Managing the activation lock for iOS devices

The activation lock feature:

  • is designed to prevent anyone from using a lost or stolen device.
  • provides administrators with more options for deterring theft of supervised devices.
  • enables administrators to reclaim supervised devices and reassign them to other employees.

A security policy option enables Activation Lock on newly registered phones. Enabling this option prompts Ivanti EPMM to acquire the bypass code for the devices. When you configure an iOS device as supervised, you can generate a device-specific Activation Lock bypass code, which you can later use to remove the Activation Lock. The Send Activation Lock Bypass action on the Devices page sends the necessary code to the target devices.

You must have a connection between Ivanti EPMM and Apple's Activation Lock Bypass server to be able to store bypass codes for supervised, managed devices. The server’s URL is:

https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock

  • Per Apple policy, the Activation Lock bypass code works once per device. The device must be reset before another bypass code will work.
  • Per Apple policy, Ivanti EPMM can acquire the bypass code only when the device is first registered.
  • For supervised devices already registered with Ivanti EPMM, select Actions > Send Activation Lock Bypass to acquire the bypass codes for these devices.

Applying an activation lock

As soon as Find My iPhone is turned on, a mapping between this iCloud account and a hardware identifier for this device is saved to Apple’s activation servers. From that point, no one can turn off Find My iPhone, erase the device, or reactivate it without entering the existing Apple ID and password. If someone other than you wiped your device and then tried to re-activate and use it, they would be prompted for your Apple ID and password in Setup Assistant.

If you have a corporate-liable deployment and your devices are supervised, Activation Lock is disabled by default, and device users cannot turn it on. Most corporate administrators are likely to leave Activation Lock disabled, as it is primarily a consumer feature. Should you decide to enable the feature:

Table 22. Activation locks

| Action | What to Do |
|---|---|
| Enable Activation Lock | Complete the following steps prior to device registration: 1. Turn on Find My Phone. 2. In the Security policy, select Enable Activation Lock. 3. Register the device. Ivanti EPMM acquires the bypass code at this time. Note that it can take some time before the device reports that the activation lock has been enabled. |
| Send Activation Lock Bypass Code | 1. In the Device page, select the iOS device. 2. Select Actions > Send Activation Lock Bypass Code. |

If you have a corporate-liable deployment and your devices are unsupervised, Activation Lock is enabled as soon as the end user signs in to iCloud with their Apple ID and turns on Find My Device. MDM servers, including Ivanti EPMM, cannot control Activation Lock on unsupervised devices. Supervision is the flag that says this device is corporate owned. Device users can lock activation with their personal credentials, leaving you no recourse should they leave the company. For this scenario, Ivanti recommends the following process:

  • Add the removal of the Activation Lock to your employee agreement.

    You should not consider the device returned unless the Activation Lock is removed.

  • Confirm that the Activation Lock has been removed when the device is returned to you.
  • Contact Apple Enterprise Support if the Activation Lock has not been removed.

Removing the Activation Lock

If the device has not been wiped, and the user is willing to enter the Apple ID password:

  1. Launch the Settings app on the device.
  2. Go to the iCloud screen.
  3. Turn off Find My Device.
  4. Have the device user enter the Apple ID password.

    Another option is to have the user erase all content and settings.

If the device has already been wiped, and the user is willing to enter the Apple ID password:

  1. Follow the steps in Setup Assistant.
  2. If the Activation Lock screen is displayed, have the device user enter the Apple ID and password or ask the user to remove the device from their account in iCloud.

If you have an enterprise support contract with Apple, you can contact them to request an activation lock removal.