We deploy more than 600 iOS devices and are thinking of switching to DEP for easier distribution. However, while reviewing DEP and the issues that we currently have, we have stumbled upon an issue that we cannot solve and that is crucial if we want to switch to DEP. We have also opened a bug report with Apple and are following up with them on this as well. I was just wondering if there are any schools that use DEP and have come across this issue, and how they solved it.
So, here it is:
Sometimes, users forget their passcode lock. With JSS, we can push out a "Clear Passcode" command, which removes the passcode and requires the user to enter a new passcode, as set by our policy. However, if the user restarts the device, the entire device is encrypted along with the keychain, and the device does not connect to any Wi-Fi network, therefore it cannot receive the "Clear Passcode" command. With Apple Configurator, we could connect the locked device to Configurator, remove the MDM profile, and the device would unlock. However, this will no longer be possible with DEP. We have tried the Ethernet connectivity of the iPad and that works for now, but it is not an official way of doing it, and Apple may remove the possibility at any point in the future. The iOS device has to be able to connect to a Wi-Fi network so we can unlock it.
Steps to Reproduce:
1. Supervise an iOS device with Apple Configurator
2. Enroll the iOS device into an MDM
3. Set up passcode on the iOS device
4. Let's say the user of the device forgets the iOS passcode lock
5. Restart the iOS device and remember you don't know the passcode lock anymore
6. On MDM, push out a "Clear Passcode" command to the device
7. Because the device doesn't have Wi-Fi connectivity, the command will never reach the device
Expected Results:
After restarting the iOS device, it automatically connects to known Wi-Fi networks.
Actual Results:
After restarting the iOS device, it does not connect to any Wi-Fi networks.
@timvenchus, I did some testing here with the USB 3 adapter and found something that may help you.
I'm using the same pieces for the rig found here on Lifehacker.com:
At first, my iOS device kept receiving a message that I wasn't supplying enough power for the USB Ethernet adapter. After some trial and error, I determined my power supply (far right in the picture) was the problem. It said "iPod USB Power Adapter" (model A1205) and made no mention of wattage. (After some research online I found it's 5W.)
I found a second adapter that specifically said 10W USB Power Adapter (model A1357). The USB symbol on the cable itself also plugged in upside down compared to the first adapter, so I could tell they were different somehow.
This second adapter worked.
Tried this today on a device and it failed, so I did a bit of testing and think I may have found the issue.
It looks like the MDM root certificate had expired on the device. I checked some more students in his class and they were on an old expired certificate as well.
After getting the student's permission to wipe the device, I proceeded to enroll the device again and then permanently disable it again with incorrect PIN code attempts.
After connecting the iPad via the Lightning to USB, USB hub and a USB to Ethernet contraption, it worked instantly.
Yes, what I'm seeing is that I can't clear any passcodes any more on devices with 10.3.1 using a wired connection. Testing on my test device, if the device is passcode locked no MDM commands are working. If I unlock the device, commands do work. This is going to be a problem clearing passcodes on devices we need to access.
Just found this also
There appears to be a bug in iOS (10.3.1) with push notifications and Ethernet. We use the Apple Lightning to USB 3 Camera Adapter and a USB Ethernet adapter to provide network to devices in the field. During a troublesome deployment we discovered that the Apple Push Notification Service (APNS) does not establish a connection if the WiFi radio is off or not joined to a known network. That WiFi network does not need to have valid internet, or even DHCP available; the device will choose a self-assigned IP and then the APNS connection will use the Ethernet adapter.
I imagine this has something to do with how APNS behaves when both Cellular and WiFi are available. I'm curious if Apple TV has a similar bug. I imagine not, given the fact the Ethernet is built in and likely a more common scenario. Although a seldom used feature, the Lightning to USB to Ethernet configuration was featured in a past keynote (https://sixcolors.com/post/2016/03/apples-lightning-to-usb-3-adapter-bri...).
MDM commands are triggered by APNS messages which means MDM is not functional in an Ethernet only environment.
It was a tricky one to discover, requiring packet captures and other network analysis to isolate. I hope this helps someone else in the future.
With macOS High Sierra, if Internet Sharing (or Content Caching with Internet Connection) is enabled on your Mac, all you need to do is connect the iPad to your Mac using a Lightning cable and (though it might take some time) eventually your iPad should start communicating with the MDM and receive that Clear Passcode command.
I manage about 1400 iPads and it does not work for me.
I have an iPad on iOS 11.4.1 locked without Wi-Fi:
- I sent the clear passcode command.
- My Mac is on High Sierra, I am connected to the wired network, I have enabled connection sharing and caching.
- When I connect the iPad with the Lightning cable to my Mac, "unlock the tablet to use the accessory" appears on the iPad and nothing happens on the iPad.
- The command is already pending in Jamf Pro.
It happens very often that students forget their password and that the tablets are locked.
I strongly wish to maintain the homogeneity of the fleet on iOS 11 and therefore do a DFU.
Did I do something wrong?
I am interested in any ideas.
Thank you in advance.
All of our kids' passcodes are the same as their lunch codes, so we have them on file. If a kid were to change their passcode, and then forget it, they will receive a conduct violation for tampering with their passcode. This is kind of a deterrent to keep the kids from messing with them.
If for some reason a kid does change their code and forgets it, we would do as follows:
1. If it's still on Wi-Fi, clear the passcode by JSS.
2. If it's not on Wi-Fi, connect via Ethernet, then clear passcode by JSS.
3. If Ethernet fails, put iPad into DFU and restore the iPad. (The student will be held responsible for any lost class work)
That's it... the kid will get a working iPad back one way or another. FYI, our 1:1 iPad deployment is only for 5th through 8th grades.
@xavier.daleo The behaviour you're seeing is due to a change in the iPad settings (as of iOS 11.3?).
In order to allow iOS devices to use the USB connection (either with the USB->Ethernet adapter, or I'm assuming also with internet sharing), you need to disable the "USB Restricted Mode" (see attached screenshot).
You can find this in the "Restrictions" payload, at the bottom of the "Functionality" tab.
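As an added example (not part of the thread and not Jamf's own tooling): the checkbox described in the post above corresponds to the `allowUSBRestrictedMode` key of the Restrictions payload (`com.apple.applicationaccess`), which applies to supervised devices. The Python below reads an exported, unsigned .mobileconfig and reports how that key is set; the sample profile, its identifiers and the conservative handling of conflicting payloads are assumptions made for the example.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Constructed sample profile (not taken from the thread).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.constructed.restrictions</string>
      <key>allowUSBRestrictedMode</key><false/>
    </dict>
  </array>
</dict></plist>"""


def usb_restricted_mode_state(profile_bytes):
    """Classify an unsigned .mobileconfig as 'disabled', 'enabled' or 'unmanaged'.

    'disabled'  : a Restrictions payload sets allowUSBRestrictedMode to false,
                  so a locked device keeps accepting USB accessories.
    'enabled'   : a Restrictions payload sets the key to true.
    'unmanaged' : no Restrictions payload sets the key; the iOS default
                  (restricted mode on) stays in effect.
    """
    profile = plistlib.loads(profile_bytes)  # signed (CMS) profiles will not parse
    values = [
        payload["allowUSBRestrictedMode"]
        for payload in profile.get("PayloadContent", [])
        if payload.get("PayloadType") == RESTRICTIONS_TYPE
        and "allowUSBRestrictedMode" in payload
    ]
    if not values:
        return "unmanaged"
    # Assumption: if payloads disagree, report the stricter result so a
    # wired-recovery plan is not built on a setting that may not apply.
    return "enabled" if any(values) else "disabled"


if __name__ == "__main__":
    print(usb_restricted_mode_state(SAMPLE_PROFILE))
```

Only a result of `disabled` means the wired Ethernet or Internet Sharing path discussed in this thread can work on a locked device; the profile also has to be installed before the device gets locked.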