Perfectly good MacBooks have been subject to an all-too-common fate: being eWasted
Here’s a story…
Jordan works at a small business. On her first day, Jordan purchased a brand new MacBook at the Apple Store and signed into her personal iCloud account, which turned on Find My and, with it, Activation Lock. A year later, Jordan enrolled the device in the company’s MDM solution, but shortly after that, she left the company and moved across the country for a new job. Jordan’s device was wiped two days after her last day, consistent with the company's usual off-boarding procedures. A new hire replaced Jordan and was given that same MacBook a few weeks later, but the MacBook was Activation Locked behind Jordan’s iCloud account. The company reached out to Jordan for help, but she couldn’t remember the device password and felt uncomfortable sharing her personal iCloud credentials. The device couldn’t be used, so it was eWasted.
To recover the device in a situation like Jordan’s, a business needs one of the following:
- iCloud credentials
- Device password
- Activation Lock bypass code
In reality, a company rarely has access to the employee’s iCloud credentials or the device password. And in Jordan’s story, the bypass code is unavailable too: it is generated and escrowed off the device at the moment Activation Lock is enabled, and in this case that moment came before the device was managed, so no MDM was in place to receive it.
This is an unfortunate story, especially since MacBooks are not a trivial investment for most businesses. We’ve heard from many administrators who have been caught by surprise with Activation Lock and now own a $2,000 paperweight. It’s critical for any company that owns macOS devices to understand this risk.
Protecting your fleet
Generally speaking, Activation Lock is a product built for the individual consumer, not for the small business or enterprise. By design, it’s meant to make it harder for the device to change hands, which sounds great for a personal MacBook but is a nightmare if we’re managing a fleet of a few hundred devices that rotate among employees. To best insulate your business from this pain, we recommend two things:
- Configure Automated Device Enrollment with your MDM solution so that devices are supervised from first boot and your MDM can escrow the Activation Lock bypass code for each of them. Your MDM tool may even allow you to prevent automatically-enrolled devices from having Activation Lock enabled in the first place.
- Audit your fleet to determine which devices had Activation Lock enabled prior to enrollment (these are the ones for which no bypass code was escrowed). Manually work with those employees to disable Activation Lock. They can even re-enable it afterward if you'd like to allow that because, this time, your MDM will receive the bypass code.
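The audit step above can be scripted. The following is an added example, not code from the original post or from any MDM vendor: a POSIX shell script that reads the output of `system_profiler SPHardwareDataType` (which on macOS 10.15 and later prints an "Activation Lock Status" line for Macs with a T2 chip or Apple silicon, the only Macs that support Activation Lock) and emits one `serial,status` line per device. It assumes you run it through your MDM's script facility and join the resulting serials against your enrollment records to spot devices whose lock predates enrollment; the sample `system_profiler` output embedded in the script is constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example for a fleet Activation Lock audit; not the post's own code.
# Assumes macOS 10.15+ on a T2 or Apple silicon Mac, where
# `system_profiler SPHardwareDataType` prints an "Activation Lock Status:"
# line. Run it from your MDM's script facility and collect the output.

# Read system_profiler output on stdin and print the Activation Lock state:
# Enabled, Disabled, or Unsupported (no such line, e.g. an Intel Mac
# without a T2 chip, which cannot be Activation Locked at all).
activation_lock_status() {
    status=$(sed -n 's/^[[:space:]]*Activation Lock Status:[[:space:]]*//p' | head -n 1)
    if [ -z "$status" ]; then
        echo "Unsupported"
    else
        echo "$status"
    fi
}

# Read system_profiler output on stdin and print the hardware serial, the
# key you join against the MDM's enrollment date and bypass-code records.
hardware_serial() {
    sed -n 's/^[[:space:]]*Serial Number (system):[[:space:]]*//p' | head -n 1
}

# Read system_profiler output on stdin and print one CSV line: serial,status.
audit_line() {
    report=$(cat)
    printf '%s,%s\n' \
        "$(printf '%s\n' "$report" | hardware_serial)" \
        "$(printf '%s\n' "$report" | activation_lock_status)"
}

# Constructed sample output (not captured from a real machine) in the shape
# system_profiler prints it, so the parsing can be exercised offline.
SAMPLE_ENABLED='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Chip: Apple M1
      Serial Number (system): C02XXXXXXXXX
      Activation Lock Status: Enabled'

SAMPLE_INTEL='Hardware:

    Hardware Overview:

      Model Name: MacBook Air
      Processor Name: Dual-Core Intel Core i5
      Serial Number (system): C02YYYYYYYYY'

# On a real Mac, audit this machine; elsewhere (no system_profiler) do nothing.
if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPHardwareDataType | audit_line
fi
```

A device that reports `Enabled` but has no bypass code stored in your MDM is exactly Jordan’s case: the lock was turned on before enrollment, and the only fix is to have that user sign out of Find My (or turn Activation Lock off) while they are still with the company.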
After following these steps, you can allow Activation Lock to be enabled on devices without too much of an additional maintenance burden, but for most small businesses, it’ll be easiest to keep it disabled across the fleet as much as you’re able to.
The use of Activation Lock by a small business could make sense if it offers additional security for the company. However, Activation Lock only governs whether a device can be reactivated after it has been wiped, and at that point no corporate data remains on it; protection of data at rest on a lost or stolen Mac comes from FileVault and remote lock or wipe, not from Activation Lock. Otherwise, there may be some merit in contributing to Apple’s intended deterrent effect against stealing MacBooks, but in our opinion, the onus should be on Apple to improve the device management experience if they want businesses to leverage this capability.
We hope this was helpful for those of you trying to decide how you want to address Activation Lock within the context of your business. It’s frustrating to see so many devices getting thrown away for no good reason. If you have any questions or ever want to connect, please don’t hesitate to reach out!