Re: Break MDM Confirmed

AlexanderMuc · ‎12-14-2022

Hello!

In recent years, we have repeatedly had the problem that devices in the enrollment process have reset themselves with the message "Break MDM".

For a few weeks now, this has also been happening with devices that have already been registered. In the troubleshooting only a "Break MDM Confirmed" appears. Most of the time the devices perform a factory reset. In a few cases, there is no enterprise wipe and the hub continues to check in to MDM as if nothing ever happened.
It's mostly Android devices with an Enhanced Work Profile that are affected, but there are no discernible patterns in device models, security patch levels, or Hub version. The action seems to occur more with a 1-2 day lag from a software update.

Since yesterday, devices in the double digits have had a break MDM performed, which is very alarming. Compromised detection is disabled and the devices are compliant with us.

Is there anyone with similar problems or even a potential solution?

We are currently hesitating with a SR, as it is impossible for us to get any hub logs or even dumpstates of the incident.

Red1025 · ‎12-29-2022

Hi!

We're currently facing the same issue you descripted.
Since the start of December, our appliance has "lost" the connection to several devices.

Yesterday we had the first case of a "Break MDM" device right at the end of the enrollment process.
The other devices have been in use a while ago. Now, over the last few weeks WS1 marked them as "Unenrolled", but none of them has executed an enterprise wipe.
Other than that you can't install apps from the hub anymore they seem to work like normal. WS1 even displays some basic information like "last seen" or the current battery level.

All our devices are from Samsung, running on Android 12 with work profile enabled.

Have you been able to find a solution to this problem?

TimHardy · ‎01-06-2023

Hi, I have had this issue with a few environments and it was due to Safetynet giving a false compromised. To identify and address this we took two actions

1, we temporarily disabled compromised Protection which stops devices getting auto wiped when marked as compromised, we then setup a compliance rule to highlight the compromised devices. This stopped devices being wiped and allowed us to identify the compromised devices to capture logs from and then worked with VMware to prove it was safteynet marking the device as compromised

To do this

Disabled Compromised Protection

Settings > Apps > Settings and Policies > Compromised Protection > change to disabled save

Create compliance policy

Devices > Compliance Policy > List view > Add

Rules > Compromised status = Is compromised

Action > Send email to Admin

Assignment > Top OG

Save

2, After collecting logs we identified that although we had disabled Safteynet in the System settings all existing devices still had Safetynet enabled on the device side (NOTE new enrolments were fine SafetyNet was disabled as per the system setting was only existing device that did not take the settings). We investigated this with VMware for some time and ended up having to deploy the following custom XML profile to the devices.

<characteristic type="CustomSettingsV2" uuid="e459fdf2-22dd-4b5b-8502-0aafe72167ec">

<parm name="packageid" value="com.airwatch.androidagent" />

<parm name="CustomSettings" value="{
 "CustomSettings": "{\"SafetyNetEnabled\": false}"
}" />

</characteristic>

Once deployed we confirmed from the device logs that all existing devices had correctly disabled SafetyNet and the issue was resolved

Hope this helps

TimHardy · ‎01-06-2023

Sorry after reading your description again i see you state your devices are not compromised so probably not the same thing, will teach me for not reading the full description 🙂

AlexanderMuc · ‎01-12-2023

We have not yet been able to track down the cause, but have several indications.

Since 07.12.2022, our devices have been receiving updates for Hub 22.11.0.8. From 14.12.2022, Hub updates have increased exponentially, as well as break MDM actions from end devices.
On 20.12.2022, we delayed hub updates for 90 days and were able to stabilise the situation for the time being.
We were able to export hub logs for some devices and checked the logs on the web server. The Break MDM was always carried out at a very short interval (seconds to minutes) after the hub update to 22.11.0.8. The error rate during the update is about 4%.

The error has so far only occurred on COPE devices, which have presumably all were running Android 13.
In addition, the error seems to occur more on COPE devices where the DPC (Hub) was not removed from the personal space after enrolment.
Not removing the Hub app from the personal space has so far been a workaround for another issue for which a ticket was opened a year ago. This ticket has still not been resolved. When the DPC in the personal space was removed under Android 12, the DPC in the Work Profile lost all network connectivity. after a reboot The error disappeared at the latest after one software update and was probably fixed by Google with the GooglePlaSystemUpdates around June/July.

It is reported to us that the hub in the personal area could be activated by the OS and then triggers a Break MDM. This does not delete the work profile. We find this theory not at all implausible, as there are no indications of a Break MDM in the Hub logs.
To find out the exact cause, we would need bug reports, which are almost impossible to obtain in this incident.

It wouldn't be the first time the Hub has had a break MDM because of bugs: https://www.reddit.com/r/WorkspaceOne/comments/tnhlrr/comment/i24w7k4/?utm_source=share&utm_medium=w...

Our ticket has now been open for 24 days. So far, they have only asked for a Zoom call, but have not responded to the suggested dates offered. Either VMware doesn't take the issue seriously, or they immediately have a headache when they read about a Break MDM...

@TimHardy: Thanks for CustomSettings for disabling SafetyNet. Even if I exclude the Compromised Protection, the payload might be useful in the future. 🙂

AlexanderMuc · ‎02-17-2023

We have been informed by support that the original issue has been known for some time and VMware has an open ticket with Samsung.

In case of an (Enhanced) Work Profile, if the Hub app is not removed from the personal space, this error can occur. The OS randomly activates the Hub in the personal space. It then checks in with WorkspaceONE and triggers a BreakMDM.
VMware has made adjustments in Hub 22.04 to keep the Hub app disabled in the personal space even if the OS activates it. We cannot confirm that this change still works since 22.11.

As VMware is aware of this issue, we have asked support for a KB article. However, I currently assume that they will not publish an article. Therefore, here is information in case someone is affected and is looking for causes.

jpjp1 · ‎02-23-2023

we have removed safetynetattestion and have had no issues since, google is replacing this in 2023/2024 so that seemed liek the only solution we had as it was happening numerous times to the same devices.