terribly well documented but after dealing with 4000+ 1 to 1 devices for 3 years, it's a road I've been down plenty of times.
It's one of those issues that are so big to me that I have devised hand in procedures to principals for departing staff. The aren't universally followed but they help in the real world. The only exceptions are hostile departures and the very rare case that nothing works.
I had one time on a graceful departure where I had the principal track down the former staff member and get them to cooperate. I hate that but better than filing a case with Apple and having to prove ownership, wait a week or two and be told that "we should consider using an MDM solution with DEP". I hate that lecture most of all .
Posted on 04-18-2017 09:21 AM
If anyone is interested in having control over this feature, there is a feature request here.
The mdm has to enable the ability for devices to enable activation lock. JSS automatically turns this on for all devices and, unfortunately, does not give the ability to control it.
Posted on 04-18-2017 09:24 AM
I already voted up in the past, but anyone else is welcome to vote up as well. I noticed it is not under review so hopefully more folks feel similarly.
Posted on 04-18-2017 09:56 AM
Wow, this would be fantastic to control. Having our devices in DEP is sufficient; activation lock is basically redundant.
I don't know how many hours we've spent on the phone with Apple getting our iPads out of activation lock but I'll bet it's added up to quite a few.