Sections
- How to disable Activation Lock with Apple Support
- How to disable Activation Lock with your MDM
- Activation Lock FAQs
Sections
If you're a MacAdmin, there's a good chance you've seen the dreaded Activation Lock screen before. If you have a machine that displays this page, you have a machine with a preexisting Activation Lock. For admins and nonadmins alike, it's super annoying. But have no fear — I'll teach you how to get rid of it (and share other tips for managing Activation Lock).
The method for removing the Activation Lock from a device depends on whether it was manually enrolled (user-linked) or auto-enrolled / supervised (organization-linked).
Organization-linked is more straightforward, requiring ABM, ASM, or ABE. It allows an MDM solution to control Activation Lock through server-side interactions. The former, user-linked, needs a personal Apple ID and the Find My feature, which enables the user to lock a device to their Apple ID.
How to disable Activation Lock with Apple Support
Apple Support offers a few ways to remove Activation Lock.
To remove Activation Lock on an unmanaged or unsupervised device where the individual user has locked it via a personal iCloud account, you can use one of the following methods:
If you know your Apple ID and password, you can remove Activation Lock by following these steps from Apple.
If you can't find your Apple ID password, you can recover it through Apple by following the prompts.
You can start an Activation Lock support request if you have proof of purchase documentation. Proof of ownership must include the product serial number, IMEI, or MEID. (The device must be erased at the end of this process to complete the unlock.)
For supervised/ADE devices, or if the device is locked with an Apple ID tied to your workplace domain, contact Apple Education and Business tech support for the next steps: (800) 800-2775.
Things to keep in mind when you call Apple Education and Business tech support:
See AlsoMy Apple Watch is locked and I don't have…'Why does my Apple Watch keep locking?': How to stop your Apple Watch from locking when it shouldn'tAre Apple Watches Locked to a Carrier?I bought a used Apple Watch and it's lock…You'll need to actually call Apple Support. Business Activation Unlock cannot be requested online at the time of publication.
After the phone call, Apple Support sends you an unlock form. This form expires after a few business days, so don't delay, or you'll have to repeat the entire process.
Historically, you should be golden if you can show Apple Business Support (not consumer support; don't waste your time) that the locked device's serial number exists in your organization's ABM/ASM inventory. This could save you time digging through receipts.
How to disable Activation Lock with your MDM
Already got your device enrolled in an MDM? Excellent — you may not need to go through Apple Support to turn off Activation Lock! Instead, you can use a device enrollment credential override or an Activation Lock bypass code.
Device enrollment credential override
Okay, hold on to your hats because this one blew my circuits when I discovered it in Apple's KBs.
If an iOS device is secured with an organization-linked Activation Lock, a credential override can unlock the device even when your MDM isn't communicating effectively with the device. Rather than using the Apple ID of the individual who activated the device lock, use the credentials of the user who created the device enrollment token for the MDM to which the locked device is assigned in Apple Business Manager.
Image credit: 9to5Mac.com
In this example, I am the user who created the device enrollment token for the test server in the first image. I enter the Apple ID and PW credentials I used to generate the device enrollment token that links SimpleMDM to Apple Business Manager into the Activation Lock screen on iOS to attempt an unlock, as seen in the second image.
The user account that created the device enrollment token in Apple Business Manager would require the role of an Administrator or Device Enrollment Manager. (Site Manager is also applicable if using Apple School Manager.) If these prerequisites apply to your situation, try this method first to save yourself some time!
With organization-linked Activation Lock for iPhone and iPad, the MDM contacts Apple servers to lock or unlock the device, independent of the user or device status. It creates a bypass code for turning Activation Lock on or off.
What is Activation Lock bypass code?
If your enterprise devices are supervised and managed by ABM, one of the easiest ways to remove an Activation Lock is to send an ActivationLockBypassCodeCommand through your MDM and clear the lock.
With organization-linked Activation Lock, the MDM solution independently interacts with Apple's servers to lock or unlock devices without user involvement or device status. The MDM crafts a unique bypass code for Activation Lock control, which it dispatches to Apple's servers.
