<Jared Cleghorn />

About Me

Hi! My name is Jared Cleghorn—welcome to my website! I am a student at the University of Alabama pursuing a B.S. with majors in physics and mathematics and a minor in computer science. I also work as a student web developer for the University of Alabama Libraries.

iOS DEP MDM Bypass

February 6, 2021

This post gives a procedure for bypassing automatic Mobile Device Management (MDM) enrollment due to Device Enrollment Program (DEP) registration on iOS. Normally, if an iOS device is registered with DEP, it is automatically enrolled in MDM during its initial setup, which installs a profile on the device. Schools and businesses use DEP MDM profiles to do things like automate configuration and add restrictions, and they are not removable through the Settings app.

I have only tried this bypass on an iPhone 7 Plus running iOS 14.4, but it seems likely to work on any iOS device that you can jailbreak. checkra1n can jailbreak iPhone 5s through iPhone X on iOS 12 and up. Start by restoring the device. After the restore finishes, do not start setting up the device—immediately jailbreak it. On Mac, you can install checkra1n using Homebrew. To install Homebrew, run

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Then, to install checkra1n, run

brew install --cask checkra1n

To start checkra1n, run

xattr -d com.apple.quarantine /Applications/checkra1n.app
/Applications/checkra1n.app/Contents/MacOS/checkra1n

Note that checkra1n does not seem to work with USB-C to Lightning cables. After the jailbreak finishes, you need to SSH into the device. To do this, you will need iProxy, which can be installed via libimobiledevice using Homebrew by running

brew install libimobiledevice

Next, forward TCP port 2222 on your computer to port 44 on your iOS device by running

iproxy 2222 44

Now you can SSH into your device in a different terminal tab or window using

ssh -p 2222 root@localhost

The password is "alpine". Once you're in, run

cat > /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>CloudConfigurationUIComplete</key>
		<true/>
		<key>ConfigurationWasApplied</key>
		<true/>
		<key>PostSetupProfileWasInstalled</key>
		<true/>
	</dict>
</plist>
EOF

This writes a certain configuration file to your device that seems to trick it into thinking that it has already performed MDM enrollment during setup. Finally, respring the device by running

killall -9 SpringBoard

You should now be able to set up the device without going through MDM enrollment.

Sources:

Copyright © 2021 Jared Cleghorn. All rights reserved.