What do schools that use DEP with iPads do, when a user forgets their passcode?

St0rMl0rD
Contributor III

We deploy more than 600 iOS devices and are thinking of switching to DEP for easier distribution. However, while reviewing DEP and the issues that we currently have, we have stumbled upon an issue that we cannot solve and that is crucial if we want to switch to DEP. We have also opened up a bug report with Apple and are following up with them on this as well. I was just wondering if there are any schools that use DEP and have come across this issue, and how they solved it.

So, here it is:

Sometimes, users forget their passcode lock. With JSS, we can push out a "Clear Passcode" command that removes the passcode and requires the user to enter a new passcode, as set by our policy. However, if the user restarts the device, the entire device is encrypted along with the keychain, and the device does not connect to any Wi-Fi network, therefore it cannot receive the "Clear Passcode" command. With Apple Configurator, we could connect the locked device to Configurator, remove the MDM profile, and the device would unlock. However, this will no longer be possible with DEP. We have tried the Ethernet connectivity of the iPad and that works for now, but it is not an official way of doing it, and Apple may remove the possibility at any point in the future. The iOS device has to be able to connect to a Wi-Fi network so we can unlock it.

Steps to Reproduce:
1. Supervise an iOS device with Apple Configurator
2. Enroll the iOS device into an MDM
3. Set up passcode on the iOS device
4. Let's say the user of the device forgets the iOS passcode lock
5. Restart the iOS device and remember you don't know the passcode lock anymore
6. On MDM, push out a "Clear Passcode" command to the device
7. Because the device doesn't have Wi-Fi connectivity, the command will never reach the device

Expected Results:
After restarting the iOS device, it automatically connects to known Wi-Fi networks.

Actual Results:
After restarting the iOS device, it does not connect to any Wi-Fi networks.

Thanks!

57 REPLIES

bbelew
Contributor

I ran into that issue a few days ago. Luckily the person who took the iPad and set a code let us know what it was. Kind of weird that a restart doesn't allow the wireless to work, defeats the purpose of the clear passcode command and "find my iPad".

jchurch
Contributor II

We run into this problem often. You only have three options. 1. Hope the user remembers it. 2. Guess random numbers and hope for the best. 3. DFU restore and hope they have a backup.

lionelgruenberg
New Contributor III

@St0rMl0rD We've had success with this setup but don't believe it's officially supported by Apple. Important to note this works for us because we're not using 802.1x or a captive portal for wired connections at this time.

Apple USB Ethernet adapter

iPad Camera connection kit

Lightning to 30-pin Adapter

Plug the USB Ethernet adapter into powered USB 3.0 hub. I don't think you need to use a 3.0 USB hub but that's all we had for testing.

Connect the USB hub to the iPad via the Camera Connector adapter.

I've successfully tested the Clear Passcode command with a DEP enrolled device and this USB Ethernet adapter setup. I can also confirm same setup worked to clear the passcode if the iPad was in Airplane mode or WiFi was off.

You will see the following erroneous message on your iPad: Cannot Use Device - Apple USB Ethernet Adapter: The connected device is not supported.

The iPad is able to connect to APNS and our JSS.

St0rMl0rD
Contributor III

Yes, the ethernet method works, but it's not officially supported and it may stop working at any time in one of the future iOS updates. We need an official, Apple supported way of doing this.

lionelgruenberg
New Contributor III

Totally agree with you and thanks for reaching out to Apple. I'll also reach out to our Apple Account Engineer for an Apple supported way of doing this.

lionelgruenberg
New Contributor III

@St0rMl0rD Here is the response from our Apple Account engineer:

"In instances such as this, it's been noted that having - at initial deployment, deploy a profile with a pre-configured open Wi-fi network that is only ever used for initial deployment, and also during this kind of recovery (as it will then exist in the Preferred Networks List). Some folks will keep the specific SSID turned off unless activation/deployment or a type of [Passcode Wipe] recovery..."

Planning on testing this open SSID deployment strategy today. I'll report back with the results.

talkingmoose
Moderator

@lionelgruenberg, having an open Wi-Fi AP won't solve this issue, unfortunately. Wi-Fi will remain off until a passcode is entered after the reboot.

You're correct Apple doesn't officially support the Ethernet rig, but it's been available since iOS 6 (I believe) and it's the only method that'll get you into the device short of wiping it. I would imagine Apple's official response will be you need to wipe the device.

If you have to purchase every part for the rig, you're looking at under $100. You may already have a USB hub (consider using a monitor with built-in USB) as well as the USB to Ethernet adapter. The camera adapter isn't too commonly used in IT but it's a $30 investment that will pay for itself if that's all you need to purchase.

St0rMl0rD
Contributor III

@talkingmoose is correct here. For now, iOS works over an ethernet connection, but as it's not officially supported by Apple, one can't rely on it working forever.

lionelgruenberg
New Contributor III

@talkingmoose @St0rMl0rD Yep no luck with the open WiFi network deployment strategy. Escalating this technical issue through to AppleCare.

lionelgruenberg
New Contributor III

@St0rMl0rD @talkingmoose Spoke with an Enterprise Servers & Edu support advisor who said with a passcode enabled on an iOS device what we're seeing is the expected behavior. Reference Case 793536407. Hopefully Apple can come up with an officially supported solution for us sooner rather than later.

gregleeper
New Contributor

Looks like someone has released an easy [solution for this problem](http://www.zdnet.com/article/lightning-ethernet-cable-for-the-iphone-or-ipad/)

lionelgruenberg
New Contributor III

@gregleeper Reading through the FAQ, it looks like this cable only works with 3rd party apps and is not natively supported by iOS' network stack.

St0rMl0rD
Contributor III

@gregleeper, @lionelgruenberg is right, this cable only works with their SDK.

tsossong
New Contributor III

If the device is already locked because of too many failed tries, you can only bring it to an Apple Certified Service Center. They can do an unlock request (no matter DEP or not) to unlock the device. After that you have to reset the device. It comes back unlocked. The request could take 1-2 weeks.

If the device is just passcode locked you can put it into service mode (Switch off, plug cable in, hold the home button and plug it into the computer). iTunes Logo with cable appears and you can wipe and restore it completely. If there was no Find my iPhone-Apple-ID-enabled, it comes up unlocked. Otherwise Apple Unlock Request.

St0rMl0rD
Contributor III

I think you missed the point here a bit, @tsossong

tsossong
New Contributor III

@St0rMl0rD Don't think so, because I have exactly the same issue here with some schools. DEP doesn't prevent you from resetting it in service mode. And if hell breaks loose, doing an unlock request is the official way Apple would clear such passcode locks. That's independent from DEP.

I solve such issues 5-6 times a day.

Btw, most passcode-locked devices I have trouble with keep their WiFi also after restart. Just 2 out of 5 will need an unlock request and re-enrollment after service mode.

John_Wetter
Release Candidate Programs Tester

I think @tsossong is referring to activation lock.

@lionelgruenberg - The solution is the setup you showed and @talkingmoose confirmed. That's it, simple and straight-forward. The passcode disable items are security-related so as you've seen, this behavior you're seeing is considered normal.

St0rMl0rD
Contributor III

Yes @tsossong is referring to Activation Lock, which is not what we're discussing here, as we're discussing Passcode Lock. @john_wetter it works for now, but it's not officially supported, and we need an officially supported solution. That's why me and someone else here submitted a bug to bugreported.apple.com, and we escalated the issue with our system engineers in Apple, so hopefully they realise the importance of this and solve this as soon as possible. Until then, we'll just keep etherneting it out.

tsossong
New Contributor III

Sorry but just to get me right. You can break an activation lock and a passcode lock with my referred methods. I tried it...it works for both.

St0rMl0rD
Contributor III

True, but the underlying thing here is that many of our students don't have up-to-date iCloud Backups, and in this case, their data would be gone. Plus to that, it's a method of solution that takes days and cannot be solved on the spot, when a user needs it.

cdenesha
Valued Contributor II

I switched to DEP at the beginning of this school year, 900 students. I have an ethernet rig, but it does NOT always work. I have not been able to determine the variables yet, mostly because I'm trying to get a student up and going. For those iPads that do work, I get the Clear Password command 10 seconds after plugging in the cable. For those that don't work, I get the normal message that it isn't supported but never get APNS pushes. I've tried multiple variants of when I plug the cable in, restarts, etc. I end up having to do an iCloud restore, as long as the student has listened to me and configured it, and hasn't ignored the out of space messages. :)

We do need a better method, whether open WiFi access that still works when passcode locked, or perhaps just guaranteed ethernet capability.

chris

John_Wetter
Release Candidate Programs Tester

@St0rMl0rD - If I was a betting person, I would say you will never have a supported solution in the way you are requesting it. What there is currently is a solution that works. It's great that you've submitted for this but I just wouldn't hold up any plans based on this is all I'm saying.

St0rMl0rD
Contributor III

Don't really care, as long as it works :) @cdenesha that's weird...For us, the ethernet works 90% of the time, so that's troubling. Oh well, in those cases, we will just have to restore the device, I guess.

cdenesha
Valued Contributor II

I submitted a radar.