With an Activation Lock bypass code command, the Activation Lock on supervised Apple devices can be removed remotely if the associated Apple ID and password are unavailable. The main drawback is that it doesn't constantly check in; if you must disable Activation Lock, you must send an Activation Lock bypass code command every time a user locks it.
Minimum tech specs required for ActivationLockBypassCodeCommand
Supervision required
Software
iOS 7.1+ | iPadOS 7.1+ | macOS 10.15+ |
Hardware
macOS |
T2 or Apple Silicon required |
How do I use the Activation Lock bypass code?
Set up the device in Apple Business Manager or School Manager: Enroll the device in ABM or ASM.
Set up MDM: Configure an MDM solution, like SimpleMDM. This solution manages your device and generates the bypass code.
Find the bypass code: Use your MDM solution to find the bypass code.Generally, this is done by navigating to the device details page in your MDM control panel and selecting Show Bypass Code.
Enter the bypass code: According to Apple Support, "If you have physical possession of the device on an iPhone or iPad, enter the MDM Activation Lock bypass code on the Activation Lock Screen in the Apple ID password field, and leave the username field blank. On a Mac, the bypass code can be entered by clicking Recovery Assistant in the menu bar [on the Activation Lock screen] and selecting the 'Activate with MDM key' option."
Reset the device: A factory reset removes the Activation Lock after successfully unlocking the device. Clear any remaining Activation Locks via your MDM solution before distributing the device to avoid potential issues.
Remember, in an enterprise environment, your device must reach the Apple activation servers to complete this process. The easiest connection method may be a direct connection through ethernet.
How to use Activation Lock bypass code with SimpleMDM
In SimpleMDM:
Go to Devices.
Click on the desired device that you want to unlock.
Click the Actions button on the top right of the Device Details page.
Select Disable Activation Lock from the Actions drop-down menu.
A warning pop-up window appears to complete the action. Click OK to proceed.
When a device initially enrolls in SimpleMDM, it sends the ActivationLockBypassCode to the device, collects the bypass code, and stores the code on the device record. The Disable Activation Lock button in SimpleMDM takes any previously stored codes and automatically removes any existing Activation Lock if present.
Loading...
Activation Lock FAQs
What is an MDM Activation Lock bypass code?
An MDM Activation Lock bypass code is a cryptographic key code generated during the deployment of managed Apple devices through an MDM. You can use this bypass code to clear the device's activation lock without the Apple ID and password.
What is ActivationLockBypassCodeCommand?
The ActivationLockBypassCodeCommand obtains an Activation Lock bypass code for a supervised device. This bypass code, a device-specific key, can then be used to disable or remove the Activation Lock functionality on that device.
When the ActivationLockBypassCodeCommand is pushed to a supervised device, the device returns an ActivationLockBypassCodeCommand response that can then be used by the admin to unlock the device, bypassing the Activation Lock.
Is Activation Lock technically iCloud Activation Lock?
Yes. Activation Lock in Apple's ecosystem is tied explicitly to a user's iCloud account. When Find My iPhone, Find My iPad, or Find My Mac is enabled on a device, the Activation Lock is turned on. This feature locks the device to the user's Apple ID, which is managed through iCloud, helping to deter theft and unauthorized use.
However, in an enterprise or educational environment where devices are corporately owned, MDM solutions provide tools like the Activation Lock bypass code to allow administrators to disable the Activation Lock when needed, such as when a device is being prepared for a new user.
It's worth mentioning that other device ecosystems, like Android, have similar concepts that might be called "activation locks" but aren't tied to iCloud because iCloud is an Apple-specific service. Android has a feature analogous to Activation Lock known as Google's Factory Reset Protection (FRP), which is tied to a user's Google account.
What is an MDM key?
An MDM key is a cryptographic key used to secure device management. The MDM uses encryption keys to communicate securely with enrolled devices.
During the enrollment and management processes, the MDM keys are generated and used automatically within the system — between the device and the MDM server. When a device is enrolled into an MDM, the MDM server securely stores these keys and uses them internally to communicate securely with devices and validate commands.
Activation Lock got you stuck? SimpleMDM is here to help! Don't miss this chance to unlock your knowledge and power up your skills with a 30-day free trial of SimpleMDM.
