Activation Locked iPads

SOLVED
vassallon
Kind of a big deal

Activation Locked iPads

I was just curious if anyone else out there is seeing a rash of activation locked iPads starting this week. I have open tickets with both Apple and Meraki on this issue but it appears that when an iPad is reset either on the device or through the MDM, it is being locked to the DEP/ASM account that we have tied into Meraki.

 

I can clear the activation lock just fine through Meraki, however in a school district this is adding a huge new step in the process which is quite the hassle. Instead of just resetting an iPad and giving it to the next student, I need to be notified to clear the activation lock which is delaying the process and causing headaches with in the schools.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
1 ACCEPTED SOLUTION
Kevin_C
Meraki Employee
Meraki Employee

Hi @vassallon,

 

A couple of updates since the Activation Lock feature update was initially released. 

 

  1. There is a new Privacy and Lock payload that you can deploy. If "Allow activation lock" is unchecked/disabled (default is enabled), this payload will enforce the following behavior on newly-enrolled supervised devices:
    • Prevent SM from enabling cloud-based Apple School Manager/Apple Business Manager cloud-based Activation Lock
    • If personal iCloud accounts are allowed on devices, the ability to enable device-based Activation Lock with Find My iPhone is disabled2019-02-26_0956.png

       

  2. When sending an Erase Device command from the Dashboard, you may select "Attempt to disable activation lock..." SM will try to bypass Activation Lock using the last known codes for the device before issuing a device wipe command.2019-02-26_1002.png

     

View solution in original post

35 REPLIES 35
vassallon
Kind of a big deal

It's also interesting that Meraki announced this new "feature" right as this all popped up too.

 

New Dashboard Features

 
Activation Lock Cloud Bypass Enabled February 12, 2019

Activation lock cloud bypass is now enabled on supervised Apple devices enrolled via DEP. When activation lock is activated, Systems Manager attempts to store the latest device activation lock bypass code (stored locally on the device) and cloud activation lock bypass code (stored in Apple's cloud) for each device.

To see both codes, go to MDM Commands > Mobile Security on the details page of a target device and click on Show bypass code.

If you click Disable activation lock, Systems Manager will attempt to disable the device's activation lock using both of the available codes. If either works, the Dashboard will display "Activation lock disabled!" If the command fails to execute with both of the saved codes, the Dashboard will show alerts and errors received for each individual code.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
vassallon
Kind of a big deal

The issue is almost like this feature that I asked about got implemented without any way to control it within in Meraki.

 

https://community.meraki.com/t5/Endpoint-Management-Systems/Device-Based-Activation-Locks/m-p/21893

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@vassallon so this is all your fault for requesting something new? 😛

@EncinitasMatt Most likely it is my fault, but you would think that Meraki would give us some control over how it functions.

 

 

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
EncinitasMatt
Here to help

We are a school district with the same issue.  After dealing with Apple and Meraki support for hours yesterday we got a short reply from Meraki:

 

This was brought to our attention yesterday and there was a new feature that was activated from our end.
Hence this is expected behavior when a device is reset.

 

I agree it seems to be a new "feature" that was implemented with no way to turn it off.  It is a hassle now, but will be a nightmare in summer when we wipe all the iPads.

@EncinitasMatt Okay good to know I'm not going crazy and it's something only affecting us here.  I appreciate that they have added it but without some level of control and how it is applied it's a worthless headache of a feature.

 

Yeah a summer reset will be brutal if we have to go through and clear activation locks on all iPads for no good reason.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
JamesG1
Here to help

This has been a headache since last week and we have been going back and forth with Apple trying to get to the bottom of it. 

 

We have 9000+ iPads. This change does not make for happy redeployments. Hopefully it will be rolled back.

 

James

Kevin_C
Meraki Employee
Meraki Employee

Hi @vassallon,

 

A couple of updates since the Activation Lock feature update was initially released. 

 

  1. There is a new Privacy and Lock payload that you can deploy. If "Allow activation lock" is unchecked/disabled (default is enabled), this payload will enforce the following behavior on newly-enrolled supervised devices:
    • Prevent SM from enabling cloud-based Apple School Manager/Apple Business Manager cloud-based Activation Lock
    • If personal iCloud accounts are allowed on devices, the ability to enable device-based Activation Lock with Find My iPhone is disabled2019-02-26_0956.png

       

  2. When sending an Erase Device command from the Dashboard, you may select "Attempt to disable activation lock..." SM will try to bypass Activation Lock using the last known codes for the device before issuing a device wipe command.2019-02-26_1002.png

     

vassallon
Kind of a big deal

@Kevin_C So to make sure I understand correctly, if I uncheck the box then this annoying new "feature" of iPads being locked to the district DEP account will go away on a reset and students will no longer be able to activation lock iPads when logging in?

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@vassallon  Unchecking the box will make the Activation Lock prompt go away only if the device was already scoped to the profile at the time of initial activation/enrollment.  

