Managed Apple IDs Triggering Activation Lock

_aDiedericks
Contributor

Hi there,

Last year we introduced Google Workspace Federated Managed Apple IDs into our environment to negate the use of personal Apple IDs. Dealing with Activation Locks was particularly tedious on those personal Apple ID linked devices, so we opted to make use of Managed Apple IDs since they do not have Find My functionality associated with them. Logically this should resolve the Activation Lock issue and also allow users to make use of some iCloud related functions.

The behaviour we saw as a result was a 70% uptick in devices triggering Activation Lock when formatted, whether through Jamf Pro or directly in-OS using the erase or format functions. The difference with these Activation Locks is that they ask for the last iCloud sign-in used but do not show the hint, i.e. "s*****z@icloud.com", and since Managed Apple IDs don't support Find My, the devices cannot be unlocked even if we use the Managed Apple ID credentials.

The most logical response, then, would be to use the Activation Lock bypass code. The problem is that our environment was migrated from Meraki using the Jamf migration toolset, so the majority of devices in the environment are UIE devices, and Activation Lock bypass is therefore not possible.

Currently the wiping process is entirely random (RNG) as to whether or not it triggers Activation Lock. Yes, we've signed out of the Managed Apple IDs before wipes; it doesn't make a difference. We have thought of signing into an IT-controlled personal Apple ID and intentionally triggering the Activation Lock, and making this our process for all future wipes, but that is obviously not the most elegant solution, so I was hoping someone else is able to give input on this matter.

6 REPLIES

_aDiedericks
Contributor

Here is an example of a scenario where a user signed out of their Managed Apple ID prior to formatting and yet it still triggered Activation Lock. Keep in mind that Managed Apple IDs don't have Find My, yet somehow this causes Activation Lock, and you are not able to successfully authenticate to pass this point even with the correct credentials.

[Screenshot attached: Screenshot 2023-10-13 at 14.32.44.png]

jcarr
Release Candidate Programs Tester

Contact AppleCare. With a list of affected devices, they should be able to clear Activation Lock in bulk. Assuming the device serial numbers are all in your ASM/ABM org, that should suffice for proof of ownership.

_aDiedericks
Contributor

Yes, this is what we're doing already. I'm more asking about how to avoid this altogether in the methodology.

jcarr
Release Candidate Programs Tester

Gotcha. The best way to avoid this in the future is to enable the "Prevent user from enabling Activation Lock" option in the PreStage enrollment.

_aDiedericks
Contributor

This is also already the case. The devices we are having issues with are UIE migrated devices.

jcarr
Release Candidate Programs Tester

Understood. Activation Lock can only be suppressed for supervised devices, which requires ADE.