Activation Lock on Mac: the complete guide#

Activation Lock on a Mac is not a setting you turn on. It arms automatically the moment you enable Find My Mac on a supported machine, and from that point Apple's activation servers record the Mac as bound to your Apple Account. Wiping the SSD, reinstalling macOS, and running a DFU restore all leave the lock intact, because the lock record lives on the server and is keyed to the hardware. Apple retired its standalone serial-number lock checker in 2017, so the only reliable way to verify a Mac before paying is a live boot to the Setup Assistant with Wi-Fi connected.

This is the complete reference: how the lock is triggered, the hardware that supports it, the four lock screens that get confused for it, every legitimate clear, the in-person verification procedure, and why every "iCloud unlock service" is a scam. The cluster pillar for buyers and sellers who want one page that covers the entire feature.

If you want a free, signed check of a Mac's Activation Lock and Find My Mac state before you buy, the signed Macfax check of Activation Lock and Find My state covers it.

What Activation Lock actually is#

Activation Lock is Apple's anti-theft feature that prevents anyone from reactivating a Mac after an erase or macOS reinstall without the Apple Account that originally enabled Find My Mac on the device. It protects hardware reuse, not data. A thief cannot reactivate the Mac as their own; the buyer of a stolen Mac cannot use it past the Setup Assistant. Encryption of the actual data is FileVault's job. The two features are independent.

On Mac, the feature arrived with macOS Catalina 10.15 in October 2019, the same release that introduced the Find My app on Mac. It is supported only on Macs with the Apple T2 Security Chip (2018 to 2020 Intel models) or Apple silicon (M-series, late 2020 onward). Pre-2018 Intel Macs without a T2 cannot have Activation Lock at all, because the lock requires the Secure Enclave plus either Secure Boot (T2) or Full Security (Apple silicon). The full glossary-style definition lives at what Activation Lock on a Mac actually is for readers who want a shorter answer.

How it arms and disarms#

There is no "Turn on Activation Lock" control in System Settings. Apple ties the feature to Find My Mac and arms it automatically:

1. You sign into iCloud with your Apple Account on a supported Mac (macOS Catalina or later, T2 or Apple silicon).
2. You enable Find My Mac under System Settings → [your name] → iCloud → Find My Mac → Turn On. The Setup Assistant prompts for this during initial setup.
3. Activation Lock arms. Apple's servers record that this Apple Account is bound to this Mac's hardware identity. From that point on, the Apple Account password or the device passcode is required to turn Find My off, erase the Mac, or reactivate it after an erase.

Apple's own documentation puts it directly: on a Mac that meets the requirements, you "just turn on Find My to enable Activation Lock," and "it remains enabled as long as you keep Find My turned on." Turning Find My off with the Apple Account password disarms it instantly; subsequent erases will not trigger the lock screen. The full owner's guide to Find My Mac covers the setting itself in depth.

Apple enforces three additional requirements for the lock to actually engage:

• On Apple silicon, the security policy must be set to Full Security (the default) in Startup Security.
• On T2 Intel, the startup security must be set to Secure Boot with "Disallow booting from external or removable media" (also defaults).
• Two-factor authentication must be enabled on the Apple Account.

In normal use these are all the default state. If a user has dropped Apple silicon to Reduced Security to install third-party kernel extensions, the lock is not enforced on that machine until Full Security is restored.

The hardware enforcement#

Activation Lock is server-enforced and hardware-bound. The lock record lives on Apple's activation servers, keyed to the device's hardware identity. The hardware itself participates in the enforcement before macOS loads.

On Apple silicon, the Low-Level Bootloader (LLB) verifies that a valid LocalPolicy exists and that its anti-replay values match the Secure Storage Component. If none exists, the LLB boots to recoveryOS, which detects that the Mac is not activated and contacts Apple's activation server for an activation certificate. The LLB will not boot macOS without a valid LocalPolicy. When a Mac is locked, the device combines a local cryptographic key with a RemotePolicy certificate retrieved from Apple's servers to construct that LocalPolicy.

On T2 Intel, the T2 firmware verifies that a valid activation certificate is present before allowing the machine to boot. UEFI firmware loaded by the T2 queries the T2 for activation status and will not boot macOS unless a valid certificate is present.

