How to clear passcode on iPads with no WiFi?

dhanadhan
New Contributor III

iPads that sit on the lock screen for a few hours go into a partial sleep mode which disconnects from WiFi. The only way to connect them to WiFi is to wake them up and go to the home screen. If an iPad is locked with a passcode and not connected to WiFi, how will it complete the "Clear passcode" command through Jamf? There is literally no way to connect back to the internet using the same WiFi, Ethernet or Internet Sharing. In the past, people claimed that Ethernet to Lightning adapters worked, but since iOS 11.4.1, USB restricted mode disabled the use of dongles at the lock screen.

We have a lot of iPads for staff that are simply added to Jamf without any configuration policies applied to them. I know there is an option to enable/disable USB restricted mode under configuration policies, but the problem is that we are not applying any policies to these iPads. So by default, USB restricted mode is Enabled which prevents use of dongles while at the lock screen.

The only way to solve this matter is to Wipe through iTunes or Configurator. However, all data will be gone and that is not good at all.

Does anyone have a better solution to this problem? Is there a way to apply Apple's default policies through Jamf and only modify the USB restricted mode policy? Of course, this will not fix the problem for currently locked iPads, but it could prevent it in the future.

1 ACCEPTED SOLUTION

dhanadhan
New Contributor III

We have found a solution to this problem. It will not fix the problem on currently locked iPads, but it will help to solve this problem in the future using the Belkin Lightning to Ethernet (PoE) dongle. We are planning to apply the USB Restricted mode settings to all staff iPads. A configuration policy configured only with this function will not change anything else from default settings. That is exactly what we were looking for. We will do more testing with different test cases, but I am pretty sure it will work. I will mark this post as a solution if we succeed with tests.

I still think this policy should be applied automatically from Jamf on all managed iPads that are allowed to put a passcode. Without this, Jamf commands are useless on locked iPads.


17 REPLIES

dhanadhan
New Contributor III

I guess no one has a solution to this problem?

mschroder
Valued Contributor

It is strange that as the only policy you have the USB restricted mode. Does this mode still allow you to connect the device to a Mac and have the Mac share its network connection?

TexasITAdmin
New Contributor III

I have had this problem many times with no good solution. For example during covid crisis dozens of iPads were sent home blindly without much thought as to profiles. Students or parents put a lock code on it, student disconnected it from the wifi, or turned wifi off. Then we get stuck with a stuck iPad. We aren't a mac shop so we don't just have OSX devices laying around to be plugged into.

What are the options? What is the dongle that was talked about? Is there some way to clear a lock code with a USB stick?

I wasn't aware you can do internet sharing via USB

jefff
Contributor II

@TexasITAdmin The "dongle" is a Lightning to Ethernet adapter. You can either buy these from a third-party manufacturer or cobble one together with a set of Apple adapters.

As an education customer of Apple, if your iPads aren't supervised, you can call Apple Education Support and follow the menu picks for Tech Support > Activation Lock, to get Apple to unlock the devices. You may need to provide Apple with proof of ownership, such as a sales receipt or an order number.

swaney29
New Contributor

In order to unlock the iPad from Jamf, it must be connected to the internet, simple as that. Jamf can't reach a device that's offline. It can be connected through wifi, or through a wired connection. If it's at a lock screen, then if you're lucky it may be in range of a saved wifi network, otherwise if it was ever turned off (or its battery died) it won't even try to connect to wifi.

In the latter case, where wifi is not an option, your only remaining option to get it online is a wired connection using a dongle. If you don't have USB restricted mode (which requires supervision IIRC) then that may not be an option either and your only remaining option is the iTunes/Configurator reset. We have the same problem at my workplace, and we use USB unrestricted mode to address it, but unless I'm mistaken, there's no way to share your internet connection through iTunes/Configurator and you need a special dongle setup to connect the iPad to an ethernet connection. Our users generally don't have the network dongle available so this situation almost always requires an in-person appointment unless they're ok with wiping the device, but since we disable USB restricted mode that in-person option still works for resetting passcodes. If your users have the dongle, the hard part is already done. Just have them hook it up, press the button in Jamf on your end, and wait a few minutes for the device to connect.

What USB restricted mode does is prevent the device from trusting new external contraptions, such as dongles for connecting to ethernet, to reset its password. You may recall back when the FBI demanded Apple provide a way for law enforcement to unlock iPads, in a likely attempt to set a precedent so they could routinely frisk people's devices to build evidence for drug charges? USB restricted mode is directly related to that showdown, and when set (by default) you cannot connect to the internet until the device has been unlocked specifically to prevent the iPad from being unlocked remotely by a potentially adversarial party. With rare exceptions, there's very little reason not to toggle that setting in an enterprise since you cannot recover any data if you lose the passcode. You can find the setting in Jamf under Configuration Profiles -> Restrictions -> Functionality -> USB restricted mode and the setting you're looking for is Restricted.

You say you "are not applying any policies to these iPads". I don't know if that's because workplace politics prevent you from managing the iPads, or if you're confused or just trying to avoid getting too intrusive or what, but I think you just laid out a perfectly good justification for this particular setting you could present to management. These iPads are already managed by Jamf - the single biggest privacy hurdle to overcome - and USB unrestricted mode is but a single setting you would automatically layer on top of that which is very unobtrusive with no user impact. As an organization, you're going to need to make a decision here - either IT pushes that setting out, or you accept that there will be data loss any time someone forgets their passcode.

dhanadhan
New Contributor III
It is strange that as the only policy you have the USB restricted mode. Does this mode still allow you to connect the device to a Mac and have the Mac share its network connection?

@mschroder Yes, already tried connecting it to my MacBook Air, but it needs to be trusted first before using the internet sharing. If iPads are locked with a passcode, you cannot trust and the MacBook won't even recognize them.

@TexasITAdmin Since they are Student iPads, you should have some policies applied to them. Look for the one that prevents USB dongle use at the lock screen. If you allow USB dongles, you will be able to use Lightning to Ethernet dongle to send Clear Passcode command through Jamf. We have staff iPads with no policies so by default USB restricted mode is enabled.

@jefff Will they do this remotely? If yes, I do not think it will clear the passcode since iPads are not connected to the Internet while at the lock screen. It must be connected to WiFi before it clears the passcode sent from Apple or Jamf.

@swaney29 Thank you for the reply. I appreciate your expertise on this issue. We are not applying any policies as these are staff iPads and we want to leave everything as default. Of course, we are applying policies to Student iPads, but they cannot even set a passcode because we have it blocked. On the other hand, we are allowing staff to set passcode. Now, if we apply some policies just so we can control the USB restricted mode, how do we keep everything else to default? JAMF does not have any default policy template we can apply. We do not want to create another issue by going through all policies to apply. Can't jamf apply the USB restricted mode policy separately on all supervised iPads or at least give an option when they are enrolled? This is very important since JAMF is useless if iPads cannot connect to the internet.

mschroder
Valued Contributor

I am surprised that you need to trust the device before you can share the internet connection. I seem to remember that I shared a connection to an iPad that was set to not trust any computer, and I could still share the network. It was the only way to recover the iPad that had a messed up config - no internet, no way to get a sane config.


Strannik
New Contributor III

@dhanadhan Yes, you can push config profile with just 1 restriction leaving everything else at default.
We disable USB restricted mode on all our iPads. But we also enforce password requirement on all staff iPads.
iPads still need to "trust" a computer if you want to sync them with iTunes, but a 3rd party Ethernet dongle works fine on a locked iPad.
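Editor's added example (not code from any poster or from Jamf): a check that an exported, unsigned .mobileconfig really carries only the one restriction discussed above before it is scoped to a fleet. The payload type `com.apple.applicationaccess` and the key `allowUSBRestrictedMode` are Apple's profile names and do not appear in this thread; the function names and the sample profile are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type
USB_KEY = "allowUSBRestrictedMode"  # False = accessories may connect while locked


def audit_profile(raw: bytes) -> dict:
    """Report every restriction key an unsigned .mobileconfig sets."""
    profile = plistlib.loads(raw)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key, value in payload.items():
            if not key.startswith("Payload"):  # skip PayloadUUID, PayloadType, ...
                settings[key] = value
    return {
        "settings": settings,
        # Key absent means the iOS default applies: USB restricted mode stays on.
        "accessories_allowed_while_locked": settings.get(USB_KEY, True) is False,
        # Anything listed here changes behaviour beyond the single intended setting.
        "other_restrictions": sorted(k for k in settings if k != USB_KEY),
    }


def make_profile(restrictions: dict) -> bytes:
    """Constructed sample: an unsigned profile with one Restrictions payload."""
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    report = audit_profile(make_profile({USB_KEY: False}))
    print(report)
```

A profile that passes this check still lowers lock-screen protection on every device it reaches, so the enforced passcode requirement mentioned above belongs in the same rollout.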

faengelm
New Contributor

How about creating a temporary Wi-Fi network with the same network name and password?

dhanadhan
New Contributor III
How about creating a temporary Wi-Fi network with the same network name and password?

@faengelm If iPads are sitting on the lock screen for a while with a passcode lock, they will not even try to connect to any WiFi no matter what. It is designed to only try connecting to WiFi when it is unlocked and on the home screen.

rtown56
New Contributor

ARGH. So - I want to allow a USB internet Share from caching server, or an ethernet lightning dongle.
What should I set in the attached image - Why are these settings having such counter intuitive names and options with no explanation notes?!?
I have the same issue, after x y or z the iPad will not connect to WiFi therefore cannot unlock, clear passcode or ANYTHING.
We have to DFU and wipe via AC2 which really sucks when the student has assessment stored in photo roll or an app that isn't backed up. We block iCloud storage so no backups or photos sync online ....

dlevendo
New Contributor III

I have USB restricted mode set to Restrict on all our deployed iPads via a config profile and it allows the use of a USB-Ethernet adapter connected to the iPad via the Apple Lightning to USB 3 Camera Adapter and power from an iPad charger as the accessories draw more power than the iPad can provide. I wish I never had to use it, but I run into similar situations and this works flawlessly about 9/10 times.

dhanadhan
New Contributor III

@rtown56 I don't think USB restricted mode policy will allow USB Internet Share if iPads are locked or disabled. It might need to Trust the laptop you are connecting to so for the purpose of unlocking iPads without WiFi, it might not work. Dongles on the other hand do not require Trust permission so they just work at the lock screen once you "Restrict" USB restricted mode.

Thank you for this suggestion!

I had accidentally applied the "USB Restricted" and an invalid WiFi config, and locked myself out of an iPad. I thought I had bricked it, but sharing the ethernet from an active iMac fixed the situation.

david_yenzer
Contributor II

Following - we have now implemented this by adding Configuration Profiles -> Restrictions -> Functionality -> USB restricted mode and turning it to Restricted. We have tested on a handful of devices here and it worked successfully to allow us to get ethernet access and clear the passcode. Thanks for the tip!

tdenton
Contributor

I'm sure you can format the locked iPads with Apple Configurator. The iPad needs to be in DFU mode.