Managing Activation Lock on macOS Devices in Workspace ONE UEM
If you’ve ever enabled the Find My feature on an iOS or macOS device, then you are probably familiar with Apple’s Activation Lock. Activation Lock is a factory reset protection feature that Apple has implemented to ensure that unauthorized persons cannot erase and reuse a lost or stolen iOS or macOS device. Activation Lock securely stores your Apple ID on Apple’s activation servers and links it to your device. If anyone tries to turn off Find My, erase your device, or reactivate your device, they will be prompted for your Apple ID and password. If invalid credentials are entered, the device remains nonfunctional until correct credentials are entered. IT admins have been able to manage Activation Lock on corporate-owned iOS devices in Workspace ONE UEM. This has allowed them to protect their assets and lessen the chance of a data breach due to a lost or stolen iOS device.
With the release of version 2402 of Workspace ONE UEM, you can now manage Activation Lock on supervised macOS devices as well. This new feature works in a similar fashion to iOS. When a supervised macOS device is enrolled in Workspace ONE UEM, Activation Lock can be enabled on the device. IT admins can clear Activation Lock on individual devices in the console, and even obtain an Activation Lock Bypass Code if needed.
This new Activation Lock feature is supported on supervised macOS 10.15 or higher devices.
Configuring Activation Lock for macOS Devices
You can enable Activation Lock for all your DEP-enrolled devices in the Workspace ONE console by going to All Settings -> Devices & Users -> Apple -> Activation Lock and clicking Enabled. Then select one or more Smart Groups that contain the devices on which you wish to enable Activation Lock. Once this setting is enabled, all supervised devices within the assigned groups will have Activation Lock enabled when enrolled.
You can also enable Activation Lock on individual macOS devices from the device’s Details View. Click the More Actions menu and select Enable Activation Lock. Workspace ONE UEM will activate Activation Lock on the device.
Bypassing Activation Lock on macOS Devices
As discussed, Activation Lock offers enterprises the benefit of securing lost or stolen macOS devices. But it can present challenges in the enterprise when an employee leaves the company and turns in a corporate macOS device with Activation Lock enabled. When an IT admin resets the device to give it to another employee, the Activation Lock will prompt for the previous employee’s credentials. Without those credentials, the device will be rendered useless to the enterprise.
Luckily, supervised macOS devices enrolled in and managed by Workspace ONE UEM can have their Activation Lock bypassed. There are three ways that IT admins can bypass the Activation Lock.
- Clear the Activation Lock in the console.
- Enter an Activation Lock Bypass Code on the device.
- Perform a Device Wipe command and select the option to clear Activation Lock.
Clear the Activation Lock in the Console
Clearing the Activation Lock can be performed from the Device Details View. Click the More Actions menu and scroll down to the Disable Activation Lock option.
Enter an Activation Lock Bypass Code on the Device
Your second option is to enter a bypass code on the device. You can find the Activation Lock Bypass Code in the Workspace ONE console. As described above, you start in the More Actions menu and click Disable Activation Lock. Workspace ONE will display the bypass code, which you will enter on the device during the Setup Assistant. On the macOS device, enter the bypass code in the Activation Lock password field and leave the Apple ID username field empty.
Perform a Device Wipe command and select the option to clear Activation Lock
Finally, when you perform a Device Wipe on a macOS device, Workspace ONE will give you the option to deactivate Activation Lock as part of the process. Select Disable Activation Lock when prompted.
Checking the Status of Activation Lock on a macOS Device
If you need to know whether Activation Lock is enabled on a device, you can do this in the Workspace ONE console from the device’s Details View. Check the Summary tab in the Security section.
Summary
Apple’s Activation Lock is an additional security tool that IT admins can enable to ensure that someone can’t turn off Find My, erase, or reactivate a lost or stolen corporate device. With version 2402 of Workspace ONE, this protection can now be extended to corporate macOS devices as well. With multiple options for enabling this feature on macOS devices, IT admins can protect their corporate assets and lessen the chance of a data breach due to a lost or stolen macOS device.
For more information about managing macOS devices with Workspace ONE, check out these resources on Tech Zone.