IBM Security MaaS360


macOS Activation Lock Bypass

By Hemanth Raju posted 12 days ago


Co-author - @Shameem Akhtar

Introduction:

Activation Lock lets the owner of a Mac prevent others from using it if it is lost or stolen. It is enabled by signing in to the Mac with an Apple ID and turning on Find My; Apple's article describes the feature: https://support.apple.com/en-in/102541# . To turn it off, disable Find My or sign out of the Apple ID altogether.

Activation Lock & MDM:

For device or MDM administrators this feature poses a problem when the employee or user of a corporate Mac enables Find My with a personal Apple ID and does not turn it off before leaving the company or returning the Mac. The admin would then need that employee's Apple ID credentials to turn it off, and the employee may be unwilling or unavailable to provide them.

Using MDM capabilities, the MDM admin can retrieve a key from an MDM-enrolled device that bypasses the user's Activation Lock on the Mac without the user having to sign out of their Apple ID.

Requirements:

To turn on Activation Lock –

  • Mac must have an Apple Silicon chip or an Apple T2 Security Chip,
  • Secure Boot enabled in its default setting, Full Security, with 'Disallow booting from external media' selected under the External Boot section,
  • Two-factor authentication enabled for the user's Apple ID,
  • macOS version must be Catalina or later.

For MDM to be able to bypass Activation Lock –

  • Device must satisfy the above requirements,
  • Mac has to be supervised.
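As an added example that is not part of the original post or of MaaS360, the script below checks the prerequisites listed above on a Mac before an admin relies on the MDM bypass. It assumes the standard macOS tools and the output strings noted in the comments, and that from macOS 11 on a user-approved MDM enrollment counts as supervised; the Secure Boot setting and the Apple ID two-factor status are not checked, because those tools do not report them.

```shell
#!/bin/bash
# Added example (not MaaS360 code): checks the prerequisites listed above.
# Assumed tool output formats: `uname -m` prints arm64 on Apple Silicon,
# `system_profiler SPiBridgeDataType` mentions "Apple T2 Security Chip" on
# T2 Macs, and `profiles status -type enrollment` prints lines such as
# "Enrolled via DEP: Yes" / "MDM enrollment: Yes (User Approved)".
# Secure Boot setting and Apple ID two-factor status are not checked here.

# 0 if the macOS version string ($1) is 10.15 (Catalina) or later.
version_ok() {
  local major minor
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%.*}
  [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }
}

# 0 if the Mac is Apple Silicon ($1 = uname -m) or has a T2 chip
# ($2 = system_profiler SPiBridgeDataType output).
chip_ok() {
  [ "$1" = "arm64" ] && return 0
  printf '%s' "$2" | grep -q 'Apple T2 Security Chip'
}

# 0 if the enrollment report ($1) shows a supervised Mac. Automated Device
# Enrollment (DEP) is always supervised; assumption: from macOS 11 on, a
# user-approved MDM enrollment is supervised as well ($2 = macOS version).
supervised_ok() {
  printf '%s' "$1" | grep -q 'Enrolled via DEP: Yes' && return 0
  [ "${2%%.*}" -ge 11 ] &&
    printf '%s' "$1" | grep -q 'MDM enrollment: Yes (User Approved)'
}

# Combines the checks; prints the first failing requirement and returns 1.
# $1 arch, $2 bridge-chip report, $3 macOS version, $4 enrollment report.
eligible() {
  chip_ok "$1" "$2"       || { echo "FAIL: needs Apple Silicon or T2 chip"; return 1; }
  version_ok "$3"         || { echo "FAIL: needs macOS 10.15 or later"; return 1; }
  supervised_ok "$4" "$3" || { echo "FAIL: Mac is not supervised"; return 1; }
  echo "OK: Mac meets the MDM Activation Lock bypass requirements"
}

# Gathers the live values on the Mac being checked and runs the checks.
check_this_mac() {
  eligible "$(uname -m)" "$(system_profiler SPiBridgeDataType 2>/dev/null)" \
           "$(sw_vers -productVersion)" "$(profiles status -type enrollment 2>/dev/null)"
}

if [ "$(uname -s)" = "Darwin" ]; then check_this_mac; fi
```

Run it in Terminal on the Mac in question; the functions take their inputs as arguments, so the checks can also be exercised with constructed values on any POSIX shell.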

Workflow:

Flowchart legend -
* https://support.apple.com/guide/findmy-mac/activation-lock-and-find-my-on-mac-fmm2dd428a48/mac & https://support.apple.com/en-us/HT208987
** https://support.apple.com/en-us/HT202804
*** https://support.apple.com/en-in/guide/mdm/apd593fdd1c9/web

Workflow steps on the MaaS360 admin portal –

  • Once an eligible device is enrolled in MaaS360 MDM, navigate to Devices > your enrolled Mac,
  • Click More > Clear Activation Lock,
  • Here you can take one of two actions –
    • Copy the code to bypass Activation Lock: a string of characters retrieved from the device via MDM. The admin can enter this string while recovering the Mac: in macOS Recovery, choose Recovery Assistant > Activate with MDM Key.
    • Alternatively, click 'Continue' to clear the Activation Lock on the device. The action returns Success or Failed; on Success the Mac can be restored without the previously signed-in user's Apple ID. If it fails with 'Device not found', this usually means Find My is off or the action or code was already used to recover the Mac.
  • The 'Clear Activation Lock' option is also available when you take the Device Wipe action; in this case the Clear Activation Lock action is triggered along with the wipe.

Use Cases:

Note to Administrators -

  • Make sure the device is supervised before the user turns on Find My.
  • Not all recovery methods show an option to enter the MDM key; in that case use the portal action.
  • If the Mac has multiple users or multiple partitions, Activation Lock is turned on only for the first person who sets up Find My. That person's Apple ID and password are required to turn off Find My, sign out, or remotely erase the device.
  • If the 'Clear Activation Lock' action fails with 'Device not found', it usually means Find My is off or the action or code was already used to recover the Mac.
  • Make sure the Mac to be recovered is connected to a network that allows all network traffic from Apple.