In both designs, the Secure Enclave stores the cryptographic keys binding the device to its activation state, and storage encryption is hardware-accelerated and tied to that enclave. A thief therefore cannot pull the SSD to read data, nor reflash macOS to clear the lock. The full hardware-deep-dive on the chain across Activation Lock enforcement on M1 through M4 Macs covers what changed across generations.

The four lock screens that get confused#

This is where most of the confusion lives. Only the first of these four screens is Activation Lock.

The Activation Lock "Activate Mac" screen appears in Setup Assistant after an erase or macOS reinstall when Apple's servers still record the Mac as bound to an account with Find My on. Messaging reads roughly "This Mac is linked to an Apple ID. Enter the Apple ID and password that was previously used with this Mac", with the account shown obfuscated (e.g., k••••@icloud.com). If Lost Mode was set, it may add "This Mac was reported lost or stolen." The only ways past it are the original Apple Account credentials, the local user's previously used device password, or an MDM bypass code.

The Lost Mode screen reads "This Mac has been locked with Find My Mac." It appears when the owner manually flagged the Mac as lost via iCloud.com/find or the Find My app. The required input differs by architecture. On Intel and T2, the screen demands a 4- or 6-digit PIN that the owner set at the moment Lost Mode was activated. On Apple silicon there is no system PIN; the screen demands the owner's Apple ID and password directly. The full breakdown of what the "This Mac has been locked with Find My Mac" screen means covers what to do if you hit it.

The FileVault unlock screen is a preboot prompt (before macOS loads) that decrypts the disk. It requires the FileVault-enabled user's password or the FileVault recovery key, and appears on any fully owner-controlled Mac when FileVault is on. Nothing to do with Activation Lock.

The firmware password prompt is Intel-only. It is obsolete on Apple silicon, which has no EFI and uses Recovery Lock instead. It gates startup modifiers like external boot or Recovery. A DFU restore removes it; the same DFU restore does not clear Activation Lock.

The ordinary gray macOS login screen with user avatars is not a lock in this sense. It is just OS user authentication on a fully set-up Mac.

Why a wipe does not clear it#

Erase All Content and Settings (EACS), introduced in macOS Monterey 12 for T2 and Apple silicon Macs, is the correct preparation flow for a seller. The Erase Assistant prompts for the administrator password and the Apple Account password, then signs the user out of iCloud, turns off Find My and Activation Lock, destroys the per-device cryptographic keys (making storage instantly unreadable), and restarts to a clean "Hello" Setup Assistant.

A legacy recovery wipe (booting into recoveryOS and reformatting the internal APFS container in Disk Utility) does not turn off Activation Lock. If Find My was active before the wipe, the activation record remains on Apple's servers. On reboot, the Mac detects the lock and halts at the Activation Lock screen.

A DFU restore via Apple Configurator (or via Finder on macOS Sonoma 14 or later) does the same thing. A revive updates firmware and recoveryOS only, preserving user data. A restore updates firmware/recoveryOS and erases the SSD, reinstalling macOS from an IPSW. Neither clears Activation Lock. A DFU restore removes the Intel firmware password or the Apple silicon Recovery Lock, but Activation Lock is server-side and tied to the hardware identity (serial / ECID). After a successful restore the Mac contacts the activation servers, discovers it is locked, and presents the Activation Lock screen in Setup Assistant exactly as any other wipe would. This is the precise reason every "I did a DFU restore on video, the Mac is unlocked" sales pitch is wrong; the catalog at the recurring DFU-restore "proof of unlock" forgeries covers the recurring forgeries.

Every legitimate clear#

There are five legitimate paths back to a usable Mac. Every other path is bypass methodology, which this guide does not cover.

The original Apple Account password. On the Mac itself: System Settings → [your name] → iCloud → Find My Mac → Turn Off, then enter the Apple Account password. Activation Lock is disarmed the instant Find My goes off. From another device or when the Mac is offline, sign in at iCloud.com/find, select the Mac, and click Remove from Account. The Find My app on an iPhone or iPad signed into the same account also works (Devices → select the Mac → Remove This Device). The owner-side procedure is covered in how to remove Activation Lock from your Mac the legitimate way.

The local user's device passcode. At the Activation Lock screen on a Mac whose owner has the local user password but not the Apple Account password, Apple will sometimes accept the device passcode as a fallback.

An MDM-escrowed bypass code. On supervised devices managed by an MDM, the device-generated bypass code can be applied at the Activation Lock screen by leaving the Apple ID field blank and entering the code in the password field, or via Recovery Assistant → "Activate with MDM key…" in recoveryOS. The code is highly time-sensitive: under some configurations it must be retrieved within 15 to 30 days of supervision, after which it becomes permanently unretrievable from the hardware.

Apple Business or School Manager removal. Since macOS Sequoia 15 / WWDC 2024, an org with Manage Devices privileges can turn Activation Lock on or off directly in the ABM/ASM console (Devices → select device → More → Turn Off Activation Lock), provided the device was in ABM/ASM before the lock was set.

Apple proof-of-purchase support request. As a last resort, Apple's Activation Lock support request at al-support.apple.com is the only legitimate path for an owner who has no credentials and never had MDM. You must provide the device's serial number and an original receipt from Apple or an Apple Authorized Reseller showing the serial number, purchase date, and reseller details. In some flows, photo ID matching the receipt name is required. The device cannot currently be in Lost Mode, managed by MDM, or reported missing. Per Apple Community moderators, a response can take up to 30 days and comes by email. Apple routinely rejects receipts from eBay, gray-market resellers, general electronics stores that are not Authorized Resellers, and private bills of sale. The pattern is stark: a legitimate original owner who kept their Apple Store or Apple.com receipt almost always succeeds; a private-party second-hand buyer with only a private sales receipt almost always fails. The full procedural walkthrough is in the Apple Activation Lock removal request.

For an inherited Mac from a deceased owner, Apple's Digital Legacy program (set up in advance) or a court order naming the estate representative are the formal paths. Apple's team has discretionarily assisted with death certificates and proof of relationship, but legal probate documentation transferring the specific asset must accompany the receipt.

The check that holds up before paying#

Apple once let anyone enter a serial or IMEI to check Activation Lock status. It removed that tool in early 2017. The support document reference came down on January 24, 2017, and the iCloud.com/activationlock URL went dark the following night. Reporting at the time tied the takedown to a serialization exploit: hardware hackers were algorithmically generating valid serials of legitimately purchased, unactivated devices, then using the checker to identify which cloned identities came back unlocked. Apple never issued an official explanation. As of 2026 there is no official Apple web tool that reports a Mac's Activation Lock state by serial number.

checkcoverage.apple.com still exists but serves a different purpose. It confirms warranty and AppleCare status and that the serial is a genuinely registered Apple product, which is useful against serial cloning and unauthorized board swaps. It does not report Activation Lock state. Any third-party "iCloud Activation Lock check by IMEI/serial" site is commercial and advisory at best. Many return guesses or upsell a "removal service" that does not work.

The reliable verification is an in-person live boot. The full checklist is in how to check Activation Lock status on a Mac, and the buyer-side decision-stage version is in the 90-second Activation Lock check before buying. The compressed sequence:

1. Verify the serial at checkcoverage.apple.com is a real Apple product with a plausible purchase or warranty date for the model.
2. Identify the chip: Apple menu → About This Mac (M-series), or look for "Apple T2 chip" under Controller / iBridge in System Information. Lock support depends on this.
3. Watch the seller sign out of iCloud and run Erase All Content and Settings in your presence (System Settings → General → Transfer or Reset → Erase All Content and Settings).
4. Watch the Mac boot all the way to the multilingual "Hello" Setup Assistant.
5. Connect to Wi-Fi (your hotspot or theirs) during Setup Assistant to force the activation check. If it proceeds straight to Region → keyboard → Wi-Fi → Data and Privacy with no Activation Lock screen and no Remote Management screen, the Mac is genuinely clear.
6. Pay only after step 5, with a method that allows reversal. Cash for a substantial used Mac is the highest-risk option.

