Circumventing Restricted Apps via Sideloading

h1ghereducati0n
New Contributor

tl;dr: student circumvented Jamf Pro to install App Store alternative... how?

In the high school I'm at, we have restricted the App Store for some students and, predictably, they seem to have found a way around it and are installing apps like Minecraft and so forth. Fairly harmless in general, but persistently we've noticed the presence of TutuApp. In the brief reading I've done, TutuApp is apparently an App Store alternative. I'm still trying to figure out how it was installed.

We're concerned because iOS 11 apparently breaks many of TutuApp's features, and while recent updates to TutuApp supposedly fix this, it also installs a Nesstool profile. According to the forums, nobody is really sure what this is, where it came from, or why it installs a VPN profile on their machine.

We first observed this when a student came into the office citing Wi-Fi issues. No VPN should be present, but there was a VPN toggle in his Settings. It was automatically toggling on and then off again rapidly, as if the software were fighting with itself. We then observed, in addition to our school profile in General, two additional profiles: one with TutuApp and the associated apps listed (Minecraft, etc.) and a second profile with Nesstool. The student of course claims he doesn't know where it came from. Removal of the 2nd profile did stop the VPN, and the toggle went away.

I suspect our profile was actively trying to prevent a VPN from running while something else was actively trying to enable it. My main worry is the forums have expressed concern or have evidence of this app copying payment information and other personal data and sending it… somewhere.

I am still new to Jamf as a whole, but I'm trying to learn as quickly as I can. My boss has asked me to hunt down solutions for an issue we've been having. Has anyone had experience dealing either with this exact app or with similar issues?


jreeves
New Contributor III

I may have missed it in the post, but do you have the check box for "allow installing configuration profiles" unchecked in your restrictions profile?
Most apps like this install via configuration profile and allow system-level use of the device. But with that checkbox unchecked, students do not have access to delete

Of course, if your devices are not supervised this will not be an option.

thejenbot
Contributor III

We have ^ that ^ profile installed, but I just found out one of the little monsters at our school had this on there. It installed a profile anyway. RAWR! The VPN part wasn't configured, though... this profile was in the same area as the MDM profile and was called Jilin Tripglobal Network Technology Co., Ltd.

cdenesha
Valued Contributor II

In addition to unchecking that setting, you should uncheck 'Allow trusting new enterprise app authors', which is intended to block the non-App Store apps. Search these forums for that string. In my district we find the Provisioning Profile gets installed but can't do anything. So we have a Smart Group send us email and report on those students with it in inventory, and send them to speak to Administration. The criterion is 'Provisioning Profile Name' LIKE, and leave the field blank.

chris

johntgeck
Contributor

Sorry to resurrect this thread; has anyone had any trouble with this since they restricted the "allow installing configuration profiles" or "Allow trusting new enterprise app authors" option for users? We just had this crop up today and I'm currently working on deploying it on a testbed iPad, then seeing if I can still enroll the device via DEP and still have it install all of our profiles with no errors.

sdecook
Contributor

We don't do any enterprise app pushes so we have not had experience with that. I will say that the "installing configuration profiles" option will still allow jamf to install them. What this prevents is the user from installing them. Most third party app stores are just webclips to websites. They install a configuration profile that will point to a site to install the apps.

We did find a problem before where we could not have this option checked as our onboarding process to get connected to our 802.1x network required the user to install several profiles. If we had the option set the user couldn't get on the WiFi. We reworked our onboarding so it is not an issue now.

mainelysteve
Valued Contributor II

@johntgeck We had this crop up last year but have not had any issues this year. We turned off trusting enterprise app authors and allow installing configuration profiles. I believe the checkbox means config profiles that are downloaded and installed manually are either allowed or denied. Pushed profiles either DEP or post setup will install just fine.

I did have a few cherubs set up their iPad, and it took longer than usual for the App Store restriction profile to install. They of course took that opportunity to install lotsa games and social media apps. I'm thankful 10.8/10.9 has the option to hold the user in Setup Assistant until that stuff gets installed.
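An added example, not code from the thread or from Jamf: a small audit that parses a restrictions .mobileconfig and reports whether the two checkboxes the replies recommend unchecking are still at their permissive default. It assumes the Jamf checkboxes map to Apple's `allowUIConfigurationProfileInstallation` and `allowEnterpriseAppTrust` keys in the `com.apple.applicationaccess` payload; the sample profiles are constructed inline.

```python
import plistlib

# Restriction keys inside Apple's com.apple.applicationaccess payload
# (assumed to be the keys behind the two Jamf checkboxes in this thread).
# False is the "unchecked" state; a missing key is Apple's default,
# which still allows the behaviour.
REQUIRED_FALSE = {
    "allowUIConfigurationProfileInstallation": "Allow installing configuration profiles",
    "allowEnterpriseAppTrust": "Allow trusting new enterprise app authors",
}


def audit_restrictions(mobileconfig: bytes) -> list:
    """Return one finding per setting that would still let a user
    install a profile by hand or trust an enterprise developer."""
    profile = plistlib.loads(mobileconfig)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no com.apple.applicationaccess payload present"]
    findings = []
    for payload in payloads:
        for key, label in REQUIRED_FALSE.items():
            if payload.get(key, True):  # absent key == allowed
                findings.append(f"{key}: '{label}' is still allowed")
    return findings


def _build_profile(restrictions: dict) -> bytes:
    """Constructed sample .mobileconfig with one restrictions payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.restrictions",  # placeholder id
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": "example.restrictions.access",
            "PayloadVersion": 1,
            **restrictions,
        }],
    })


# Weak: only the App Store is blocked, the two thread settings are default.
WEAK_PROFILE = _build_profile({"allowAppInstallation": False})
# Hardened: both settings unchecked, as the replies recommend.
HARDENED_PROFILE = _build_profile({
    "allowAppInstallation": False,
    "allowUIConfigurationProfileInstallation": False,
    "allowEnterpriseAppTrust": False,
})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_restrictions(blob) or ["ok"])
```

Run it against a profile exported from Jamf Pro to confirm the pushed restrictions actually carry both keys set to false; as sdecook notes, Jamf-pushed profiles still install with these unchecked.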

johntgeck
Contributor

@sdecook @mainelysteve Thanks for the replies! Yeah it looks like I'll need to look further into this since our site uses 802.1x as well and it looks like I'm having issues. I scoped the new profile to my testbed and erased it, and once I enrolled it, I can't see any available wireless networks. I'll do some more investigating, I'm sure it's a conflicting profile or something.

johntgeck
Contributor

Update: I figured out the source of the problem; it was indeed conflicting configuration profiles related to locking down the wireless. We folded them into one unified profile, and added in the settings to block configuration profile installs and new enterprise app authors, and everything's airtight again. Thanks for the help everyone!

VickieBoyle
New Contributor

I have a problem, can I ask a question?