Description
This article describes the different types of lock screens users might encounter and the related commands available in Jamf Pro.
Activation Lock
This setting can be enabled on macOS or iOS when:
An end user signs into an Apple Account and enables Find My Device on either macOS or iOS.
An Activation Lock command is sent from Jamf Pro for either macOS or iOS.
If a device is Supervised when Activation Lock is enabled, an Activation Lock Bypass Code should be inventoried into the device record, under the Management tab of the device in question.
See this article for more information on enabling or clearing Activation Lock with Jamf Pro.
MDM Lock Command (macOS)
This is a command that is issued from Jamf Pro, most commonly for lost or stolen devices. When a Lock Code is issued from Jamf Pro, we specify the passcode that is set. The end user might see something similar to the images below:
The lock code is stored in the device record under History > Management History > Completed Commands > Lock Device.
If the code is unknown, Jamf Support may be able to assist, but this depends on timing and log flushing.
EFI or Firmware Lock
The EFI/Firmware lock was an option for Intel computers to ensure computers could not get to settings outside of the OS without first entering a password. The EFI Password lock screen is shown below:
The EFI Lock is enabled using a policy in Jamf Pro (Policies > New > EFI Password > Configure).
This password is not stored anywhere in Jamf Pro. If the passcode is forgotten, you will need to contact Apple.
Recovery Lock
Recovery Lock is used on Apple Silicon devices only; it functions similarly to the EFI or Firmware lock above. End users would see something similar to the image below letting them know Recovery is locked.
Recovery Lock can be enabled in the PreStage or set via the API.
For more information on this feature, see the recoveryOS password section on Apple's Startup security in macOS article.
iOS Device Lock
When a passcode is entered incorrectly too many times on an iOS/iPadOS device, the device gets locked. End users will see:
If the iPhone remains disabled and the passcode is not known, follow the steps in Perform Factory Reset On iOS/iPadOS Devices.
macOS Device Lock
Similar to iOS Device Lock, this happens on a macOS device when a passcode is entered incorrectly too many times.
Generally, the only time we will see this is when the "Max Number of Failed Attempts" setting is set in a computer configuration profile under the Passcode payload.
FileVault Personal Recovery Key
The macOS Recovery screen will show Recovery Key and request that the recovery key be entered to unlock the volume.
The FileVault recovery key can be found in the inventory record in Jamf Pro if it was escrowed. For more information, see FileVault Management with Jamf Pro.