Detecting Jailbroken iPads

Not applicable

Hi everyone,

Day 2 of our 400-strong iPad roll out.. all going "OK" BUT my seventh graders are already jailbreaking iPads..

Anyone have a thought on how to create a Smart Group, or any other policies I can implement/create, to detect and/or block this activity?

Thanks,

Christopher K. Sokolov
San Domenico School

17 REPLIES

dhowell
Contributor

You could create a group that has the cydia.app, it's almost always on jailbroken devices.

D. Trey Howell ACMT, ACHDS, CCA
trey.howell at austinisd.org
Desktop Engineering
twitter @aisdmacgeek

plawrence
Contributor II

Hi List

Can Casper MDM be configured to detect jailbroken iPads? I saw a comment previously to search for the Cydia app, but that doesn't appear to work, Cydia doesn't appear in the App Inventory list. I have an iPad here that I am happy to test things on if anyone has ideas.

Thanks.

Patrick Lawrence

Not applicable

I'm only thinking out loud here – but seeing as though all jailbroken iOS devices get a default account of root with password alpine (one that people RARELY change)…couldn't you write a script that basically sniffed around for this backdoor and/or change a few things to lock them out of their iOS device? The theory being that when it returns to HQ for "servicing" you can throw it back in jail and reprimand the client?

Thinking out loud…

Rhys.

plawrence
Contributor II

Interesting idea. Is SSH (port 22) enabled by default when you jailbreak? If so, we can just do a port scan on the wireless network to see which devices have port 22 open and then track down the offenders. Don't even need to login.

Patrick

jwojda
Valued Contributor II

Could you also look for the Cydia app?

We are going through this too, from what I've heard JB detection is
flakey. A few file changes via ssh and suddenly the device shows as
being un-jailbroken (normal) when in fact it is JB.

John Wojda

Lead System Engineer, DEI & Mobility

3333 Beverly Rd. B2-338B

Hoffman Estates, IL 60179

Phone: (847)286-7855

Page: (224)532.3447

Team Lead DEI: Matt Beiriger

Team Lead Mobility: Chris Sta Ana

Mac Tip/Tricks/Self Service & Support
<http://bit.ly/gMa7TB>

"Any time you choose to be inflexible in your approach to an
unpredictable project you are already building failure into your plan"

plawrence
Contributor II

John

How I understand it some other MDM providers require you to have their app installed on your device, this app will regularly do "something" to the iPad that it wouldn't normally be able to do (like edit/read a certain file). If this test fails, then the iPad isn't jailbroken, if it succeeds in doing its "something" then the iPad must be jailbroken.

We'll probably just make our kids update their iPads to 4.3.5 (or iOS 5 when it comes out). As far as I am aware you can't go backwards or jailbreak a 4.3.5 device anyway (I could be wrong here).

I am going to look into the port scanning option though.

Patrick.

jarednichols
Honored Contributor

Every iOS 5 beta has been jailbroken thus far, so don't hold out hope on that route :)

Though, Apple *did* just hire the kid so maybe the rate of jailbreaking will slow down a hair.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

jwojda
Valued Contributor II

The iPad 2, short of that PDF exploit @ 4.3.3 and 4.3.4 (patched in
4.3.5), has not been JB... my guess is new equipment will use a similar
process.

John Wojda


tlarkin
Honored Contributor

You can look for Jail Broken package managers like Cydia. If Cydia is
present on your iOS device, it has been jail broken! *Cue Thin Lizzy
music*

-Tom

Dan
New Contributor

With regards to the port scanning option, I don't believe ssh (port 22) is enabled by default upon jailbreaking, at least it didn't used to. It requires the OpenSSH package to be installed by the user after the device is jailbroken, but as I said, this was the case when I used to jailbreak iOS 1-3, not sure about the newer methods.

Regards,

Daniel Sung
Junior Systems Administrator
Framestore
9 Noel Street, London W1F 8GH
www.framestore.com

wtmanley
New Contributor

I've tested the new jailbreak here on 5.0 and 5.0.1 on A5 devices. We've found that the jailbreak for iOS 5 isn't possible until the MDM profile is removed. I'm just going to keep an eye on whose devices are showing unmanaged or not phoning home.

Side note: Cydia.app doesn't show up on devices' app inventory in Casper, along with apps installed directly from Cydia. Also, SSH isn't opened by default when Cydia is installed, so the port scanning method seems to be useless.

Any ideas or recommendations would be helpful!
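Added example, not part of the original post and not Casper's own code: one way to act on the "unmanaged or not phoning home" signal described above is to run a periodic inventory export through a small script. The CSV column names, device names, and three-day threshold are assumptions made for this sketch, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names are hypothetical, not a Casper format.
SAMPLE_EXPORT = """name,managed,last_checkin
iPad-0101,yes,2011-12-05T08:10:00+00:00
iPad-0102,no,2011-12-04T15:30:00+00:00
iPad-0103,yes,2011-11-28T09:00:00+00:00
iPad-0104,yes,
"""

def devices_to_follow_up(export_text, now, max_age=timedelta(days=3)):
    """Return [(name, reason)] for devices that are unmanaged or silent."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["name"].strip()
        # A removed MDM profile shows up as an unmanaged device.
        if row["managed"].strip().lower() != "yes":
            flagged.append((name, "MDM profile not present (unmanaged)"))
            continue
        stamp = row["last_checkin"].strip()
        if not stamp:
            flagged.append((name, "never checked in"))
            continue
        # Timestamps are assumed to be ISO 8601 with a UTC offset.
        age = now - datetime.fromisoformat(stamp)
        if age > max_age:
            flagged.append((name, f"no check-in for {age.days} days"))
    return flagged

if __name__ == "__main__":
    now = datetime(2011, 12, 5, 12, 0, tzinfo=timezone.utc)
    for name, reason in devices_to_follow_up(SAMPLE_EXPORT, now):
        print(f"{name}: {reason}")
```

A flagged device is a prompt to look at the hardware in person; a device can also go quiet because it is powered off or off the network.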

tlarkin
Honored Contributor

Hmm, why doesn't Cydia show up in the Casper inventory report?

jwojda
Valued Contributor II

When we were going through this last year, our MDM provider said that because Cydia doesn't show up on the device's application list, they couldn't detect if it was running. Seems fishy to me, maybe I will ask them to revisit that question.

jarednichols
Honored Contributor

Odd that Cydia doesn't show up, so I did some digging. I jailbroke my iPhone 4S a few days ago to poke around. So, stock apps, or 3rd party apps installed by AppStore appear like this (note this is in /Applications):

drwxrwxr-x 37 root admin 1632 Nov 4 08:49 Camera.app/

Cydia (and things installed by it such as Winterboard - a theming app), on the other hand, looks like this:

drwxr-xr-x 16 root wheel 2108 Mar 26 2011 Cydia.app/

I noticed a listing for Nike.app/ and that's obviously a built-in app but doesn't show on my phone (I presume) because I do not have the Nike pedometer hardware. So, I wonder if something inside the app causes it to not show on an inventory? Does Nike.app show up on anyone's Casper iOS inventories? (We don't do MDM so I can't test.)
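Added example, not part of the original post: for a device in hand, the ownership difference shown in the two listing lines above can be checked mechanically against a captured `ls -l` of /Applications. The baseline (group `admin`, mode `drwxrwxr-x`) is taken from the Camera.app line only, and the Winterboard.app line in the sample is constructed.

```python
import re

# Baseline from the Camera.app line quoted in the post above.
STOCK_GROUP, STOCK_MODE = "admin", "drwxrwxr-x"

# Listing lines from the post, plus one constructed Winterboard.app line.
SAMPLE_LISTING = """\
total 0
drwxrwxr-x 37 root admin 1632 Nov 4 08:49 Camera.app/
drwxr-xr-x 16 root wheel 2108 Mar 26 2011 Cydia.app/
drwxr-xr-x 9 root wheel 612 Nov 2 21:10 Winterboard.app/
"""

# mode, links, owner, group, size, three date tokens, name (optional "/")
LS_LINE = re.compile(
    r"^(?P<mode>[dl-][rwxsStT-]{9})[@+.]?\s+\d+\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+?)/?$"
)

def parse_listing(text):
    """Return a dict per parseable `ls -l` line; 'total N' and junk are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LS_LINE.match(line.strip()))]

def unusual_bundles(text):
    """Return [(name, [reasons])] for .app bundles that differ from the baseline."""
    findings = []
    for entry in parse_listing(text):
        if not entry["name"].endswith(".app"):
            continue
        reasons = []
        if entry["group"] != STOCK_GROUP:
            reasons.append(f"group {entry['group']} (expected {STOCK_GROUP})")
        if entry["mode"] != STOCK_MODE:
            reasons.append(f"mode {entry['mode']} (expected {STOCK_MODE})")
        if reasons:
            findings.append((entry["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in unusual_bundles(SAMPLE_LISTING):
        print(f"{name}: " + "; ".join(reasons))
```

A mismatch is a lead for manual review only, since the baseline comes from a single listing on one iPhone 4S.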

tlarkin
Honored Contributor

That makes sense because Cydia 'roots' your device. So, it looks like all cydia stuff is not only owned by root, but only accessible by root since it is in the 'wheel' group.

I am not in a position to dig through our MDM stuff since I am transitioning here at work and have other stuff that needs to get accomplished. Also, our iOS devices are currently being rounded up and updated to iOS 5, since we deployed them on iOS 4, so I am not sure what is all out there. I can shoot my iOS person an email though and find out.

cgordy
Contributor

I'm looking at a jail broke device right now, and here's what I would do...
Create a smart group.
Edit criteria.
Configuration Profiles....edit, for Profile Name..."has" selection and for the criteria, enter the word jailbrake.

My jail broken device has this profile and the jss can see it and search by it.
This method is how I detect who is not running the current mdm profile in my district.

cgordy
Contributor

Edit - spell that jailbreak not jailbrake