The "Activation Lock Status" field under hold-Option → Apple menu → System Information → Hardware is a strong signal where the field is exposed, but it is not absolute proof. The authoritative state lives on Apple's servers, which is why the live boot is the gold standard. There are also reports that the field has been removed or hidden on Apple silicon in some recent macOS versions; rely on the clean live boot rather than treating its absence as a verdict.

The pawn shop pitfall#

A Mac can appear fully cleared yet remain bound to a previous owner's account. If a seller reinstalls macOS offline or otherwise bypasses the activation check during setup, the local OS will boot and log in normally. But the hardware ID is still registered to the previous owner. If that owner later audits their iCloud device inventory and marks the Mac lost, the Mac receives the command over the Find My network and locks instantly, leaving the buyer with a bricked machine and no local recourse. This is why the live boot to the Setup Assistant with Wi-Fi connected matters. Without the activation check forced, a seemingly clean Mac may be a time bomb. The pawn shop pitfall in detail covers the variants and the buyer-protection procedure.

What to do if you receive a locked Mac#

Be realistic: a Mac locked to an inaccessible Apple Account is, in nearly every scenario, a paperweight. Options, best first:

• Re-contact the seller. The fastest fix is the seller signing into iCloud.com/find on any device and clicking Remove from Account. They do not need to be physically present. Many disputes are honest mistakes; provide the serial and ask politely.
• Apple's proof-of-purchase route at al-support.apple.com, realistic only if you hold an original Apple or Authorized Reseller receipt with the serial in your name.
• Marketplace and payment buyer protection. eBay Money Back Guarantee, PayPal Goods and Services, credit-card chargebacks (Reg E or Reg Z in the US, Section 75 in the UK), and platform protections on Swappa or Back Market are your real recourse. File quickly; windows are typically 30 to 180 days.
• If the device was stolen, report it to police with the serial and any seller communications. It will not make the Mac usable, but it supports the case.
• Do not pay for any "iCloud unlock" service. The full explanation is at why iCloud unlock and MDM bypass services are always scams.

Erasing, reformatting, reinstalling macOS, or booting external drives will not bypass the block. Verification is enforced by Apple's servers, and the servers do not care what state the local SSD is in.

Remote Management is different#

The "Remote Management" screen that can appear after Setup Assistant, stating the Mac will be configured by an organization, is MDM enrollment via Automated Device Enrollment (ADE, formerly DEP), not Activation Lock. It appears because the serial is registered to an organization's Apple Business Manager (ABM) or Apple School Manager (ASM) tenant, and during setup Apple directs the Mac to enroll with that org's MDM server. The two locks have different remedies, and a second-hand Mac can present either or both.

A Mac on the Remote Management screen with no relationship to any organization should be considered an unsuitable purchase. Apple Support generally cannot remove an MDM lock on behalf of a private buyer; only the owning organization can. The full picture is in Remote Management screen on a used Mac.

What this means for the reader#

Activation Lock is the cheapest thing in computing to get right and one of the most expensive to get wrong. Sellers who run Erase All Content and Settings to a clean "Hello" screen, sign out of iCloud first, and verify the Mac has left their account at iCloud.com/find produce buyers who never see a problem. Buyers who insist on the live-boot procedure with Wi-Fi connected during Setup Assistant catch the problem before money changes hands. Buyers who skip the live boot, accept screenshots, or pay cash on a Mac at a normal login screen are the population that fills the locked-Mac threads on every Apple forum.

The honest summary of every legitimate clear is short: the Apple Account password (best), an MDM bypass code (rare), ABM/ASM removal (organizational), or the proof-of-purchase request to al-support.apple.com (slow and only realistic for original Apple-receipt holders). Every other path that promises an "unlock" is one of: phishing, theft re-laundering, a JavaScript stage play that produces fake progress bars, or a temporary partial bypass that the next macOS update wipes. None of them work on Apple silicon's boot chain, which has no public bypass at all.

If you are buying, the free Macfax Activation Lock check gives you a signed report of the Mac's Activation Lock state, Find My Mac status, iCloud account binding, and MDM enrollment before you pay, so the next Mac you buy is not the one that turns up locked the morning after.