This iPhone is supervised and managed by … Learn more about device supervision… on a personal iPhone?

In some organizations, some employees are provided a company-purchased iPhone and then allowed to keep it after a certain time has passed. The first thing that you as an IT administrator want to do is most likely ensure the device is no longer managed and contains no company data. Apple walks you through the steps of releasing an iOS device from Apple Business Manager with a final note stating: “After a device is released, it must be erased and restored.”

You would think this would be very simple, but unfortunately it’s not. The process of personalizing an iPhone can be quite convoluted in some scenarios because there are some remnants that get left behind if you try to simply restore the data on the iPhone after an erase and restore.

You might argue, the user should not keep any personal data on a company phone, but the lines get blurred especially as most people prefer to carry one device. It’s not unreasonable for someone who is getting gifted a company phone to perhaps want to retain the settings, apps and data on the phone that are personal without having any of the company data on it restored. Sure, you can just tell the user to erase and setup the phone as new, but reconfiguring an iPhone can be quite a lot to ask of someone! In any case, this blog post is not about the merits of mixing personal and corporate data on one device so that’s all I’ll say on the matter.

The problem: This iPhone is supervised…even after a restore!

Before I continue, note that the following scenario was tested in iOS 12 and iOS 13 and with an MDM profile that was set to be unremovable.

There are going to be a lot of steps here for you to reproduce the issue and a subsequent number of steps if you want to work around the issue.

Reproducing the problem

First attempt

The first attempt of steps to reproduce the issue:

  1. Open an unconfigured iPhone (completely reset) and set up the iPhone as a new phone.
  2. As you set up the new iPhone, make sure you go through enrollment via Device Enrollment Program/Apple Business Manager/Apple School Manager (or DEP/ABM/ASM for brevity going forward).
  3. Once enrolled, make sure an iCloud account is signed in to allow for backups.
  4. Once at the home screen, initiate and complete iCloud backup by going through Settings > Apple ID > iCloud > iCloud Backup > Backup Now.
  5. Go into the MDM server (in my case Jamf Pro) and send the Unmanage MDM command to the device.
  6. We need to confirm there are no remnants of device management left behind:
    • Confirm MDM profiles are removed by going to Settings > General > Device Management. If you don’t see Device Management then it is not managed.
    • Confirm message about device being supervised does NOT appear: This iPhone is supervised and managed by ACME Corporation. Learn more about device supervision…
    • Confirm the trusted root certificate Acme Corporation JSS Built-in Certificate is not installed. Go to Settings > General > About > Certificate Trust Settings.
  7. Unassign the device in DEP from the MDM server JSS. This makes it so that I can re-assign it in later testing if I want.
  8. Confirm device is not being picked up by the MDM server as an available device from DEP. In Jamf Pro, this would be the pre-staging scope for PreStage Enrollment I’ve configured.
  9. Reset device by going to Settings > General > Reset > Erase All Content and Settings.
  10. At the Setup Assistant, restore from iCloud backup.

The end result after taking all those steps is that the device has an MDM profile and other profiles upon restore. Additionally, the device is still communicating with the MDM server. Lastly, the following message appears at the top of the Settings app: “This iPhone is supervised and managed by Acme Corporation. Learn more about device supervision…”

What I found strange in this process is that the device was unassigned from an MDM server in DEP/ABM/ASM. That is to say, when it did a restore, it reconnected to the MDM server without going through DEP/ABM/ASM and somehow had enough components restored to re-establish its connection to the MDM server and continue updating inventory. My expectation is that the device will check in with DEP to see if the device is to be enrolled as an institutional device and should be enrolled/communicate with the MDM server.

I thought the above was strange and unexpected. So I thought maybe it’s the fact that I took a backup prior to sending the Unmanage MDM command (step 5 above). I figured I’d do another test this time with the iCloud backup taking place just prior to doing a full “Erase All Content and Settings” (step 9 from above).

Second attempt

The second attempt to reproduce the issue:

  1. Open an unconfigured iPhone (completely reset) and set up the iPhone as a new phone.
  2. As you set up the new iPhone, make sure you go through enrollment via DEP/ABM/ASM.
  3. Once enrolled, make sure an iCloud account is signed in to allow for backups later on.
  4. Go into the MDM server (in my case Jamf Pro) and send the Unmanage MDM command to the device.
  5. We need to confirm there are no remnants of device management left behind:
    • Confirm MDM profiles are removed by going to Settings > General > Device Management. If you don’t see Device Management then it is not managed.
    • Confirm message about device being supervised does NOT appear: This iPhone is supervised and managed by ACME Corporation. Learn more about device supervision…
    • Confirm the trusted root certificate Acme Corporation JSS Built-in Certificate is not installed. Go to Settings > General > About > Certificate Trust Settings.
  6. Unassign the device in DEP from the MDM server JSS. This makes it so that I can re-assign it in later testing if I want.
  7. Confirm device is not being picked up by the MDM server as an available device from DEP. In Jamf Pro, this would be the pre-staging scope for PreStage Enrollment I’ve configured.
  8. Initiate and complete iCloud backup by going through Settings > Apple ID > iCloud > iCloud Backup > Backup Now.
  9. Reset device by going to Settings > General > Reset > Erase All Content and Settings.
  10. At the Setup Assistant, restore from iCloud backup.

The end result after taking all those steps is that the device does NOT have an MDM profile or any other MDM-pushed profiles upon restore. Additionally the device is NOT communicating with the MDM server. However, the device continues to show in the top of the Settings app the message: “This iPhone is supervised and managed by Acme Corporation. Learn more about device supervision…”.


The results in my second attempt are really unexpected given the conflicting message and observations. How can it not have an MDM profile but still be considered supervised? As a regular user, I’d certainly think the device is still being managed by the company even though it has been gifted as a personal device.

Working around the problem

There will be two iOS devices required for this:

  • iPhone 1: The phone the user is getting gifted. This can be considered the old iOS device for the purposes of this guide.
  • iPhone 2: The IT unmanaged iOS device. This is another iOS device with enough storage to hold everything currently on iPhone 1. Make sure iPhone 2 is wiped and ready.

Procedure

  1. First check to see if the user’s phone (iPhone #1) is enrolled in DEP/ABM/ASM. Look up its serial number. If it does show up, then proceed to release the device from DEP/ABM/ASM.
  2. Go into the MDM server (in my case Jamf Pro) and send the Unmanage MDM command.
  3. Confirm MDM profiles are removed. Go to Settings > General > Device Management (if you don’t see Device Management then it is not managed).
  4. Unassign device in ABM from MDM server Jamf Pro. Go to http://business.apple.com.
  5. Confirm device is not being picked up in Jamf Pro as an available device in the pre-staging scope for PreStage Enrollment:
    • Jamf Pro > Devices > PreStage Enrollment > Initial Setup > Scope
  6. Initiate and complete iCloud backup. Alternatively, you can do an iTunes backup. Or both!
  7. Reset device by going to Settings > General > Reset > Erase All Content and Settings.
  8. Open the unconfigured iPhone #2. As you go through the setup assistant, restore from the iCloud backup (from iPhone #1).
  9. Make sure an iCloud account is signed in.
  10. On iPhone #2, confirm MDM profiles are removed. Go to Settings > General > Device Management (if you don’t see Device Management then it is not managed).
  11. Confirm the device is not being picked up by the MDM server as an available device from ABM.
  12. Confirm message about device being supervised does NOT appear: This iPhone is supervised and managed by Acme Corporation. Learn more about device supervision…
  13. Confirm the trusted root certificate Acme Corporation JSS Built-in Certificate is not installed (the certificate might be different on other MDM providers). Go to Settings > General > About > Certificate Trust Settings. If you do not see this trusted root certificate, you can proceed to the next step. If you do see it, follow the below steps:
    1. Open up Safari on iPhone #2.
    2. Go to https://jamfserver.acme.domain.com/enroll and enroll the device into MDM through User Initiated Enrollment. For other MDM vendors, this would be the process of enrolling a device by manually installing the MDM profile. This may seem counterintuitive at first but it will make sense in a moment.
    3. Once enrolled into MDM, on iPhone #2 go to Settings > General > Device Management > MDM Profile and tap Remove Management. Confirm the trusted root certificate Acme Corporation JSS Built-in Certificate is not installed by going to Settings > General > About > Certificate Trust Settings.
      Note: The reason this works to remove the trusted root certificate is that an iOS backup actually backs up and restores the trusted root certificate even if a profile is not installed. However, trusted root certificates are tied to profiles, and the only way to remove them is to have the profile that installed the trusted root certificate in the first place on the device.
  14. Initiate and complete iCloud backup on iPhone #2 (or iTunes backup).
  15. Sign out of iCloud on iPhone #2.
  16. Go back to iPhone #1, which at this point should be completely wiped. During Setup Assistant, choose to set up the iPhone from an iCloud backup (or iTunes backup).
  17. Choose the backup from iPhone #2 (created 3 steps ago).

The end results here are:

  • iPhone #1 does NOT have an MDM profile or any other MDM-pushed profiles upon restore. The device should not be communicating with the MDM server.
  • The device does NOT continue to display the supervision message at the top of the Settings app either.
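The checks above (steps 5/6 of the reproduction attempts and steps 10 to 13 of the workaround) are done on the device in the Settings app. An admin usually also wants the server's view: is the record still flagged managed, does inventory still list the MDM profile, and is the built-in CA still reported? The script below is an added example, not code from the post or from Jamf. It assumes the Jamf Pro Classic API endpoint `/JSSResource/mobiledevices/serialnumber/{serial}` returns XML with `<managed>` and `<supervised>` under `<general>`, a `<configuration_profiles>` list and a `<certificates>` list, and that the server accepted HTTP basic auth for that API at the time (newer Jamf Pro versions expect a bearer token). The XML samples are constructed. One caveat this example makes explicit: the server record only refreshes when the device checks in, so it cannot see the on-device supervision banner from the second attempt, where the device had stopped talking to the server. The Settings checks stay necessary.

```python
"""Server-side check for MDM remnants on a mobile device record (added example)."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Trusted root name as it appears on the page (Jamf Pro's built-in CA, assumed naming).
BUILTIN_CA_NAME = "Acme Corporation JSS Built-in Certificate"

# Constructed sample record: a freshly DEP-enrolled, supervised device.
SAMPLE_MANAGED = """<mobile_device>
  <general>
    <serial_number>SERIAL-PLACEHOLDER-1</serial_number>
    <managed>true</managed>
    <supervised>true</supervised>
  </general>
  <configuration_profiles>
    <configuration_profile>
      <display_name>MDM Profile</display_name>
      <identifier>com.acme.example.mdm</identifier>
    </configuration_profile>
    <configuration_profile>
      <display_name>Wi-Fi</display_name>
      <identifier>com.acme.example.wifi</identifier>
    </configuration_profile>
  </configuration_profiles>
  <certificates>
    <certificate>
      <common_name>Acme Corporation JSS Built-in Certificate</common_name>
      <identity>false</identity>
    </certificate>
  </certificates>
</mobile_device>"""

# Constructed sample: after Unmanage, profiles gone, but the trusted root is
# still reported (the situation step 13 of the workaround deals with).
SAMPLE_CERT_ONLY = """<mobile_device>
  <general>
    <serial_number>SERIAL-PLACEHOLDER-1</serial_number>
    <managed>false</managed>
    <supervised>false</supervised>
  </general>
  <configuration_profiles/>
  <certificates>
    <certificate>
      <common_name>Acme Corporation JSS Built-in Certificate</common_name>
      <identity>false</identity>
    </certificate>
  </certificates>
</mobile_device>"""

# Constructed sample: nothing management-related left in the record.
SAMPLE_CLEAN = """<mobile_device>
  <general>
    <serial_number>SERIAL-PLACEHOLDER-1</serial_number>
    <managed>false</managed>
    <supervised>false</supervised>
  </general>
  <configuration_profiles/>
  <certificates/>
</mobile_device>"""


def management_remnants(xml_text, ca_name=BUILTIN_CA_NAME):
    """Return which management remnants the server-side record still shows.

    Keys managed, supervised, mdm_profile and trusted_root_ca are booleans;
    'remnants' lists the keys that are True. An empty list means the record
    is clean from the server's point of view (the device itself may differ).
    """
    root = ET.fromstring(xml_text)

    def is_true(path):
        return (root.findtext(path) or "").strip().lower() == "true"

    profile_names = [p.findtext("display_name") or "" for p in root.iter("configuration_profile")]
    cert_names = [c.findtext("common_name") or "" for c in root.iter("certificate")]

    checks = {
        "managed": is_true("general/managed"),
        "supervised": is_true("general/supervised"),
        # The enrollment profile is listed as "MDM Profile" on the page.
        "mdm_profile": any(name.lower() == "mdm profile" for name in profile_names),
        "trusted_root_ca": any(ca_name.lower() in name.lower() for name in cert_names),
    }
    checks["remnants"] = [key for key, hit in checks.items() if hit]
    return checks


def fetch_device_record(base_url, serial, username, password, timeout=30):
    """Fetch one device record by serial from the Classic API (network call, not run offline)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"{base_url.rstrip('/')}/JSSResource/mobiledevices/serialnumber/{serial}"
    req = urllib.request.Request(
        url, headers={"Accept": "application/xml", "Authorization": f"Basic {token}"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration over the constructed samples; swap in
    # fetch_device_record(...) output to check a real record.
    for label, sample in (("managed", SAMPLE_MANAGED), ("cert only", SAMPLE_CERT_ONLY), ("clean", SAMPLE_CLEAN)):
        print(f"{label:10s} remnants: {management_remnants(sample)['remnants'] or 'none'}")
```

The profile match is on the display name "MDM Profile" because that is how the page refers to it; other MDM vendors name the enrollment profile differently, so adjust the comparison (or match on the payload identifier) for their records.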

Why is there so much work just to make sure a restored iOS device has no management remnants?

Perhaps Apple can better answer this question than I can. I will only provide my layman’s understanding of what’s going on here.

During Setup Assistant, on a new device (no restore involved), iOS goes through the process of checking whether the device is configured for DEP/ABM/ASM. Once it detects the device is assigned to an MDM server, the remote enrollment process goes through and an MDM profile is installed.

In my first attempt at reproducing the issue, Setup Assistant noticed that the backup had an MDM profile. When that MDM profile was restored, the device was able to quickly re-establish communication with the MDM server. This is intentional behavior by Apple. After all, if the backup was of a managed device, then the restore should also get the same device restored to a managed state.

In my second attempt, the backup should not have had any remnants of an MDM profile. But it appears that even though the Unmanage MDM command was sent to the device, there were still remnants left behind by the MDM profile. Even though the MDM profile was not necessarily in the backup, those remnants still were in the backup and therefore came back when we went through the iCloud restore. This can potentially be considered a bug, but I haven’t had any traction with Apple on the issue.

Needless to say, it appears that when Apple performs an iCloud or iTunes backup, everything on the device that can possibly be backed up (including management profiles) is indeed backed up.

However, when it comes to performing a restore, it seems that Apple differentiates between restoring a backup to the same device and to a new/different device. When you restore a backup on the same device, it restores everything. If you restore a backup on a different device (per the workaround), a bit less data is restored, which is why you don’t see the remnants of management left behind as seen in my second attempt.

It would be interesting to see what exactly is going on at the file system level in terms of what is being restored on the same device and a different device. However I’ll leave that task for someone else to explore. As you can imagine, there was a lot of erasing of iPhones to get these results. I hope this has been informative for you. If you’ve got alternative suggestions, feel free to discuss in the comments.
