Jamf Nation Community

reneejames · ‎06-23-2017

I manage my iPads through Casper, the students have NO APP store and get their apps through self-sevice. I am wiping iPads this summer and I see a few students that of course have out-smarted the tech and apps on their iPads that we NOT distributed through self service and I would never allow these apps. How did they circumvent the system? How do I stop them from doing this again?
the self service app is still on the iPad and I see the profiles on the iPad, so they did not delete the profile.....so curious how this happened?
thanks

conor · ‎06-23-2017

Edited out this due to comment below making a good point

blackholemac · ‎06-23-2017

I am hesitant to post here on this forum on this specific issue. Give me some means of directly getting a hold of you and vetting that you're not a student and I will be able to explain at least two work arounds that I have found and shut down hard. They are very obscure but we caught a large ring of our students using them. There are many ways to do it but most of them involve a couple of simple things you can do to shut them down. Also if you understand why I am hesitant to respond publicly to this post, feel free to vote up my request for private mailboxes on jamf nation for direct discussions of this very nature. I know jamf-nation is about openness, but it's also very easily Google searched by students that want to get around restrictions.

bentoms · ‎06-23-2017

We've seen folks sideloading.. under restrictions block:

Allow trusting new enterprise app authors
Allow installing apps using Apple Configurator and iTunes (iOS 9 and later) /Allow installing apps using App Store (iOS 5–iOS 8 only)
Allow installing configuration profiles (supervised only)

Some of these are newish restrictions, so might not be enforced.

Also, once the side loading app is found.. Don't Allow it under restrictions.

You can then create a Smart Group looking for the side loading app.. to speak to the students

blackholemac · ‎06-23-2017

@bentoms has given good advice and uses a similar strategy with the smart group that I do, and most of my exploits that I've discovered in the district can be closed using these additional restrictions. I will not disclose the exact source of some of these side loading methods as there is one other one not listed here that we have gotten bitten by in the past. It is a total cat and mouse game, but in short, tightening certain target restrictions can shut down most of the methods used.

To keep the post more positive, I can share an K-12-type thing we do to relieve some pressure on the students that want to get around stuff. We have a very early discussion about games with them at start of school and get them to vote on a principal-approved list of fun-type games and we select the top 3 and allow the students to put them on the device through Self Service. Then if anyone gets in trouble for classroom infractions or device misuse issues, these incentive games are yanked mercilessly and devices are further restricted depending on the infraction. I also have handed this normally IT-level discipline over to the actual building principals in our district. I give them very narrowly prescribed rights in Casper to execute these type of punishments. Our middle school principal loves it and feels empowered that way. We are giving that to all building administrators starting next fall that sit through the training on the subject.

jared_f · ‎06-23-2017

I use the whitelist apps payload to restrict what apps can be launched (basically the apps we make avalible. If a user figure out how to install a restricted app it just disappears after it finishes downloading.

reneejames · ‎06-23-2017

Blackholemac----- you can directly reach me at Ginny.Gustad@k12.sd.us.....Network Administrator at the Beresford School District in Beresford SD........you can directly email me at this address..........thanks

Jamf Nation Community

un allowed apps installed on student iPads, even though managed