IBM Security MaaS360

  • 1.  Apple devices re-enrolling themselves

    Posted Tue February 11, 2020 09:04 AM
    Hi,
    One of our clients has an issue whereby they remove control from devices, factory reset and wipe the device, then, without any input, the device re-enrolls itself and they receive a notification.

    If they were using DEP I would have somewhere to look but they don't.

    Anyone had this, know of a resolution?

    Thanks in advance.

    ------------------------------
    Bryn Abbott
    ------------------------------


  • 2.  RE: Apple devices re-enrolling themselves

    Posted Tue February 11, 2020 09:54 PM
    Hi Bryn - are they restoring from a backup during the re-activation process?

    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------



  • 3.  RE: Apple devices re-enrolling themselves

    Posted Wed February 12, 2020 03:26 AM
    Hi Matt - I don't believe so but will clarify.

    If they wipe the device and then log into their Apple account, is that what you're getting at?

    ------------------------------
    Bryn Abbott
    ------------------------------



  • 4.  RE: Apple devices re-enrolling themselves

    Posted Wed February 12, 2020 10:51 AM
    If they backed up the device while it was enrolled in MaaS360, then they restore that backup to the very same device, we'd see it restore the management profile as well, which may be what's happening.  The workaround would be to remove the MaaS360 management profile and then back up the device to either iTunes or iCloud.

    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------



  • 5.  RE: Apple devices re-enrolling themselves

    Posted Fri February 14, 2020 03:31 AM
    Hi Matt,
    Thanks for the advice.
    I've checked back with the client and they confirm that the process they follow is:
    Remove control in MaaS
    Factory reset the device.
    Upon restarting the iPhone it self-registers before they have even entered any credentials for iCloud or Apple user account.
    Devices are not enrolled in DEP.
    I see that Ray Domingue is having a similar issue on Android and if the control isn't completely removing, is there a way to check that before wiping the device?


    ------------------------------
    Bryn Abbott
    ------------------------------



  • 6.  RE: Apple devices re-enrolling themselves

    Posted Fri February 14, 2020 11:26 AM
    In the case of a device wipe there would be no way for us to maintain control unless there was an enrollment program in place.  While Android does have some workflows that could be a little more subtle, with iOS it has to be in DEP or some other external program (such as Apple Configurator) for there to be an enrollment.  We wouldn't be able to force it in any other scenario with the possible exception of a managed backup being restored to the device.

    If they can reproduce this reliably - would it be possible for them to get me a set of device level console logs pulled from a time when the issue was replicated?

    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------



  • 7.  RE: Apple devices re-enrolling themselves

    Posted Tue May 14, 2024 05:10 PM

    Current ABM and IBM MaaS360 Admin. Ran into the same issues you were.

    I had 2 iPod Touch 6th generation, iOS 12.5.7 16 GB devices that were "re-enrolling" themselves constantly, drove me mad.

    These devices did not have profile removal options like other iOS.

    I would remove control and hide just like your client was doing, Bryn. The devices would show up as Pending Control Removal and I would erase the device, not from IBM MaaS but from the device itself. After booting, the device would prompt the same start-up questions (you can skip the Apple ID prompt by going to "forgot iCloud" and selecting "Set up later in Settings"). I would then click "Don't Transfer App & Data" to ensure that nothing was left over to re-enroll the device. I would then be met with the same screen "Remote Management" and a message that the device would be managed by my organization. At the same time the device would populate back into my MaaS360 with an active status (and consuming another license).

    This happened because of one main factor: when the device connected to the internet (or via iTunes) the device was being checked by Apple server to see if it is a managed device. Usually a good thing; however, if the device is still in your ABM (Apple Business Manager) as a device, you will keep "boot looping", just with extra steps.

    To fix your problem

    1) Unenroll normally from the MDM (Remove Control first then Hide)

    2) Navigate to your ABM and select Devices, then the device you want to remove, then in the top right corner, there are three tiny dots in a circle. Click on this and select Release from Organization.

    3) Perform a Device Erase from the device itself.

    When the device boots back up, there should be no prompting of Remote Management when completing the initial device setup.

    You can verify the device is removed by checking Devices > Device Inventory > Managed State > Pending Control Removal & InActive.

    Hope this helps; I know it's a little late, I was looking for the answer myself when I forgot about releasing the device.



    ------------------------------
    Brandon Walton
    ------------------------------