 

For currently enrolled devices (which are presumably currently Activation Locked), you will need to either:

 

  • Send a wipe command from the SM Dashboard using the "Attempt to disable activation lock..." flag2019-02-26_1002.png

     

  • Disable activation lock using the available command under MDM Commands > Mobile Security on the Device Details page before wiping the device2019-02-26_1637.png

     

After devices are re-enrolled, SM will not try to activation lock again if the device is scoped to a profile where "Allow Activation Lock" is unchecked.

beks88
A model citizen

What's the default behavior, when no privacy payload is configured?

Kevin_C
Meraki Employee
Meraki Employee

The default behavior is to automatically enable ABM/ASM Activation Lock

Mark24
Getting noticed

@Kevin_C  is there a way to control which ABM/ASM Account is used for the Activation Lock ? How does it determine which account to use ?

alexis_cazalaa
Building a reputation

So just to recap : before this ASM/ABM cloud based activation lock was brutally implemented, device based activation lock was possible, but now we HAVE to disable both in order to get rid of this "new feature" right ?

 

Also, use case : i work in a school, we will have to "unenroll" 300+ iPads ( without erasing them ) how will i be able to mass "disable activation lock", ?  

@alexis_cazalaa In my understand, that is correct. Before we could have user based device activation locks, now if we want that functionality we end up with the ASM/ABM cloud based activation lock after the other lock is cleared. 

 

In addition, once we uncheck the box for Allow activation lock, it only removes it from future locking and does not remove the activation lock that was already put into place. The only way to clear that lock is to remove it from each device by hand through Meraki or work with Apple to clear then en masse.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@vassallon I just created a ticket, will post updates..

This is crazy!

 

Our reference case is 03882231.

Thank you to @JamesG1 for telling me about the Python script and sending it my way. 

 

Please if you are having issues with activation locks, reach out to Meraki support. They can send you a script and enable the ability to use it to clear activation locks en masse for your iPads.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

from what i understand, if the device is DEP, user based activation is overriden...
so if you need to bypass/clear DEP activation lock, you will also clear the user personal icloud's activation lock ( find my device ).

also means if it's stolen you're screwed, no more protection against it....

 

@Kevin_C  can you confirm please ?

@alexis_cazalaa

  1. Thank you for pointing out the column sorting issue. A fix was deployed to address this, can you confirm?
  2. With regards to the command failing, is it also failing when selecting only one device (vs. multiples)? In any event, I would suggest opening a support case so that we can triage this effectively.
  3. That is correct, the Activation Lock bypass command attempts to clear the Activation Lock status using all known codes, whether that be user-initiated iCloud or ABM/ASM-enabled.  But the lock status is type-agnostic.  You cannot "clear" Activation Lock for one type while leaving the other enabled. 

    We are considering allowing admins to configure supervised DEP devices to allow user-initiated iCloud activation lock without necessarily enabling ABM activation lock, but this is not a recommended configuration. The ABM/ASM activation lock is far more reliably managed than the personal iCloud activation lock.  There is not a reliable way to ensure that the activation lock bypass code received for a user-initiated iCloud activation lock is 100% accurate.  Also with ABM/ASM activation lock, in the unlikely event that the bypass code does not work, the ABM/ASM account is a known admin account, providing administrators with a reliable bypass alternative if the device is wiped. 
alexis_cazalaa
Building a reputation

1) yes it is, thank you

2) it did and i opened a ticket but since an hour or two it now shows success. It seems that success/failure status is only about sending the command, not if it worked or not.. 

That is correct. Check out the note at the bottom of the Activation Lock KB article: https://documentation.meraki.com/SM/Monitoring_and_Reporting/Activation_Lock_for_iOS_Devices
alexis_cazalaa
Building a reputation

Just FYI on point number 3

I also had created a ticket about this and i received multiple answers :

support first told me that clicking on the bypass button would clear DEP but not user-initiated iCloud activation Lock.
then in a second comment they say the bypass button sends the two sets of codes and then Apple decides between the two.. like russian roulette....
i'm on the phone so i asked the guy to put that in writing in my ticket but that's their conclusion.
ticket number is 03855425 btw

@vassallon  - A couple of new changes to support Activation Lock Bypass

 

  1. There is a new Activation Lock Bypass API suite, which will allow you to initiate bypass commands in bulk to your device fleet.  As of today, this is still behind NFO and requires a support case for access.  When necessary, Support can also help provide a script which will attempt to unlock all devices.
  2. There is also a new Bypass Activation Lock command in the Command menu on the device list page which allows you to send Bypass Activation Lock commands in bulk directly from Dashboard.
  3. Admins can now view the current Activation Lock status of all devices using the new Activation Lock column in the device list.  Click the + sign in the upper right of the device list grid to add this column to your view.  Activation Lock status can also be viewed on the device details page under the "Management" section.

    list view.png

     

For more information about Activation Lock including the updates detailed above, check out the Activation Lock KB article.

vassallon
Kind of a big deal

Thank you for options 2 and 3 those are awesome to have available in the dashboard.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
vassallon
Kind of a big deal

@Kevin_C You might want to tweak the logic a bit for running it from the Dashboard.

