← Blog

iCloud unlock and MDM bypass on Mac: why every service is a scam

iCloud locked Macs and MDM-bound Macs cannot be unlocked by a third party. Apple sells no consumer iCloud removal product, and every "bypass" service sells the appearance of a clean Mac, not a clean Mac. Activation Lock and ABM/ASM enrollment are enforced on Apple's servers, so every client-side workaround unwinds the moment the device re-contacts Apple.

Ben Carter
Ben CarterIndustry analyst
9 min read
activation-lockmdmicloud-unlockmac-fraudfraud-awarenessbuying-guides
iCloud unlock and MDM bypass on Mac: why every service is a scam

iCloud unlock and MDM bypass on Mac: why every service is a scam#

Apple sells no consumer iCloud removal product, and every third-party service that claims to remove Activation Lock, the iCloud-bound lock that survives any SSD wipe, or MDM enrollment from a Mac is selling the appearance of a clean device, not a clean device. An iCloud-locked MacBook Pro or MDM-bound corporate Mac stays locked. The services typically advertise on Instagram, Telegram, and YouTube at $100 to $300, promise "permanent" or "official" removal, and deliver a local workaround that unwinds the moment the Mac re-contacts Apple's servers.

The reason this industry can persist is that both Mac locks are enforced server-side. The local Mac is a client that re-checks. Any bypass that lives only on the disk is rented time, not a fix. The broader catalog of how to avoid MacBook scams when buying second-hand sits this one inside the rest of the used-Mac fraud landscape.

What is actually being locked#

On any Apple Silicon Mac (M1, M2, M3, M4 family) or T2-equipped Intel Mac, two independent locks may be in play.

Activation Lock triggers automatically when Find My Mac is enabled, which is the default on every Apple-ID-bound Mac with Apple Silicon or T2. Once on, the device's hardware identifier is registered on Apple's iCloud activation servers as locked to a specific Apple ID. During Setup Assistant, the Mac contacts those servers. If the device is still locked, Setup Assistant halts on the Activation Lock screen with the obfuscated Apple ID hint (j••••@gmail.com). The lock lives on Apple's servers, not on the disk. Erasing the SSD, reinstalling macOS, or physically replacing internal components does not remove it.

MDM enrollment via Apple Business Manager (ABM), Apple School Manager (ASM), or the older Device Enrollment Program (DEP) (collectively Automated Device Enrollment, ADE) permanently binds the serial number to that organization on Apple's enrollment servers. On every fresh boot, every macOS reinstall, and every Erase All Content and Settings, the Mac contacts Apple's enrollment servers (iprofiles.apple.com, deviceenrollment.apple.com, albert.apple.com), learns which MDM server it belongs to, and automatically downloads the management profile. Wiping the SSD does nothing. Reinstalling macOS does nothing. The binding is to the serial number at Apple's servers. The mechanics of the Remote Management screen on a Mac and why it survives every wipe are covered in detail separately.

The unlock-service industry exists because both locks have the same property: they look local but are enforced remotely.

What the typical "bypass" actually does#

There is a documented category of local workarounds, summarized in publicly available writeups such as the one at https://joshua.hu/bypassing-kandji-mdm-apple-business-abmmacos-2025. They follow the same pattern.

  1. Boot the Mac into Recovery and disable System Integrity Protection with csrutil disable.
  2. Delete or empty the active enrollment configuration profiles in the system's profiles directory.
  3. Create empty dummy files to convince Setup Assistant that a cloud configuration has already been applied.
  4. Append loopback redirects to /etc/hosts so that key Apple activation, device-enrollment, and profiling domains (iprofiles.apple.com, deviceenrollment.apple.com, albert.apple.com) resolve to 0.0.0.0 or 127.0.0.1, preventing the device from learning its true server-side state.
  5. Disable or unload the launch daemons that check enrollment, including com.apple.ManagedClientAgent.enrollagent, com.apple.mdmclient.daemon, and com.apple.devicemanagementclient.teslad.

That sequence hides the Remote Management prompt at the user-interface level. The device remains registered in ABM on Apple's central database. The Activation Lock variant is narrower: there is no comparable local "unlock" for current Apple Silicon Macs, because the activation check is gated by the Secure Enclave's communication with Apple's iCloud activation servers and does not present a local file that can be neutralized. The closest demonstrated technique is the unstable "fail-open" exploit against T2 Macs that bypasses local activation checks on a single boot, but the lock remains active on Apple's servers and any OS update, network reconnect, or restart can re-trigger the activation request.

What unwinds it#

Any of these reverses the bypass:

  • A clean macOS reinstall.
  • An NVRAM reset.
  • A system update that re-enables SIP and overwrites /etc/hosts.
  • Erase All Content and Settings, which re-runs the Setup Assistant enrollment query.
  • Any process that re-queries Apple's enrollment servers from a network where DNS resolution is not redirected.

A buyer who runs any of those (which covers the normal life of a Mac) brings the lock back. The "permanent unlock" promise is therefore false in the only sense that matters: the device returns to its managed or activation-locked state without warning.

The secondary harms#

The bypass not working is not the only problem.

Some "unlock services" additionally collect the Mac's serial number after the customer submits it for "verification" or "eligibility." That serial then enters the resale-fraud ecosystem: relisted with cloned photos, used as the visible serial in a Mac Studio case-swap listing, or matched against active AppleCare+ coverage in the warranty-fraud market. Other services contact the actual original owner of an Activation-Locked device and try to extract a kickback "ownership transfer," using the buyer's payment as leverage to pressure the rightful owner.

There is also no public Apple page that shows Activation Lock status by Mac serial. Apple retired the iCloud Activation Lock checker in 2018. Any third-party "checker" advertised online is scraping repair-flow rejections at best, not authoritative server state, and several of those checker sites are themselves the marketing funnels for unlock services. The reference on what Apple's checkcoverage.apple.com actually returns for a Mac covers what the page does and does not show (warranty and AppleCare standing, not Activation Lock).

Using bypass tools on a device that is not legally yours may also constitute computer-fraud or unauthorized-access violations in some jurisdictions, separately from the underlying question of whether the Mac was originally stolen.

How to detect a Mac that was "bypassed" rather than legitimately clean#

If a seller demonstrates a Mac that appears unmanaged, the diagnostic outputs distinguish an authentic-clean device from a device that was bypassed by the techniques above. The signatures are different.

DiagnosticCommandAuthentic-clean outputBypassed output
Server-side enrollment querysudo profiles show -type enrollmentError fetching Device Enrollment configuration: Client is not DEP enabledReturns organizational metadata, MDM server URLs, or hangs due to redirected DNS
Local profile inventorysystem_profiler SPConfigurationProfileDataTypeNo configuration profiles installed or empty blockActive payloads, restrictions, or enterprise certificates
DNS redirection tablecat /etc/hostsStandard local entries only (127.0.0.1 localhost)Entries mapping iprofiles.apple.com or deviceenrollment.apple.com to 0.0.0.0
System Integrity Protectioncsrutil statusSystem Integrity Protection status: enabled.System Integrity Protection status: disabled. (commonly left off to keep file-level bypasses active)

Any single "compromised" output is grounds to refuse the device.

The single best non-technical check is to force a reset before payment. Have the seller perform Erase All Content and Settings on video, then walk Setup Assistant through the Wi-Fi step on a network the seller does not control. A cellular hotspot is the safest choice because the seller cannot redirect DNS at a network layer the buyer cannot see. A clean Mac proceeds through language, Wi-Fi, and Migration Assistant. An ADE-bound Mac surfaces a Remote Management screen with the organization's name immediately after the Wi-Fi step. An Activation-Locked Mac surfaces the Activation Lock screen before Wi-Fi configuration completes. The video script for an Activation Lock check that actually holds up walks through the buyer-side discipline in detail.

The legitimate removal paths#

For Activation Lock there are two:

  1. The original Apple ID password. The owner signs into icloud.com/find, selects the Mac under All Devices, and chooses Remove from Account. The lock resolves in seconds.
  2. Apple-accepted proof of original purchase submitted to the Activation Lock Support Request at https://al-support.apple.com/. Apple accepts an original Apple Store or Apple Online Store receipt showing the buyer's name and the serial number, or an Apple Authorized Reseller invoice (Best Buy, B&H) with the same. Apple does not accept eBay, PayPal, or Facebook Marketplace receipts, private bills of sale, photographs of the box, or Check Coverage screenshots. The Activation Lock Support Request is a long-shot for second-hand buyers without original-owner cooperation, but it is free.

For MDM/ADE there are exactly three:

  1. The organization's ABM or ASM administrator signs into business.apple.com or school.apple.com, navigates to Devices, finds the serial, and clicks Release Device. Apple's documentation is explicit that this is irreversible: the device cannot be re-added to that tenant afterward.
  2. The organization's MDM admin issues a remote "remove management profile" command from the MDM console. This works only while the device is online and managed, and on supervised devices it still leaves the device eligible for re-enrollment if it is not also released in ABM.
  3. The original purchaser provides original purchase receipts to Apple Business Support, sometimes routed through AppleCare Enterprise, with documented chain of ownership. Apple may then release the device server-side. This is exceptional and requires documentation second-hand buyers do not have.

All three MDM paths require the original organization's cooperation. There is no fourth path. A second-hand individual buyer with no link to the original organization has effectively no remediation other than returning the Mac inside the marketplace dispute window or accepting that the device is bricked.

What this means if you are looking at a "for sale, iCloud unlocked, ready to set up" listing#

The phrasing is the tell. A genuinely unlocked Mac does not require the qualifier. A seller who advertises "iCloud unlocked" in the listing title has anticipated the buyer's question, which means they expect the question, which means the device's history involves Activation Lock or MDM at some prior point. That is not by itself evidence of fraud, but it places the burden of proof on the seller, not the buyer.

The verification posture that survives every variant of bypass:

  • Demand Erase All Content and Settings on live video, run before payment, with the buyer's username on a dated paper visible in the same frame.
  • Demand the Setup Assistant flow proceed past the Wi-Fi step on a network the buyer chooses (cellular hotspot ideally).
  • Demand the buyer's own re-verification on the received unit, on the buyer's network, on first boot.
  • Refuse to pay until all three are in evidence.

The unlock-service industry exists to sell the gap between "the device looks clean right now" and "the device is actually clean on Apple's servers." The first sentence is rentable. The second is not. Apple's enforcement is the authoritative state, and the only durable answer is to make sure Apple's servers agree with the listing before money moves.