You’ve got 50, maybe 80 Macs across your team. One person handles IT, when they can. Then someone leaves, and suddenly you’re locked out of a $1,300 device. No one knows the Apple ID. You can’t wipe it. You can’t redeploy it. You’ve hit the wall that Apple calls Activation Lock.
When businesses don’t properly manage Activation Lock on their Apple devices, the result can be lost revenue: device lockouts, and even devices being written off because they can no longer be accessed. That means waste and lower productivity.
Here is how to set up and manage Mac Activation Lock, as well as its potential pitfalls if it’s not handled properly.
What is Activation Lock?
Activation Lock is an Apple security feature strictly tied to an iCloud account logged into a macOS or iOS device. Its purpose is to prevent unauthorized activation if the device is stolen.
Once it’s activated, nobody will be able to deactivate Find My Mac or reset the MacBook to factory settings without entering the correct Apple account credentials. A thief or someone who finds a lost MacBook will not have those details and will be unable to wipe the device, rendering it useless to them.
IT departments will find this an extremely useful function for protecting the company’s hardware assets. But while it has its benefits, it can also have serious disadvantages.
The main one is the potential for Activation Lock to give the company serious headaches if the device is not offboarded properly when an employee leaves, or when that device is reassigned to another employee.
What are the potential pitfalls of Activation Lock?
So, if mismanaged, what are the downsides of using Activation Lock?
- The device becomes unusable after the assigned employee has left.
Why It Matters – the company could potentially have to pay $1,300+ for a new device and there will be delays and lost productivity while they wait for the new device to arrive. If this happens often, new device purchases will quickly become a major business cost.
- Apple will not disable Activation Lock for you.
Why It Matters – if you have a locked Mac and there’s no way to unlock it, Apple will only provide limited support and stop well short of actually removing the lock for you. This means any essential files on the device (such as invoices and receipts) that are not backed up will be lost forever.
- You can’t resell or reassign devices.
Why It Matters – if a company's Apple device is permanently locked, it becomes useless to the company and would have to be written off. IT budgets will be quickly spent on replacements, and useless devices will soon stack up. If the device is leased by another company, it could lead to financial penalties.
So, what are the solutions to avoid scenarios like this? Let’s look at a few.
Mobile Device Management (MDM)
Mobile Device Management (MDM) is your best friend when it comes to managing enterprise MacBooks.
It allows the device owner to disable Activation Lock remotely, removing the need for the MacBook user to remember to do it themselves. The company’s IT department can open the MDM dashboard and disable the lock with a few clicks.
It does this by generating bypass codes, which disable Activation Lock without needing the Apple account details. There is a detailed guide on the Apple help pages about Activation Lock and how to bypass it with MDM.
Which MDM is the best one?
Examples of MDMs include (but are not limited to) Kandji, Jamf Pro, and Mosyle. Which one should you go for? It all depends on your use case.
Kandji is generally considered to be the one for most users' needs. Its slick automations replace many of the scripts that Jamf demands. One feature is that if someone turns off a setting (deliberately or otherwise), Kandji turns it on again.
When a device is enrolled through Apple Business Manager, Kandji enables Activation Lock automatically, and the bypass codes are generated and stored in Kandji.
If you’re a big sprawling organization with lots of custom requirements, then Jamf may be more to your liking. However, it isn’t cheap and it isn’t that easy to use.
Jamf tracks Activation Lock status in real time, and machines not signed in will be flagged for IT to investigate. Plus, as with Kandji, the bypass codes are securely stored in the Jamf dashboard.
If your budget is tight, and you just want something straightforward, then Mosyle could be the best candidate. It gives the owner of the device, not the user, control over the locking and unlocking of the device.
Its dashboard gives real-time device status monitoring, and it will lock and unlock devices based on the company’s policies.

Apple Business Manager

Apple Business Manager (ABM) is not an MDM, but rather something that works seamlessly alongside one.
If an MDM is the operations room of the company, ABM is the front reception desk. ABM handles all incoming new devices before they even come out of the box, automatically registers them with the MDM, and manages the Apple account IDs for each device. Then the device is automatically passed by ABM to the MDM key to activate the Mac.
In other words, using Apple Business Manager reduces new device setup time and ensures that IT supervision of that device is in place from the moment the device is first used.
Even more importantly, IT has the immediate power to control and bypass Activation Lock, even if the device user signs in with a personal Apple ID. This kind of control is impossible without Apple Business Manager.
If you’re dealing with a lot of Apple devices in your organization, then you absolutely need both Apple Business Manager and an MDM. Otherwise you’re looking at future liabilities that could potentially cripple the company.
Educate employees on how Activation Lock works
Of course, the simplest method of managing Activation Lock is to educate employees on how it all works. Not being able to unregister the device may not always come down to malicious intent – it could simply be a lack of knowledge of what needs to be done.
📘 To be covered during IT onboarding or offboarding training
✔️How to properly sign out of iCloud
✔️How to disable Find My Mac
✔️Why Find My Mac must be disabled manually
✔️Consequences of an improperly offboarded device
Offboard departing employees properly
Instead of hoping that the departing employee remembers to do it properly, companies can avoid headaches by establishing a proper automated offboarding process for every device.
📘 For IT to complete when offboarding an employee
✔️Revoke user's Apple ID access via Apple Business Manager
✔️Generate a new Activation Lock bypass code
✔️Store the bypass code securely in the MDM
✔️Reassign the device to IT or a new user
✔️Confirm iCloud and Find My Mac are fully disabled
How to remove Activation Lock on a MacBook
The procedure to remove Activation Lock comes down to the following:
- The easiest method is to ask the outgoing employee to disable it themselves by signing out of the Apple account.
- If this isn’t possible anymore, then a bypass code generated by an MDM key should do the trick. Obviously, this needs to be set up beforehand, not after the fact.
- If a bypass code isn’t doable, then contacting Apple Support would be your last option, and they may be able to offer Activation Lock help. However, you would likely have to produce the sales receipts for the MacBook in question to prove you’re the legal owner. You should also put together any supporting documentation, such as the serial number of the machine.
How to prevent potential future problems with Activation Lock
How do you turn Activation Lock from a headache into a business asset?
👉To begin with, companies should avoid buying Apple devices which are not sold by Apple-authorized resellers. These resellers will register the devices with Apple Business Manager, while those bought from Amazon will not be registered.
👉These ABM-registered devices should then flow seamlessly into the company MDM. The MDM can be configured to do this all automatically, without input from IT, including generating the Activation Lock bypass keys when the device is enrolled. Done properly, IT rarely needs to do anything.
👉 Before completing an employee’s exit process, make sure their Apple ID has been removed from all company devices. This should be a required step in offboarding to prevent Activation Lock issues down the line.
👉Use MDM’s reporting tools to build a dashboard showing the Activation Lock status of all devices. If any device suddenly has Activation Lock disabled, or has been signed into with a different Apple ID, then IT knows to deal with the problem immediately.
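The status check in the last point can be sketched as a comparison of two daily inventory exports. This is an added example, not code from the article or from any MDM vendor; the CSV column names and sample rows are constructed for illustration, and the escrow check reflects the earlier point that bypass codes must be set up before they are needed.

```python
import csv
import io

# Constructed sample exports. The column names are hypothetical and do not
# match any particular MDM's report format.
YESTERDAY = """\
serial,activation_lock,apple_id,bypass_code_escrowed
C02EXAMPLE01,enabled,alice@example.com,yes
C02EXAMPLE02,enabled,bob@example.com,yes
C02EXAMPLE03,enabled,carol@example.com,yes
C02EXAMPLE04,disabled,,no
"""
TODAY = """\
serial,activation_lock,apple_id,bypass_code_escrowed
C02EXAMPLE01,enabled,alice@example.com,yes
C02EXAMPLE02,disabled,,yes
C02EXAMPLE03,enabled,carol.personal@example.net,yes
C02EXAMPLE04,enabled,erin@example.com,no
C02EXAMPLE05,enabled,frank@example.com,yes
"""


def load(text):
    """Index one export by serial number."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(text))}


def audit(previous, current):
    """Return (serial, finding) pairs that IT should look at."""
    findings = []
    for serial, now in sorted(current.items()):
        locked = now["activation_lock"] == "enabled"
        # A locked Mac with no stored bypass code leaves IT without the MDM unlock path.
        if locked and now["bypass_code_escrowed"] != "yes":
            findings.append((serial, "locked-without-bypass-code"))
        before = previous.get(serial)
        if before is None:
            continue  # newly enrolled device, nothing to compare against
        if before["activation_lock"] == "enabled" and not locked:
            findings.append((serial, "lock-disabled"))
        old_id, new_id = before["apple_id"], now["apple_id"]
        if old_id and new_id and old_id != new_id:
            findings.append((serial, "apple-id-changed"))
    return findings


if __name__ == "__main__":
    for serial, finding in audit(load(YESTERDAY), load(TODAY)):
        print(f"{serial}: {finding}")
```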
Prioritize regular device maintenance
If your business depends on Macs to keep operations running, keeping them in top shape is just as important. CleanMyMac Business offers an easy, affordable way to do exactly that — without the complexity of heavy enterprise tools.
Seamlessly integrating with Apple Business Manager and your MDM, it provides remote troubleshooting, patching, security monitoring, and system cleanup — all from a single, intuitive dashboard. It takes just minutes to deploy, giving IT teams real-time visibility into device health, security, and compliance.
Start with a free 14-day trial and see how it fits your workflow. It helps IT teams stay ahead of issues—preventing support tickets and costly disruptions before they happen.
Apple Activation Lock can be a lifesaver for businesses, but it can also be a curse if not handled correctly. The worst case? Lost revenue due to lost time and reduced productivity.
By establishing an automated offboarding process combining Apple Business Manager and an MDM, a company can make sure that every Apple device in its inventory can be seamlessly transferred from one employee to another, without hitting any roadblocks.