What Is Activation Lock?
Activation Lock is an Apple feature designed to prevent the unauthorized transfer or use of Apple devices. Built into Apple’s Find My system, it’s Apple’s implementation of factory reset protection, which manufacturers are legally required to include in order to sell smartphones in the US. It initially appeared (as iCloud Activation Lock) on the iPhone in 2013 as part of iOS 7, but has since been implemented on iPad, Apple Watch, and Mac with Apple silicon or the T2 security chip.
How Activation Lock Works
When Find My is turned on for a device, Activation Lock is enforced each time the hardware is activated: once Wi-Fi is selected, the device contacts Apple for an activation certificate. In practice, when the user authorizes the device with their credentials, it will just work.
However, if a device is lost, a user or admin can mark it as lost in iCloud or with an MDM solution. (Kandji implements this using Enable Lost Mode, in the Action menu.) This puts Activation Lock in place. Users and admins can lock the screen, require a passcode, wipe data, and/or display a message urging return of the device. Most consoles also display a Find My map to show the last location of the device.
An iPhone locked using Activation Lock will request valid user credentials and won’t function until those credentials are entered. Activation Lock cannot be bypassed easily, and the iPhone cannot be used until unlocked, even if all the data is wiped and the device is reset using Device Firmware Update (DFU) mode. A device in Lost Mode cannot be used or reactivated without the necessary password, though IT can remotely disable Lost Mode if the device is retrieved.
How to Use Activation Lock
There are two types of Activation Lock: User- and Device-based.
- User-based Activation Lock requires that the device is linked to a user’s personal iCloud account. That’s fine for consumers, but organizations may require a more scalable, centrally managed tool to track their device fleets.
- Device-based Managed Lost Mode requires Apple Business Manager or Apple School Manager and is compatible with most Apple MDM solutions (including Kandji).
MDM solutions don’t permit user-based Activation Lock on supervised devices by default, but admins can choose to permit it. If they do, the MDM solution fetches a bypass code, which it securely stores. If a user cannot authenticate their device in the normal way, the IT admin can use the MDM solution and the stored bypass code to unlock the device. It is essential for admins to secure and back up these bypass codes, as Activation Lock cannot be cleared without them.
How to Remove Activation Lock
On iPhone devices running iOS 15 or later, locked devices display an iPhone Locked to Owner screen when activated. Devices running earlier iOS versions will either refuse to be unlocked, display an emergency message, or request the original user’s Apple ID.
Admins can use their MDM solution to remotely turn off Lost Mode and remove Activation Lock protection from a managed device. They can also retrieve an Activation Lock bypass code when required, such as when an employee leaves a company but neglects to unlock their device.
If the bypass code is not available (which can happen when you migrate from one MDM solution to another), the IT team can contact AppleCare Enterprise Support to remove the lock.
In some cases—particularly if too many unsuccessful attempts have been made to unlock a device while it is lost—a warning that the iPhone is disabled will appear. In those cases, the device must be restored, which entails a complete data wipe. Some third-party companies claim they can unlock protected devices, but they’re usually just jailbreaking the device and are not recommended for business use.