
Los Angeles schools halt home use of district-issued iPads after students hack security restrictions - Page 3

post #81 of 110
Quote:
Originally Posted by VicV View Post

Is everyone here serious about "security" on an iPad? There is no such thing. It's not Apple's intent to "lock things down". The school district just didn't do their homework or planning. Or someone just did it to get it on their resume. I'm surprised it took a week.

I'm not employed by Apple but I detest comments by people who haven't the faintest idea what they're talking about. I started adding Macs into the large in-house system I managed back in 1989. I have been involved in securing Apple systems since then. If you don't understand how Apple builds security into their systems then quit complaining about it. iOS is the most secure mobile OS. You can choose to limit the system's capabilities or open it up. It's up to the user. This doesn't mean Apple doesn't have any security.
post #82 of 110
Quote:
Originally Posted by denobin View Post

If they are using a MDM suite of any value, then this is just a misconfiguration; easily remedied. I manage 2000 iPads with MobileIron and this type of bypass is not possible without triggering an alert, at which point they force the offending student to swap out the iPad for another one and apply appropriate disciplinary measures.

 

They use AirWatch, a great system, and I believe they DO have alerts set up.  But what are you going to do?  Discipline 300/day every week? This is just a subset of students at 3 of 47 pilot schools.  They have only scratched the deployment surface here.  They will kill themselves chasing after kids that delete config profiles.  

post #83 of 110
Quote:
Originally Posted by yoyo2222 View Post

Given the number of sale of iPads to the district it seems like Apple could provide someone to instruct them how to lock it down.
However, at the end of the day it is the district's responsibility.

 

The only way to truly lock them down is to enable Supervisor Mode and that must be done physically.  Each device has to be tethered to its host Mac Computer, from there the profile can be deployed AND HIDDEN.  The problem is that this does not scale.  You would have to join 600,000 iPads to 30,000 Macs and keep track of which ones are bound together!

post #84 of 110
Quote:
Originally Posted by NasserAE View Post
 

Ok.. why these profiles are not password protected against delete? Were they password protected and the students circumvented this security measure?

 

You cannot password protect 3rd party MDM config profiles.  Apple does not allow it as part of their development kit.  Anyone can delete the profile and there is nothing they can do about it.  

post #85 of 110
Quote:
Originally Posted by PhishyKris View Post

The only way to truly lock them down is to enable Supervisor Mode and that must be done physically.  Each device has to be tethered to its host Mac Computer, from there the profile can be deployed AND HIDDEN.  The problem is that this does not scale.  You would have to join 600,000 iPads to 30,000 Macs and keep track of which ones are bound together!

Umm, no. You don't seem to know anything about MDM on iOS because none of what you said is true.
post #86 of 110
Quote:
Originally Posted by PhishyKris View Post

You cannot password protect 3rd party MDM config profiles.  Apple does not allow it as part of their development kit.  Anyone can delete the profile and there is nothing they can do about it.  

You can most certainly set profiles as being user deletable or not in MDM.
post #87 of 110
there's no way they can secure this stuff. they should start being realistic and stop trying to prevent kids from being kids.
IDIOTS !!
post #88 of 110
Quote:
Originally Posted by akqies View Post

Aren't those profiles kept in Settings and can't they just lock down Settings to prevent this?

 

There are two profiles installed when you install an MDM for a mass deployment. The first one can be set to non-removable and locked with a passcode, but the second one that handles the custom restrictions can be deleted by the user with the press of a button and there's nothing anyone can do about it because Apple programmed it that way.

 

Fortunately there is still a setting in there locked by the normal restriction code to prevent account switching which would really wreak havoc (they'd be able to log in under their own personal iTunes account and download apps etc.).

 

Apple really needs to fix that gaping hole.

post #89 of 110
Quote:
Originally Posted by focher View Post


You can most certainly set profiles as being user deletable or not in MDM.

 

There are two profiles installed for an MDM. Only the first profile can be set to not delete. The second one cannot be restricted from deletion.

post #90 of 110
Quote:
Originally Posted by PhishyKris View Post
 

 

You cannot password protect 3rd party MDM config profiles.  Apple does not allow it as part of their development kit.  Anyone can delete the profile and there is nothing they can do about it.  

 

^This. The second profile in the MDM install can be deleted by anyone.

post #91 of 110
If Apple adds this Touch ID I think in 2 years it will be "admin. Finger scan required" once even a try is started.

I'm glad I'm not in schools like this, unfortunately last year was the only school I went to that will likely ever add iPads, all the others except 1 a century behind, but one was a Mac pusher, just did not want "mobile"
post #92 of 110
Quote:
Originally Posted by christopher126 View Post

Quote:
Originally Posted by Tallest Skil View Post

What responsibility is this of Apple’s?

I take ur point. But not every organization is as smart as Apple. Most have people working for them that have the personalities of dented shit cans. Especially, in IT, and doubly so, in US School districts! I wouldn't trust most of them with a pair of scissors!

Just saying, on big time orders it's worth paying a team a few $100 grand to help get it implemented correctly and avoid the bad press!

Chill, bro!

Don't sweat TS. He doesn't have a clue on this one. Apple's account team for LAUSD is all over this by now. It won't take much effort for a field service rep to show them the proper way to use Apple Configurator.
post #93 of 110

And I will add that if the MDM profile is removed, the admins will get an email notice as mentioned above but it basically means the device will no longer show up on the tracking provided by the MDM software. That means iPads go missing and start showing up at pawn shops. They probably engraved them, but no big deal for someone who really wants an iPad.

post #94 of 110
Quote:
Originally Posted by Phone-UI-Guy View Post


Don't sweat TS. He doesn't have a clue on this one. Apple's account team for LAUSD is all over this by now. It won't take much effort for a field service rep to show them the proper way to use Apple Configurator.

 

I guarantee you they already know how; they just deployed several thousand devices. There is a security hole that allows the deletion of the second MDM profile regardless of the settings for the first profile.

post #95 of 110
Quote:
Originally Posted by rob53 View Post

The blame is on the IT managers not the students. Proper configuration of an MDM system would have kept them out. The MDM has a separate admin password for all system changes. This is inexcusable. I'd bet the IT managers and techs (if they had any) never read the manuals.

 

Please see the responses above.

post #96 of 110
I question that this was a security hack. I suspect that the students were probably more knowledgeable about how to use the iPads than faculty, staff and parents were, especially those adults that are veteran Windows users. Apple's a great company, but I wish that Apple had seen this possible security breach coming. It would have saved Apple some embarrassment.
post #97 of 110
Quote:
Originally Posted by Gazoobee View Post
 

 

More like, "Best evidence yet that restricting YouTube and Facebook is silly."  What could they possibly do with access to either that is wrong or that they can't normally do on any other computer?    

 

Clearly you've never let a ten-year-old loose on YouTube to see what happens. Those "related videos" get weird fast.

post #98 of 110
Layer 7 filtering via signatures from the network gear can detect specific mobile app usage and block it, or a properly configured MDM profile or deployment would have fixed this. Further, they should be filtering at the network level as well, knowing all too well that it was a target.
post #99 of 110
If a school board is going to use iPads, that's great. But they need to use the devices whole-heartedly. They can't expect to out-smart kids and put silly security settings on - it won't work in this day and age.
post #100 of 110
Originally Posted by sxpert View Post
there's no way they can secure this stuff. they should start being realistic and stop trying to prevent kids from being kids.
IDIOTS !!
Originally Posted by kabirrb View Post
If a school board is going to use iPads, that's great. But they need to use the devices whole-heartedly. They can't expect to out-smart kids and put silly security settings on - it won't work in this day and age.
 

There’s something very wrong with you two.

 

Originally Posted by Phone-UI-Guy View Post
Don't sweat TS. He doesn't have a clue on this one. Apple's account team for LAUSD is all over this by now. It won't take much effort for a field service rep to show them the proper way to use Apple Configurator.

 

Explain what contractual, moral, or ethical obligation Apple has for doing this. 

 

Did I say anything about Apple not doing it? You should already know the answer to that. In fact, I expect Apple to do something, simply because they’re Apple. But they have no responsibility to do so. Come off it, man.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already f*ed.

 

post #101 of 110
Quote:
Originally Posted by lkrupp View Post
 

 

Kid takes iPad home. Kid meets pedophile predator on Facebook or Google+ or some other social media site. Kid gets molested or goes missing.

 

I removed two words ("school issued") from your first sentence. Now, whose responsibility is it? And honestly, how is the "child exploitation" problem solved by keeping technology out of the hands of students?

 

Over half a million iPads are being issued to students. The part completely missing from this "debate" so far is that a very large percentage of those students' households already have iPads in them. A large number of those kids might already have one of their own. How are those managed? Who's responsible there, and how is the school issued one any different? If it goes home with the child, it surely is the responsibility of the parent that it is cared for and used "properly", no? 

 

In the end, I agree with the premise that if it's issued for school use, it should be limited primarily to that use. There's no way to police that really, but I still personally think that if managed well it's a great idea and has tons of positive upside.

 

The "child exploitation" FUD is just sad… so would exercise of that "American Way" lawsuit should it come to that.

post #102 of 110
Quote:
Originally Posted by lkrupp View Post

Best evidence yet that this technology has no place being issued to every student. Keep a lid on it in the school lab. Not so much because it doesn't have a legitimate use but because the little bastards can't be trusted. And their parents are probably no better. Old dad probably would be on xhamster.com with the kid's iPad.

This is not a "computer" that's being used to teach computer programming, but a tool that presumably is being used throughout the day.   It doesn't just belong in a "computer lab".   That's thinking from 30 years ago.

 

Quote:
Originally Posted by WelshDog View Post
 

One thing that is interesting about this program is each kid will also have an Apple ID.  There is another big source of potential trouble for the district and Apple.

Why?    

 

Quote:
Originally Posted by sflocal View Post
 

 

"Complaints"??  I'll fix that.  Go buy your own f#!king iPad then.  You're given one (technically for free for school use) and suddenly they feel they should do what they want with it?

If I were their age, I'd probably do the same thing and hack it simply because of my curiosity and challenge.  However, I'd expect them to clamp down on it if word got out.  It's an expectation simply because... it's not mine!!

During the school day, I think the students should be restricted.   You don't want them using Facebook or watching YouTube videos when they're supposed to be paying attention to a lesson.     But I don't understand restricting the devices when they're not in school because most of the students probably have other devices at home anyway where they can access anything they want anyway.

 

If this were elementary or junior high school, I could understand the concerns.    But these are high school students and some of those seniors may even already be 18.    Instead of restricting the use of these devices, the school system should be teaching kids how to use them responsibly.    The kids should be taught about the dangers of putting too much personal information out there, the dangers of "sexting", how anything you say or do online can haunt you for the rest of your life, the effects of online bullying, etc.     They should have to take an exam on those issues and only then be issued a machine.     And they should take the machines away (at least for a time) from anyone who violates the account or security restrictions on the machines.  

 

Quote:
Originally Posted by rob53 View Post

The blame is on the IT managers not the students. Proper configuration of an MDM system would have kept them out. The MDM has a separate admin password for all system changes. This is inexcusable. I'd bet the IT managers and techs (if they had any) never read the manuals.

That's probably the case.    I bet this was about "oh, we'll get the kids iPads and then they'll have technical knowledge and will be able to get good jobs later in life."     The idiots at the Bd of Ed who decided to do this probably don't understand the difference between designing a device or creating an application and using apps on the device.      If a student doesn't do any studying or preparation in the non-virtual world, they're not going to do any in the online world either.     

post #103 of 110

Sort of OT but we have BYOD at my workplace.  After they set up my iPhone I couldn't receive images in text messages.  Since upgrading to iOS 7 that restriction disappeared.  I am not telling them!

post #104 of 110
Quote:
Originally Posted by Tallest Skil View Post

Quote:
there's no way they can secure this stuff. they should start being realistic and stop trying to prevent kids from being kids.


IDIOTS !!
Quote:
If a school board is going to use iPads, that's great. But they need to use the devices whole-heartedly. They can't expect to out-smart kids and put silly security settings on - it won't work in this day and age.

There’s something very wrong with you two.
Quote:
Don't sweat TS. He doesn't have a clue on this one. Apple's account team for LAUSD is all over this by now. It won't take much effort for a field service rep to show them the proper way to use Apple Configurator.

Explain what contractual, moral, or ethical obligation Apple has for doing this. 

Did I say anything about Apple not doing it? You should already know the answer to that. In fact, I expect Apple to do something, simply because they’re Apple. But they have no responsibility to do so. Come off it, man.

They likely have a contractual obligation as part of the deal that was signed. Deals this size either have contractual support or at least a long honeymoon support phase. They have a customer service obligation, otherwise the deployment may stop and the devices could go back to Apple. As someone else mentioned, this looks to be a defect with multiple profiles. Apple needs this out of the news ASAP.
post #105 of 110
Quote:
Originally Posted by SpamSandwich View Post
 

IMO, home schooling or work-group style learning is far superior to the traditional American school model. Intelligent students are only brought down by class clowns and social miscreants and creative students who don't fit into a factory-like "educational" setting have little hope of actually learning. 

Home schooling only works when there's a parent who is organized, disciplined, understands the content and has the ability to communicate it.    That's a very small minority especially since most parents in this country were not educated any better than today's kids are.    The advantage of home schooling is that you can accomplish far more in less time because you're basically teaching 1:1.   My granddaughter is home schooled (elementary school) and they tried sending her to a private school last year and the academics even at this expensive school were so bad, they had to pull her out after a month, because she was already at least two years ahead of the other kids.     But there's also a disadvantage to home schooling in that learning how to interact with other kids (especially the miscreants) is a very important skill as well as learning how to act in a group environment.     Kids also tend to behave better with third parties than they do with their own parents. 

 

But when it comes down to it, young students do not require an iPad or any other electronic device.    Aside from book bag weight, there is no advantage to reading a book online as compared to reading a print edition.    And the library is free as opposed to having to purchase ebooks.   When kids do research, they should be consulting original sources, not Wikipedia.    It doesn't take a genius to excerpt material out of Wikipedia, which is what most kids wind up doing these days.    And since it's easier for most kids to watch a video than read material, they tend to seek out video material of frequently questionable educational quality.   All of this gets in the way of being an educated person.    What I have seen with my own grandkids is that when they have access to these devices, they very quickly become an addiction.    I see 2 1/2 year olds on the subway with game devices and while their fine motor skills are incredible, they're already absurdly hyperactive.  

 

Where I do agree with you is about the factory like educational system that we still employ.   We really haven't changed our approach to teaching in 70 years.   We still have a teacher at the front of the room lecturing to students sitting at desks and once the students reach middle- or junior high- there is almost no interdisciplinary study so students never understand how everything they're supposedly learning relates to each other.    And while there's a big push to increase the length of the school day, if you have a factory making defective parts, running the factory longer isn't going to help.     This is true for higher education as well.     The only thing we've changed over 70 years is that we've watered-down the material because we want the kids to "feel good".     

post #106 of 110
Originally Posted by Phone-UI-Guy View Post
They likely have a contractual obligation as part of the deal that was signed. Deals this size either have contractual support or at least a long honeymoon support phase. They have a customer service obligation, otherwise the deployment may stop and the devices could go back to Apple. As someone else mentioned, this looks to be a defect with multiple profiles. Apple needs this out of the news ASAP.

 

Oh! Well, that’s another story entirely. If Apple was contracted for tech work beyond that of standard AppleCare (does business have a separate AppleCare; I forget), then sure thing. But if it was just a bulk purchase… And anyway, shouldn’t the local network admin at least know what he’s working with before pushing it all out?

post #107 of 110
A proper MDM system would allow them to keep the profiles from being deleted as long as the device is set up to be in "managed" mode, right?
post #108 of 110
Quote:
Originally Posted by winterspan View Post

A proper MDM system would allow them to keep the profiles from being deleted as long as the device is set up to be in "managed" mode, right?

 

That is correct...an MDM can be set up so it cannot be removed. The one poster who said they couldn't is full of crap. If it was so easily deleted, then what is the point of forcing it in the first place? He obviously hasn't a clue how to use an MDM, and/or has never used one before. Even with Profile Manager you can set up the profile so it cannot be removed. 

 

You should be using both Configurator and an MDM. Even Apple will tell you this. Configurator will supervise the device which opens up other restrictions. Then use your MDM to manage the device without having to plug in to make changes. Your MDM will allow you to make changes on the fly without needing to plug back into a Mac. 
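
Added example, not part of any post in this thread: a small audit that reads configuration profile files and reports which ones carry a Restrictions payload while remaining removable by the user, the situation the posts above argue about. The keys `PayloadRemovalDisallowed`, `com.apple.applicationaccess` and `com.apple.profileRemovalPassword` come from Apple's configuration profile format; the sample profiles, their names and the `example.invalid` identifiers are constructed, and the three-way classification is this example's own.

```python
import plistlib

# Payload types from Apple's configuration profile format.
RESTRICTIONS = "com.apple.applicationaccess"        # Restrictions payload
REMOVAL_PASSWORD = "com.apple.profileRemovalPassword"


def audit_profile(raw: bytes) -> dict:
    """Classify how a .mobileconfig can be removed and whether it restricts."""
    profile = plistlib.loads(raw)
    # PayloadContent may be absent or opaque (encrypted); keep only dict payloads.
    payloads = [p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]
    types = {p.get("PayloadType", "") for p in payloads}

    if REMOVAL_PASSWORD in types:
        removal = "password-required"
    elif profile.get("PayloadRemovalDisallowed") is True:
        removal = "blocked"
    else:
        removal = "user-removable"

    return {
        "name": profile.get("PayloadDisplayName", "<unnamed>"),
        "removal": removal,
        "has_restrictions": RESTRICTIONS in types,
    }


def weak_profiles(raw_profiles):
    """Names of profiles whose restrictions a user could remove unprompted."""
    reports = [audit_profile(raw) for raw in raw_profiles]
    return [r["name"] for r in reports
            if r["has_restrictions"] and r["removal"] == "user-removable"]


def _make(name, removal_disallowed, payload_types):
    """Build a constructed sample profile (not from any real deployment)."""
    doc = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.invalid." + name.lower().replace(" ", "-"),
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadDisplayName": name,
        "PayloadContent": [{"PayloadType": t, "PayloadVersion": 1}
                           for t in payload_types],
    }
    if removal_disallowed is not None:
        doc["PayloadRemovalDisallowed"] = removal_disallowed
    return plistlib.dumps(doc)


# Constructed samples: a locked enrollment profile, a restrictions profile
# with no removal control, and one protected by a removal password payload.
SAMPLES = [
    _make("Enrollment", True, ["com.apple.mdm"]),
    _make("Student Restrictions", None, [RESTRICTIONS]),
    _make("Lab Restrictions", False, [RESTRICTIONS, REMOVAL_PASSWORD]),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(audit_profile(raw))
    print("restrictions removable without a prompt:", weak_profiles(SAMPLES))
```

The check only inspects the profile file before deployment; what a device actually enforces also depends on how the profile was installed and whether the device is supervised.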

post #109 of 110

You may want to read the MacWorld piece on this topic: http://www.macworld.com/article/2051343/whats-behind-the-ipad-hack-at-los-angeles-high-schools-.html

Apparently, there was no perfect choice in this particular case.  The next version of Configurator will likely close this little loophole.  

post #110 of 110
Quote:
Originally Posted by Frank Lowney View Post
 

You may want to read the MacWorld piece on this topic: http://www.macworld.com/article/2051343/whats-behind-the-ipad-hack-at-los-angeles-high-schools-.html

Apparently, there was no perfect choice in this particular case.  The next version of Configurator will likely close this little loophole.  

 

Which smart kids will learn to exploit again, of course.

 

The real solution is to have the kids and their parents rent or buy their own equipment. For the demonstrably underprivileged, have them check out in the morning and check back in their iPad at the end of the day.

 

Frankly, the entire public school system amounts to factory era child care + brainwashing. Kids are better off learning at their own pace on their own and in small work groups... just like in life! 

Proud AAPL stock owner.

 

GOA
