iOS 7 - device reuse can be difficult


cenders

Joined: Nov 8, 2013

With Find My iPhone turned on in iOS 7, your Apple ID password will always be required before anyone can erase the iPhone or reactivate and use the device.

So if we fire someone and they fail to give us their Apple ID password, they have effectively locked us out of the phone, preventing it from being re-used.

How are enterprises going to deal with this? Is there an MDM solution out there that can circumvent this or load a profile that prevents this scenario from happening?


cenders

Joined: Sep 19, 2013

More details at this link


http://support.apple.com/kb/HT5818


Lexian

Joined: Sep 20, 2013

iOS 7 Device Re-Use


iOS devices can use up to 5 different Apple IDs for content etc., but the first one becomes the one that controls the Find My iPad features.

This would mostly be a policy change in how you deploy them: make them register their company-owned email address as the primary Apple ID.

If you ever have to, you should be able to take control of/gain access to a terminated employee's email account and request a password reset. Currently 2 options are available: verify with security questions, or by email. If done via email, they merely send a password reset link to the email and you get to type in a new one.

I have a work-issued iPad, and I have my work account linked so that I can use work-paid-for apps, but I have a second iTunes account so that I can buy apps out of my own pocket and retain ownership of them if I ever purchase a personal iOS device, and to maintain a clear audit trail.


brlx

Joined: Jan 31, 2012

What if the device is managed with MDM


Do you have any info on whether this is the case when the device is managed with MDM? So if the device is company owned and going to be replaced or the employee leaves the company, can the MDM wipe the device clean?


Aaron Freimark

Joined: Nov 6, 2010

MDM doesn't help


MDM won't help here because the Activation Lock feature is not controlled by the device. It is controlled by Apple's activation servers.

One option is to change your policies to charge the employee when this happens.

But I think you have identified a real issue. In Apple's world, company-owned devices should be supervised. Unsupervised devices are assumed to be property of the employee, and there is no way Apple is enabling the company to remove Activation Lock.

But what about for supervised devices? It does seem Activation Lock should behave differently for supervised devices.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO


Duane Herring

Joined: Sep 23, 2013

Apple's response to the issue...


Hi all,

Apple has published the following support article that attempts to address the issue above...

http://support.apple.com/kb/HT5927?locale=en_AU&viewlocale=en_AU

Discuss...

Regards,
Duane Herring
Enterprise Mobility Services Lead
Commonwealth Bank of Australia


Aaron Freimark

Joined: Nov 6, 2010

Duane, nice find. That's front-page worthy.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO


sapperox

Joined: Sep 23, 2013

How about disabling iCloud via MDM?


If iCloud has to be active to use it and we deactivate it, would that not keep the user from turning on Find My iPhone (and thus alleviate this issue)?

Mark T.
MDM Systems Admin - KCI
San Antonio, TX


cenders

Joined: Sep 19, 2013


Nice find, Duane. So, I guess I have to figure out how we take all of the currently deployed iPhones that were deployed unsupervised... and supervise them.


sapperox

Joined: Sep 23, 2013

I'm in the same boat as Cenders...


To answer my own question, I can't turn off iCloud, just block syncing of content, so users can still set up iCloud and Activation Lock...

Mark T.
MDM Systems Admin - KCI
San Antonio, TX


georgekkim

Joined: Sep 24, 2013

...half way freaking out


Prior to iOS 7, we recommended users activate iCloud/Find My iPhone, but the devices were in unsupervised mode; it was not as big of an issue in iOS 6 to put the device in recovery mode. With rapid adoption of iOS 7, the baked-in Find My iPhone/Activation Lock "feature" could definitely brick some phones coming back. Haven't even started freaking out about AirDrop yet....

georgekkim


EnterpriseiOSLover

Joined: Sep 25, 2013

Possible Solution to Corporate Deployments....


With this new Lock feature I've been fiddling with the idea of doing this (an idea posted on the Apple forums a while ago: https://discussions.apple.com/thread/4852726?start=0&tstart=0):

1. Prepare one device
2. Add the iCloud account on that device by entering the account and password on the actual device
3. Make a backup of that device with a generic iCloud account for that cart of iPads
4. Add that backup to all devices

Now all devices have iCloud on them and are trackable with Find My iPad. We want to lock that account on so that students cannot erase it.

