Using an Activation Lock bypass code from Jamf Pro to clear Activation Lock on a Mac

As part of macOS Catalina, Apple introduced Activation Lock for Macs. As on iOS, Activation Lock is an anti-theft feature designed to prevent activation of a Mac if it’s lost or stolen.

Activation Lock on Macs has some requirements in order to work:

  • The Mac must run macOS Catalina or later.
  • The Mac must use the Apple T2 Security chip.
  • Two-factor authentication must be enabled on the Apple ID used to enable Activation Lock.
  • Secure Boot must be enabled with Full Security settings and Disallow booting from external media selected.

Once these requirements are satisfied, Activation Lock is automatically enabled when Apple’s Find My service is enabled.

However, having Activation Lock turn on when Find My is enabled can lead to situations where it’s enabled by an employee on company-owned equipment. When this happens, companies, schools or institutions need a way to bypass Activation Lock without needing to know anything about the Apple ID used by the employee.

To provide this bypass, Apple has made it possible for companies, schools and institutions to use their MDM solution to clear Activation Lock.

In order to clear Activation Lock using an MDM, the Mac in question needs to be supervised, which has the following requirements. The Mac must:

If a Mac is supervised and managed via Jamf Pro 10.20.0 or later, an Activation Lock bypass code is automatically generated and stored as part of the computer’s inventory. It’s available in the computer’s inventory listing, under the Management section.
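To find Macs where Activation Lock was turned on and confirm they are still under management, the output of two standard macOS commands can be classified as below. This is an added example, not code from the original post; the function names and result labels are hypothetical, and the sample text is constructed.

```shell
#!/bin/sh
# Added example: classify a Mac from the text of two macOS commands.
# On a real Mac the inputs would come from:
#   system_profiler SPHardwareDataType
#   profiles status -type enrollment
# The SAMPLE_* strings are constructed, not captured from a real machine.

SAMPLE_HW='Hardware:
    Hardware Overview:
      Model Name: MacBook Pro
      Activation Lock Status: Enabled'

SAMPLE_ENROLL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

# Print the value of the "Activation Lock Status" line, or "Unknown"
# when the hardware report does not contain that line.
activation_lock_status() {
    status=$(printf '%s\n' "$1" |
        awk -F': *' '/Activation Lock Status/ {print $2; exit}')
    printf '%s\n' "${status:-Unknown}"
}

# Print "yes" if the enrollment report shows MDM enrollment, else "no".
mdm_enrolled() {
    if printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; then
        echo yes
    else
        echo no
    fi
}

# Combine both reports into one label (hypothetical labels):
#   locked-managed   -> look for the bypass code in the MDM inventory
#   locked-unmanaged -> Activation Lock is on but the Mac is not enrolled
classify() {
    lock=$(activation_lock_status "$1")
    mdm=$(mdm_enrolled "$2")
    case "$lock:$mdm" in
        Enabled:yes) echo "locked-managed" ;;
        Enabled:no)  echo "locked-unmanaged" ;;
        Disabled:*)  echo "not-locked" ;;
        *)           echo "unknown" ;;
    esac
}

classify "$SAMPLE_HW" "$SAMPLE_ENROLL"
```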

Note: This Activation Lock bypass code capability is not exclusive to Jamf Pro; it’s available to all MDM solutions. If your MDM solution does not yet support it, ask your vendor to add this support.

To use the Activation Lock bypass code, please use the following procedure:

1. Get the bypass code from Jamf Pro.

2. Boot to macOS Recovery or Internet Recovery.
3. Make sure your Mac is able to communicate with the Internet and the required Apple services.
4. At the Activation Lock screen, go to the Recovery Assistant menu and select Activate with MDM key…
5. Enter the bypass code and click the Next button.

Once the bypass code has been accepted, the Mac should clear the activation lock and activate.

To illustrate, I’ve made a video showing the described process.

  1. Craig Chambers
    June 22, 2020 at 5:35 pm

    Question about enabling activation lock. When you say “Two-factor authentication must be enabled on the Apple ID used for enable Activation Lock” does that mean if we want all computers to have this enabled we need to manually enable FindMy on the Macs (either by telling the user to do it or doing it ourselves before deploying to the user)? Is there a way to enable via Jamf agent or MDM? Once it’s enabled, do we have to go into the Apple ID account to lock the device, or can that be done through a Mac Management tool or MDM?

  2. Andreas Ley
    July 29, 2020 at 6:36 pm

    Another very helpful article. I think this blog has saved my sanity several times already. Thank you very much!

  3. K S.
    April 9, 2021 at 7:58 pm

    Hi,

    When using Jamf Casper we are successfully getting the bypass code after enrollment and allowing the user to enable activation lock. However after all above criteria are met we never get the sub-menu to “activate with MDM key..” Why is this?? We have replicated this bug/problem on a T2 Intel Mac with both 10.15.7 and Big Sur 11.2.3 as well as an M1 Mac with 11.2.3…the issue with M1 Macs is there IS NO T2 chip. I can’t find a single Apple kBase article with update info concerning this process and M1…so is Activation Lock Bypass useless with an M1 machine??

    • K S
      April 11, 2021 at 12:14 am

      You have to choose to erase the M1 Mac first and then upon reboot you have to connect to a network first for it to “check-in” and trigger activation lock. ONLY THEN, is there the “unlock with MDM Key..” sub menu…this did not happen at all on Catalina with T2 and Intel.” 🤔

  4. K S
    April 12, 2021 at 1:42 pm

    Your article is incorrect. You have to boot to local Recovery THEN ERASE the Mac….the option to “Activate with MDM Key..” ONLY shows up in the menu AFTER the Mac has been erased via Recovery. Then it will auto re-boot, THEN you have to use internet recovery. Once it loads internet recovery you have the option…how could you leave out this important step?? This is the same for Big Sur OR Catalina…Intel or M1.
