Apple Business Manager – what am I not understanding about the process

activation-lock

We recently had an issue where a company-owned iPhone was handed to a member of staff. They set it up with a new iCloud account and password that they then forgot; they left the company and handed back a device that was working (they knew the passcode, it would boot up) but couldn't have anything installed on it because the iCloud account was not known.

I've been through the process of:

  • setting up a Miradore MDM account,
  • setting up an Apple Business Account,
  • linking ABM to Miradore's MDM server,
  • installing the Miradore profile on the phone,
  • recovering the old employee iCloud account details after plenty of calls with Apple and waiting 16 days for a reset,
  • logging into their iCloud and erasing, then removing the phone from their account (in iCloud Find My iPhone),
  • using Apple Configurator 2 to run a prep on the device and
  • finally having Apple Business Manager assign the device to the Miradore MDM via its serial number

The phone is provisioned in a "stops at Hello setup screen and the user it is given to may set it up as a new iPhone/restore it accordingly" way.

Before giving out the phone again I thought I'd test the process of recovery, which I was hoping would have gotten easier, that happened last time. I would:

  • pretend to be a forgetful user,
  • register the phone to a new iCloud account,
  • pretend I forgot the password,
  • hand it back to the IT dept saying "sorry, here's your device, I forgot the iCloud password I set it up with"

I fully expected that they could just open Apple Business Manager, or Miradore (I'm not sure which), hit "wipe" and poof; it becomes a new iPhone again ready to be handed to the next user, because Apple know it's owned by the company and they would scrub the iCloud details off it/release it from any association with "Forgetful Me".

Having hit the option in Miradore to wipe the iPhone, it's restarted with an activation lock that is demanding the details of the test user I created.

This isn't how I was hoping it would go; I wanted it to revert to being a brand new iPhone with no activation lock. As it is right now it's saying it is activation locked and can only be unlocked by test.user@mycompany.com – exactly the same situation I was in last time with the real forgetful user.

What have I missed about the whole setup? How can I make things so that the company owns the phone and can wipe any employee logins, data, details, activation locks etc off at any point?

Best Answer

Is the device enrolled with Apple DEP? If not, you can’t remotely remove activation lock with a simple click.

The WIPE button can do 1 of 2 things. It really depends on how it’s configured:

  1. Wipe Managed App Data (these are apps from your Volume Purchase Agreement). The customer data stays intact (including their Apple ID).

  2. Wipe all data. This is probably the default configuration for your MDM. It erases all data as if the customer tapped SETTINGS -> GENERAL -> RESET.

If you are NOT enrolled in Apple’s DEP then you’ll need to supervise the device. This will provide you with a lot more options. You can remove the Apple ID, change the background wallpaper, turn on or off the GPS, etc.

Reference: https://support.apple.com/en-us/HT202804

I am an AirWatch MDM Administrator
