Activation Lock is a security feature for devices running iOS 7 and higher that uses Apple's Find My iPhone functionality. This feature makes it difficult for unauthorized persons to use a lost or stolen device.

When Activation Lock is enabled, an end user's Apple ID and password are required to unlock a device even if the device is wiped or factory reset, including through DFU mode. For more information about Activation Lock as an iOS feature, read the Apple Support article Find My iPhone Activation Lock.

Prerequisites

To use the Activation Lock feature, devices must have the following:

  • A valid Apple ID and password assigned
  • Find My iPhone enabled

Activation Lock for Unsupervised vs. Supervised Devices

The extent to which you can manage devices with Activation Lock depends on whether the devices are supervised or unsupervised. The following table outlines the differences:

Unsupervised:

  • End user must enable Find My iPhone setting.
  • Administrator can view whether Activation Lock is enabled on a particular device.
  • Administrator must accept a notification when performing a device wipe command, which warns that a device with Activation Lock enabled cannot be reactivated without the original Apple ID and password*.

Supervised:

  • Administrator can enable Activation Lock. This will automatically activate the Find My iPhone setting.
  • Administrator can view whether Activation Lock is enabled on a particular device.
  • Administrator can clear the Activation Lock using one of three methods.

* To learn how to remove a previous owner's Apple ID in order to reactivate a device, read the Apple Support article Find My iPhone Activation Lock.

Enable Activation Lock for iOS Devices

For supervised devices running iOS 7 and higher, you can configure Activation Lock and force it to be enabled.

Procedure

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS > Managed Settings.

  2. Select the Activation Lock setting.

  3. Select Save.

Viewing Activation Lock Status

For both unsupervised and supervised devices running iOS 7 and higher, you can view whether Activation Lock is enabled on the device.

Procedure

  1. Navigate to Devices > List View.

  2. Select an iOS device.

Under the Security section, you can see whether Activation Lock is activated or deactivated.

Clear Activation Lock on iOS Devices

For supervised devices running iOS 7 and later, you can clear the Activation Lock using one of three methods.

Procedure

  1. Use the Clear Activation Lock command.

  2. Enter an Activation Lock Bypass Code directly onto the device.

  3. Perform a Device Wipe Command and select an option to clear the Activation Lock.

Use the Clear Activation Lock Command

Using the Clear Activation Lock command you can clear the Activation Lock on a device without performing a device wipe. This command is useful if you know the whereabouts of the device and do not want to wipe its contents completely to clear the lock.

This command also works if the device is unenrolled from Workspace ONE UEM MDM.

  1. Navigate to Devices > List View.

  2. Select an iOS device.

  3. The Device Details page displays. Select the More drop-down to see a list of available remote commands.

  4. Select Clear Activation Lock.

  5. Select Deactivate.

Enter an Activation Lock Bypass Code

Entering an Activation Lock Bypass Code can be useful if the device has been unenrolled from Workspace ONE UEM MDM and you have no means by which to perform a Clear Activation Lock command or device wipe.

  1. Navigate to Devices > List View.

  2. Select an iOS device. The Device Details page displays.

  3. Select the More drop-down to see a list of available remote commands.

  4. Select Clear Activation Lock. The Activation Lock Bypass Code displays on the screen.

Reactivate the device once factory wiped using MDM. When you reach the Activate iPhone pane in the Setup Assistant, enter the bypass code as the Activation Lock password and leave the Apple ID text box empty.

Perform a Device Wipe Command

When performing a device wipe command, you also have the option of clearing the Activation Lock on a device.

  1. Navigate to Devices > List View.

  2. Select an iOS device. The Device Details page displays.

  3. Select the More drop-down to see a list of available remote commands.

  4. Select Device Wipe. The Device Wipe page displays.

  5. Select Clear Activation Lock. Enter your Security PIN, and the device is wiped.

Activation Lock - Wipe Command Workflow Matrix

The following matrix shows the workflow to check the activation lock bypass code before issuing the wipe command from the UEM console to the device. The bypass code check can be initiated from the Device List View page or the Device Details page.

Activation Lock Bypass Code Workflow, by command and by the page the command is issued from:

Device Wipe, from the Device List View

Not applicable.

Device Wipe, from the Device Details page

  1. Sends query to the device for fetching the activation lock bypass code.

  2. Device marked as Device Wipe Initiated in the UEM console.

  3. If the wipe protection is turned off on the device, the device responds with the bypass code to the UEM console.

  4. The UEM console sends the device wipe command to the device.

  5. Device responds with the successful wipe message to the UEM console.

  6. Device is marked as Unenrolled in the UEM console.

Enterprise Wipe, from the Device List View

  1. Sends query to the device for fetching the activation lock bypass code.

  2. Device is marked as Enterprise Wipe Initiated in the UEM console.

  3. If the wipe protection is turned off on the device, the device responds with the bypass code to the UEM console.

  4. The UEM console sends the enterprise wipe command to the device.

  5. Device responds with the successful wipe message to the UEM console.

  6. Device marked as Unenrolled in the UEM console.

Enterprise Wipe, from the Device Details page

  1. Sends query to the device for fetching the activation lock bypass code.

  2. Device marked as Enterprise Wipe Initiated in the UEM console.

  3. If the wipe protection is turned off on the device, the device responds with the bypass code to the UEM console.

  4. The UEM console sends the enterprise wipe command to the device.

  5. Device responds with the successful wipe message to the UEM console.

  6. Device marked as Unenrolled in the UEM console.
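
The exchange in the matrix above, modeled as an added example (not Workspace ONE UEM code): a console-side sketch that queries for the bypass code and stores it before the wipe is sent. The class names, the constructed bypass code and the `require_code` hold are assumptions of this sketch; the page does not say what the console does when no code is returned.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FakeDevice:
    """Constructed stand-in for a supervised iOS device (not a real MDM client)."""
    serial: str
    wipe_protection: bool  # the page's term; when off, the device returns the code
    bypass_code: str = "CONSTRUCTED-BYPASS-CODE"

    def query_bypass_code(self) -> Optional[str]:
        return None if self.wipe_protection else self.bypass_code

    def wipe(self, kind: str) -> str:
        return f"{kind} successful"

@dataclass
class Console:
    """Hypothetical console-side model of the workflow matrix."""
    status: dict = field(default_factory=dict)
    escrow: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def run_wipe(self, dev, kind="Device Wipe", require_code=True):
        # Step 1: query the device for the bypass code and mark it initiated.
        self.log.append(f"console -> device: query bypass code ({dev.serial})")
        self.status[dev.serial] = f"{kind} Initiated"
        code = dev.query_bypass_code()
        # Step 2: store the code before anything destructive is sent.
        # The code itself is kept out of the log; it unlocks the device.
        if code is not None:
            self.escrow[dev.serial] = code
            self.log.append("device -> console: bypass code")
        elif require_code:
            # Assumption of this sketch: hold the wipe when no code came back.
            self.log.append("console: no bypass code, wipe held")
            return self.status[dev.serial]
        # Steps 3-4: send the wipe, then mark the device unenrolled on success.
        self.log.append(f"console -> device: {kind}")
        self.log.append(f"device -> console: {dev.wipe(kind)}")
        self.status[dev.serial] = "Unenrolled"
        return self.status[dev.serial]

if __name__ == "__main__":
    console = Console()
    print(console.run_wipe(FakeDevice("SERIAL-A", wipe_protection=False)))
    print("\n".join(console.log))
```

The ordering is the point: once the wipe succeeds the device is unenrolled, so a bypass code that was not stored beforehand can no longer be requested from it.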