Posted on 05-11-2022 01:09 PM
Some IT employees decided to remove devices from Jamf and give users full admin rights, and access to the App Store. Upper management is about to require all devices be returned, so they can be wiped and re-enrolled into Jamf.
Here's the issue -- Apple IDs. Since the iPads were unmanaged, users probably attached their Apple ID to iCloud, the App Store, etc. How would you go about wiping these devices?
Have the user remove their Apple ID from the device before bringing it in? What about devices where the employee left, and it isn't in Jamf? Do we need to go to Apple for that?
Posted on 05-11-2022 01:17 PM
Require that all users returning the devices sign out of iCloud.
If they refuse, ask admin to hold their paychecks until they're signed out.
If that is not possible, Apple does have a method for clearing the devices from activation lock.
Also, if you're using Jamf Pro, there should be an option for entering the Activation Lock Bypass Code when the device is plugged into Finder to activate.
If that code does not work, you can send a list of the serial numbers to Apple, and they can clear those from Activation Lock, but that can take some time.
Posted on 05-11-2022 01:44 PM
I would absolutely love to withhold their paychecks, but this is a government institution, and people get butt hurt real fast and threaten to sue a lot.
Most of the devices won't be in Jamf, so I won't be able to use the bypass code. I think advising all employees to remove their Apple ID is the best option.
Posted on 05-11-2022 04:44 PM
You can try using Apple Configurator to get them configured and enrolled into Jamf and Apple School/Business Manager. But that may be a lot of manual labor...
Posted on 05-11-2022 05:37 PM
We're considering Apple Configurator, but there's only a couple of us authorized to use Configurator, ASM, and Jamf.
What we may do is try to get users to remove their Apple ID; for any devices left over, we'll use Configurator. I
Posted on 05-11-2022 05:40 PM
Configurator won't remove an iCloud lock. The only ways to do that are with a bypass code from an MDM, the owner entering their credentials to disable it, or opening a support ticket with Apple to release the lock.
Posted on 05-11-2022 05:47 PM
Yes, correct. My brain is getting iCloud lock and passcode locks mixed up. That's been an issue too. It seems after multiple attempts and a restart, the device disables everything, so the USB-C port doesn't even work until you enter the right passcode. Don't know the passcode, and I can't send a clear passcode command because the port's disabled.
Posted on 05-11-2022 05:19 PM
Hopefully the iPads are still in ASM. Otherwise you are going to be in for a world of hurt manually adding them back in with Configurator one at a time. Have the staff sign out of their Apple IDs before they bring them in; if they don't, you are going to have to submit tickets with Apple to get the devices unlocked. They will do them in bulk with a big list, but it still takes a week or so to complete and you need a proof of purchase. If they are still in ASM (and assigned to your Jamf server), you should just be able to do an erase all content and settings and then it will bring them back in as managed.
Posted on 05-11-2022 05:41 PM
I think the majority of them are still in ASM. So if the users comply and remove their IDs, wiping and resetting will be easy.
Looks like we'll just have three different piles. Devices ready to be wiped, devices Apple needs to unlock, devices too old to manage.