Lock ABM Macs with activation lock.

We have a bunch of Intel, M1 and M2 Macs.

I am trying to lock them with activation lock so that no one can erase the Mac.

Currently, the Macs can be forced into recovery mode and "Erase Mac" can be used to fresh install the OS.

Can someone guide me on how to lock them with the company ABM, please?

Set a Firmware password for Intel Macs and a recovery password for Apple Silicon Macs. You cannot manage Recovery, but you can password protect it. You can run a script to set a Firmware Password for Intel Macs. Firmware Passwords don't exist for Apple Silicon, and this function is handled by the Recovery Password. The Recovery Password for Apple Silicon is set when the device is enrolled if configured in prestage. 


There is not an MDM command that I am aware of to set the recovery lock password. So, reprovisioning a device once that setting has been configured in prestage will enable the lock. Otherwise, you can look into the Jamf API: "Recovery Lock Enablement in macOS Using the Jamf Pro API" (Technical Articles | Jamf).




Agreeing with AJPinto - there isn't a way to prevent erasing a Mac, but there is a way to lock down the path to get to this point:

  1. Intel Macs - configure a Firmware password so you need that to get to Recovery Mode
  2. Apple Silicon - configure a Recovery Lock in PreStage (same effect)

You can set a Firmware password (Intel) after the Mac has been enrolled via Policy, but Recovery Lock can only be configured on Apple Silicon during enrolment so the only way to do that is a wipe/erase and enrolment.
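
An audit sketch for the two controls named in the replies above, added here as an example and not taken from any poster or from Jamf: a script in the style of a Jamf extension attribute that reports which control applies to a Mac and, on Intel, whether a firmware password is set. The function names are hypothetical; it assumes the script runs natively as root and that `firmwarepasswd -check` prints a `Password Enabled: Yes/No` line.

```shell
#!/bin/bash
# Added example: extension-attribute style audit (assumed to run as root, natively).
# Reports which pre-Recovery control applies to this Mac and, on Intel,
# whether a firmware password is currently set.

# Map the CPU architecture to the control named in the thread.
boot_lock_control() {
  case "$1" in
    arm64)  echo "Recovery Lock" ;;
    x86_64) echo "Firmware Password" ;;
    *)      echo "Unknown" ;;
  esac
}

# Parse the text printed by `firmwarepasswd -check`
# (assumed format: "Password Enabled: Yes" or "Password Enabled: No").
firmware_pw_state() {
  case "$1" in
    *"Password Enabled: Yes"*) echo "Set" ;;
    *"Password Enabled: No"*)  echo "Not Set" ;;
    *)                         echo "Unknown" ;;
  esac
}

# Build the inventory value. Args: architecture, firmwarepasswd output.
ea_result() {
  control=$(boot_lock_control "$1")
  case "$control" in
    "Firmware Password")
      echo "<result>Firmware Password: $(firmware_pw_state "$2")</result>" ;;
    "Recovery Lock")
      # Recovery Lock is not checked locally by this script.
      echo "<result>Recovery Lock: check MDM inventory</result>" ;;
    *)
      echo "<result>Unknown architecture</result>" ;;
  esac
}

arch=$(uname -m)
fw_out=""
# Only query the firmware tool on Intel, and only if it is present.
if [ "$arch" = "x86_64" ] && command -v firmwarepasswd >/dev/null 2>&1; then
  fw_out=$(firmwarepasswd -check 2>/dev/null || true)
fi
ea_result "$arch" "$fw_out"
```

Intel Macs that report "Not Set" or "Unknown" are the ones where Recovery is still reachable without a password and the firmware password policy has not applied.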