Activation Lock security
How Apple enforces Activation Lock depends on the platform: an iPhone or iPad, a Mac with Apple silicon, or an Intel-based Mac with the Apple T2 Security Chip. In every case the device can't reach a usable OS without obtaining an activation certificate from Apple's activation server, and an Activation Locked device only gets that certificate once the iCloud credentials of the account that enabled the lock are supplied.
Behaviour on iPhone and iPad
On iPhone and iPad, Activation Lock is enforced during the activation step that follows the Wi-Fi selection screen in the iOS and iPadOS Setup Assistant. When the device activates, it sends a request to an Apple server to obtain an activation certificate. If the device is Activation Locked, it prompts at that point for the iCloud credentials of the account that enabled Activation Lock. Setup Assistant won't progress until a valid activation certificate has been obtained.
Behaviour on a Mac with Apple silicon
On a Mac with Apple silicon, the Low-Level Bootloader (LLB) verifies that a valid LocalPolicy exists for the macOS being booted and that the anti-replay values in that LocalPolicy match the values recorded in the Secure Storage Component. LLB boots to recoveryOS instead if any of the following is true:
There is no LocalPolicy for the current macOS
The LocalPolicy is invalid for that macOS
The hashes of the LocalPolicy anti-replay values don't match the hashes stored in the Secure Storage Component
recoveryOS then detects that the Mac isn't activated and contacts the activation server to get an activation certificate. If the device is Activation Locked, recoveryOS prompts at that point for the iCloud credentials of the account that enabled Activation Lock. After a valid activation certificate is obtained, the activation certificate key is used to obtain a RemotePolicy certificate, and the Mac uses its LocalPolicy key together with the RemotePolicy certificate to produce a valid LocalPolicy. LLB won't boot macOS until a valid LocalPolicy is present, so an Activation Locked Mac can't be made to boot macOS by reinstalling or swapping the OS volume.
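The following is an added illustration, not Apple's code: a small model of the three LLB checks above and of why the anti-replay value matters. It assumes a LocalPolicy is a dictionary of fields, stands in for the LocalPolicy key signature with HMAC-SHA256 under a per-device key (the real key is an asymmetric key that never leaves the Secure Enclave), and models the Secure Storage Component as holding only the hash of the current anti-replay value. The RemotePolicy certificate exchange with the activation server is outside what this model covers; it only shows which LocalPolicies LLB accepts and which send the Mac to recoveryOS, including a replayed, previously valid LocalPolicy.

```python
"""Model of the LLB LocalPolicy checks (added example; not Apple's implementation).

Assumptions not taken from the page: LocalPolicy = dict of fields,
HMAC-SHA256 stands in for the LocalPolicy key signature, and the
anti-replay value is a random 16-byte nonce whose SHA-256 hash the
Secure Storage Component keeps.
"""
import hashlib
import hmac
import os
from typing import Optional

MACOS = "macOS"
RECOVERY_OS = "recoveryOS"


class SecureStorageComponent:
    """Stand-in for the Secure Storage Component: stores only the hash of the
    current anti-replay value, so an older LocalPolicy cannot be replayed."""

    def __init__(self) -> None:
        self.anti_replay_hash: Optional[bytes] = None

    def new_anti_replay_value(self) -> bytes:
        value = os.urandom(16)
        self.anti_replay_hash = hashlib.sha256(value).digest()
        return value


def _signed_fields(policy: dict) -> bytes:
    # Canonical encoding of every field except the signature (assumed format).
    return b"|".join(f"{k}={policy[k]}".encode() for k in sorted(policy) if k != "sig")


def make_local_policy(lp_key: bytes, volume_id: str, anti_replay: bytes) -> dict:
    """Build a LocalPolicy for one macOS install, bound to the current
    anti-replay value, and sign it (HMAC as a stand-in for the real signature)."""
    policy = {"volume": volume_id, "anti_replay": anti_replay.hex()}
    policy["sig"] = hmac.new(lp_key, _signed_fields(policy), "sha256").hexdigest()
    return policy


def llb_boot_target(policy: Optional[dict], volume_id: str, lp_key: bytes,
                    ssc: SecureStorageComponent) -> str:
    """Apply LLB's three checks in order; any failure boots to recoveryOS."""
    if policy is None or policy.get("volume") != volume_id:
        return RECOVERY_OS                      # 1. no LocalPolicy for this macOS
    expected = hmac.new(lp_key, _signed_fields(policy), "sha256").hexdigest()
    if not hmac.compare_digest(policy.get("sig", ""), expected):
        return RECOVERY_OS                      # 2. LocalPolicy invalid
    try:
        anti_replay = bytes.fromhex(policy["anti_replay"])
    except (KeyError, ValueError):
        return RECOVERY_OS
    if hashlib.sha256(anti_replay).digest() != ssc.anti_replay_hash:
        return RECOVERY_OS                      # 3. anti-replay hash mismatch (stale policy)
    return MACOS


def run_scenarios(lp_key: bytes = b"per-device-localpolicy-key") -> dict:
    """Exercise the cases a practitioner would want to see and return the
    boot target for each, so the outcomes can be checked programmatically."""
    ssc = SecureStorageComponent()
    volume = "macOS-volume-A"
    current = make_local_policy(lp_key, volume, ssc.new_anti_replay_value())
    results = {"valid": llb_boot_target(current, volume, lp_key, ssc)}

    # No policy at all, or a policy issued for a different macOS install.
    results["missing"] = llb_boot_target(None, volume, lp_key, ssc)
    results["other_volume"] = llb_boot_target(current, "macOS-volume-B", lp_key, ssc)

    # Field edited after signing, and a policy signed with someone else's key.
    tampered = dict(current, anti_replay=os.urandom(16).hex())
    results["tampered"] = llb_boot_target(tampered, volume, lp_key, ssc)
    forged = make_local_policy(b"attacker-key", volume, bytes.fromhex(current["anti_replay"]))
    results["wrong_key"] = llb_boot_target(forged, volume, lp_key, ssc)

    # Anti-replay value rotated (as when a new LocalPolicy is produced): the
    # reissued policy boots, the old (still correctly signed) one does not.
    reissued = make_local_policy(lp_key, volume, ssc.new_anti_replay_value())
    results["reissued"] = llb_boot_target(reissued, volume, lp_key, ssc)
    results["replayed_old"] = llb_boot_target(current, volume, lp_key, ssc)
    return results


if __name__ == "__main__":
    for name, target in run_scenarios().items():
        print(f"{name:13s} -> {target}")
```

The replay case is the one worth noticing: the old LocalPolicy is still correctly signed and still names the right volume, and it is rejected only because the Secure Storage Component no longer holds the hash of its anti-replay value. That is what stops an attacker from restoring a LocalPolicy captured before a device was Activation Locked.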
Behaviour on Intel-based Mac computers
On an Intel-based Mac with a T2 chip, the T2 chip firmware verifies that a valid activation certificate is present before allowing the computer to boot macOS. The UEFI firmware loaded by the T2 chip queries the activation status from the T2 chip and boots to recoveryOS instead of macOS if a valid activation certificate isn't present. recoveryOS then detects that the Mac isn't activated and contacts the activation server to get an activation certificate. If the device is Activation Locked, recoveryOS prompts at that point for the iCloud credentials of the account that enabled Activation Lock. The UEFI firmware won't boot macOS until a valid activation certificate is present.