We deploy more than 600 iOS devices and are thinking of switching to DEP for easier distribution. However, while reviewing DEP and the issues that we currently have, we have stumbled upon an issue that we cannot solve and that is crucial if we want to switch to DEP. We have also opened up a bug report with Apple and are following up with them on this as well. I was just wondering if there are any schools that use DEP and have come across this issue, and how they solved it.
So, here it is:
Sometimes, users forget their passcode lock. With JSS, we can push out a "Clear Passcode" command, that removes the clear passcode and requires the user to enter a new passcode, as set by our policy. However, if the user restarts the device, the entire device is encrypted along with the keychain, and the device does not connect to any Wi-Fi network, therefore it cannot receive the "Clear Passcode" command. With Apple Configurator, we could connect the locked device to Configurator, remove the MDM profile, and the device would unlock. However, this will no longer be possible with DEP. We have tried the Ethernet connectivity of the iPad and that works for now, but it is not an official way of doing it, and Apple may remove the possibility at any point in the future. The iOS device has to be able to connect to a Wi-Fi network so we can unlock it.
Steps to Reproduce:
1. Supervise an iOS device with Apple Configurator
2. Enroll the iOS device into an MDM
3. Set up a passcode on the iOS device
4. Let's say the user of the device forgets the iOS passcode lock
5. Restart the iOS device and remember you don't know the passcode lock anymore
6. On MDM, push out a "Clear Passcode" command to the device
7. Because the device doesn't have Wi-Fi connectivity, the command will never reach the device
Expected Results:
After restarting the iOS device, it automatically connects to known Wi-Fi networks.
Actual Results:
After restarting the iOS device, it does not connect to any Wi-Fi networks.
Thanks!
I ran into that issue a few days ago. Luckily the person who took the iPad and set a code let us know what it was. Kind of weird that a restart doesn't allow the wireless to work, defeats the purpose of the clear passcode command and "find my iPad".
We run into this problem often. You only have three options. 1. Hope the user remembers it. 2. Guess random numbers and hope for the best. 3. DFU restore and hope they have a backup.
@St0rMl0rD We've had success with this setup but don't believe it's officially supported by Apple. Important to note this works for us because we're not using 802.1x or a captive portal for wired connections at this time.
Apple USB Ethernet adapter
iPad Camera connection kit
Lightning to 30-pin Adapter
Plug the USB Ethernet adapter into a powered USB 3.0 hub. I don't think you need to use a 3.0 USB hub but that's all we had for testing.
Connect the USB hub to the iPad via the Camera Connector adapter.

I've successfully tested the Clear Passcode command with a DEP enrolled device and this USB Ethernet adapter setup. I can also confirm the same setup worked to clear the passcode if the iPad was in Airplane mode or WiFi was off.
You will see the following erroneous message on your iPad: Cannot Use Device - Apple USB Ethernet Adapter: The connected device is not supported.

The iPad is able to connect to APNS and our JSS.
Yes, the ethernet method works, but it's not officially supported and it may stop working at any time in one of the future iOS updates. We need an official, Apple supported way of doing this.
Totally agree with you and thanks for reaching out to Apple. I'll also reach out to our Apple Account Engineer for an Apple supported way of doing this.
@St0rMl0rD Here is the response from our Apple Account engineer:
"In instances such as this, it's been noted that having - at initial deployment, deploy a profile with a pre-configured open Wi-fi network that is only ever used for initial deployment, and also during this kind of recovery (as it will then exist in the Preferred Networks List). Some folks will keep the specific SSID turned off unless activation/deployment or a type of [Passcode Wipe] recovery..."
Planning on testing this open SSID deployment strategy today. I'll report back with the results.
@lionelgruenberg, having an open Wi-Fi AP won't solve this issue, unfortunately. Wi-Fi will remain off until a passcode is entered after the reboot.
You're correct Apple doesn't officially support the Ethernet rig, but it's been available since iOS 6 (I believe) and it's the only method that'll get you into the device short of wiping it. I would imagine Apple's official response will be you need to wipe the device.
If you have to purchase every part for the rig, you're looking at under $100. You may already have a USB hub (consider using a monitor with built-in USB) as well as the USB to Ethernet adapter. The camera adapter isn't too commonly used in IT but it's a $30 investment that will pay for itself if that's all you need to purchase.
@talkingmoose is correct here. For now, iOS works over an ethernet connection, but as it's not officially supported by Apple, one can't rely on it working forever.
