VMware Workspace ONE Community
ThomHedl
Contributor

iBackupbot

Hi,
With the app iBackupbot on a Mac, students/users are able to remove MDM profiles from an iPad. This enables the students to remove all restrictions and install 3rd-party apps.
Is there a way to prevent this opportunity?

Last week we discovered by chance that a pupil had managed to perform an 'Enterprise wipe' on an iOS device.
12 Replies
WilbertKandt
Enthusiast

Hi Thomas, did you purchase / enroll the iPads through the Apple Device Enrollment Program (DEP) to provision your iPads in combination with Supervised mode?

See for more information (please ignore version nr): https://docs.vmware.com/en/VMware-AirWatch/9.2/vmware-airwatch-guides-92/GUID-AW92-SupervisedBenefit...
ThomHedl
Contributor

Hi,


Yes, all of our 6000 iPads are purchased through DEP, with a lot of restrictions in the student profile and so on in AirWatch MDM.
Theoretically this shouldn't be possible... but I've seen it today with the students who showed me what they did, and it works like a dream.

The device that the student performed an enterprise wipe on is still in DEP, but is unable to be managed by AirWatch.

The biggest issue with this is the possibility for the students to install the profile 'Tweakbox' and 3rd-party illegal apps with their potential security threats.

(Sorry for my bad English)

PeterThomasPete
Contributor

This is intriguing. Just to be sure, have you double-checked that your DEP profile(s) are set to not be allowed to be deleted? I believe this is the default with DEP. I just double-checked and my DEP profiles cannot be removed on the device, and the profile cannot be manually removed via Apple Configurator 2 on a Mac that has the trust certificate that allows pairing. My thought process here being: if you include a trust certificate in your DEP profiles for the managed Macs, when they hook up a managed iPad with the same cert it would allow the profile to be manually deleted. It does not work; I get the following error: 'The profile “Device Manager” does not have the expected certificate for removal. [MCInstallationErrorDomain – 0xFA8 (4008)]'

Have you tried making your restrictions profile not removable? It sounds like you may already have all this locked out.

How do you enroll a device to DEP? Are you forcing a username and password enrollment on the setup screens? It's possible, if you don't have it set this way, that they are just wiping the devices and then re-setting up and never following the enrollment steps. Just trying to think through options for you.
PeterThomasPete
Contributor

Thomas, could you provide any details as to what they are using in iBackupbot to delete the restrictions/enrollment profile? I installed it and poked around at a device and nothing I can find looks to link to profiles of any kind. There is a folder in the 'raw file system' that is labeled air sync, maybe that is it?
ThomHedl
Contributor

Hi,
I'm not sure of all the steps the students did, but basically this guide does the trick: https://myicloud.info/remove-mdm-profile-iphone-ipad-ipod/
I've just done this on my iPad to test. The students installed a new profile from iBackupbot, which gave them access to the App Store, which is originally blocked by AirWatch settings.

Students enroll their iPads with a username and password imported from the school administrative system. They can't bypass these steps and the iPad is forced to enroll after reset.

In the restriction settings in the AirWatch profile these settings are not enabled:
- Allow manual profile installation
- Allow configuring restrictions
- Allow account modification

LukeDC
Expert

'Don't allow pairing' is an option.
ThomHedl
Contributor

Luke, is this the option you're thinking of?
'Pairing with non-Configurator hosts'

With this option we get an unwanted effect: schools can't reset iPads with iTunes, and that's a bit challenging with about 6000 iPads 🙂
LukeDC
Expert

Did you test this on iOS 12 devices?
LukeDC
Expert

I watched the YouTube video and it is using very old iOS versions and old devices. I'd also wonder whether this would still be possible if you force encrypted backups.
ThomHedl
Contributor

Tested with an iOS 12.2 device today, so it still works.
Stansfield
Enthusiast

If you look in Settings, do you have a Remove option on the MDM profile for the devices you are able to make this work on?
RichB2u2
Hot Shot

If the DEP profile is set with the option 'Lock MDM Profile', then it won't show the Remove option on the device. If that profile is removed from the backup as described in the video and then the backup is restored, the device will not be checking in. The only indication you would have in the console is that a device has stopped checking in, to know this may have occurred! I assume all apps pushed from the console would remain installed, as there would not be a break-MDM command sent to the device to remove MDM-installed apps.
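As an added example (not from this thread and not VMware's code), a small script that surfaces the one console indicator the last reply describes: devices still marked Enrolled that have gone silent, as opposed to devices that were explicitly enterprise-wiped and show as Unenrolled. The CSV column names, the serials and the fixed "now" are constructed assumptions, not a real Workspace ONE export format.

```python
"""Flag supervised DEP iPads that silently stopped checking in.

Added example, not from the thread or from VMware. Assumes a constructed
CSV export with columns serial, last_seen (ISO 8601, UTC), enrollment_status.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; 'now' is fixed so the result is deterministic.
NOW = datetime(2019, 5, 10, 8, 0, tzinfo=timezone.utc)
SAMPLE_EXPORT = """serial,last_seen,enrollment_status
DMPX0001AAAA,2019-05-10T07:45:00Z,Enrolled
DMPX0002BBBB,2019-05-06T13:10:00Z,Enrolled
DMPX0003CCCC,2019-05-02T09:00:00Z,Unenrolled
DMPX0004DDDD,2019-05-09T22:30:00Z,Enrolled
"""


def parse_export(text):
    """Parse the constructed CSV into rows with last_seen as an aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        row["last_seen"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def silent_devices(rows, now=NOW, max_silence_hours=48):
    """Return (serial, hours_silent) for devices still Enrolled but not checking in.

    A device whose MDM profile was stripped from a backup and restored never
    sends an unenroll/break-MDM command, so the console keeps it as Enrolled
    and it simply goes quiet. An explicit enterprise wipe flips the status to
    Unenrolled; those rows are excluded here and belong in a separate report.
    """
    limit = timedelta(hours=max_silence_hours)
    flagged = []
    for row in rows:
        silent_for = now - row["last_seen"]
        if row["enrollment_status"] == "Enrolled" and silent_for > limit:
            flagged.append((row["serial"], int(silent_for.total_seconds() // 3600)))
    return flagged


if __name__ == "__main__":
    for serial, hours in silent_devices(parse_export(SAMPLE_EXPORT)):
        print(f"{serial}: no check-in for {hours} h, still marked Enrolled")
```

Feed it a real export from the console's device list and cross-check flagged serials against Apple Business/School Manager, which still lists the device under DEP even after the profile is gone.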