Touching every device: Settings > General > Restrictions > Enable Restrictions > Accounts > Don't Allow Changes


We already block Account Changes, but the idea of creating one iPad with a singular (enterprise admin owned Apple account), logging into iCloud with it and setting up FindMyiPhone, and then creating a backup of that (core configuration) and then restoring that onto every iPad going forward seems like an enticing idea.

After that initial restore happens we can continue to add our company's MDM application and any device-specific configurations for the LOB.

Some of the advantages of doing this would be:
1. You could manage all of your iPads' tracking (outside of MDM) in a single place.
2. Utilizing FindMyiPhone gives you increased tracking capabilities outside of what MDM can offer (example: ability to re-enable location services remotely for FindMyiPhone if disabled by the owner of the iPad, ability to manage hundreds or thousands of iPads on a single FindMyiPhone account from a single iPad, ability to display lock screen messages and/or actually change the device passcode of the device (something MDM can't do)).
3. Would speed up provisioning and would alleviate the worry of having an end user log in to the iPad with their personal iCloud account and set up FindMyiPhone, which could potentially brick the device.
4. Wouldn't need to supervise the device, assuming that you lock account changes in restriction settings.

The only concerns I have potentially are:
1. An unknown limit of devices that can be activated to a single iCloud account.
2. Someone uploading malicious pictures to the shared photo stream in iCloud and having it spread to all corporate iPads activated with that account (this can be disabled in the iCloud shared settings and hopefully restored as part of the initial backup configuration).
3. The inability in the future to allow for individuals to use their own personal iCloud accounts on corporate tablets (not really a con but might be in certain scenarios).

Has anyone else tried this? Currently doing this or something similar in your deployments?


Aaron Freimark

Joined: Nov 6, 2010

I'm not sure the restore would connect the new device to iCloud. Have you tested that?

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO


georgekkim

Joined: Sep 24, 2013

Yup. Any iOS 7 device that was activated with an Apple ID AND enabled iCloud/Find My iPhone will require that specific Apple ID to activate the device, whether restore, DFU, or recovery. It will also prevent you from wiping the device if you don't have the Apple ID. Try it for yourselves and let me know!

georgekkim


Mavwin

Joined: Sep 25, 2013

MobileIron


Yesterday I heard that in the next update to the MobileIron VSP, admins can prevent users from enabling Find My iPhone on their phones.

"Policies to manage/control this feature will be available in VSP 5.7.8 which is due for release end of September 2013."

Hope it's true :)


Aaron Freimark

Joined: Nov 6, 2010

Dubious


A key feature of iOS MDM is that Apple installs the MDM agent, not the MDM vendor. That is why so many MDM vendors have similar or identical features. MobileIron wouldn't have some special feature unavailable to everyone else.

Now what they may be talking about is over-the-air supervision, which will arrive (someday) in the form of "Simplified Device Enrollment." Since we know supervision disables Find My iPhone, their claim may be a creative marketing twist.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO


EnterpriseiOSLover

Joined: Sep 25, 2013

Confirmed

Aaron Freimark wrote:

> I'm not sure the restore would connect the new device to iCloud. Have you tested that?

I've confirmed that a backup/restore of an iPad loaded with iCloud and with the FindMyiPhone feature turned on will indeed restore to new devices.

If you enable restrictions settings in your original backup to block account changes this will also be backed up and restored.

The only downside is that the device name (which is ultimately what shows up in FindMyiPhone when you try to locate) will be the same for all devices restored, so as a final step after the restore you must go into Settings > General > About and change the name to whatever naming convention you have set up for your corporate devices (or I suppose you could just do this in iTunes when the iPad is still connected after the restore).

My concern around an unseen limit remains though. Last thing we need is to deploy 200 devices like this and then reach a flag and have the iCloud account banned or removed... I'll need to contact our Apple reps for insight.


Mavwin

Joined: Sep 25, 2013

Yes, you're right about that: all the MDM vendors have access to all the MDM APIs from Apple.

If Find My iPhone is activated on the device before the user enrolls it, it won't be deactivated. I tested that yesterday, and when I tried to do a reset of my iPhone I had to give my Apple ID password to be able to reset it.

