Activation lock though really nice features of iOS for personal devices helping stop device getting stolen, on enterprise (Work owned) devices can be a real pain especially if a personal Apple account is used and the user has left the company leaving the device activation lock.

For some time this could mean having a large number of devices that could not be used and getting Apple to unlock them over Email can take some time, when devices are MDM enrolled into MobileIron using DEP a (supervised) device you do get an MDM to unlock code but I have found that this doesn’t always work.

If your running MobileIron for your MDM it has got a Security Policy option that can turn off Activation Lock for new devices set up after the policy is setup!

To set this open Policies & Configs
Open your Security policy, we have a policy just for DEP (Worked owned devices)

Under iOS settings un-tick “Enable Activation Lock”

I’ve found if you already have devices set up this setting will not turn off Activation Lock on the devices but it will stop it been turned back on if it is turned off and new devices will not able to turn on Activation Lock, As long as all of your devices are in DEP turning off Activation Lock should not really be an issue as you need a network account to set the device back up.

Hope this helps out other MDM Administers and stops the pain of trying to get a user to remember the logon to their iCloud account.