Change with iCloud ActivationLock ByPass Code
| Originator: | pierrenicolasr | ||
| Number: | rdar://34735204 | Date Originated: | 29-Sep-2017 11:20 AM |
| Status: | Open | Resolved: | |
| Product: | iOS + SDK | Product Version: | 11.0.0 |
| Classification: | Serious Bug | Reproducible: | Always |
Summary:
Note - this is being investigated by Apple Professional Service ticket 100291765343.
iCloud ActivationLock Bypass Code behavior has changed between iOS 10 and iOS 11, and the change makes clearing ActivationLock hard if not impossible by MDM.

Steps to Reproduce:
1. Have a DEP supervised device; wipe it, activate it and enroll it via an MDM. Make sure the user is prompted for Apple ID.
2. MDM server must:
   a. Request ActivationLockBypass Code
   b. Clear ActivationLock Bypass code on the device
   c. Send setting to allow ActivationLock while supervised
3. On the device, activate Find My Phone.
4. Remove Activation Lock by calling https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock with the code retrieved in a.

Expected Results:
Service must return 200 OK - and activation lock must be removed. Wiping the device must not ask for Apple ID after activation.

Actual Results:
Service returns 404 - escrow key mismatch.

Version:
11.0.0

Notes:
- This works with iOS 10.
- If, after step 3, I ask for the code again, I get a new code different from the one from step 2. This new code works and allows unlocking the device.

It sounds like the code has been regenerated when Find My Phone is enabled. This change is not documented, and has bad side effects:
1. With iOS 10, the workflow is easy - activate, get code, clear code, done. With iOS 11, we need to get the code regularly. What if the user enables Find My Phone and wipes the device before MDM could get the code?
2. The code is supposed to be removed from the device after 15 days. What if the user takes the device outside the MDM network, enables Find My Phone, waits 15 days, comes back? MDM will ask for the code but it will be removed.

This is a major change which can lead to lock issues :(.
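The behavior described in the notes means an MDM server cannot treat the first retrieved code as final. The following is an added example, not code from the reporter or from Apple: it keeps every distinct code a device reports and keeps polling inside the 15-day window. `BypassCodeEscrow`, `POLL_EVERY` and `window_start` are hypothetical names, and the polling interval and the start of the 15-day clock are assumptions.

```python
import plistlib
import uuid
from datetime import datetime, timedelta

CODE_WINDOW = timedelta(days=15)  # from the report: code leaves the device after 15 days
POLL_EVERY = timedelta(hours=6)   # assumption: interval picked by the MDM operator


def bypass_code_command() -> bytes:
    """Build the MDM command plist that asks a device for its bypass code."""
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "ActivationLockBypassCode"},
    })


class BypassCodeEscrow:
    """Hypothetical per-device record that never overwrites a retrieved code."""

    def __init__(self, window_start: datetime):
        self.window_start = window_start  # assumption: start of the 15-day clock
        self.last_polled = None
        self.codes = []                   # distinct codes, oldest first

    def record(self, when: datetime, code: str) -> bool:
        """Store a query result; return True if the device reported a new code."""
        self.last_polled = when
        changed = not self.codes or self.codes[-1] != code
        if changed:
            self.codes.append(code)
        return changed

    def should_poll(self, now: datetime) -> bool:
        if now - self.window_start >= CODE_WINDOW:
            return False                  # device no longer holds a code to report
        return self.last_polled is None or now - self.last_polled >= POLL_EVERY

    def unlock_candidates(self) -> list:
        """Codes to submit to escrowKeyUnlock, most recently retrieved first."""
        return list(reversed(self.codes))

    def unobserved_gap(self, now: datetime) -> timedelta:
        """Time inside the window during which a regenerated code went unseen."""
        end = min(now, self.window_start + CODE_WINDOW)
        start = self.last_polled or self.window_start
        return max(end - start, timedelta(0))
```

A large `unobserved_gap` flags devices where Find My Phone could have been enabled after the last successful query, which is the case the report says ends in an escrow key mismatch.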