Wednesday 27 March 2024

macOS management with Intune - activation lock


You can set up Find My on your Mac so you can locate it and protect it if it’s ever lost or stolen. You can also share your location with others. When you add your Mac to Find My, Activation Lock is automatically turned on. After it's enabled, the user's Apple ID and password must be entered before anyone can:

  • Turn off Find My Mac
  • Erase the device
  • Reactivate the device

While Activation Lock helps secure Apple devices and improves the chances of recovering a lost or stolen device, this capability can present you, as an IT admin, with many challenges. For example:

  • A user sets up Activation Lock on a device. The user then leaves the company and returns the device. Without the user's Apple ID and password, there's no way to reactivate the device.
  • You want to reassign some devices to a different department during a device refresh in your organization. You can only reassign devices that don't have Activation Lock enabled.

To help solve these problems, Apple introduced the ability to disable Activation Lock for supervised devices (macOS 10.15 or later), without the user's Apple ID and password. Supervised devices generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server. Intune supports this feature.


First I want to check the current Activation Lock status on my test Mac. For that we need System Information. Hold down Alt (Option) while clicking the Apple logo to expose System Information on the menu, then look in the Hardware section. I've highlighted where the Activation Lock status should be, but it's not there. Why is that? It's because my Mac doesn't support the feature. Activation Lock is available on all Apple silicon Macs, but on Intel Macs the feature is restricted to models with an Apple T2 Security Chip running macOS Catalina or later. So, as an example, a non-T2 Intel Mac such as the MacBook Air (2017) will not support Activation Lock. You can see from the screenshot that my device has a Dual-Core Intel Core i5.
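As an added example, not code from the original post or from Apple or Microsoft, here is the same support and status check done from a shell script instead of by reading System Information: it parses system_profiler text and reports whether the Mac has Apple silicon, a T2 chip, or neither, and whether Activation Lock is enabled. The field names it matches ("Chip:", "Activation Lock Status:", "Model Name: Apple T2 Security Chip") are assumed from the System Information layout, and the sample reports are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the support/status check the post
# does by hand in System Information, scripted over `system_profiler` text. Field
# names assumed: "Chip:", "Activation Lock Status:", "Model Name: Apple T2 ...".

# security_chip HARDWARE_TEXT IBRIDGE_TEXT -> apple-silicon | t2 | none
security_chip() {
    if printf '%s\n' "$1" | grep -q '^ *Chip: *Apple'; then
        echo apple-silicon
    elif printf '%s\n' "$2" | grep -q 'Model Name: *Apple T2'; then
        echo t2
    else
        echo none
    fi
}

# activation_lock_status HARDWARE_TEXT -> enabled | disabled | unsupported
# System Information omits the status line on Macs with neither a T2 chip nor
# Apple silicon (e.g. the 2017 Intel MacBook Air); that is reported as unsupported.
activation_lock_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/^ *Activation Lock Status: *//p' | head -n 1)
    case "$status" in
        Enabled)  echo enabled ;;
        Disabled) echo disabled ;;
        *)        echo unsupported ;;
    esac
}

# Constructed samples mimicking system_profiler output (not real captures).
INTEL_HW='Hardware Overview:
      Model Name: MacBook Air
      Processor Name: Dual-Core Intel Core i5'
INTEL_BRIDGE='Controller:'
T2_HW='Hardware Overview:
      Processor Name: 6-Core Intel Core i7
      Activation Lock Status: Disabled'
T2_BRIDGE='Controller:
    Apple T2 Security Chip:
      Model Name: Apple T2 Security Chip'
SILICON_HW='Hardware Overview:
      Chip: Apple M1
      Activation Lock Status: Enabled'

# On a real Mac, run the same check against the live report.
if [ "$(uname)" = Darwin ] && command -v system_profiler >/dev/null 2>&1; then
    hw=$(system_profiler SPHardwareDataType)
    bridge=$(system_profiler SPiBridgeDataType 2>/dev/null)
    echo "security chip: $(security_chip "$hw" "$bridge")"
    echo "activation lock: $(activation_lock_status "$hw")"
fi
```

On the test Mac from this post the script would report "none" and "unsupported", which is exactly why the status field is missing from the screenshot.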

We can still see how this is supposed to work. On the test device I've turned on Location Services (System Preferences > Security & Privacy > Enable Location Services). This is a requirement for Find My Mac.

Find My Mac can be found in the Applications list.


Find My Mac will ask to use Location Services. It can be turned on, but it cannot enable Activation Lock on my test device.

Have a look at the hardware properties of the device in Intune. Under Conditional Access we can see that the device is supervised. We can also see that the Activation lock bypass code field is not populated. 

There are two methods of disabling Activation Lock on devices:
  • Manually entering the Activation Lock bypass code on the device
  • Using the Disable Activation Lock device action

Let's use the device action and click Disable Activation Lock.


We have to accept the warning about disabling Activation Lock. Click Yes.


That would then disable Activation Lock on the device. As expected, it has failed on my test Mac.

I hope this helps. Until next time......
