💻❗️🗑️
Here’s a story…
Jordan works at a small business. On her first day, Jordan purchased a brand new MacBook at the Apple Store and signed into her personal iCloud account. A year later, Jordan enrolled the device in the company’s MDM solution, but shortly after that, she left the company and moved across the country for a new job. Jordan’s device was wiped two days after her last day, consistent with the company's usual off-boarding procedures. A new hire replaced Jordan and was given that same MacBook a few weeks later, but the MacBook was Activation Locked behind Jordan’s iCloud account. The company reached out to Jordan for help, but she couldn’t remember the device password and felt uncomfortable sharing her personal iCloud credentials. The device could not be used, so it had to be eWasted.
To recover the device in a situation like Jordan’s, a business needs one of the following:
In reality, a company rarely has access to (1) or (2). And in Jordan’s story, (3) will be unavailable because the bypass code is generated and escrowed off the device the moment Activation Lock is enabled (which in this case was before the device was managed).
This is an unfortunate story, especially since MacBooks are not a trivial investment for most businesses. We’ve heard from many administrators who have been caught by surprise with Activation Lock and now own a $2,000 paperweight. It’s critical for any company that owns macOS devices to understand this risk.
Generally speaking, Activation Lock is a product built for the individual consumer, not for the small business or enterprise. By design, it’s meant to make it harder for the device to change hands, which sounds great for a personal MacBook but is a nightmare if we’re managing a fleet of a few hundred devices that rotate among employees. To best insulate your business from this pain, we recommend two things:
After following these steps, you can allow Activation Lock to be enabled on devices without too much of an additional maintenance burden, but for most small businesses, it’ll be easiest to keep it disabled across the fleet as much as you’re able to.
The use of Activation Lock by a small business could make sense if it offered additional security for the company. However, Activation Lock only controls the use of the device after it has been wiped, at which point no risk to corporate data remains. Beyond that, there may be some merit in contributing to Apple’s intended ‘deterrent effect’ against MacBook theft, but in our opinion, the onus should be on Apple to improve the device management experience if they want businesses to leverage this capability.
We hope this was helpful for those of you trying to decide how you want to address Activation Lock within the context of your business. It’s frustrating to see so many devices getting thrown away for no good reason. If you have any questions or ever want to connect, please don’t hesitate to reach out!