How to turn off Apple's Activation Lock

Andrea Pepper | July 26, 2023

If you're a MacAdmin, there's a good chance you've seen the dreaded Activation Lock screen before. If you have a machine that displays this page, you have a machine with a preexisting Activation Lock. For admins and nonadmins alike, it's super annoying. But have no fear — I'll teach you how to get rid of it (and share other tips for managing Activation Lock).

When removing Activation Lock from a device, the method depends on whether it was a manually enrolled device (user-linked) or an auto-enrolled or supervised device (organization-linked).
 
Organization-linked is more straightforward, requiring Apple Business Manager (ABM), Apple School Manager (ASM), or Apple Business Essentials (ABE). It allows an MDM solution to control Activation Lock through server-side interactions. The former, user-linked, needs a personal Apple ID and the Find My feature, which enables the user to lock a device to their Apple ID.

How to disable Activation Lock with Apple Support

Apple Support offers a few ways to remove Activation Lock.

To remove Activation Lock on an unmanaged or unsupervised device where the individual user has locked it via a personal iCloud account, you can use one of the following methods:

  • If you know your Apple ID and password, you can remove Activation Lock by following these steps from Apple.

  • If you can't find your Apple ID password, you can recover it through Apple by following the prompts.

  • You can start an Activation Lock support request if you have proof of purchase documentation. Proof of ownership must include the product serial number, IMEI, or MEID. (The device must be erased at the end of this process to complete the unlock.)

  • For supervised/ADE devices, or if the device is locked with an Apple ID tied to your workplace domain, contact Apple Education and Business tech support for the next steps: (800) 800-2775.

    • Things to keep in mind when you call Apple Education and Business tech support:

      • You'll need to actually call Apple Support. Business Activation Unlock cannot be requested online at the time of publication.

      • After the phone call, Apple Support sends you an unlock form. This form expires after a few business days, so don't delay, or you'll have to repeat the entire process.

      • Historically, you should be golden if you can show Apple Business Support (not consumer support; don't waste your time) that the locked device's serial number exists in your organization's ABM/ASM inventory. This could save you time digging through receipts.

How to disable Activation Lock with your MDM

Already got your device enrolled in an MDM? Excellent — you may not need to go through Apple Support to turn off Activation Lock! Instead, you can use a device enrollment credential override or an Activation Lock bypass code.

Device enrollment credential override

Okay, hold on to your hats because this one blew my circuits when I discovered it in Apple's KBs.

If an iOS device is secured with an organization-linked Activation Lock, a credential override can unlock the device even when your MDM isn't communicating effectively with the device. Rather than using the Apple ID of the individual who activated the device lock, use the credentials of the user who created the device enrollment token for the MDM to which the locked device is assigned in Apple Business Manager.

[Image: Device Enrollment Token]

[Image: iOS Activation Lock Screen. Image credit: 9to5Mac.com]

In this example, I am the user who created the device enrollment token for the test server in the first image. I enter the Apple ID and PW credentials I used to generate the device enrollment token that links SimpleMDM to Apple Business Manager into the Activation Lock screen on iOS to attempt an unlock, as seen in the second image.

The user account that created the device enrollment token in Apple Business Manager must have the role of Administrator or Device Enrollment Manager. (Site Manager is also applicable if using Apple School Manager.) If these prerequisites apply to your situation, try this method first to save yourself some time!

With organization-linked Activation Lock for iPhone and iPad, the MDM contacts Apple servers to lock or unlock the device, independent of the user or device status. It creates a bypass code for turning Activation Lock on or off.

What is an Activation Lock bypass code?

If your enterprise devices are supervised and managed by ABM, one of the easiest ways to remove an Activation Lock is to send an ActivationLockBypassCodeCommand through your MDM and clear the lock.

With organization-linked Activation Lock, the MDM solution independently interacts with Apple's servers to lock or unlock devices without user involvement or device status. The MDM crafts a unique bypass code for Activation Lock control, which it dispatches to Apple's servers.

With an Activation Lock bypass code command, the Activation Lock on supervised Apple devices can be removed remotely if the associated Apple ID and password are unavailable. The main drawback is that it doesn't constantly check in: if you must disable Activation Lock, you must send an Activation Lock bypass code command every time a user locks the device.

Minimum tech specs required for ActivationLockBypassCodeCommand

  • MDM: Supervision required

  • Software: iOS 7.1+, iPadOS 7.1+, macOS 10.15+

  • Hardware (macOS): T2 or Apple Silicon required

How do I use the Activation Lock bypass code?

  1. Set up the device in Apple Business Manager or School Manager: Enroll the device in ABM or ASM.

  2. Set up MDM: Configure an MDM solution, like SimpleMDM. This solution manages your device and generates the bypass code.

  3. Find the bypass code: Use your MDM solution to find the bypass code. Generally, this is done by navigating to the device details page in your MDM control panel and selecting Show Bypass Code.

  4. Enter the bypass code: According to Apple Support, "If you have physical possession of the device on an iPhone or iPad, enter the MDM Activation Lock bypass code on the Activation Lock Screen in the Apple ID password field, and leave the username field blank. On a Mac, the bypass code can be entered by clicking Recovery Assistant in the menu bar [on the Activation Lock screen] and selecting the 'Activate with MDM key' option."

  5. Reset the device: A factory reset removes the Activation Lock after successfully unlocking the device. Clear any remaining Activation Locks via your MDM solution before distributing the device to avoid potential issues.

Remember: To complete this process, your device must reach the Apple activation servers. The easiest connection method in an enterprise environment may be a direct connection through Ethernet.

How to use Activation Lock bypass code with SimpleMDM

  1. Go to Devices.

  2. Click on the desired device that you want to unlock.

  3. Click the Actions button on the top right of the Device Details page.

  4. Select Disable Activation Lock from the Actions drop-down menu.

  5. A warning pop-up window appears to complete the action. Click OK to proceed.

When a device initially enrolls in SimpleMDM, SimpleMDM sends the ActivationLockBypassCode command to the device, collects the bypass code the device returns, and stores the code on the device record. The Disable Activation Lock button in SimpleMDM takes any previously stored codes and automatically removes any existing Activation Lock if present.


Activation Lock FAQs

The ActivationLockBypassCodeCommand is a device command used within Apple's Mobile Device Management protocol. This command obtains an Activation Lock bypass code for a supervised device. This bypass code, a device-specific key, can then be used to disable or remove the Activation Lock functionality on that device.

When the ActivationLockBypassCodeCommand is pushed to a supervised device, the device returns an ActivationLockBypassCodeCommand response containing the bypass code, which the admin can then use to unlock the device, bypassing the Activation Lock.
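The command and response exchange described above, sketched from the MDM server's side as an added example (not SimpleMDM's code or part of the original article). The RequestType and the ActivationLockBypassCode response key follow Apple's MDM protocol; the UUID, UDID, bypass code value and the helper names are constructed for illustration.

```python
import plistlib
import uuid

# RequestType and response key follow Apple's MDM protocol; all sample values are constructed.
SAMPLE_UUID = "constructed-command-uuid-0001"
SAMPLE_CODE = "AAAAA-BBBBB-CCCCC"  # placeholder, not a real bypass code
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": SAMPLE_UUID,
    "Status": "Acknowledged",
    "UDID": "constructed-device-udid",
    "ActivationLockBypassCode": SAMPLE_CODE,
})


def build_bypass_code_command(command_uuid=None):
    """Serialize the command plist the MDM server queues for a supervised device."""
    command = {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {"RequestType": "ActivationLockBypassCode"},
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


def parse_bypass_code_response(body, expected_uuid):
    """Return the bypass code from the device's reply, or raise ValueError."""
    try:
        response = plistlib.loads(body)
    except Exception as exc:  # malformed XML or binary plist
        raise ValueError("response is not a valid plist") from exc
    if not isinstance(response, dict):
        raise ValueError("response plist is not a dictionary")
    if response.get("CommandUUID") != expected_uuid:
        raise ValueError("response does not match the command that was sent")
    if response.get("Status") != "Acknowledged":
        # For example an Error or NotNow status: there is no code to store yet.
        raise ValueError(f"command not acknowledged: {response.get('Status')}")
    code = response.get("ActivationLockBypassCode")
    if not isinstance(code, str) or not code:
        raise ValueError("acknowledged, but no bypass code was returned")
    return code


def redact(code):
    """Mask a bypass code for logs; store the full value only on the device record."""
    return code[:5] + "-*****" if len(code) > 5 else "*****"


if __name__ == "__main__":
    print(build_bypass_code_command(SAMPLE_UUID).decode())
    print("stored code:", redact(parse_bypass_code_response(SAMPLE_RESPONSE, SAMPLE_UUID)))
```

Because the bypass code unlocks the device without the user's Apple ID, treat it like a credential: keep it out of logs and tickets and restrict who can read the device record.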

Is Activation Lock technically iCloud Activation Lock?

Yes.

Activation Lock in Apple's ecosystem is tied explicitly to a user's iCloud account. When Find My iPhone, Find My iPad, or Find My Mac is enabled on a device, the Activation Lock is turned on. This feature locks the device to the user's Apple ID, which is managed through iCloud, helping to deter theft and unauthorized use.

However, in an enterprise or educational environment where devices are corporately owned, MDM solutions provide tools like the Activation Lock bypass code to allow administrators to disable the Activation Lock when needed, such as when a device is being prepared for a new user.

It's worth mentioning that other device ecosystems, like Android, have similar concepts that might be called "activation locks" but aren't tied to iCloud because iCloud is an Apple-specific service. Android has a feature analogous to Activation Lock known as Google's Factory Reset Protection (FRP), which is tied to a user's Google account.

What is an MDM key?

An MDM key typically refers to a cryptographic key used to secure the management of devices. The MDM uses encryption keys to communicate securely with enrolled devices.

During the enrollment and management processes, the MDM keys are generated and used automatically within the system — between the device and the MDM server. When a device is enrolled into an MDM, the MDM server securely stores these keys and uses them internally to communicate securely with devices and validate commands.


Activation Lock got you stuck? SimpleMDM is here to help! Don't miss this chance to unlock your knowledge and power up your skills with a 30-day free trial of SimpleMDM. 

Andrea Pepper

Andrea Pepper is an Apple SME MacAdmin with a problematic lack of impulse control around a software update prompt. When not poking at machines, Pepper enjoys being a silly goose in sunny Colorado with her two gigantic fluffer pups.
