Posted on 12-18-2018 08:54 AM
Since this topic has not been discussed here in recent years I would like to know if Jailbreak detection is reliable or not now. I am using a smart group to check for the is jailbreak trigger and I have had two detections during my rollout of JAMFpro. One device continues to trigger even days after I have performed a full wipe and restore while connected to a mac.
Does anyone else have trouble with this detection method not working or is this a rock-solid result when it triggers? I am at a school and we would need to know if this is reliable before going after students for the result.
Posted on 12-18-2018 09:43 AM
I had enabled Jailbreak detection at my last job. In five years I never had a student Jailbreak an iPad; however, they found many other ways to hack their devices: VPNs, Config. Profiles, policies installed from sketchy sites, Apps installed from Asian web sites, etc. I set up smart groups to look for violations. There are so many ways to "hack" the management that are much easier than a full-on Jailbreak.
Posted on 12-18-2018 10:06 AM
I concur that there are multiple ways to get around things. When my JAMF server was set up the tech had me set up the jailbreak detection. I was just wondering if it was accurate. If it is then I have a student who has performed it twice.
Posted on 12-18-2018 12:44 PM
I read a few weeks ago that there were some issues with the built-in detection function in Jamf Pro. I believe using the smart group criteria: any device containing the app name "Cydia" worked as a work-around to this problem. Here are a few restrictions I push to all enrolled iOS devices that cut down on users, specifically students, from getting around things:
Disallow Proximity Password Request
Safari Fraud Warning
Limited ad tracking
Don't Allow VPN Creation
Disallow trusting enterprise apps
Disallow diagnostic submission
Enforce Automatic Date & Time
Disallow Pop-ups in Safari
Disallow Installing Configuration Profiles (this won't impact Jamf Pro's ability to install configuration profiles)
I have the following smart groups notify me on membership change:
Applications contain:
TweakBox
Aloha
Anonymous
betternet
private
proxy
tor browser
tunnel
unblocker
vpn
Apple's VPN restriction doesn't stop apps from configuring VPNs and profiles from installing - just users from manually configuring them under settings.
I also have one that checks for profiles containing:
anonymous
private
proxy
tunnel
unblocker
vpn
Devices really never hit this as I disable allowing trusting enterprise app authors and installing configuration profiles.
Posted on 12-18-2018 02:23 PM
@DrStr4ng3 The best defense against jailbreaking and sketchy web-borne configuration profiles is keeping Apple software updated. And @jared_f's technique would help too! Self Service needs to be installed for the jailbreak detection to work by the way.
Posted on 12-18-2018 03:56 PM
I've had a user install a CotoMovies profile in the last month, despite us having un-trusted developers disabled. It's always a cat and mouse game.
Jailbreaking is sort of ... a decade ago. Strange profiles are what you want to look for.
edit: Why Are My Capital Letters in Bold?
Posted on 12-18-2018 04:27 PM
Not sure if this would work, but you could do a smart group based on profiles NOT containing MDM Profile
Posted on 12-19-2018 11:07 AM
> Not sure if this would work, but you could do a smart group based on profiles NOT containing MDM Profile
Is "Disallow Installing Configuration Profiles" not reliable? I did that to prevent students from installing iOS betas and never heard about anyone doing that again. There was never a hardline prohibition telling students not to do that, but it caused unnecessary complications and there was no sound reason to do it on an iPad dedicated to academic work.
Posted on 12-19-2018 11:12 AM
When you find the odd profiles installed, do a bit of research. Most times they were installed by visiting a web site. Turn that info over to the firewall team to set a block.
Posted on 12-19-2018 11:31 AM
The issue I am running into (and this is in support at the moment, they are elevating to higher to see what's up) is that the jailbreak detection checks the device reporting if it is in jailbreak or not. If the device reports yes, or doesn't report its status, this triggers the jailbreak detection.
I did a small rollout of JAMF from our old MDM and 15 out of 27 devices triggered the jailbreak. Several of them are devices I had my hands on and performed a software restore.
@jared_f Thank you for the detail in your post. I will be going through my profiles to adjust.
@prl My self service is installed so not an issue there. One thing to note is that devices do not get added to the jailbreak smart group until they attempt to install something in self service. Then it triggers the jailbreak or they just don't report their status.
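An added example, not code from any poster or from Jamf: it applies the app and profile keyword criteria listed earlier in the thread to an inventory export, and keeps a device that did not report its jailbreak status separate from one that reported yes, which is the distinction the post above describes. The record fields (`name`, `jailbroken`, `apps`, `profiles`) and the sample devices are hypothetical and constructed for illustration.

```python
# Keyword criteria copied from the smart groups described in the thread.
APP_KEYWORDS = ["cydia", "tweakbox", "aloha", "anonymous", "betternet", "private",
                "proxy", "tor browser", "tunnel", "unblocker", "vpn"]
PROFILE_KEYWORDS = ["anonymous", "private", "proxy", "tunnel", "unblocker", "vpn"]

def keyword_hits(names, keywords):
    """Case-insensitive 'contains' match; returns {name: [matched keywords]}."""
    hits = {}
    for name in names:
        matched = [k for k in keywords if k in name.lower()]
        if matched:
            hits[name] = matched
    return hits

def triage(device):
    """Classify one record from a hypothetical inventory export (assumed fields)."""
    status = device.get("jailbroken")  # True, False, or None when nothing was reported
    return {
        "name": device["name"],
        # Keep "not reported" apart from "yes" so a silent device is not treated as jailbroken.
        "jailbreak": {True: "yes", False: "no"}.get(status, "unknown"),
        "apps": keyword_hits(device.get("apps", []), APP_KEYWORDS),
        "profiles": keyword_hits(device.get("profiles", []), PROFILE_KEYWORDS),
    }

def summarize(devices):
    """Split devices into those with evidence and those that only need a re-check."""
    flagged, recheck = [], []
    for result in map(triage, devices):
        if result["jailbreak"] == "yes" or result["apps"] or result["profiles"]:
            flagged.append(result["name"])
        elif result["jailbreak"] == "unknown":
            recheck.append(result["name"])
    return flagged, recheck

# Constructed sample inventory (not real data).
SAMPLE = [
    {"name": "iPad-01", "jailbroken": False, "apps": ["Pages", "Betternet VPN"],
     "profiles": ["MDM Profile"]},
    {"name": "iPad-02", "jailbroken": None, "apps": ["Keynote"], "profiles": ["MDM Profile"]},
    {"name": "iPad-03", "jailbroken": True, "apps": ["Cydia"],
     "profiles": ["MDM Profile", "Free Proxy Tunnel"]},
    {"name": "iPad-04", "jailbroken": False, "apps": ["Numbers"], "profiles": ["MDM Profile"]},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the match is a plain substring test, broad keywords such as "private" will also hit unrelated app names, so each hit is a prompt to look at the device rather than a finding.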
Posted on 12-19-2018 12:01 PM
Being new to JAMF, where do I go to set up the profile detection and blocking of installation?
Posted on 12-19-2018 12:04 PM
I found the disallow installing profiles. Thanks
Posted on 12-22-2018 11:27 AM
@DrStr4ng3 The others are smart groups based on the contains app name and contains profile criteria.
Posted on 01-24-2019 08:39 AM
I know this thread is old by now so this is a follow up for others who might have an issue. The JAMF jailbreak detection gets triggered when a device enrolls and opens the self service app. Every time Self-service is opened jailbreak triggers. Once the requested app is installed and self service is closed jailbreak notification goes away.
So the detection is not reliable (as of yet) in the system.
Posted on 01-25-2019 08:25 AM
It was reliable when jailbreak was rampant and easy. Now you can simply update iOS every time a jailbreak is released for an iOS version and the concern is gone. It’s a broken and unnecessary feature for new versions of iOS.