Hey everyone, I have a question regarding the FileVault in macOS. I just reset one of my MacBook Airs, and it seems to be locked by FileVault and is asking for some recovery key or something? Where do I find this recovery key?
Mac device enrollment | Solved
@luuk , I think it is available somewhere on the “Device Info” page in the portal.
I remember seeing that option too, but not quite where.
@luuk , once the FileVault settings have been configured using the FileVault policy and FileVault enabled on the device, the FileVault Recovery Key will be available under the Security Info of the Device Info page. This key will be in the form of jumbled letters separated by dashes. Use this key in the Recovery Key column on the Recovery mode screen without the dashes to decrypt the FileVault.
Regards,
Elle Reed,
Hexnode UEM.
Thanks @elle_reed , but another one of my Macs has become locked by Activation Lock! How do I overcome that now?
@luuk , you can go to the “Apple Business Manager” Portal and locate the device under the “Devices” section using its serial number and disable the Activation Lock from the menu (three dots on the right side of the device info page). You need to be a “Device Enrollment Manager” in the ABM portal so that you can do this.
@mees , yeah, that was easy to disable. I was able to reset the device now, but is it secure to keep the activation lock off like that?
@luuk , it is recommended to keep the Activation Lock on for your devices for an added security layer during login. Utilizing the Advanced Restrictions for macOS, the Activation Lock can be enabled by checking the Activation Lock box under Security and Privacy. For even more added security during login, the iCloud login can also be restricted by disabling the Users can modify an account option, preventing users from modifying their managed Apple IDs.
@elle_reed , I just did that and enabled the Activation Lock back on. One last question: how do I transfer a device to another employee in the organization, without data transferring over from the previous user to the next?
@luuk , the recommended procedure is as follows:
- First, disenroll the device from the Hexnode portal.
- Proceed to mark the device as disenrolled in the portal.
- Confirm from the Apple Business Manager console that the MDM server assignment is accurate.
- Factory reset the device from System Settings > General > Transfer or Reset > Erase all contents and settings.
- During set-up, since the ADE profile is assigned, the device will auto-enroll to Hexnode. Make sure to use Enforce Authentication for the Authentication method.
This procedure will make sure that the new user receives a newly wiped, fully provisioned device.
Thanks @elle_reed , I will be sure to use this method for future re-provisioning as well.