Prevent Profile Installation

Not sure if you can stop them installing them but the JSS will know what config profiles are in scope and create smart groups for any others. If they have an unwanted profile installed the device would be put into the smart group and subsequently locked (or some other action) so they have to get it unlocked by an adult.

Same issue here. We've had several iPads come to us with third-party Provisioning Profiles installed that allow students to, for example, bypass our app age restriction or install apps despite the app store being disabled. Parents are raising concerns that they cannot properly supervise their student's app usage and are looking to us for answers. We've love it if there was a way to prevent unapproved provisioning profiles from being installed, but currently there doesn't appear to be (there's an option to prevent the install of Configuration Profiles, but it does nothing to prevent things like vShare and Movie Box). Presently all we can do is detect when iPads have these profiles installed, but that's fighting a never ending uphill battle.

The only thing we have seen to help with this is to block said websites from which the students are downloading the profiles. It also prevents the app from communicating to their server so if they did download "vshare" again it will no longer work. Also, you may not be able to remove the profiles without something like xcode, as the profiles do not show up when checking the physical iPad. To remove the profile in xcode, plug in the device to the Mac and tap the “trust” button on the iPad. Select the iPad from the list(To display the Devices window, choose Window > Devices or press Command-Shift-2) and control-click it. It should pop up with a box that says “show provisioning profiles.” Select any of the profiles you wish to remove and press the “ – “key to delete them. I've noticed that sometimes it does not seem to remove, it stays on the screen, but if you run an update on the device it will show those profiles removed. We've done similar to this article as far as helping prevent the use of these profiles. https://jamfnation.jamfsoftware.com/discussion.html?id=13021

Klenke.daniel, could you elaborate on how to remove profiles with Xcode? I've plugged an iPad with third-party provisioning profiles in and trusted it, but I don't see a list with the iPad.

Sorry, forgot to mention you need to show devices. To display the Devices window, choose Window > Devices or press Command-Shift-2.

I was under the impression that if we uncheck the Allow installing configuration profiles (supervised only) for a configuration profile it will not allow apps to install a profile on the device. This is what I have noticed with my field test using the Free VPN - Onavo Project App.

What can we do to prevent them from setting up a VPN using the device settings?

unpicking the restriction allow Allow installing configuration profiles (supervised only) should work if the device is supervised.

doesn't mean they can't go and wipe your entire mdm enrolment not eh ipad though to circumvent it.

Hi, using Casper Suite 9.8.1 or newer on supervised devices you can now prevent users from "trusting" third party dev like vShare and provisioning profiles, which going forward will stop this behavior....
Now if I could tell which are jail broken, and also remove the already installed provisioning profiles without wiping the device...
Will be trying this with xCode in the next few days

We also discovered that once this restriction is applied prevent users from "trusting" third party dev like vShare and provisioning profiles
We can temporarily set the Date forward (1 year works well for most) , which then either automatically deletes or allows us to delete all of the now "expired" provisioning profiles. Set date back to correct and no new provisioning profiles or third party apps can be accepted
This was the easiest way we've found so far to clean this up, as Xcode did not always allow us to remove them.