VMware Workspace ONE Community
mibir
Contributor

iOS 13 Devices Marked as Compromised

Hey All,

Curious if anyone has any folks already upgrading to iOS 13 and if they are seeing any issues with devices being marked as compromised. We have 9 developers that have upgraded for testing and 3 of the 9 have been marked as compromised after upgrading but 6 of them seem to be fine. I'm guessing something is going a little weird during the update process that confuses Intelligent Hub but was curious if anyone else is seeing odd behavior.
100 Replies
JarvisMeier
Contributor

Nailed down what is causing my device to be labeled as compromised: it’s the SMB share on my personal NAS at home.  The compromised status changes only once I start browsing files.  Log files indicate suspicious files and it marks my device as compromised.  I’m going to assume one of the files is my directory marked “torrents”.

Once I remove the share in Files and do a “send data” in Hub my device shows up as clean.

There’s gotta be a way to turn this off.

DavidWuDavidWu1
Contributor

For my device, it was fine on 13.2.1; after updating to 13.2.2, it was marked as compromised. Had to disable the email compliance policy to bypass this. (Hub version 19.09.1)

JarvisMeier
Contributor

Definitely an issue with mounting file servers in "Files" and having it trip the dynamic compromise protections. You can see the check here in the logs from my device connecting to an SMB share. Once the share is unmounted the device becomes clean:

2019-10-07 15:54:13:348 Hub[1421:174361] -[DynamicJailbreakFlowControllerOperation persistProcessedEnginePayload:payloadSignature:completion:] [Line:138][I]: Storing dynamic jailbreak rules payload...
2019-10-07 15:54:13:359 Hub[1421:174361] method [Line:1][E]: Exception: 75E739E3F1(): smb://jarvismeier@10.0.1.180/Storage on /private/var/mobile/Library/LiveFiles/com.apple.filesystems.smbclientd/nx3EygStorage lifs (1470001c) w  , Description: (null)
2019-10-07 15:54:13:359 Hub[1421:174361] -[AWSDKExceptionLogger logException:WithInfo:] [Line:50][W]: Jailbreak tracker is not set!
2019-10-07 15:54:13:359 Hub[1421:174361] (null) [Line:23][E]: Mount with Unexpected attributes: smb://jarvismeier@10.0.1.180/Storage on /private/var/mobile/Library/LiveFiles/com.apple.filesystems.smbclientd/nx3EygStorage lifs (1470001c) w 
2019-10-07 15:54:13:361 Hub[1421:174361] (null) [Line:23][E]: Total Prohibited Files: 13
2019-10-07 15:54:13:371 Hub[1421:174361] (null) [Line:23][E]: Device is detected to be compromised
2019-10-07 15:54:13:371 Hub[1421:174361] (null) [Line:23][E]: [{"id":"BundledRules_SDK_20190905"},{"name":"deviceJailBreakCheck","passed":true},{"name":"mountCheck","passed":false},{"name":"vnodeEnforcementCheck","passed":true},{"name":"procEnforcementCheck","passed":true},{"name":"environmentChecks","passed":true},{"name":"codeSigningChecks","passed":true},{"name":"debugChecks","passed":true},{"name":"prohibitedFileExistenceChecks","passed":true},{"name":"disallowedOperationChecks","passed":true}]
2019-10-07 15:54:13:371 Hub[1421:174361] -[DynamicJailbreakFlowControllerOperation completedCompromisedDeviceDetection:checks:identifier:evaluationTokenProvider:] [Line:125][E]: Dynamic jailbreak device detection finished with result: 1 for payload identifier: BundledRules_SDK_20190905
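One way to triage a Hub log like the one quoted in the post above, as an added example that is not part of the original thread or VMware's code: it pulls out the per-check results and flags the case where mountCheck is the only failed check and the flagged mount is an SMB share. The sample lines are constructed in the format quoted above (address and user are placeholders), and the function name `triage` and the `likely_share_false_positive` field are assumptions.

```python
import json
import re

# Constructed sample, modelled on the Hub log lines quoted in the post above
# (address and user name are placeholders, rule list shortened).
SAMPLE_LOG = """\
2019-10-07 15:54:13:359 Hub[1421:174361] (null) [Line:23][E]: Mount with Unexpected attributes: smb://user@192.0.2.10/Storage on /private/var/mobile/Library/LiveFiles/com.apple.filesystems.smbclientd/nx3EygStorage lifs (1470001c) w
2019-10-07 15:54:13:371 Hub[1421:174361] (null) [Line:23][E]: Device is detected to be compromised
2019-10-07 15:54:13:371 Hub[1421:174361] (null) [Line:23][E]: [{"id":"BundledRules_SDK_20190905"},{"name":"deviceJailBreakCheck","passed":true},{"name":"mountCheck","passed":false},{"name":"prohibitedFileExistenceChecks","passed":true}]
"""

# Timestamp, process tag, caller, then "[Line:N][LEVEL]: message".
PREFIX = re.compile(r"^\S+ \S+ Hub\[\d+:\d+\] .*?\[Line:\d+\]\[[A-Z]\]: (.*)$")
MOUNT = re.compile(r"^Mount with Unexpected attributes: (\S+) on (\S+)")
NETWORK_SCHEMES = ("smb://",)  # the only share type reported in the thread


def triage(log_text):
    """Return rule-set id, failed checks, flagged mounts and a verdict hint."""
    result = {"ruleset": None, "failed": [], "mounts": [], "compromised": False}
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        mount = MOUNT.match(msg)
        if mount:
            result["mounts"].append({"source": mount.group(1), "target": mount.group(2)})
        elif msg == "Device is detected to be compromised":
            result["compromised"] = True
        elif msg.startswith("[{"):
            try:
                entries = json.loads(msg)
            except json.JSONDecodeError:
                continue  # truncated or re-quoted line: skip rather than guess
            for entry in entries:
                if not isinstance(entry, dict):
                    continue
                if "id" in entry:
                    result["ruleset"] = entry["id"]
                elif entry.get("passed") is False:
                    result["failed"].append(entry.get("name"))
    network = [x for x in result["mounts"] if x["source"].startswith(NETWORK_SCHEMES)]
    # Only mountCheck failed and the flagged mount is a network share:
    # this is the false-positive pattern described in the thread.
    result["likely_share_false_positive"] = (
        result["compromised"] and result["failed"] == ["mountCheck"] and bool(network)
    )
    return result
```

Any other failed check, or a flagged mount that is not a network share, leaves the hint false, so the device still needs a normal compromise investigation.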
MarkSchwantje
Enthusiast

Jarvis M - Are those just the regular Hub logs that you send using the "Send Logs" function?

JarvisMeier
Contributor

Yep! Regular Hub logs.

ScottWitmer
Contributor

David W. Where did you disable this: "had to disable the email compliance policy to bypass this"?

DavidWuDavidWu1
Contributor

Scott - in the email/compliance policy area.

ThomasBeckerTho
Enthusiast

So iOS 13.2 got released to the public and the problem is still not fixed. Boxer is detecting iOS 13.2 as compromised and wipes itself. Intelligent Hub is working fine; it doesn't flag the device as compromised, only Boxer does.

BenByCegeka
Contributor

iPadOS 13.2 is installed on my iPad Pro 10,5" and the device isn't compromised. I can start Boxer (Version 5.11.2) without problems, the same with the Hub app.


We have read that the latest AirWatch apps are required for release 13.2.


ThomasBeckerTho
Enthusiast

Benjamin G.
iPadOS 13.2 seems to work fine for me too. The problem only appears on iOS.

Stansfield
Enthusiast

My Hub flagged my device as compromised with 13.2, and their chart https://kb.vmware.com/s/article/2960338?lang=en_US&queryTerm=2960338 still does not list any apps compatible for iPads, which is wonderful same-day support. We ticketed with them a while back on it and they said that the compromised detection was broken and had no timeline for a fix; they just pointed us at this forum thread. They said to monitor it; they would not even leave the ticket open for monitoring a fix, so I would not expect it to work ever again, since they do not seem to think it is an issue even worth monitoring.

BenByCegeka
Contributor

Thomas B.
Also no problems with iPhone SE and iOS 13.2 Beta. The latest AirWatch apps are installed.

Stansfield
Enthusiast

That is part of the weird part: it is not hitting everything, just a small but random chunk of the devices, and I have had it hit a fair number of iPads.

ThomasBeckerTho
Enthusiast

Benjamin G.
Sorry to bother you again. Which version of the beta are you running? The problem started to appear with 13.2 beta 2; before that it worked fine.
The strange thing is that I can't even deactivate compromised detection for Boxer anywhere. There is no option for that.
(We also run the latest VMware apps.)

BenByCegeka
Contributor

Hello Thomas,

I forgot to write that it is the Public Beta (13.2 (17B84)). Sorry.

stevewalker2018
Contributor

I have noticed today that devices running iOS 13.2 (Build 17B84) are being detected as "Compromised flag changed from Unknown to True" and the device is wiped. I'm going to raise a support ticket now on this.

ThomasBeckerTho
Enthusiast

I narrowed my issue down. The issue appears on both iOS and iPadOS 13.2 and only when using VMware Boxer in conjunction with VMware Tunnel (all latest versions).
If I use Boxer without VPN Tunnel, compromised detection does not hit.


stevewalker2018
Contributor

We are not using Boxer here, only the Hub app is installed. In the meantime I've switched Compromised Protection off.

JarvisMeier
Contributor

Just got confirmation that mounted SMB shares in the Files app do cause a false positive compromised device detection. An engineer said it's a bug and it will be fixed in 1911 of the console.

GuenterGruber
Contributor

In our environment around 15.000 devices are on 13.x and around 1300 of them are compromise-flagged. We switched off the compromise detection a while ago, and I can't find any reason to re-enable it. We are not using Boxer and the Hub version is 19.10.