Bypass Activation Lock on Supervised iOS devices with Intune
Microsoft Intune can help you manage iOS Activation Lock, a feature of the Find My iPhone app on iOS 8.0 and later devices. Activation Lock is enabled automatically when a user turns on Find My iPhone on a device. After it is enabled, the user's Apple ID and password must be entered before anyone can:
- Turn off Find My iPhone
- Erase the device
- Reactivate the device
How Activation Lock affects you
While Activation Lock helps secure iOS devices and improves the chances of recovering a lost or stolen device, this capability can present you, as an IT admin, with a number of challenges. For example:
- A user sets up Activation Lock on a device. The user then leaves the company and returns the device. Without the user's Apple ID and password, there is no way to reactivate the device.
- You need a report of all devices that have Activation Lock enabled.
- You want to reassign some devices to a different department during a device refresh in your organization. You can only reassign devices that do not have Activation Lock enabled.
To help solve these problems, Apple introduced Activation Lock bypass in iOS 7.1. Activation Lock bypass lets you remove the Activation Lock from supervised devices without the user's Apple ID and password. Supervised devices can generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server.
Supervised mode for iOS devices lets you use Apple Configurator to lock down a device and limit functionality to specific business purposes. Supervised mode is used only for corporate-owned devices.
You can read more about Activation Lock on Apple's web site.
How Intune helps you manage Activation Lock
Intune can request the Activation Lock status of supervised devices that run iOS 8.0 and later. For supervised devices only, Intune can retrieve the Activation Lock bypass code and directly issue it to the device. If the device has been wiped, you can directly access the device by using a blank user name and the code as the password.
The business benefits of using Intune to manage Activation Lock are:
- The user gets the security benefits of the Find My iPhone app.
- You can enable users to do their work and know that when a device needs to be repurposed, you can retire or unlock it.
Before you start
Before you can bypass Activation Lock on devices, you must enable the Activation Lock setting in a device restriction profile by following these instructions:
- Configure an Intune device restriction profile for iOS using the information in How to configure device restriction settings.
- In the device restriction settings for iOS, under the General settings, enable the option Activation Lock.
- Save the profile, and then assign it to the devices on which you want to manage Activation Lock bypass.
How to use Activation Lock bypass
The Intune Bypass Activation Lock remote device action removes the Activation Lock from a supervised iOS device without requiring the user's Apple ID and password. The bypass is not permanent: if Find My iPhone is turned on again after the bypass, a new Activation Lock is applied automatically. Because of this, you should be in physical possession of the device before you follow this procedure.
Sign in to Intune.
On the Intune blade, select Devices.
On the Devices blade, select All devices.
On the list of devices that you manage, select the device, and then select the Bypass Activation Lock device remote action.
Go to the device's “Hardware” section, and then copy the Activation Lock bypass code value under Conditional Access.
Copy the bypass code before you wipe the device. If you reset the device before you copy the code, the code is removed from Azure and cannot be retrieved again.
Go to the Overview blade for the device, and then select Wipe.
After the device is reset, you are prompted for the Apple ID and password. Leave the ID field blank, and then enter the bypass code for the password. This removes the account from the device.
You can examine the status of the unlock request on the details page for the device in the Manage devices workload.
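The same two procedures (the Before you start profile and the bypass-then-wipe sequence above) can be scripted against the Microsoft Graph Intune endpoints. The following is an added example written for this page, not Microsoft's code. It assumes you already hold a Graph bearer token for an app granted the Intune device-management permissions, and that the target group ID and device IDs are yours; the `send(method, path, body)` callable hides the transport, so the same logic runs against the constructed offline stand-in `FakeGraph` included here. The point of the script is the ordering the page requires: check that the device is supervised, request the bypass, copy the bypass code somewhere safe, and only then wipe, because the wipe deletes the code from Intune.

```python
"""Scripted Intune Activation Lock bypass (added example, not Microsoft's code).

Assumptions not stated on the page: `token` is a valid Graph bearer token for an
app with the Intune device-management permissions; `group_id`/device IDs are
yours. FakeGraph is a constructed offline stand-in used by demo().
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "?$select=id,deviceName,isSupervised,activationLockBypassCode"


def graph_sender(token):
    """Real transport (assumed token): send(method, path, body) over urllib."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            GRAPH + path, data=data, method=method,
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def activation_lock_profile(name):
    """'Before you start': iOS device restriction profile with the
    Activation Lock setting enabled (activationLockAllowWhenSupervised)."""
    return {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
            "displayName": name,
            "activationLockAllowWhenSupervised": True}


def create_and_assign_profile(send, name, group_id):
    """Create the profile and assign it to a group (group_id is assumed)."""
    profile = send("POST", "/deviceManagement/deviceConfigurations",
                   activation_lock_profile(name))
    send("POST", f"/deviceManagement/deviceConfigurations/{profile['id']}/assign",
         {"assignments": [{"target": {
             "@odata.type": "#microsoft.graph.groupAssignmentTarget",
             "groupId": group_id}}]})
    return profile["id"]


def bypass_and_wipe(send, device_id, escrow):
    """'How to use Activation Lock bypass', in the order the page requires:
    check supervision, request bypass, copy the code, only then wipe."""
    base = f"/deviceManagement/managedDevices/{device_id}"
    device = send("GET", base + SELECT)
    if not device.get("isSupervised"):
        # Bypass codes exist only for supervised devices; do not proceed.
        raise RuntimeError(f"{device_id} is not supervised; no bypass code available")
    send("POST", base + "/bypassActivationLock")
    code = send("GET", base + SELECT).get("activationLockBypassCode")
    if not code:
        # Wiping now would delete the code from Intune; stop before the wipe.
        raise RuntimeError(f"no bypass code returned for {device_id}; not wiping")
    escrow[device_id] = code  # keep a copy: the code is gone from Intune after the reset
    send("POST", base + "/wipe", {"keepEnrollmentData": False, "keepUserData": False})
    return code


class FakeGraph:
    """Constructed offline stand-in for the Graph endpoints above. It models the
    page's caveat that a wipe removes the bypass code from Intune."""
    def __init__(self, devices):
        self.devices = devices          # id -> record, with a hidden "_code"
        self.calls = []

    def send(self, method, path, body=None):
        clean = path.split("?")[0]
        self.calls.append((method, clean))
        parts = clean.strip("/").split("/")
        if parts[1] == "deviceConfigurations":
            return {} if parts[-1] == "assign" else {**body, "id": "profile-1"}
        dev = self.devices[parts[2]]
        if len(parts) == 3:                       # GET managedDevices/{id}
            return {k: v for k, v in dev.items() if not k.startswith("_")}
        if parts[3] == "bypassActivationLock" and dev["isSupervised"]:
            dev["activationLockBypassCode"] = dev["_code"]
        elif parts[3] == "wipe":
            dev["activationLockBypassCode"] = None
        return {}


def demo():
    """Run both procedures offline against constructed sample devices."""
    fake = FakeGraph({
        "dev-1": {"id": "dev-1", "deviceName": "iPad-Sales-07", "isSupervised": True,
                  "activationLockBypassCode": None, "_code": "CONSTRUCTED-BYPASS-CODE-1"},
        "dev-2": {"id": "dev-2", "deviceName": "BYOD-iPhone", "isSupervised": False,
                  "activationLockBypassCode": None, "_code": None},
    })
    escrow = {}
    profile_id = create_and_assign_profile(fake.send, "iOS - Activation Lock", "group-guid")
    code = bypass_and_wipe(fake.send, "dev-1", escrow)
    try:
        bypass_and_wipe(fake.send, "dev-2", escrow)
    except RuntimeError:
        pass                                      # unsupervised: refused, never wiped
    return profile_id, code, escrow, fake


if __name__ == "__main__":
    print(demo()[:3])
```

To run it for real, replace `fake.send` with `graph_sender(token)`; the `escrow` dictionary stands in for wherever you record the code (a ticket, a password vault) before the wipe request goes out, since the device will prompt for that code, with a blank Apple ID, once it has been reset.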