Help

"Activation Lock" iOS7 work around for supervised devices

glynn
New Contributor

Posted on ‎10-02-2013 05:44 PM

Running into huge road blocks with "Activation Lock" feature on iOS7. Our district has about 2500 student iPads which have their own apple ID. At the beginning of the year rollout we were on iOS6.1.3. We have our students activate find my iPad app. If any re-provisioning had to be done to a device in 6.1.3 such as a passcode lock out, a simple touch with iTunes or Configurator would blow it out and you could move on with the device. Now activation lock in iOS7 has me in a real jam with no option but a complete wipe and loss of data for the student. Seems like I've moved from a scalpel to a chainsaw approach which is killing me. We all know we get handed locked up devices for a myriad of reasons most of which because the student either forgot their apple ID password or passcode. Has anyone found a technical work around for this?

0 Kudos
15 REPLIES 15

cdenesha
Valued Contributor II

Posted on ‎10-02-2013 06:46 PM

I think if find my ipad is on when you take a backup, it will also be turned on when you restore. Which of course turns on Activation Lock which causes an error while trying to restore.

I saw this in my testing yesterday so I am making sure Find my iPad is off before the backup is taken. Get the student to reset their password and get that setting off first is my only advice, which is probably not helpful. :(

For the pass code, can't this be removed via MDM?

chris

0 Kudos

Buffington
New Contributor

Posted on ‎10-03-2013 09:02 AM

While not necessarily a solution to managed devices that already have Activation Lock on them, there are resources from Apple to use Configurator to allow for Find My (iDevice) while leaving the Activation Lock off.

http://support.apple.com/kb/HT5927

And in worse-case scenarios, I believe there are escalation paths within Apple to resolve Activation Lock issues if you can provide proof of ownership.

0 Kudos

clifhirtle
Contributor II

Posted on ‎10-22-2013 07:44 AM

Seeing same issue here. Spoke with Apple Enterprise Support this AM, who recommended a standard decomissioning process involving turning off Find My Phone. Peachy if every user follows instructions to a T.

Alternatively, you can call Apple Enterprise Support and provide the following info, which should suffice for proof of ownership and unlock (after 2-3 day wait) of your device:

  • Device invoice number
  • Business name + postal address
  • IMEI + serial number of device

Heard rumors of a more enterprise-friendly iOS provisioning portal coming down the line, but that was starting with the carriers versus organizations first. Would not hold my breath on that one.

0 Kudos

pickerin
Contributor II

Posted on ‎10-22-2013 11:15 AM

It's much worse than you think...

A total wipe (even a DFU restore of the stock OS) will not clear the Activation Lock. The Activation Lock is enabled if the phone was EVER tied to an iCloud account and Find My iPhone was enabled. The IMEI (or UIUID, not sure which) of the device is stored in the user's iCloud account. When the device goes to activate if it's IMEI (or UIUID) is present on an active iCloud account with Find My iPhone enabled, then the device will auto-lock.

The only way around this is to provision the device's MDM profile using Apple Configurator when NEW. Otherwise, there is no way to clear the Activation Lock without the user's cooperation.

http://support.apple.com/kb/HT5818

This is now the disgruntled employee's best friend. Just enable Find My iPhone before turning your device back in, and it's a paperweight.

0 Kudos

bentoms
Release Candidate Programs Tester

Posted on ‎10-22-2013 11:18 AM

I'm guessing the solution may also lie with the announced but not enabled "simplified enrollment."

0 Kudos

cdenesha
Valued Contributor II

Posted on ‎10-22-2013 11:53 AM

Just have the user turn off Find my iPad/iPhone and then immediately erase it.

From the link you posted:

"Do I need to turn off Find My iPhone before giving away my device?

Yes. Before giving your device to someone else, always turn off Find My iPhone to ensure that the other person will be able to activate and use the device normally. The best way to do this is to erase all content and settings from your device before handing it over. This will completely erase your device, turn off Find My iPhone, and remove the device from your iCloud account. On your iOS device, go to Settings > General > Reset > Erase All Content and Settings."

Then be sure to use Configurator and Prepare the devise as Supervised.

http://support.apple.com/kb/HT5927

chris

0 Kudos

pickerin
Contributor II

Posted on ‎10-23-2013 09:41 AM

That's harder to do if you're firing them, or if the person separating them is in another state...

0 Kudos

clifhirtle
Contributor II

Posted on ‎10-29-2013 08:31 AM

This may have existed before, but in just wiping an iPhone 5S running 7.0.3 I got prompted to authenticate with my iCloud password to remove the device from the account BEFORE a full device erase would go through. This seems a logical and significant improvement in default behavior. Or at least significantly better than trying to guess who the heck Apple ID is being asked with c@mac.com at the Activation Lock screen.

Anybody seen this prompt to remove a device-iCloud registration before 7.0.3?

UPDATE: confirmed this feature exists on iOS 7.0.2 as well.

0 Kudos

pickerin
Contributor II

Posted on ‎10-29-2013 10:29 AM

Pretty sure it's been that way since 7.0. However, if you had a device on 6 that you wiped, it looked like it was fine. Then if you upgraded it to 7 as part of a redeploy, it would then be locked immediately after the upgrade.

Fun stuff!

0 Kudos

dhough
New Contributor

Posted on ‎11-04-2013 12:25 PM

Does anyone know if erasing via ActiveSync will undermine this?

0 Kudos

bentoms
Release Candidate Programs Tester

Posted on ‎11-04-2013 02:10 PM

@dalehoughton ActiveSync. != activation lock.

Any kind of remote wipe still requires activation through the methods given above.

0 Kudos

easyedc
Valued Contributor II

Posted on ‎01-24-2014 07:58 AM

We've recently started coming across this issue, and I wonder what solutions others have come across. From one post I read somewhere else, if you install a management configuration profile (JAMF MDM? or for us Good for Enterprise (which is our email solution) it should disable the activation lock. Anyone else see that or get it to work?

0 Kudos

tcam
Contributor

Posted on ‎01-24-2014 08:09 AM

@clifhirtle great tip

Any time an iPad is returned to us, we're using turning off Find My iPhone.

0 Kudos

clifhirtle
Contributor II

Posted on ‎01-24-2014 08:11 AM

@easyedc][/url][/url][/url][/url it is not so much that the MDM disables Activation Lock, but that you can use a MDM to enable Supervised mode or disable Find My Phone, which would prevent activation of Activation Lock.

If the users already have their phones tied to an Apple ID or you do not want to disable Find My Phone (as in the case of BYOD iPhones) the only workaround I've seen is ensuring you have a proper trade-in process that disable FMP, working through AppleCare to prove ownership and unlock, or using a single AppleID <shudder> so that you always have control over which devices are integrated to Find My Phone.

Here's some links with more info:

0 Kudos

pickerin
Contributor II

Posted on ‎01-24-2014 08:33 AM

@easyedc - To answer the question, no, having an MDM solution installed does not prevent Activation Lock. If they tie to an AppleID and enable Find My iPhone, you're toast.

Installing an MDM solution would give you the ability to prevent iCloud and/or Find My iPhone, but if you want the user to have access to both, then you cannot prevent Activation Lock.

The only pre-deployment option is through Apple's Configurator which will allow you to disallow Activation Lock, but it requires that you physically have possession of the phone prior to activation, which in a BYOD environment, you will not be able to accomplish.

0 Kudos