topic Re: iOS 13 Devices Marked as Compromised in Workspace ONE Discussions

iOS 13 Devices Marked as Compromised

mibir — Thu, 06 Jun 2019 16:49:57 GMT

Hey All,

Curious if anyone has any folks already upgrading to iOS 13 and if they are seeing any issues with devices being marked as compromised. We have 9 developers that have upgraded for testing and 3 of the 9 have been marked as compromised after upgrading but 6 of them seem to be fine. I'm guessing something is going a little weird during the update process that confuses Intelligent Hub but was curious if anyone else is seeing odd behavior.

Re: iOS 13 Devices Marked as Compromised

RicardoPachecoR — Thu, 06 Jun 2019 17:13:27 GMT

In the past, new iOS versions will be flagged as Compromised when the Intelligent Hub (AirWatch) agent is not updated accordingly. Are all of your developers running iOS 13 with the same Hub version? With iOS 9 release, AirWatch called all customer directly to make sure that the 'Enterprise Wipe' upon compromise setting for this very same reason.

Currently, the setting is located in Groups & Settings -> Apps -> Settings and Policies -> Security Policies ->Compromised Protection. My site is set to Disabled.
I do not recommend enabling it unless you understand the impact in your environment.

Re: iOS 13 Devices Marked as Compromised

BRIANJENKINSBRI — Thu, 06 Jun 2019 17:35:07 GMT

We too have this setting disabled due to the false positives in the past with new iOS versions, and handle compromise detection with a compliance policy.

Re: iOS 13 Devices Marked as Compromised

ahakimb — Thu, 13 Jun 2019 12:35:01 GMT

Thanks,
Any official information regarding the update of the client ?

Re: iOS 13 Devices Marked as Compromised

LukeDC — Thu, 13 Jun 2019 13:15:25 GMT

Don't expect any updates really. It's not a priority at the moment. It could get fixed by the iOS beta releases as well, who knows.

Re: iOS 13 Devices Marked as Compromised

sturmanc — Fri, 14 Jun 2019 13:17:40 GMT

Getting Ready for Apple Fall 2019 Releases
https://support.workspaceone.com/articles/360024561354

Dynamic Compromised Detection is a new feature which allows SDK applications to securely update the compromised detection algorithm over-the-air. This will allow for a faster turnaround when false positive issues are found. Customers and developers with apps using these new SDK versions which support dynamic compromised detection will no longer have to update and/or re-release their apps. It is recommended to ensure your users are on the minimum supported version especially for Dynamic Compromised Detection.
Note: The Workspace ONE team has already found an issue in iOS 13 beta 1 giving false positives for compromised detection. We hope to have this resolved as soon as possible.

Re: iOS 13 Devices Marked as Compromised

RichB2u2 — Fri, 14 Jun 2019 15:09:23 GMT

Sorry but they lost my trust in compromised protection a long time ago and we won't be enabling it anytime soon. When their iOS AirWatch Agent app caused the false positive compromised detection and erased student iPads we have not turned it on since. We only had false positives and it never found a really compromised device.

Re: iOS 13 Devices Marked as Compromised

mibir — Fri, 14 Jun 2019 16:21:38 GMT

So how does everyone handle their compliance policy then? Manually review everything that is marked as compromised? Surely you can't just ignore a device marked as compromised - in the event it is jailbroken, rooted, etc it would need to be dealt with.

Re: iOS 13 Devices Marked as Compromised

RicardoPachecoR — Fri, 14 Jun 2019 16:35:05 GMT

Shared SaaS: 19.5.0.2 (1905)

I suggest you disable the setting and setup a compliance policy that detects jailbroken devices. Setup a 1st notification by email, 2nd warning by email and inform of enterprise wipe action and a 3rd with the actual enterprise wipe action. As for the time span in between them, it would be best for you to work with your Data Security, Risk & Compliance and IT Leadership. There is action that needs to be taken for jailbroken devices.

Re: iOS 13 Devices Marked as Compromised

mibir — Fri, 14 Jun 2019 17:21:13 GMT

Yeah, makes sense. That also allows for exclusion then which means we can have an assignment group that adds iOS 13 devices as they check in and get excluded from the compliance policy.

Re: iOS 13 Devices Marked as Compromised

antherITguy — Thu, 25 Jul 2019 15:36:10 GMT

Does anyone know if there's currently a version of Workspace One that is compatible with iOS 13? I'm seeing the same issue where when an enrolled iOS 13 is upgraded, it's immediately flagged as compromised.

Which setting disables this behavior?

Re: iOS 13 Devices Marked as Compromised

RichB2u2 — Thu, 25 Jul 2019 16:17:34 GMT

As shown above:
' Groups & Settings -> Apps -> Settings and Policies -> Security Policies ->Compromised Protection. My site is set to Disabled.'
Until the Intelligent Hub gets updated it will continue to flag iOS 13 as compromised which is a false positive.

Re: iOS 13 Devices Marked as Compromised

sturmanc — Thu, 25 Jul 2019 18:35:43 GMT

We stopped seeing iOS/iPadOS 13 being detected as compromised with HUB version 19.06 for iOS.

Re: iOS 13 Devices Marked as Compromised

ThomasBeckerTho — Fri, 23 Aug 2019 09:56:06 GMT

Since iOS 13 Beta 5 we also get a false compromised report but only when opening Boxer. Therefore Boxer wipes its data but any other enterprise apps are untouched.
It also only happens on Boxer with VPN using VMware Tunnel. We also have an alternative setup where Boxer only uses a certificate for authentification and no VPN and the problem does not occur with that setup.
Compromised detection is disabled as writen by @Rich B. We are on-prem v1810.
Anyone experienced the same thing or has a solution?

Re: iOS 13 Devices Marked as Compromised

SumitVedi — Thu, 29 Aug 2019 11:16:29 GMT

Can any boby please guide that is it possible to migrate the iOS device enrolled using container to Hub in 18.10 UEM version? what is the impact?

Re: iOS 13 Devices Marked as Compromised

ThomasBeckerTho — Thu, 05 Sep 2019 06:33:47 GMT

The latest release for Boxer (5.10) and Hub (19.08) seem to have fixed my problem.

Re: iOS 13 Devices Marked as Compromised

EmilGhoting — Wed, 18 Sep 2019 17:35:30 GMT

We are seeing the same when the MAG/VPN Tunnel is opened via an internally developed app. Compromised Protection is enabled currently on the console and Hub Version is 19.08.0. Is the solution to temporarily turn off Compromised Protection? Does turning this off in a production environment affect anything else?

Re: iOS 13 Devices Marked as Compromised

Stansfield — Wed, 18 Sep 2019 18:07:18 GMT

Do you use app wrapping or sdk with compromised detection on your internal app by an chance?

Re: iOS 13 Devices Marked as Compromised

EmilGhoting — Wed, 18 Sep 2019 18:12:31 GMT

Yes, we are using App wrapping (w/VM Tunnel) + Compromised Protection under Settings> Apps> Settings and Policies> Security Policies.

Re: iOS 13 Devices Marked as Compromised

Stansfield — Wed, 18 Sep 2019 19:00:19 GMT

Are you using the latest version to wrap the app? it has to be updated along with the Hub