Re: iOS 13 Devices Marked as Compromised

mibir · ‎06-06-2019

Hey All,

Curious if anyone has any folks already upgrading to iOS 13 and if they are seeing any issues with devices being marked as compromised. We have 9 developers that have upgraded for testing and 3 of the 9 have been marked as compromised after upgrading but 6 of them seem to be fine. I'm guessing something is going a little weird during the update process that confuses Intelligent Hub but was curious if anyone else is seeing odd behavior.

RicardoPachecoR · ‎06-06-2019

In the past, new iOS versions will be flagged as Compromised when the Intelligent Hub (AirWatch) agent is not updated accordingly. Are all of your developers running iOS 13 with the same Hub version? With iOS 9 release, AirWatch called all customer directly to make sure that the 'Enterprise Wipe' upon compromise setting for this very same reason.

Currently, the setting is located in Groups & Settings -> Apps -> Settings and Policies -> Security Policies ->Compromised Protection. My site is set to Disabled.
I do not recommend enabling it unless you understand the impact in your environment.

BRIANJENKINSBRI · ‎06-06-2019

We too have this setting disabled due to the false positives in the past with new iOS versions, and handle compromise detection with a compliance policy.

ahakimb · ‎06-13-2019

Thanks,
Any official information regarding the update of the client ?

LukeDC · ‎06-13-2019

Don't expect any updates really. It's not a priority at the moment. It could get fixed by the iOS beta releases as well, who knows.

sturmanc · ‎06-14-2019

Getting Ready for Apple Fall 2019 Releases
https://support.workspaceone.com/articles/360024561354

Dynamic Compromised Detection is a new feature which allows SDK applications to securely update the compromised detection algorithm over-the-air. This will allow for a faster turnaround when false positive issues are found. Customers and developers with apps using these new SDK versions which support dynamic compromised detection will no longer have to update and/or re-release their apps. It is recommended to ensure your users are on the minimum supported version especially for Dynamic Compromised Detection.
Note: The Workspace ONE team has already found an issue in iOS 13 beta 1 giving false positives for compromised detection. We hope to have this resolved as soon as possible.

RichB2u2 · ‎06-14-2019

Sorry but they lost my trust in compromised protection a long time ago and we won't be enabling it anytime soon. When their iOS AirWatch Agent app caused the false positive compromised detection and erased student iPads we have not turned it on since. We only had false positives and it never found a really compromised device.

mibir · ‎06-14-2019

So how does everyone handle their compliance policy then? Manually review everything that is marked as compromised? Surely you can't just ignore a device marked as compromised - in the event it is jailbroken, rooted, etc it would need to be dealt with.

RicardoPachecoR · ‎06-14-2019

Shared SaaS: 19.5.0.2 (1905)

I suggest you disable the setting and setup a compliance policy that detects jailbroken devices. Setup a 1st notification by email, 2nd warning by email and inform of enterprise wipe action and a 3rd with the actual enterprise wipe action. As for the time span in between them, it would be best for you to work with your Data Security, Risk & Compliance and IT Leadership. There is action that needs to be taken for jailbroken devices.

mibir · ‎06-14-2019

Yeah, makes sense. That also allows for exclusion then which means we can have an assignment group that adds iOS 13 devices as they check in and get excluded from the compliance policy.

antherITguy · ‎07-25-2019

Does anyone know if there's currently a version of Workspace One that is compatible with iOS 13? I'm seeing the same issue where when an enrolled iOS 13 is upgraded, it's immediately flagged as compromised.

Which setting disables this behavior?

RichB2u2 · ‎07-25-2019

As shown above:
' Groups & Settings -> Apps -> Settings and Policies -> Security Policies ->Compromised Protection. My site is set to Disabled.'
Until the Intelligent Hub gets updated it will continue to flag iOS 13 as compromised which is a false positive.

sturmanc · ‎07-25-2019

We stopped seeing iOS/iPadOS 13 being detected as compromised with HUB version 19.06 for iOS.

ThomasBeckerTho · ‎08-23-2019

Since iOS 13 Beta 5 we also get a false compromised report but only when opening Boxer. Therefore Boxer wipes its data but any other enterprise apps are untouched.
It also only happens on Boxer with VPN using VMware Tunnel. We also have an alternative setup where Boxer only uses a certificate for authentification and no VPN and the problem does not occur with that setup.
Compromised detection is disabled as writen by @Rich B. We are on-prem v1810.
Anyone experienced the same thing or has a solution?

SumitVedi · ‎08-29-2019

Can any boby please guide that is it possible to migrate the iOS device enrolled using container to Hub in 18.10 UEM version? what is the impact?

ThomasBeckerTho · ‎09-04-2019

The latest release for Boxer (5.10) and Hub (19.08) seem to have fixed my problem.

EmilGhoting · ‎09-18-2019

We are seeing the same when the MAG/VPN Tunnel is opened via an internally developed app. Compromised Protection is enabled currently on the console and Hub Version is 19.08.0. Is the solution to temporarily turn off Compromised Protection? Does turning this off in a production environment affect anything else?

Stansfield · ‎09-18-2019

Do you use app wrapping or sdk with compromised detection on your internal app by an chance?

EmilGhoting · ‎09-18-2019

Yes, we are using App wrapping (w/VM Tunnel) + Compromised Protection under Settings> Apps> Settings and Policies> Security Policies.

Stansfield · ‎09-18-2019

Are you using the latest version to wrap the app? it has to be updated along with the Hub

iOS 13 Devices Marked as Compromised

Device Management