VMware Workspace ONE Community
samuelcarlid
Contributor

Break MDM Confirmed

I have an iPad that is properly fetched from Apple into AirWatch.

When I wipe the device it says it's about to be managed by my organisation. However, no agent or catalog app is installed.

When I go into iOS settings it still says that it is managed but I have no profiles installed. Consulting the Device Event Log in AirWatch shows me that everything has been requested but there's a warning message 'Break MDM Confirmed'. What is this?

BethC
Hot Shot

'Break MDM Confirmed' means that the device has been effectively unenrolled. If you are getting that under troubleshooting, I would highly recommend that you unenroll from the device, delete the device record from the console and start over. Something went terribly wrong during the enrollment or compliance check and that's why you are getting that message and profiles are not installed.

samuelcarlid
Contributor

I've deleted the device repeatedly but the error returns every time.
I get MDM Enrollment Started, MDM Enrollment Complete and then after some requests to install profiles: Break MDM Confirmed

Enrollment status is Discovered.


I have no compliance policies defined.

PeterThomasPete
Contributor

If you are using DEP to register with the console, I would recommend that you not only delete the active device record from AirWatch but also unassign the serial number from the Apple side in Apple Business Manager and then sync the device in AirWatch to ensure all traces of that device are removed. Are you fully restoring the device or just doing a wipe all content in settings?

LukeDC
Expert

Any apps being installed? You're not passing some compliance section. Check under 'All Settings > Apps > Settings and Policies' for Compromise Detection. If that is enabled and the device is being detected as compromised it will immediately break the MDM connection.

samuelcarlid
Contributor

Thank you for all suggestions.


I disabled Compromise Detection. Deleted device from Airwatch. Unassigned it in Apple School Manager. Synced Airwatch and did a thorough search to make sure it was gone from AW.


I then reassigned it in ASM and synced it to AW. It appeared with status Registered.


Erased all content and settings. Device entered the normal enrollment process. For a few seconds the status changed to Enrolled but swiftly changed to Unenrolled. Same as before.


No Apps or Profiles are installed. Event Log shows several requests to install Apps and Profiles and nothing happens on the device since MDM breaks.

LukeDC
Expert

I'd do a DFU restore on it. Maybe something is broken on the iOS system level. DFU wipes it clean and installs a fresh base OS again.

samuelcarlid
Contributor

Sadly not even DFU helped. But thanks.

PAULO75
Contributor

We are having a lot of devices automatically unenroll themselves. When we look in the troubleshooting logs for those devices it says that the BreakMDM was issued by the Sysadmin! We have not issued this command to any devices, sent a wipe or similar. None of our compliance policies are set to automatically unenroll a device. This has been happening for a number of weeks and we are no closer to resolving this issue. The AW environment seems to be increasingly unstable and unreliable. Even passcode wipes and enterprise wipes are sometimes not taking at all. Anyone having similar issues? We have also noticed on the Apple devices that users are able to remove the MDM profile! Which is locked down!
Thanks
Paul.

CodyDirrigle
Contributor

Paul, we are having the same issue since going to 9.7. I just went and turned off the compromise protection to see if that resolves it.

JohnMarler
Enthusiast

I am seeing the same thing with an Android device. I have tried deleting the device, the user, pre-registering the device, web and app enrollment, compromise protection disabled in settings-apps-settings and policies-sdk app compliance, but I keep getting this error. We are on-prem 9.5.0.17. Has anyone found a solution to this?

TitaKong
Contributor

We are having the same issue at this moment with AW 9.6.0.8.


'We are having a lot of devices automatically unenroll themselves. When we look in the troubleshooting logs for those devices it says that the BreakMDM was issued by the Sysadmin! We have not issued this command to any devices, sent a wipe or similar. None of our compliance policies are set to automatically unenroll a device. This has been happening for a number of weeks and we are no closer to resolving this issue.'

Boe_K
Enthusiast

I have seen this happen to a couple of devices in our environment, 18.11.0.4 (1811). I didn't put much thought into it and thought the users were just unenrolling. Has anyone reached out to support, and if so, what are they saying on the issue?

LukeDC
Expert

Check your 'Compromised Detection' settings at https://yourserver/AirWatch/#/AirWatch/Settings/AppSecurityPolicies

'All settings > Apps > Settings & policies'

If it is enabled and the Hub (or any VMware AirWatch app) detects the device is compromised, it will 'Enterprise wipe' it. You won't see it in the logs most likely either. This setting causes plenty of false positives and wreaks havoc generally. I would disable it and implement compliance policies instead.

Boe_K
Enthusiast

Thanks Luke, I've seen a few people say the same thing; we currently have not run into the false positives. The only device that may be the cause on is a Samsung S8 test device I have, but I just figured it got unenrolled at random because I'm running a leaked copy of Android Pie on it so we could get our documentation updated ahead of the official launch, which is supposed to be fairly soon for a number of different Samsung devices.

ANDREWLOFGREN
Contributor

Any updates on this issue? I had an iPhone with the same issue a few days ago. I have gone through and removed the device from AirWatch and DEP. Re-added entirely and the same issue. Only one phone so far, luckily. I was able to replace it with a spare for now. After factory restoring the iPhone it's showing the same behavior. I am guessing it's something strange with this particular device but it would be good to know the exact failure so I can bring something to Apple.

JacquesPerrolle
Enthusiast

I too am now having an issue akin to this.
iPhone 6s, iOS 12.1.3, assigned to DEP, gets the management, but during the process of putting in the PIN... I get an email 'your device is enrolled' and then immediately 'your device is unenrolled' due to 'Reason: Device Details page'... which is a break MDM for unknown reasons. Doesn't matter how often I nuke the device. Doesn't matter which DEP MDM server I assign it to. Always the same issue. Heck, even trying to manually enroll it, I'm told that it's 'not whitelisted'.

bethereornot1
Contributor

Our Compromised Detection is disabled and I have an open ticket with VMware. We have removed an entry in the SQL db and it appeared to work for one device, but then it didn't work for the 2nd device or the 3rd.

bethereornot1
Contributor

We are seeing it again but just on one device at this time. We are using version 2001 HF28. Of course it had to be on a VIP's device. I am currently in the process of upgrading to the latest version of AirWatch, so let's hope it fixes the unsolved issue. Today is 7-12-2021.
