Author: Benjamin Flamm – Product Manager 2 | Microsoft Intune

Activation Lock on Apple devices helps keep the device secure if it falls into the wrong hands and works to prevent unauthorized access to data on devices that are owned by your organization. While Intune has a feature to disable Activation Lock, we wanted to highlight that Apple has also made this functionality available in Apple School Manager (ASM) and Apple Business Manager (ABM), keep reading to learn more!

Allowing Activation Lock using Intune

First, devices need to be enrolled through Automated Device Enrollment, which will enable supervision and generate an Activation Lock bypass code that is stored in the Microsoft Intune admin center under the per-device Hardware blade (Devices > All devices > select a device > Hardware).

A screenshot of a devices Hardware details, highlighting the Activation Lock bypass code in the Microsoft Intune admin center.

Next, you’ll need to allow users to enable Activation Lock on devices by configuring the “Activation Lock Allowed While Supervised” setting to Allowed in the settings catalog under Device configuration > Settings catalog > MDM Options.

As a final step, users need to sign in to the Find My app on their device which will lock the device to their Apple account.

A screenshot of the Sign In page for ‘Find My’ on an Apple device.

If a user already has Find My enabled when this setting is configured, then the device will be activation locked. If a user never enables Find My then the device will never be activation locked. To verify if Activation Lock is enabled on an iOS or iPadOS device, go to System Settings, select the Apple Account, and then Find My:

To verify if Activation Lock is enabled on a macOS device, go to System Settings, iCloud, Find My Mac:

On macOS, you can also verify the status of Activation Lock on devices by selecting the Apple menu in the menu bar, holding down the option key until the System Information option shows, and clicking System Information.

Once a device is locked to a user’s Apple account, you’ll need their account and password to access the device. This is troublesome and can be unattainable in situations where the user has already left the company. Alternatively, you can use the Activation Lock bypass code, but if the device has been wiped or removed from Intune, this code will no longer be available. The bypass codes would’ve had to be manually copied and saved somewhere else prior.

Disable Activation Lock action using Intune

To address these issues, we introduced the Disable Activation Lock device action in Intune, which allows you to remotely turn off Activation Lock on supervised iOS/iPadOS and macOS devices without needing the previous user’s Apple account and password or the bypass code. You can learn more on how to manage activation lock through Intune by reviewing Disable Activation Lock on Apple devices with Intune.

While this action is helpful, it doesn’t allow you to remotely view the status of Activation Lock on a device and if the device is ready to be repurposed.

Activation Lock management in ABM and ASM

At WWDC24 in June, Apple announced the ability to manage Activation Lock on devices that were enrolled using Automated Device Enrollment and managed in ABM and ASM. Not only does this new functionality let you ‘Turn off activation lock’, but you can also view the status of Activation Lock on devices directly from the AMB/ASM console:

You can learn more about this capability by reviewing Apple’s documentation:

Turn off Activation Lock in Apple Business Manager | Apple Support.

This is a major improvement for managing Activation Lock and we’re so excited to see this available in ABM and ASM. While Activation Lock management is still supported in Intune, we recommended using this new method through ABM and ASM for disabling Activation Lock on devices.

If you have any questions leave a comment below or reach out to us on X @IntuneSuppTeam.

​Microsoft Tech Community – Latest Blogs –Read More