 

Attempting Activation Lock bypass on 1141 devices.

Attempts will be made in 12 batches of 100 devices each.

(12/12) batches complete

Batch 1 (devices 1-1) status: success
Batch 2 (devices 101-101) status: success
Batch 3 (devices 201-201) status: success
Batch 4 (devices 301-301) status: success
Batch 5 (devices 401-401) status: success
Batch 6 (devices 501-501) status: success
Batch 7 (devices 601-601) status: success
Batch 8 (devices 701-701) status: success
Batch 9 (devices 801-801) status: failure
  • API rate limit exceeded for organization
Batch 10 (devices 901-901) status: failure
  • API rate limit exceeded for organization
Batch 11 (devices 1001-1001) status: failure
  • API rate limit exceeded for organization
Batch 12 (devices 1101-1101) status: failure
  • API rate limit exceeded for organization
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@vassallon a fix was pushed so that the device counts are accurately displayed ("devices 1-100, 101-200, etc" instead of devices 1-1, 101-101"). Can you verify?

If you are having issues with the API rate limit when the command is sent in bulk, please open a support ticket so that we can track, diagnose, and address this appropriately.
vassallon
Kind of a big deal

@Kevin_C 

 

Yes, the numbering appears to be fixed but the API rate limit issue still occurs.

 

(12/12) batches complete

Batch 1 (devices 1-100) status: success
Batch 2 (devices 101-200) status: success
Batch 3 (devices 201-300) status: success
Batch 4 (devices 301-400) status: success
Batch 5 (devices 401-500) status: success
Batch 6 (devices 501-600) status: success
Batch 7 (devices 601-700) status: failure
  • API rate limit exceeded for organization
Batch 8 (devices 701-800) status: success
Batch 9 (devices 801-900) status: failure
  • API rate limit exceeded for organization
Batch 10 (devices 901-1000) status: success
Batch 11 (devices 1001-1100) status: failure
  • API rate limit exceeded for organization
Batch 12 (devices 1101-1125) status: failure
  • API rate limit exceeded for organization
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@vassallon A change was pushed last week that should resolve the API rate limiting issue.  Can you try out the bulk action again and verify?

vassallon
Kind of a big deal

@Kevin_C Looks good now.

 

(12/12) batches complete

Batch 1 (devices 1-100) status: success
Batch 2 (devices 101-200) status: success
Batch 3 (devices 201-300) status: success
Batch 4 (devices 301-400) status: success
Batch 5 (devices 401-500) status: success
Batch 6 (devices 501-600) status: success
Batch 7 (devices 601-700) status: success
Batch 8 (devices 701-800) status: success
Batch 9 (devices 801-900) status: success
Batch 10 (devices 901-1000) status: success
Batch 11 (devices 1001-1100) status: success
Batch 12 (devices 1101-1110) status: success
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
alexis_cazalaa
Building a reputation

Option 2 doesn't work

.Capture.PNG

 

Option 3 can't sort using that column, results still mixed between enabled and disabled

I'd just like to point out this is a very poor implementation of a feature.

 

Where is the ability to not enable activation lock by default?

 

Where do you specify which AppleID gets used for the activation lock?

 

When a device is factory reset without clearing the activation lock, the MDM profile does not push until the lock is cleared. Meaning there is no option to view a bypass code in Meraki for that device any longer, making the bypass code field pointless.

 

This has somehow defaulted to using the Apple ID for our DEP master account, which I can not give out the password for in these cases, and there appears to be no option in Meraki to set the activation lock account to a different Apple ID.

 

I really expect this kind of overzealous security f*** up from Apple direct, but am pretty disappointed to see it coming from Meraki this time.

pstokes
Here to help

Has anyone seen activation lock just randomly appear on a device? Just recently I've had a single ipad at random display the activation lock screen. It's happened 2 times within 2 months now. The user claims they aren't doing anything when this happens and the device hasn't been reset. 

 

We do have the allow activation lock box checked on our profile payload. The status for this device shows disabled. 

beks88
A model citizen

It seems like I'm experiencing the same issue. User has been 2 weeks on holiday, now gets a prompt with activation lock.
Have to check several things before posting more infos.

Device last online -> 2 weeks ago
Activation lock shows -> disabled

 

Device seem currently to be offline, so need first to work with user to get it online 😄

beks88
A model citizen

@pstokes I had yesterday an iPad which showed up as offline and activation lock enabled.

 

I pushed the command to disable activation lock, instructed the user to restart the iPad and he was able to enroll as expected.

 

Still need to figure out how to fix my problem with the iPhone as mentioned before

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels