What do schools that use DEP with iPads do, when a user forgets their passcode?

St0rMl0rD
Contributor III

We deploy more than 600 iOS devices and are thinking of switching to DEP for easier distribution. However, while reviewing DEP and the issues that we currently have, we have stumbled upon an issue that we cannot solve and that is crucial if we want to switch to DEP. We have also opened a bug report with Apple and are following up with them on this as well. I was just wondering if there are any schools that use DEP and have come across this issue, and how they solved it.

So, here it is:

Sometimes, users forget their passcode lock. With JSS, we can push out a "Clear Passcode" command, which removes the passcode and requires the user to enter a new passcode, as set by our policy. However, if the user restarts the device, the entire device is encrypted along with the keychain, and the device does not connect to any Wi-Fi network, so it cannot receive the "Clear Passcode" command. With Apple Configurator, we could connect the locked device to Configurator, remove the MDM profile, and the device would unlock. However, this will no longer be possible with DEP. We have tried the Ethernet connectivity of the iPad and that works for now, but it is not an official way of doing it, and Apple may remove the possibility at any point in the future. The iOS device has to be able to connect to a Wi-Fi network so we can unlock it.

Steps to Reproduce:
1. Supervise an iOS device with Apple Configurator
2. Enroll the iOS device into an MDM
3. Set up passcode on the iOS device
4. Let's say the user of the device forgets the iOS passcode lock
5. Restart the iOS device and remember you don't know the passcode lock anymore
6. On MDM, push out a "Clear Passcode" command to the device
7. Because the device doesn't have Wi-Fi connectivity, the command will never reach the device

Expected Results:
After restarting the iOS device, it automatically connects to known Wi-Fi networks.

Actual Results:
After restarting the iOS device, it does not connect to any Wi-Fi networks.

Thanks!


talkingmoose
Moderator

@timvenchus, I did some testing here with the USB 3 adapter and found something that may help you.

I'm using the same pieces for the rig found here on Lifehacker.com:

USB 3 Camera adapter and Ethernet rig

At first, my iOS device kept receiving a message that I wasn't supplying enough power for the USB Ethernet adapter. After some trial and error, I determined my power supply (far right in the picture) was the problem. It said "iPod USB Power Adapter" (model A1205) and made no mention of wattage. (After some research online I found it's 5W.)

I found a second adapter that specifically said 10W USB Power Adapter (model A1357). The USB symbol on the cable itself also plugged in upside down compared to the first adapter, so I could tell they were different somehow.

This second adapter worked.

talkingmoose
Moderator

Aaaaaand now that I read further down the thread (maybe I should do that before posting things), I see your issue isn't with the device receiving an IP address. Never mind.

St0rMl0rD
Contributor III

@timvenchus we have a powered USB hub set up with all the necessary cables at all times, so if I get an iPad like that, I only look it up in JSS, send the clear passcode command and connect it, and voila.

dfinney
New Contributor

Tried this today on a device and it failed, so I did a bit of testing and think I may have found the issue.

It looks like the MDM root certificate had expired on the device. I checked some more students in his class and they were on an old expired certificate as well.

After getting the student's permission to wipe the device, I proceeded to enroll the device again and then permanently disable it again with incorrect pin code attempts.

After connecting the iPad via the Lightning to USB, USB hub and a USB to Ethernet contraption, it worked instantly.


netten
New Contributor

Can DFU mode remove MDM from an iPhone or iPad?

VT-Vincent
New Contributor III

Yes, but the device would simply re-enroll at activation if it's in DEP and assigned to a pre-stage enrollment.

cbrewer
Valued Contributor II

Anyone else seeing that this no longer works in iOS 10.3? I can still get an IP address with my Apple USB Ethernet adapter, but after reboot I can't run any MDM commands until the passcode is entered.

kuypers
New Contributor III

Yes, what I'm seeing is that I can't clear any passcodes any more on devices with 10.3.1 using a wired connection. Testing on my test device: if the device is passcode locked, no MDM commands are working; if I unlock the device, commands do work. This is going to be a problem clearing passcodes on devices we need to access.

kuypers
New Contributor III

Just found this also

http://www.enterpriseios.com/story/2017/04/07/Push_notifications_to_iOS_require_WiFi_link_when_Ethernet_used

There appears to be a bug in iOS (10.3.1) with push notifications and Ethernet. We use the Apple Lightning to USB 3 Camera Adapter and a USB Ethernet adapter to provide network to devices in the field. During a troublesome deployment we discovered that the Apple Push Notification Service (APNS) does not establish a connection if the WiFi radio is off or not joined to a known network. That WiFi network does not need to have valid internet, or even DHCP available; the device will choose a self-assigned IP and then the APNS connection will use the Ethernet adapter.