@talkingmoose @St0rMl0rD Yep no luck with the open WiFi network deployment strategy. Escalating this technical issue through to AppleCare.
@St0rMl0rD @talkingmoose Spoke with an Enterprise Servers & Edu support advisor who said with a passcode enabled on an iOS device what we're seeing is the expected behavior. Reference Case 793536407. Hopefully Apple can come up with an officially supported solution for us sooner rather than later.
Looks like someone has released an easy [solution for this problem](http://www.zdnet.com/article/lightning-ethernet-cable-for-the-iphone-or-ipad/)
@gregleeper reading through the FAQ, it looks like this cable only works with 3rd party apps and is not natively supported by iOS' network stack.
@gregleeper, @lionelgruenberg is right, this cable only works with their SDK.
If the device is already locked because of too many failed tries, you can only bring it to an Apple Certified Service Center. They can do an unlock request (no matter DEP or not) to unlock the device. After that you have to reset the device. It comes back unlocked. The request could take 1-2 weeks.
If the device is just passcode locked you can put it into service mode (switch off, plug cable in, hold the home button and plug it into the computer). The iTunes logo with cable appears and you can wipe and restore it completely. If there was no Find my iPhone Apple ID enabled, it comes up unlocked. Otherwise Apple Unlock Request.
I think you missed the point here a bit, @tsossong
@St0rMl0rD don't think so, because I have exactly the same issue here with some schools. DEP doesn't prevent you from resetting it in service mode. And if hell breaks loose, doing an unlock request is the official way Apple would clear such passcode locks. That's independent from DEP.
I solve such issues 5-6 times a day.
Btw, most of the passcode-locked devices I have trouble with keep their WiFi also after restart. Just 2 out of 5 will need an unlock request and reenrollment after service mode.
I think @tsossong is referring to activation lock.
@lionelgruenberg - The solution is the setup you showed and @talkingmoose confirmed. That's it, simple and straight-forward. The passcode disable items are security-related so as you've seen, this behavior you're seeing is considered normal.
Yes @tsossong is referring to Activation Lock, which is not what we're discussing here, as we're discussing Passcode Lock. @john_wetter it works for now, but it's not officially supported, and we need an officially supported solution. That's why me and someone else here submitted a bug to bugreported.apple.com, and we escalated the issue with our system engineers in Apple, so hopefully they realise the importance of this and solve this as soon as possible. Until then, we'll just keep etherneting it out.
Sorry, but just so you get me right: you can break an activation lock and a passcode lock with the methods I referred to. I tried it... it works for both.
True, but the underlying thing here is that many of our students don't have up-to-date iCloud Backups, and in this case, their data would be gone. On top of that, it's a solution that takes days and cannot be solved on the spot, when a user needs it.
I switched to DEP at the beginning of this school year, 900 students. I have an ethernet rig, but it does NOT always work. I have not been able to determine the variables yet, mostly because I'm trying to get a student up and going. For those iPads that do work, I get the Clear Password command 10 seconds after plugging in the cable. For those that don't work, I get the normal message that it isn't supported but never get APNS pushes. I've tried multiple variants of when I plug the cable in, restarts, etc. I end up having to do an iCloud restore, as long as the student has listened to me and configured it, and hasn't ignored the out of space messages. :)
We do need a better method, whether open WiFi access that still works when passcode locked, or perhaps just guaranteed ethernet capability.
chris
@St0rMl0rD - If I was a betting person, I would say you will never have a supported solution in the way you are requesting it. What there is currently is a solution that works. It's great that you've submitted for this but I just wouldn't hold up any plans based on this is all I'm saying.
Don't really care, as long as it works
@cdenesha that's weird... For us, the ethernet works 90% of the time, so that's troubling. Oh well, in those cases, we will just have to restore the device, I guess.
I was going to bring this up, after starting to investigate DEP, glad someone had done it for me already. It is actually making me consider avoiding DEP, despite its benefits.
The way I can see Apple solving this solution is:
Apple to permit DEP managed devices to connect to an existing WiFi service from the lock screen, and if there is no existing WiFi service, then disallow enabling a passcode.
Or if they can enable a bridge of internet from a connected computer to the iPad, only to Apple services and, if necessary, to any MDM config applied to the device.
Second to that, if a device is passcode disabled, requiring connect to iTunes, I don't see this working either, unless the iTunes it is connected to is enabled with the DEP account, or a DEP admin account.
PS. Interesting ethernet connection hack. I'm going to have to try that.