A lost - or stolen - iPhone is almost every iPhone owner’s worst nightmare. With the release of iOS 7, Apple has baked in some features designed to prevent iPhone theft, or at least make it much less lucrative. While this is a great feature for the end user’s piece of mind, it could be a new nightmare for the enterprise.
What Activation Lock Does
The feature, Activation Lock, is intended to deter iPhone theft by securely locking each iPhone to its owner. In short, a thief can’t steal an iPhone, erase the contents, and sell it for reactivation. When the device is wiped, it can’t be reactivated without the Apple ID and Password that were originally used to activate it – no matter if it’s erased remotely (for example, from a corporate MDM server) or manually.
And MDM can’t block Activation Lock. Activation Lock is automatically enabled if Find My iPhone is enabled. What's more, Activation Lock applies to all iOS 7 devices - iPads as well as iPhones.
But what does this mean for corporate-owned devices? Activation Lock could completely disrupt standard enterprise practices. Since the device is tied to the original user’s Apple ID and Password, it would be difficult to re-activate the iPhone for another user, even if the iPhone is factory restored before it’s reissued.
Without the Apple ID and Password, there’s no way to re-activate it.
How it Could Affect Your Bottom Line
The fundamental issue for the enterprise is cost: if you can’t re-activate devices, you can’t reissue them. Instead of getting the most out of your iPhone hardware investment, you may need to purchase a brand new device for each new iPhone user. The device then becomes useless when the employee leaves the company.
This would be unheard of with other tech hardware, like a laptop or desk phone. Tying each iPhone a specific user for its entire lifecycle will substantially drive up the cost of doing business in an iOS environment.
So what can be done?
Unfortunately, a foolproof solution hasn't been identified yet. Requiring end users to turn over their Apple ID and Password or wipe the device themselves upon departure from the company is one potentially unpopular policy-based method of addressing the issue.
Alternately a company could require end users only activate their corporate-issued iPhone with a corporate Apple ID and Password – prepared for them ahead of time, and tracked in a spreadsheet or database. This is time consuming, and you’re counting on the user to not log off, and log into the device with a different Apple ID.
It looks like a better solution might be forthcoming, but details are scarce. There’s a possibility that iPhones that are placed into Supervised Mode (which allows the enterprise more control over what happens with the device) with Apple Configurator won’t be affected by activation lock.
The catch? The iPhone needs to be physically connected to the computer your enterprise’s Apple Configurator is running on. It’s a manual process that requires users to part with their devices. It’s not scalable.
There is also speculation that Apple plans to roll out a method to enable Supervised Mode over the air in conjunction with preconfigured MDM enrollment; until that happens current phones will need to be manually converted to Supervised Mode through Apple Configurator.
You Need an Interim Strategy... Now.
Whichever choice your enterprise makes to mitigate the impact of Activation Lock on your current iPhone assets, it will need to happen soon. By the end of the week, we expect millions of corporate iPhone users will have inadvertently enabled Activation Lock by upgrading to iOS 7, making their devices useless for future redeployment.