MDM Profile Visibility

gskibum
Contributor III

Hello, I'm working with attorneys concerning a user's iPhone that is being subpoenaed.

I am finding a problem in that I cannot make a backup with iTunes that I can interact with. No matter what I do, there is a password set and the user doesn't know this password.

I also can't turn off the requirement for encryption in iTunes, without having that unknown password.

I don't see any profiles that have been installed, which leads me to my question: Can profiles be installed and not be visible in Settings/General/Profiles & Device Management?


jason_bracy
Contributor III

When an iOS device is enrolled in MDM it requires that iTunes backups be encrypted. There is no way around this.

mm2270
Legendary Contributor III

Indeed, password protected encrypted iTunes backups become a requirement when enrolled in an MDM. Not sure you are going to be able to get access to the backup. He/she must have set this password the first time the iTunes backup occurred. Pretty sure it prompts to create a password the first time it happens, but it won't prompt for that password on subsequent backups. So I'm not surprised they don't remember it. I almost forget my own password sometimes and have had scary moments when trying to restore my phone from an iTunes backup when I thought I wouldn't be able to do it due to the password being required for that too.

jason_bracy
Contributor III

You can look in their Keychain for the password. It will be under an entry labeled "iPhone Backup".

gskibum
Contributor III

@mm2270 To be sure that I understand you correctly, a profile I am unable to see in Settings/General/Profiles & Device Management could be set on the device? The device isn't enrolled in any MDMs that I am aware of (that was sloppy verbiage on my part). Another IT person that has done vindictive things to this organization had copious amounts of time with this iPhone and other iOS devices. I'm wondering if he or someone else may have set this encryption requirement with some kind of profile I cannot see.

The phone does have an Exchange account set on it. But the mail server is so screwed up Mac OS devices and iOS devices cannot connect to it anymore.

@jason.bracy The user screwed up her Keychain and all items are lost.

It looks like this user is SOL and will have to give up her phone to the attorneys. This issue has really become one of me wanting to be clear about what I am seeing, just for the sake of knowledge.

A profile requiring backup encryption can be put onto a device and not be visible in Settings/General/Profiles & Device Management? And the backup password is stored not only in the Keychain, but is also stored on the device itself. The second part makes sense to me (after all that's the way encryption works), but not being able to see a profile like this is news to me.

jason_bracy
Contributor III

Well, if you have the device you can delete the old backup in iTunes and create a new backup prior to giving the device to the attorney.

To answer the initial question, to the best of my knowledge there is no way to have a hidden profile on the device. If the device has an Exchange account, then it is probably the Exchange server that is enforcing encrypted backup. I don't know if this is done by default or if it is an ActiveSync setting, but I'm pretty sure that it is on by default in the ActiveSync configuration.