---
Magnus Norberg
Sweden


richb

Joined: Mar 21, 2012

iCloud Backup filled up


We got into this condition (Possible Solution to Corporate Deployments) by accident. We got new iPads supervised with Configurator (which takes care of the naming concern by sequentially numbering them); however, the master being restored had the school Apple ID configured for iCloud when initially going through the setup screen to build the master. The problem became apparent when iCloud Backup complained the 5 GB free space was filled. Backups started happening on all the iPads, and a few hundred were done this way. In the iOS 6 mentality it should have been simple to make a new master to restore that didn't include that Apple ID. With the new Activation Lock feature, on a supervised iPad, when an Apple ID is entered for iCloud, a master without that Apple ID cannot be restored!

There are basically two solutions for these iPads now of time not originally planned:

  1. Touch every iPad and delete the iCloud account (less than 10 minutes) x 300 = 50 man hours
  2. Un-Supervise and start over - Wipe while individually maintaining the same name as now assigned and recorded in other systems; but the bulk of the time is re-installing all the apps (less than 20 minutes) x 300 = 100 man hours

EnterpriseiOSLover

Joined: Sep 25, 2013

Against TOS/EULA


After talking with our Apple reps, it would appear that setting up iCloud accounts in the way I described is against their terms of service, in that iCloud and FindMyiPhone are meant to be a 1-to-1 device relationship to the Apple ID and the user, and not spread across an enterprise and hundreds of devices.

He also mentioned that there would be a 10-device limit to FindMyiPhone and it would start dropping iPads off after the 10th device was added (haven't tested this but it is what was mentioned).

If you go down this route just keep this in mind.

We've decided to not enable FindMyiPhone and stick with blocking account changes in Restriction settings to prevent people from activating their own Apple ID on the device.

The only risk we have is if the device is wiped of all corporate content and then locked down with a personal user's ID.


D.Ray

Joined: Dec 5, 2012

We were bit by this the other day


We were bit by this the other day. We had an employee get let go, and they updated their iPad 2 running iOS 6 to iOS 7.

The employee had changed the passcode on the device, and was unresponsive to requests for the new passcode.

To get around this, I put the device in DFU mode and set it up as a new iPad in iTunes.

That got me past the passcode issue, but I was stuck at the screen asking for the Apple ID used to originally set up the iPad.

The weird part was that we originally used our corporate Apple ID to set up the iPad, then signed out so the user could install their own apps.

It appears that somehow during the iOS 7 install, the user was able to enter his own Apple ID and make that the new 'original' Apple ID.

The user was - understandably - not interested in sharing his Apple ID, but there was a workaround:

Go to icloud.com/find (https://www.icloud.com/#find):
1. Select the device from the Find My iPhone device list by clicking All Devices at the top of the screen.
2. Erase the device by clicking the Erase button. This will erase all content and settings from the device. When prompted, do not enter a phone number or message. Click Next until the device is erased.
3. When the erase is complete, click "Remove from Account" to remove the device from the account.


georgekkim

Joined: Sep 24, 2013

Exactly the scenario that my admins are dreading


The iCloud erase may work if it was originally set up with your "corporate" iCloud Apple ID account. Haven't given that a try. But for users there is a limit of 10 devices. Apple, according to a conversation I had over this issue, may have increased the limit to 100.

I went to Apple directly and had a conversation via an MDM provider.

The conversation went something like this...

Me: [Described the above situation - user upgrades to iOS 7, Activation Lock/Find My iPhone, leaves on bad terms, bricked device.]
Apple: Well, if the employee didn't return the device in a usable fashion, then it's like returning a piece of equipment, like a car/truck, in an unusable state.
Me: Well. Yeah. But in iOS 6, I could put the device in DFU/Recovery mode and wipe and restart. Now in iOS 7 a corporate device has been hijacked and basically belongs to the user's ID. No enterprise admin recourse.
Apple: Well... we were trying to solve the problem of theft/activation right away....
Me: That's cool and all, and I do like Find My iPhone and Activation Lock, but that's a consumer feature that you're not allowing enterprise admins nor MDM providers to overcome. When does the enterprise get to have the benefit of this function? Is there an enterprise device registry? An Activation Lock enterprise remover?
Apple: No. We're working on it. But it really is a policy issue. The users have to return the device in a functional state.

Ugh...

georgekkim


D.Ray

Joined: Dec 5, 2012

1 to 1 device relationship


So, you're saying there needs to be a 1-to-1 relationship between iCloud account and iPad.

