iOS 7 - device reuse can be difficult

iOS devices can use up to 5 different AppleIDs for content etc, but the First One becomes the the one that controls the find my ipad features.

This would mostly be a policy change of how you deploy them, Make them register their company owned email address as the primary apple id.

If you ever have to, you should be able to take control/gain access to a terminated employees email account and request a password reset, currently 2 options are available, verify with security questions, or E-Mail, if done via email they merely send a password reset link to the email and you get to type in a new one.

I have a work issued ipad, and I have my work account linked so that I can use work paid of apps, but I have a second itunes account so that I can buy apps out of my own pocket and retain ownership of them if I ever purchase a personal iOS device and to maintain a clear audit trail.

MDM won't help here because the Activation Lock feature is not controlled by the device. It is controlled by Apple's activation servers.

One option is to change your policies to charge the employee when this happens.

But I think you have identified a real issue. In Apple's world, company-owned devices should be supervised. Unsupervised devices are assumes to be property of the employee, and there is no way Apple is enabling the company to remove Activation Lock.

But what about for supervised devices? It does seem Activation Lock should behave differently for supervised devices.

Duane, nice find. That's front-page worthy.

Nice find Duane. So, I guess I have to figure out how we take all of the currently deployed iphones that were deployed unsupervised... and supervise them.

Prior to IOS7, we recommeneded users activate icloud/find my iphone, but the devices were in unsupervised mode, not as a big of an issue in IOS6 to put device in recovery mode. With rapid adoption of IOS7, the baked in Find My iPhone/Activation Lock "feature" could definitely brick some phones coming back. Haven't even started freaking out about AirDrop yet....

I'm not sure the restore would connect the new device to iCloud. Have you tested that?

Yesterday I heard that in the next update to the MobileIron VSP admins can prevent users to enable Find my iPhone on their phones.

"Policies to manage/control this feature will be available in VSP 5.7.8 which is due for release end of September 2013."

Hope it's true

I've confirmed that a backup/restore of an iPad loaded with iCloud and with the FindMyiPhone feature turned on will indeed restore to new devices.

If you enable restrictions settings in your original backup to block account changes this will also be backed up and restored.

The only downside is that the device name ( which is ultimately what shows up in FindMyiPhone when you try to locate ) will be the same for all devices restored, so as a final step after the restore you must go into settings > general > about and change the name to whatever naming convention you have setup for your corporate devices. ( or I suppose you could just do this in iTunes when the iPad is still connected after the restore.

My concerns around a unseen limit remains though. Last thing we need is to deploy 200 devices like this and then reach a flag and have the iCloud account banned or removed...I'll need to contact our apple reps for insight.

We got into this condition (Possible Solution to Corporate Deployments) by accident. We got new iPads supervised with Configurator (which takes care of the naming concern by sequentially numbering them), however, the master being restored had the school Apple ID configured for iCloud when initially going through the setup screen to build the master. The problem became apparent when iCloud Backup complained the 5 GB free space was filled. Backups started happening on all the iPads and a few hundred were done this way. In the iOS 6 mentality it should have been simple to make a new master to restore that didn't include that Apple ID. With the new Activation Lock feature, on a Supervised iPad, when an Apple ID is entered for iCloud, a master without that Apple ID cannot be restored!

There are basically two solutions for these iPads now of time not originally planned:

1. Touch every iPad and delete the iCloud account (less than 10 minutes) x 300 = 50 man hours
2. Un-Supervise and start over - Wipe while individually maintaining the same name as now assigned and recorded in other systems; but the bulk of the time is re-installing all the apps (less than 20 minutes) x 300 = 100 man hours

We were bit by this the other day. We had an employee get let go, and they updated their iPad 2 running iOS 6 to iOS 7.

The employee had changed the passcode on the device, and was unresponsive to requests for the new passcode.

To get around this, I put the device in DFU mode, and set it up as as a new iPad in iTunes.

That got me past the passcode issue, but I was stuck at the screen asking for the Apple ID used to originally setup the iPad.

The weird part was, that we originally used our corporate Apple ID to setup the iPad, then signed out so the user could install their own apps.

It appears that somehow during the iOS 7 install, the user was able to enter his own Apple ID and make that the new 'original' Apple ID.

The user was - understandably - not interested in sharing his Apple ID, but there was a workaround:

Go to icloud.com/find (https://www.icloud.com/#find):
1. Select the device from the Find My iPhone device list by clicking All Devices at the top of the screen.
2. Erase the device by clicking the Erase button. This will erase all content and settings from the device. When prompted, do not enter a phone number or message. Click Next until the device is erased.
3. When the erase is complete, click "Remove from Account" to remove the device from the account.

So, you're saying there needs to be a 1-1 relationship b/w iCloud account and iPad.

So, each iPad has to have it's own iCloud account to comply with Apple's TOS?

As far as I know this is not advertised anywhere but confirmed directly with Apple last week that if you have a corporate-owned device and no access to the iCloud account a past employee used, you can also call AppleCare enterprise support and prove ownership to have the device unlocked on Apple's side directly. Here's a standard Activation Lock process I put together for our IT support team...

Resolving iOS Activation Locks

Apple offers a FAQ for Activation Lock at the following page:
iCloud: Find My iPhone Activation Lock in iOS7 (http://support.apple.com/kb/HT5818).

It is critical to understand that as of 10/13 there are only 3 means of preventing a NON-supervised iOS 7 device with Find My Phone enabled from locking activation:

1) Deactivate Find My Phone on device before erasing data (requiring access to device).
2) Remove device from the iCloud account has been activated with (requiring Apple ID credentials).
3) Remove Lock through Apple Enterprise Support (requiring proof of ownership).

To prevent activation lock out on company-owned devices that are returned/retired follow these steps:

Scenario 1: Device is Returned by Not Yet Wiped
Users/IT deactivates Find My Phone from Settings > iCloud > Find My Phone before erasing/wiping the device.

Scenario 2: Device is Returned by Already Wiped
User must follow Apple's deactivation directions, log into their iCloud account, and remove the device from their list of iCloud devices.

Scenario 3: Device is Returned, Already Wiped, Previous User Unknown/Unreachable
IT / Enterprise Mobile must call Apple Enterprise Support and put in a request to for activation lock reset (2-3 day expected turnaround)
Contact: 866-752-7753. Provide purchase date of device, invoice number of purchase, business name + postal address, and both IMEI and serial number of device (obtainable by tapping the "i" icon lower-right corner of initial iOS setup screen).

If the user erases the device through Setting> General > Reset > Erase all content and settings he will get prompted for it's Apple ID to disable Activation Lock.

Nicolas

This is a good point and it is true ( we tested this )

But, until supervision can be turned on remotely or it's yearly certificate doesn't get in the way of deployments where iPads don't come back to be reprovisioned every year (most deployments we see). This continues to not be a viable solution.

https://discussions.apple.com/message/22382263#22382263

This discussions talks a bit about it- The simon gentleman seems to tell the original poster that you can "push out a new self signed supervision cert " ( I found that this is not the case )