Enable Lost mode!!! Don't turn iPad OFF!! and iPad code enabled. Lethal!

cpominville
Contributor

Our Jamf version 10.16.1-t1572055156
iPad in discussion, 13.2.3
Mac version 10.15.1

I had a situation Friday where I had to put an iPad in Enable Lost Mode. I have played with this before, with iOS 12, and Mac 10.14.x last year. Turn it on, turn it off, just easy peasy.

Today Monday, YOU CAN NEVER TURN ENABLED MODE OFF!! I even plugged the iPad into an ethernet adapter we have for this very thing, as in the past if a user turned off the 1-1 iPad, it would never connect to wifi until you get passed the iPad code. Can't get past the iPad code, can't connect to wifi. Can't connect to wifi, no command from Jamf is gonna hit the iPad. So we got an ethernet adapter, so we could get Jamf commands to hit the iPad through an ethernet connection. I MUST MENTION THAT THE IPAD WAS TURNED OFF when enable lost mode was on, because the beep beep sound from enabling lost mode, was driving the person crazy. Turning off the iPad when in Lost mode, BIG NONO!! After that....Turning off the iPad is what caused all this chaos. Please note, at the end of this writing, I have learned that the iPad also had a code on.

No command from Jamf would hit the iPad even when connected to the ethernet connection, NADA!! I also tried connecting the iPad with a USB cable to my Mac and turn on Content Caching so it would use my Mac's network connection, NADA!!

Called Apple and had a last ditch suggestion. Put the iPad in DFU mode, and do a UPDATE, NOT restore. In the process of the update there was a small window of opportunity where somehow it received the commands from Jamf and unlocked it!!

Some of you might say, who cares, just RESTORE it and bring it back. Well, that was not an option as the Police were involved and wanted to see the iPad data.

As I write this, I am trying it with my personal company iPad which is enrolled in Jamf. The Enable lost mode command does the same thing, IF THE IPAD IS POWERED OFF AND a CODE is on the iPad prior to sending the Enable Lost mode command, locks the iPad and then there is nothing I can do to get a network connection. Apple's last ditch suggestion is NOT working on my iPad ...had to DFU and RESTORE.

After restoring my iPad, I was able Enable Lost Mode and then Disable Lost Mode, as I had NOT turned off my iPad in this process. However, please note, the Lost Mode message is not appearing on my iPad but the sound is there. So I know its in lost mode.

As I am testing further, I thought I had a good grasp of what was happening, but apparently I don't. Turning off my iPad while in lost mode, when it comes back on the wifi connects!!?? WTF??
Oh, wait, I am not crazy, if I make sure the iPad CODE is activated, THEN send the Enable Lost Mode command, and then when it reboots it will NOT connect to wifi until I enter my iPad code and I am back with the scenario above. Phew, I thought I had lost my marbles there for a second.

So, one lesson learned, NEVER send an Enable lost mode command without clearing passcode FIRST.

Able to recreate original problem. That is a good thing. Summary ,iPad has iPad code ON, send Enable Lost mode command and then Power off iPad. No more network connections will work with iPad. This brings to mind a question. How do I know that the command to unlock iPad (remove the code on the front) will hit the iPad BEFORE I send the Enable lost mode command? perhaps send them 5 minutes apart?

I am trying as I write this part, to try Apple's DFU Update suggestion. Thats twice now, it has NOT worked for me. I got real lucky with the iPad for the police!! PHEW! Cause that trick has NOT worked with my iPad. Second time I try it.

I hope I was able to explain this with some clarity.

It boils down to this, from what I have learned today.

Code on iPad, send Enable lost mode, and then power off iPad?
VERY BAD combination!!!

8 REPLIES 8

larry_barrett
Valued Contributor

Do you have allow USB Restricted Mode enabled via restrictions profile?

cdenesha
Valued Contributor III

The order in which you send the Clear Passcode command and the Enable Lost Mode command actually does not matter - they both get through even when the iPad is not being used. Just be sure to send both at once!

Please upvote the following FR: Send Clear Passcode to Mobile Device just before Enable Lost Mode command

cpominville
Contributor

HI Larry...

I don't even know what that is USB Restricted Mode, so therefore I must say I don't have that enabled.

larry_barrett
Valued Contributor

@cpominville Approximately 6 months ago (somebody correct me if I'm wrong here) USB restricted mode was automatically added to the list of available restrictions. Double check your restrictions. Your solution is "woo".

"therefore I must say I don't have that enabled". Do you think you're the first person to have this problem? Why would I, someone you don't know, bring it up?

For anyone else reading this: You can definitely turn off an iPad in lost mode, you can silence the alarm and Apple Configurator 2 is your friend.

cpominville
Contributor

I felt a little jab there!!! ;-) Careful, might have to give you a bass guitar lesson!

I read up on it....I see it on the iPad itself.

Now to see if it's also a feature you can configure or not in profiles...

cpominville
Contributor

And it is.....but do we want that "off" in the event of a burglary of my boss's iPad? Go with Apple, leave it on...by default.

larry_barrett
Valued Contributor

:)

I asked my Apple Rep, "What is this even for?". Imagine the usb charging stations you see at an airport. Or in a restaurant. This prevents careless users from plugging into some random cord and exposing themselves to a security breach/unwanted sync.

Anyways, at our school, we use Configurator 2 when an iPad gets borked. If you have this restriction on, you end up being kinda stuck if you've got a WiFi issue (profile removed, etc). If JAMF can't talk to it, a mac running configurator 2 can (under the right scenario - specifically establish trust between the Configurator machine and the iPad ahead of time).

Here's a good Jamf discussion on ethernet dongles that work, no idea if they currently work (mine don't, I think the break point was 10.3 but don't quote me on that.) Ethernet Connection for iPads. I've had some success sharing internet connection from a macbook (lightning to usb), but YMMV.
0042d7340973420caca4bee41d1e23fe

Lost mode can be an absolute bear sometimes. Just remind yourself, the iPad could have just as easily been stolen when it was lost, a wipe is not the end of the world.

Mark_Leitch
New Contributor

In another thread, if the device is in low power mode some services will not start. I am going to charge the device first. Then restart.