So, each iPad has to have its own iCloud account to comply with Apple's TOS?


georgekkim

Joined: Sep 24, 2013

icloud account and # of devices


I think by default, an iCloud account is limited to 5 devices. Apple may have loosened this up to 10 now that people have more than just a couple of devices, maybe even 10. I think devices may start to fall off the account if you try to keep adding more devices to an iCloud account. Haven't tempted fate myself. We thought about doing this for all corporate devices with Find My iPhone in earlier releases, but were told that this would not work by Apple support...

georgekkim


clifhirtle

Joined: Oct 29, 2013

Activation Lock Non-Supervised Options


As far as I know this is not advertised anywhere, but I confirmed directly with Apple last week that if you have a corporate-owned device and no access to the iCloud account a past employee used, you can also call AppleCare enterprise support and prove ownership to have the device unlocked on Apple's side directly. Here's a standard Activation Lock process I put together for our IT support team...

Resolving iOS Activation Locks

Apple offers a FAQ for Activation Lock at the following page:
iCloud: Find My iPhone Activation Lock in iOS7 (http://support.apple.com/kb/HT5818).

It is critical to understand that as of 10/13 there are only 3 means of preventing a NON-supervised iOS 7 device with Find My iPhone enabled from locking activation:

1) Deactivate Find My iPhone on the device before erasing data (requiring access to the device).
2) Remove the device from the iCloud account it has been activated with (requiring Apple ID credentials).
3) Remove the lock through Apple Enterprise Support (requiring proof of ownership).

To prevent activation lock-out on company-owned devices that are returned/retired, follow these steps:

Scenario 1: Device is Returned but Not Yet Wiped
User/IT deactivates Find My iPhone from Settings > iCloud > Find My iPhone before erasing/wiping the device.

Scenario 2: Device is Returned but Already Wiped
User must follow Apple's deactivation directions, log into their iCloud account, and remove the device from their list of iCloud devices.

Scenario 3: Device is Returned, Already Wiped, Previous User Unknown/Unreachable
IT / Enterprise Mobile must call Apple Enterprise Support and put in a request for an activation lock reset (2-3 day expected turnaround).
Contact: 866-752-7753. Provide purchase date of device, invoice number of purchase, business name + postal address, and both IMEI and serial number of device (obtainable by tapping the "i" icon in the lower-right corner of the initial iOS setup screen).


georgekkim

Joined: Sep 24, 2013

Nicely put. Thanks!


Finally someone who understands....

Was working with Apple and they kept on going back to a "policy" thing, but they also admitted that if I had bricked devices (which there are some) with proof of purchase, support would be able to do an activation lock reset.

According to Apple reps, there is no iCloud device limit now. Practically speaking though, using the same iCloud account is inherently trouble, as someone previously mentioned, due to backup and sharing of photos, contacts, messages, etc.

georgekkim


Xalio

Joined: Nov 8, 2011

Another way to disable Activation Lock

If the user erases the device through Settings > General > Reset > Erase All Content and Settings, he will get prompted for his Apple ID to disable Activation Lock.

Nicolas


@nicolasraison
fr.linkedin.com/pub/nicolas-raison/45/431/522/

mscheid13

Joined: Jan 23, 2013

Supervision also prevents Activation Lock


Something I am not seeing mentioned here for dealing with Activation Lock in the enterprise: if a device is supervised, it will prevent Activation Lock even if Find My iPhone is enabled. In essence what Apple is saying is that supervision supersedes Activation Lock. I am testing this theory now, but this is confirmed by our Apple contacts.


EnterpriseiOSLover

Joined: Sep 25, 2013

Re: Supervision also prevents Activation Lock


This is a good point and it is true (we tested this).

But until supervision can be turned on remotely, or its yearly certificate doesn't get in the way of deployments where iPads don't come back to be reprovisioned every year (most deployments we see), this continues to not be a viable solution.


cenders

Joined: Sep 19, 2013

Every year?


What? Supervised devices have to be touched (reprovisioned/resupervised) every year?


EnterpriseiOSLover

Joined: Sep 25, 2013


https://discussions.apple.com/message/22382263#22382263

This discussion talks a bit about it. The Simon gentleman seems to tell the original poster that you can "push out a new self signed supervision cert" (I found that this is not the case).
