Disable Activation Lock on Supervised iOS/iPadOS devices with Intune
Microsoft Intune can help you manage iOS/iPadOS Activation Lock, a feature of the Find My iPhone app for iOS/iPadOS 8.0 and later devices. Activation Lock is enabled automatically when a user opens the Find My iPhone app on a device. After it is enabled, the user's Apple ID and password must be entered before anyone can:
- Turn off Find My iPhone
- Erase the device
- Reactivate the device
How Activation Lock affects you
While Activation Lock helps secure iOS/iPadOS devices and improves the chances of recovering a lost or stolen device, this capability can present you, as an IT admin, with a number of challenges. For example:
- A user sets up Activation Lock on a device. The user then leaves the company and returns the device. Without the user's Apple ID and password, there is no way to reactivate the device.
- You need a report of all devices that have Activation Lock enabled.
- You want to reassign some devices to a different department during a device refresh in your organization. You can only reassign devices that do not have Activation Lock enabled.
To help solve these problems, Apple introduced Activation Lock disable in iOS/iPadOS 7.1. Disable Activation Lock lets you remove the Activation Lock from supervised devices without the user's Apple ID and password. Supervised devices can generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server.
Supervised mode for iOS/iPadOS devices lets you use Apple Configurator to lock down a device and limit functionality to specific business purposes. Supervised mode is used only for corporate-owned devices.
You can read more about Activation Lock on Apple's web site.
How Intune helps you manage Activation Lock
Intune can request the Activation Lock status of supervised devices that run iOS/iPadOS 8.0 and later. For supervised devices only, Intune can retrieve the Disable Activation Lock code and directly issue it to the device. If the device has been wiped, you can directly access the device by using a blank user name and the code as the password.
The business benefits of using Intune to manage Activation Lock are:
- The user gets the security benefits of the Find My iPhone app.
- You can enable users to do their work and know that when a device needs to be repurposed, you can retire or unlock it.
Before you start
Before you can disable Activation Lock on devices, you must enable it by following these instructions:
- Configure an Intune device restriction profile for iOS/iPadOS using the information in How to configure device restriction settings.
- In the device restriction settings for iOS, under the General settings, enable the option Activation Lock.
- Save the profile, and then assign it to the devices on which you want to manage Disable Activation Lock.
How to use Disable Activation Lock
The Intune Disable Activation Lock remote device action removes the Activation Lock from an iOS/iPadOS device without requiring the user's Apple ID and password. The lock is not gone for good: as soon as the Find My iPhone app is started on the device again, a new Activation Lock is applied automatically. For that reason, disable the Activation Lock only when you have physical possession of the device.
Sign in to the Microsoft Endpoint Manager Admin Center.
On the Intune blade, select Devices.
On the Devices blade, select All devices.
In the list of devices that you manage, select the device, and then select the Disable Activation Lock remote device action.
Go to the device's “Hardware” section, and then copy the Activation Lock bypass code value under Conditional Access.
Copy the bypass code before you wipe the device. If you reset the device settings before you copy the code, the code is removed from Azure.
Go to the Overview blade for the device, and then select Wipe.
After the device is reset, you are prompted for the Apple ID and password. Leave the ID field blank, and then enter the bypass code for the password. This removes the account from the device.
You can examine the status of the unlock request on the details page for the device in the Manage devices workload.
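The same sequence scripted through Microsoft Graph, as an added example that is not part of this article: it reads the bypass code first and refuses to wipe unless one is present, so the code cannot be lost to the wipe described above. It assumes the managedDevice `activationLockBypassCode` and `isSupervised` properties, the `bypassActivationLock` and `wipe` actions, and an access token holding `DeviceManagementManagedDevices.PrivilegedOperations.All`; the device ID and token are supplied by the caller.

```python
"""Added example (not from the Intune docs): automate the Disable Activation
Lock procedure with Microsoft Graph, saving the bypass code before the wipe.
Assumptions: v1.0 managedDevice endpoints named below; token with
DeviceManagementManagedDevices.PrivilegedOperations.All."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"


def graph_call(token, method, url, body=None):
    """Minimal Graph transport: returns the parsed JSON body ({} on 204 No Content)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def disable_activation_lock_and_wipe(device_id, token, call=graph_call):
    """Mirror the portal steps: read the bypass code, stop if there is none,
    issue Disable Activation Lock, then wipe. Returns the code so the caller
    can record it; after the wipe the service no longer holds it."""
    dev = call(token, "GET",
               f"{GRAPH}/{device_id}?$select=id,deviceName,isSupervised,activationLockBypassCode")
    if not dev.get("isSupervised"):
        raise RuntimeError(f"{device_id}: not supervised; Activation Lock cannot be bypassed")
    code = dev.get("activationLockBypassCode")
    if not code:
        raise RuntimeError(f"{device_id}: no bypass code reported; do not wipe yet")
    # The Disable Activation Lock remote action (no request body).
    call(token, "POST", f"{GRAPH}/{device_id}/bypassActivationLock")
    # Wipe only once the code is in hand; an empty body requests a full wipe.
    call(token, "POST", f"{GRAPH}/{device_id}/wipe", body={})
    return {"deviceName": dev.get("deviceName"), "bypassCode": code}
```

At the Apple ID prompt after the reset, leave the ID blank and enter the returned bypass code as the password, exactly as in the manual procedure.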