Malcolm
Contributor II

I was going to bring this up, after starting to investigate DEP, glad someone had done it for me already. It is actually making me consider avoiding DEP. Despite its benefits.

The way I can see Apple solving this solution is:

Apple to permit DEP managed devices to connect to an existing Wi-Fi service from the lock screen, and if there is no existing Wi-Fi service, then disallow enabling a passcode.

Or if they can enable a bridge of internet from a connected computer, to the iPad, only to Apple services and if necessary to any MDM config applied to the device.

Second to that, if a device is passcode disabled, requiring connect to iTunes, I don't see this working either, unless the iTunes it is connected to is enabled with the DEP account, or a DEP admin account.

PS. Interesting ethernet connection hack.. I'm going to have to try that.

Malcolm
Contributor II

You may find with the other 10%, they have the wrong date and time.

How do things work if the iPad is passcode disabled? e.g. when they have locked it beyond the point of not being able to enter a passcode.

VT-Vincent
New Contributor III

In my deployment (+/-700 devices, 7th and 8th grade), this surprisingly hasn't been much of an issue. One thing I would chime in regarding is the Ethernet/Camera Adapter/Powered Hub - it's certainly not supported and in my experience, it has been hit or miss with around a 50% success rate.

Simmo
Contributor II

I don't see Apple 'fixing' this, it's a security feature, not a bug.

St0rMl0rD
Contributor III

Security feature that prevents us from doing our jobs properly? :)

VT-Vincent
New Contributor III

I can understand why it's locked following a restart, but perhaps there should be an MDM option to include a remote management wireless profile that's always available? If not, even a "join wireless" option on the lock screen itself where you could supply one-time wireless credentials

bbelew
Contributor

Or a master unlock code generated for each device when enrolled.

cdenesha
Valued Contributor II

All ideas should be fed to Apple as either a radar against the MDM Framework (iOS Enhancement) or at apple.com/feedback!! :)

Malcolm
Contributor II

Hmm, the pictured method does actually connect it to ethernet, even though it says it's unsupported.

I found swiping up to activate the camera seems to assist with the connection, as it would immediately prompt for proxy credentials.

I guess this will do for now, but because it is not an approved method, to rely on it is a bit dicey, but it will do for now.

timvenchus
New Contributor II

I posted this to another thread, but that thread is linking here, so I thought I'd try this:

Has anyone been able to get this to work with the new Lightning to USB 3 Camera adapter (powered by iPad power adapter) plus a USB to Ethernet adapter? I can get online with an iPad that is already unlocked, but when I try to get online with an iPad that's been disabled (but showing passcode unlock screen) it won't connect.

talkingmoose
Moderator

How are you verifying you're not online when at the passcode screen? Because this is a wired connection, the Wi-Fi icon won't appear at the top of the screen.

Test sending an unlock command from your JSS to the device. Verify it unlocks by swiping from left to right as if you're about to enter the passcode.

timvenchus
New Contributor II

Hi @talkingmoose I did your exact method to test the connection and it was a no go. I was able to verify the connection on an unlocked iPad with wifi turned off, but it seems that the locked iPad has all internet connections disabled.

jthamor
New Contributor

Hi @timvenchus. We too are having the exact same issue with an iPad running 9.3.1 that is locked with the user unable to remember his passcode. We got the new Lightning to USB 3 Camera adapter and the USB to Ethernet adapter to attempt to get the iPad to connect to the JSS so we could send the "Clear Passcode" command, but it is not working for us either. I can confirm from our DHCP server that the iPad does get an IP address over the Ethernet connection and I can ping the iPad from the server, but for some reason the iPad never seems to talk to the JSS. I'm not sure if the JSS is just not "looking" for this iPad on that IP or if the APN servers don't "recognize" that this iPad is on a different IP.

If anyone has any further tips or tricks to try, please let us know. We are trying to avoid wiping the device if necessary because the student did not have everything backed up and there are finals coming up soon. (Granted, he can't use anything on it right now since it is locked, so maybe this is just a learning lesson for him.) Any and all help is appreciated. Thanks.

St0rMl0rD
Contributor III

Weird, it's working perfectly fine for us in those scenarios. We can restart the iPad, and when it comes back and it's locked with no Wi-Fi, connecting it to the ethernet will get it solved in seconds.

timvenchus
New Contributor II

@St0rMl0rD Are you using the new Apple Lightning to USB 3 adapter and Apple USB to Ethernet adapter (with power from iPad power adapter), or a different setup e.g. with a powered USB hub? Unfortunately I don't have a powered USB hub on hand to test out alternate setups.