I imagine this has something to do with how APNS behaves when both Cellular and WiFi are available. I'm curious if Apple TV has a similar bug; I imagine not, given the fact that Ethernet is built in and likely a more common scenario. Although a seldom used feature, the Lightning to USB to Ethernet configuration was featured in a past keynote (https://sixcolors.com/post/2016/03/apples-lightning-to-usb-3-adapter-bri...).

MDM commands are triggered by APNS messages which means MDM is not functional in an Ethernet only environment.

It was a tricky one to discover, requiring packet captures and other network analysis to isolate. I hope this helps someone else in the future.

Radar:
http://www.openradar.me/31494325

wjw
New Contributor

Was able to connect a locked iPad to a MacBook through USB and share the MacBook's internet connection. Allowed me to get my 10.3.1 iPad unlocked. Thanks to @Emmert's suggestion in https://www.jamf.com/jamf-nation/discussions/23801/rj45-adaptor-for-ipads

Malcolm
Contributor II

So @kuypers, does that mean that 10.3.1 and above devices don't work, or is there a workaround?

I found the same result as you did: I knew the iPad was communicating over Ethernet, as it could be pinged, but it wouldn't respond to MDM commands.

Malcolm
Contributor II

This solution works: https://www.howtogeek.com/214259/how-to-reverse-tether-an-iphone-or-ipad-to-your-pc-or-mac/

Malcolm
Contributor II

Correction.... it did work but only for a small few.

rfaruk
New Contributor II

With macOS High Sierra, if Internet Sharing (or Content Caching with Internet Connection) is enabled on your Mac, all you need to do is connect the iPad to your Mac using a Lightning cable and (though it might take some time) eventually your iPad should start communicating with the MDM and receive that Clear Passcode command.

mmichael
New Contributor

Thank you so much @rfaruk .. this has worked perfectly and resolved the issue :-)

xavier_daleo
New Contributor

Hello,

I manage about 1400 iPads and it does not work for me.
I have an iPad on iOS 11.4.1 locked without Wi-Fi:
- I sent the clear passcode command.
- My Mac is on High Sierra, I am connected to the wired network, and I have enabled connection sharing and caching.
- When I connect the iPad to my Mac with the Lightning cable, the iPad shows "unlock the tablet to use the accessory" and nothing happens on the iPad.
- The command is already pending in Jamf Pro.
It happens very often that students forget their password and that the tablets are locked.
I strongly wish to maintain the homogeneity of the fleet on iOS 11 and therefore do a DFU.
Did I do something wrong?

I am interested in any ideas.

Thank you in advance

WhippsT
Contributor

All of our kids' passcodes are the same as their lunch codes, so we have them on file. If a kid were to change their passcode, and then forget it, they will receive a conduct violation for tampering with their passcode. This is kind of a deterrent to keep the kids from messing with them.

If for some reason a kid does change their code and forgets it, we would do as follows:
1. If it's still on Wi-Fi, clear the passcode by JSS.
2. If it's not on Wi-Fi, connect via Ethernet, then clear passcode by JSS.
3. If Ethernet fails, put iPad into DFU and restore the iPad. (The student will be held responsible for any lost class work)

That's it... the kid will get a working iPad back one way or another. FYI, our 1:1 iPad deployment is only for 5th through 8th grades.

LukeMason
New Contributor III

@xavier.daleo The behaviour you're seeing is due to a change in the iPad settings (as of iOS 11.3?).

In order to allow iOS devices to use the USB connection (either with the USB->Ethernet adapter, or I'm assuming also with internet sharing), you need to disable the "USB Restricted Mode" (see attached screenshot).

You can find this in the "Restrictions" payload, at the bottom of the "Functionality" tab.
