Some IT employees decided to remove devices from Jamf and give users full admin rights and access to the App Store. Upper management is about to require all devices be returned, so they can be wiped and re-enrolled into Jamf.
Here's the issue -- Apple IDs. Since the iPads were unmanaged, users probably attached their Apple ID to iCloud, the App Store, etc. How would you go about wiping these devices?
Have the user remove their Apple ID from the device before bringing it in? What about devices where the employee left, and it isn't in Jamf? Do we need to go to Apple for that?
Require that all users returning the devices sign out of iCloud.
If they refuse, ask admin to hold their paychecks until they're signed out.
If that is not possible, Apple does have a method for clearing the devices from activation lock.
Also, if you're using Jamf Pro, there should be an option for entering the Activation Lock Bypass Code when the device is plugged into Finder to activate.
If that code does not work, you can send a list of the serial numbers to Apple, and they can clear those from Activation Lock, but that can take some time.
I would absolutely love to withhold their paychecks, but this is a government institution, and people get butt hurt real fast and threaten to sue a lot.
Most of the devices won't be in Jamf, so I won't be able to use the bypass code. I think advising all employees to remove their Apple ID is the best option.
Configurator won't remove an iCloud lock. The only ways to do that are with a bypass code from an MDM, the owner entering their credentials to disable it, or opening a support ticket with Apple to release the lock.
Yes, correct. My brain is getting iCloud lock and passcode locks mixed up. That's been an issue too. It seems after multiple attempts and a restart, the device disables everything, so the USB-C port doesn't even work until you enter the right passcode. Don't know the passcode, and I can't send a clear passcode command because the port's disabled.
Hopefully the iPads are still in ASM. Otherwise you are going to be in for a world of hurt manually adding them back in with Configurator one at a time. Have the staff sign out of their Apple IDs before they bring them in; if they don't, you are going to have to submit tickets with Apple to get the devices unlocked. They will do them in bulk with a big list, but it still takes a week or so to complete and you need a proof of purchase. If they are still in ASM (and assigned to your Jamf server) you should just be able to do an erase all content and settings and then it will bring them back in as managed.
I think the majority of them are still in ASM. So if the users comply and remove their IDs, wiping and resetting will be easy.
Looks like we'll just have three different piles: devices ready to be wiped, devices Apple needs to unlock, and devices too old to manage.