Using an Activation Lock bypass code from Jamf Pro to clear Activation Lock on a Mac
As part of macOS Catalina, Apple introduced Activation Lock for Macs. As on iOS, Activation Lock is an anti-theft feature designed to prevent activation of a Mac if it’s lost or stolen.
Activation Lock on Macs has some requirements in order for it to work. The Mac must:
- Run macOS Catalina or later
- Have the Apple T2 Security Chip
- Have two-factor authentication enabled on the Apple ID used to enable Activation Lock
- Have Secure Boot set to Full Security, with Disallow booting from external media selected
Once these requirements are satisfied, Activation Lock is automatically enabled when Apple’s Find My service is enabled.
However, having Activation Lock turn on when Find My is enabled can lead to situations where it’s enabled by an employee on company-owned equipment. When this happens, companies, schools or institutions need a way to bypass Activation Lock without needing to know anything about the Apple ID used by the employee.
To provide this bypass, Apple has made it possible for companies, schools and institutions to use their MDM solution to clear Activation Lock. For more details, please see below the jump:
In order to clear Activation Lock using an MDM, the Mac in question needs to be supervised, which has the following requirements. The Mac must:
- Run macOS Catalina or later
- Be enrolled with an MDM
- Have been enrolled through Apple’s Automated Device Enrollment service via Apple Business Manager or Apple School Manager
If a Mac is supervised and managed via Jamf Pro 10.20.0 or later, an Activation Lock bypass code is automatically generated and stored as part of the computer’s inventory. It’s available in the computer’s inventory listing, under the Management section.
Note: This Activation Lock bypass code capability is not exclusive to Jamf Pro; it’s available to all MDM solutions. If your MDM solution does not yet support it, ask your vendor to add this support.
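As an added example (not from the original post, Apple or Jamf Pro), here is a POSIX shell pre-flight script that checks the two requirement lists above on a Mac before you rely on the bypass code. It parses the output of real macOS tools (sw_vers, system_profiler, profiles and uname); the exact line text it matches on is an assumption, so adjust the patterns if your macOS release prints them differently. It also treats Apple silicon (arm64) as satisfying the chip requirement, which goes beyond the T2-only wording above. The Apple ID two-factor setting and the Secure Boot policy are not checked, since neither is visible to a local script. On anything other than macOS it runs against constructed sample output so the logic can be exercised offline.

```shell
#!/bin/sh
# Added pre-flight check for the Activation Lock requirements listed above.
# Example code, not part of the original post or of Jamf Pro itself.
# The line formats matched below are an assumption about the real tools' output.

# 0 if the version string ("10.15.7", "11.2.3", "13.4") is Catalina or later.
macos_is_catalina_or_later() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }
}

# 0 if `system_profiler SPHardwareDataType` output reports Activation Lock enabled.
activation_lock_enabled() {
    printf '%s\n' "$1" | grep -q 'Activation Lock Status: Enabled'
}

# 0 if the Mac has a T2 chip ($1 = `system_profiler SPiBridgeDataType` output)
# or is Apple silicon ($2 = `uname -m`). The post lists only the T2; Apple
# silicon Macs meet the same requirement (assumption beyond the post's wording).
has_activation_lock_hardware() {
    [ "$2" = "arm64" ] || printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'
}

# 0 if `profiles status -type enrollment` output shows Automated Device
# Enrollment (printed as DEP) plus an active MDM enrollment, i.e. supervised.
supervised_via_ade() {
    printf '%s\n' "$1" | grep -q 'Enrolled via DEP: Yes' &&
        printf '%s\n' "$1" | grep -q 'MDM enrollment: Yes'
}

# Print one PASS/FAIL/INFO line per requirement; return 0 only when all pass.
preflight() {
    ver=$1; hw=$2; ibridge=$3; arch=$4; enrollment=$5; status=0
    if macos_is_catalina_or_later "$ver"; then echo "PASS  macOS $ver"
    else echo "FAIL  macOS $ver is older than Catalina"; status=1; fi
    if has_activation_lock_hardware "$ibridge" "$arch"; then echo "PASS  T2 chip or Apple silicon present"
    else echo "FAIL  no T2 chip or Apple silicon, so Activation Lock is not available"; status=1; fi
    if supervised_via_ade "$enrollment"; then echo "PASS  supervised via Automated Device Enrollment"
    else echo "FAIL  not supervised, so the MDM cannot clear Activation Lock"; status=1; fi
    if activation_lock_enabled "$hw"; then echo "INFO  Activation Lock is currently enabled; keep the bypass code on file"
    else echo "INFO  Activation Lock is currently disabled"; fi
    return $status
}

# Constructed sample outputs (not captured from a real machine) for an offline dry run.
SAMPLE_HW='Hardware:
    Hardware Overview:
      Model Name: MacBook Pro
      Activation Lock Status: Enabled'
SAMPLE_IBRIDGE='Controller:
    Apple T2 Security Chip:
      Model Name: Apple T2 Security Chip'
SAMPLE_ENROLLMENT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

if [ "$(uname -s)" = "Darwin" ]; then
    preflight "$(sw_vers -productVersion)" \
              "$(system_profiler SPHardwareDataType)" \
              "$(system_profiler SPiBridgeDataType)" \
              "$(uname -m)" \
              "$(profiles status -type enrollment)"
else
    preflight "10.15.7" "$SAMPLE_HW" "$SAMPLE_IBRIDGE" "x86_64" "$SAMPLE_ENROLLMENT"
fi
```

Run it on the Mac before handing it to a user, or before sending someone to Recovery with a bypass code: a FAIL on the supervision line means Jamf Pro will not have generated a code for that computer in the first place.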
To use the Activation Lock bypass code, please use the following procedure:
1. Get the bypass code from the computer’s inventory record in Jamf Pro.
2. Boot to macOS Recovery or Internet Recovery.
3. Make sure your Mac is able to communicate with the Internet and the required Apple services.
4. At the Activation Lock screen, go to the Recovery Assistant menu and select Activate with MDM key…
5. Enter the bypass code and click the Next button.
Once the bypass code has been accepted, the Mac should clear Activation Lock and activate.
To illustrate, I’ve made a video showing the described process.
Question about enabling Activation Lock. When you say “Two-factor authentication must be enabled on the Apple ID used for enable Activation Lock”, does that mean if we want all computers to have this enabled we need to manually enable Find My on the Macs (either by telling the user to do it or doing it ourselves before deploying to the user)? Is there a way to enable it via the Jamf agent or MDM? Once it’s enabled, do we have to go into the Apple ID account to lock the device, or can that be done through a Mac management tool or MDM?
Another very helpful article. I think this blog has saved my sanity several times already. Thank you very much!
When trying to bypass Activation Lock on Big Sur, I do not see the menu item “Activate with MDM Key”. (My System Report/Hardware Overview showed Activation Lock Status is Enabled.)
Have you tested this process on Big Sur, running “Recovery Assistant version 1.0 (132)”?
hi,
When using Jamf Casper we are successfully getting the bypass code after enrollment and allowing the user to enable Activation Lock. However, after all of the above criteria are met, we never get the sub-menu to “activate with MDM key..” Why is this?? We have replicated this bug/problem on a T2 Intel Mac with both 10.15.7 and Big Sur 11.2.3 as well as an M1 Mac with 11.2.3…the issue with M1 Macs is there IS NO T2 chip. I can’t find a single Apple KBase article with updated info concerning this process and M1…so is Activation Lock Bypass useless with an M1 machine??
You have to choose to erase the M1 Mac first and then, upon reboot, you have to connect to a network first for it to “check in” and trigger Activation Lock. ONLY THEN is there the “unlock with MDM Key..” sub-menu…this did not happen at all on Catalina with T2 and Intel. 🤔
Your article is incorrect. You have to boot to local Recovery, THEN ERASE the Mac. The option to “Activate with MDM Key..” ONLY shows up in the menu AFTER the Mac has been erased via Recovery. Then it will auto-reboot, THEN you have to use Internet Recovery. Once it loads Internet Recovery you have the option…how could you leave out this important step?? This is the same for Big Sur OR Catalina, Intel or M1.