
New management capabilities now available for macOS Activation Lock in Workspace ONE

Anyone who has had a laptop stolen knows the great frustration that comes with losing not only an expensive piece of tech but also the precious work and personal information, photos, and everything else that’s stored on it. Apple understands this, and long ago introduced a feature designed to make would-be thieves think twice about stealing Apple hardware.

Activation Lock is a security mechanism for macOS and iOS devices that ensures a device, even if it has been factory-reset — even if an admin has erased the device remotely — can never be accessed by anyone except the original owner (or, at least, someone with their credentials).

Theft deterrent

If a MacBook is stolen and a factory reset is performed with Activation Lock enabled, the device will still ask for the existing authorization codes at next startup. Without the authorization codes, the only way to gain access is to contact Apple support, provide proof of purchase, and have them clear the Activation Lock. So, with this function enabled, no thief can ever use or resell a stolen Apple device (to a happy customer at least), nor can identity theft or corporate espionage take place, as all files and resources remain securely locked away even after a reset. Thus, there’s simply no reason to take whatever risks may be involved in stealing an Apple device in the first place. It’s an elegant solution to an ugly problem.

Potential challenges in business

In business, however, Activation Lock can sometimes become an obstacle. Specifically, an employee who has left the company may run a factory reset on a device to wipe personal information before returning it to IT, with Activation Lock still enabled. Because IT doesn’t have the user’s credentials, in the absence of some kind of MDM-based workaround, the only recourse would be a time-consuming search for proof of purchase and a subsequent call to Apple support to get Activation Lock cleared.

The solution in Workspace ONE

With the launch of Workspace ONE version 2402, Workspace ONE can now both enable and clear Activation Lock on supervised Macs. To enable Activation Lock, admins can use the “All Settings” capability to set a global policy that enables it on all Macs or by Smart Groups. By contrast, the “Details View” allows you to manage individual devices. Options for bypassing and clearing are more detailed and flexible.

How to disable Activation Lock

You can disable Activation Lock on all Macs or set policy by Smart Groups or by individual device, in the same way you enable the functionality as noted above.

However, if Activation Lock was left enabled and is an obstacle to re-assigning a used device, there are several options:

  • Clear Activation Lock in the console: Admins can clear it on a specific Mac through the console in the “Device Details” view with a simple mouse click.
  • Enter a bypass code: Workspace ONE provides a code you can enter during Setup Assistant to bypass Activation Lock.
  • Wipe the device via Workspace ONE: Simply perform a wipe using Workspace ONE. Doing so will give you the option to disable the Activation Lock function.

For the sake of clarification, we should note this only works on supervised devices. Workspace ONE admins will not be able to clear Activation Lock from BYOD or any other type of unmanaged device.

In conclusion …

We can see that with this new functionality in the console, Activation Lock on macOS becomes what it was always meant to be for Workspace ONE customers: all good in terms of accomplishing security through deterrence, with none of the obstacles.
