If they are using an MDM suite of any value, then this is just a misconfiguration; easily remedied. I manage 2000 iPads with MobileIron and this type of bypass is not possible without triggering an alert, at which point they force the offending student to swap out the iPad for another one and apply appropriate disciplinary measures.
They use AirWatch, a great system, and I believe they DO have alerts set up. But what are you going to do? Discipline 300/day every week? This is just a subset of students at 3 of 47 pilot schools. They have only scratched the deployment surface here. They will kill themselves chasing after kids that delete config profiles.
Given the number of sales of iPads to the district it seems like Apple could provide someone to instruct them how to lock it down.
However, at the end of the day it is the district's responsibility.
The only way to truly lock them down is to enable Supervisor Mode and that must be done physically. Each device has to be tethered to its host Mac Computer, from there the profile can be deployed AND HIDDEN. The problem is that this does not scale. You would have to join 600,000 iPads to 30,000 Macs and keep track of which ones are bound together!
Ok... why are these profiles not password protected against deletion? Were they password protected and the students circumvented this security measure?
You cannot password protect 3rd party MDM config profiles. Apple does not allow it as part of their development kit. Anyone can delete the profile and there is nothing they can do about it.
The only way to truly lock them down is to enable Supervisor Mode and that must be done physically. Each device has to be tethered to its host Mac Computer, from there the profile can be deployed AND HIDDEN. The problem is that this does not scale. You would have to join 600,000 iPads to 30,000 Macs and keep track of which ones are bound together!
Umm, no. You don't seem to know anything about MDM on iOS because none of what you said is true.
You cannot password protect 3rd party MDM config profiles. Apple does not allow it as part of their development kit. Anyone can delete the profile and there is nothing they can do about it.
You can most certainly set profiles as being user deletable or not in MDM.
Aren't those profiles kept in Settings and can't they just lock down Settings to prevent this?
There are two profiles installed when you install an MDM for a mass deployment. The first one can be set to non-removable and locked with a passcode, but the second one that handles the custom restrictions can be deleted by the user with the press of a button and there's nothing anyone can do about it because Apple programmed it that way.
Fortunately there is still a setting in there locked by the normal restriction code to prevent account switching which would really wreak havoc (they'd be able to log in under their own personal iTunes account and download apps etc.).
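The two-profile split described above is something an administrator can check for before pushing profiles out. What follows is an added example, not code from the thread, from Apple, or from any MDM vendor: a small Python audit built on the standard plistlib module that reads exported .mobileconfig profiles and flags any profile that carries restrictions payloads without being marked non-removable. The profile contents, identifiers and the placeholder server URL are constructed for the example; PayloadRemovalDisallowed, com.apple.profileRemovalPassword, com.apple.applicationaccess and com.apple.webcontent-filter are real Apple configuration-profile keys and payload types.

```python
import plistlib

# Payload types that carry the "custom restrictions" the thread is about.
# These are real Apple payload identifiers; the set is a subset chosen for the example.
RESTRICTION_PAYLOADS = {
    "com.apple.applicationaccess",  # Restrictions payload
    "com.apple.webcontent-filter",  # Web Content Filter payload
}


def _profile(display_name, identifier, payloads, removal_disallowed):
    """Build a constructed Configuration profile as plist bytes (sample data, not a real export)."""
    doc = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,
        "PayloadUUID": "00000000-0000-4000-8000-0000000000%02d" % len(payloads),
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    }
    if removal_disallowed:
        # Top-level key that tells iOS the user may not delete this profile.
        doc["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(doc)


# Constructed "first" profile: MDM enrollment, non-removable, with a removal password.
ENROLLMENT_PROFILE = _profile(
    "District MDM Enrollment (constructed)",
    "example.district.mdm-enrollment",
    [
        {
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "example.district.mdm",
            "PayloadUUID": "10000000-0000-4000-8000-000000000001",
            "PayloadVersion": 1,
            "ServerURL": "https://mdm.example.invalid/checkin",  # placeholder host
            "Topic": "com.apple.mgmt.External.placeholder",      # placeholder push topic
            "AccessRights": 8191,
        },
        {
            "PayloadType": "com.apple.profileRemovalPassword",
            "PayloadIdentifier": "example.district.removal",
            "PayloadUUID": "10000000-0000-4000-8000-000000000002",
            "PayloadVersion": 1,
            "RemovalPassword": "PLACEHOLDER-REMOVAL-PASSWORD",
        },
    ],
    removal_disallowed=True,
)

# Constructed "second" profile: the restrictions, left user-removable as the thread describes.
RESTRICTIONS_PROFILE = _profile(
    "Student Restrictions (constructed)",
    "example.district.restrictions",
    [
        {
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": "example.district.restrictions.apps",
            "PayloadUUID": "20000000-0000-4000-8000-000000000001",
            "PayloadVersion": 1,
            "allowExplicitContent": False,
            "allowAppInstallation": False,
        }
    ],
    removal_disallowed=False,
)


def audit_profile(raw):
    """Parse one .mobileconfig (plist bytes) and report its removal protection and restrictions."""
    prof = plistlib.loads(raw)
    types = [p.get("PayloadType", "") for p in prof.get("PayloadContent", [])]
    removal_disallowed = bool(prof.get("PayloadRemovalDisallowed", False))
    has_password = "com.apple.profileRemovalPassword" in types
    restrictive = sorted(t for t in types if t in RESTRICTION_PAYLOADS)
    findings = []
    if restrictive and not removal_disallowed:
        # The exact weakness the thread complains about: restrictions that a user can delete.
        findings.append("user-removable profile carries restrictions: " + ", ".join(restrictive))
    return {
        "name": prof.get("PayloadDisplayName", "?"),
        "removal_disallowed": removal_disallowed,
        "removal_password": has_password,
        "restriction_payloads": restrictive,
        "findings": findings,
    }


def audit_all(profiles):
    """Audit a batch of profiles; returns one report dict per profile."""
    return [audit_profile(raw) for raw in profiles]


if __name__ == "__main__":
    for report in audit_all([ENROLLMENT_PROFILE, RESTRICTIONS_PROFILE]):
        print(report["name"], "->", report["findings"] or "no findings")
```

The audit only checks what the profile asks for. Whether iOS actually honours the flag depends on how the profile reached the device (pushed by the MDM server or installed by hand) and on whether the device is supervised, which is exactly what the participants above disagree about, so the check is a pre-deployment sanity test and not a substitute for verifying behaviour on a test device.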
You cannot password protect 3rd party MDM config profiles. Apple does not allow it as part of their development kit. Anyone can delete the profile and there is nothing they can do about it.
^This. The second profile in the MDM install can be deleted by anyone.
If Apple adds this Touch ID, I think in 2 years it will be "admin finger scan required" once even a try is started.
I'm glad I'm not in schools like this. Unfortunately, last year was the only school I went to that will likely ever add iPads; all the others except one are a century behind, but one was a Mac pusher and just did not want "mobile".
I take your point. But not every organization is as smart as Apple. Most have people working for them that have the personalities of dented shit cans. Especially in IT, and doubly so in US school districts! I wouldn't trust most of them with a pair of scissors!
Just saying, on big time orders it's worth paying a team a few $100 grand to help get it implemented correctly and avoid the bad press!
Chill, bro!
Don't sweat TS. He doesn't have a clue on this one. Apple's account team for LAUSD is all over this by now. It won't take much effort for a field service rep to show them the proper way to use Apple Configurator.
And I will add that if the MDM profile is removed, the admins will get an email notice as mentioned above but it basically means the device will no longer show up on the tracking provided by the MDM software. That means iPads go missing and start showing up at pawn shops. They probably engraved them, but no big deal for someone who really wants an iPad.
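The post above makes a point worth operationalising: a profile-removal e-mail is only useful if someone correlates it with whether the device keeps checking in, because a device that stops reporting is a potential missing-hardware case rather than a discipline case. The following is an added example, not code from the thread or from AirWatch or MobileIron, and the event lines are a constructed log format invented for it. It parses check-in and profile-removal events, then sorts devices into those that removed restrictions but still report, those that unenrolled or went quiet, and those merely stale.

```python
from datetime import datetime, timedelta, timezone

# Constructed MDM event log in a made-up "key=value" format (not real AirWatch/MobileIron output).
SAMPLE_EVENTS = """\
2013-09-24T08:00:05Z device=IPAD-0001 event=checkin
2013-09-24T08:00:09Z device=IPAD-0002 event=checkin
2013-09-24T08:00:11Z device=IPAD-0003 event=checkin
2013-09-24T08:12:40Z device=IPAD-0002 event=profile_removed profile=student-restrictions
2013-09-24T08:15:02Z device=IPAD-0003 event=profile_removed profile=student-restrictions
2013-09-24T08:15:30Z device=IPAD-0003 event=profile_removed profile=mdm-enrollment
2013-09-24T12:00:00Z device=IPAD-0001 event=checkin
2013-09-24T12:00:03Z device=IPAD-0002 event=checkin
"""

# Name of the enrollment profile in the constructed log; losing it means the MDM loses the device.
ENROLLMENT_PROFILE_NAME = "mdm-enrollment"


def parse_events(text):
    """Turn the constructed log into a list of dicts with a timezone-aware 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def triage(events, now, stale_after=timedelta(hours=3)):
    """Classify each device seen in the events.

    Returns {device: status} where status is one of:
      ok                    - checking in, no profile removals
      restrictions_removed  - removed a restrictions profile but still reports (policy violation, device known)
      lost_visibility       - removed the enrollment profile, or removed a profile and then went quiet
      stale                 - no removal seen, but no check-in within stale_after
    """
    last_seen = {}
    removed = {}
    for e in events:
        dev = e["device"]
        if e["event"] == "checkin":
            last_seen[dev] = e["ts"]
        elif e["event"] == "profile_removed":
            removed.setdefault(dev, set()).add(e.get("profile", "?"))

    result = {}
    for dev in sorted(set(last_seen) | set(removed)):
        silent = dev not in last_seen or now - last_seen[dev] > stale_after
        profiles = removed.get(dev, set())
        if ENROLLMENT_PROFILE_NAME in profiles or (profiles and silent):
            result[dev] = "lost_visibility"
        elif profiles:
            result[dev] = "restrictions_removed"
        elif silent:
            result[dev] = "stale"
        else:
            result[dev] = "ok"
    return result


def run_sample():
    """Triage the constructed log as of a fixed 'now' so the result is reproducible."""
    now = datetime(2013, 9, 24, 13, 0, 0, tzinfo=timezone.utc)
    return triage(parse_events(SAMPLE_EVENTS), now)


if __name__ == "__main__":
    for device, status in run_sample().items():
        print(device, status)
```

The useful output is the lost_visibility bucket: those are the devices to treat as possibly missing and to chase through inventory rather than through the discipline process, while restrictions_removed devices are still reachable by the MDM and can simply be re-profiled.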
Don't sweat TS. He doesn't have a clue on this one. Apple's account team for LAUSD is all over this by now. It won't take much effort for a field service rep to show them the proper way to use Apple Configurator.
I guarantee you they already know how; they just deployed several thousand devices. There is a security hole that allows the deletion of the second MDM profile regardless of the settings for the first profile.
The blame is on the IT managers not the students. Proper configuration of an MDM system would have kept them out. The MDM has a separate admin password for all system changes. This is inexcusable. I'd bet the IT managers and techs (if they had any) never read the manuals.
I question that this was a security hack. I suspect that the students were probably more knowledgeable about how to use the iPads than faculty, staff and parents were, especially those adults that are veteran Windows users. Apple's a great company, but I wish that Apple had seen this possible security breach coming. It would have saved Apple some embarrassment.
More like, "Best evidence yet that restricting YouTube and Facebook is silly." What could they possibly do with access to either that is wrong or that they can't normally do on any other computer?
Clearly you've never let a ten-year-old loose on YouTube to see what happens. Those "related videos" get weird fast.
Layer 7 filtering via signatures from the network gear can detect specific mobile app usage and block it, or a properly configured MDM profile or deployment would have fixed this. Further, they should be filtering at the network level as well, knowing all too well that it was a target.
If a school board is going to use iPads, that's great. But they need to use the devices whole-heartedly. They can't expect to out-smart kids and put silly security settings on - it won't work in this day and age.
There's no way they can secure this stuff. They should start being realistic and stop trying to prevent kids from being kids.
IDIOTS !!
Originally Posted by kabirrb
If a school board is going to use iPads, that's great. But they need to use the devices whole-heartedly. They can't expect to out-smart kids and put silly security settings on - it won't work in this day and age.
There’s something very wrong with you two.
Originally Posted by Phone-UI-Guy
Don't sweat TS. He doesn't have a clue on this one. Apple's account team for LAUSD is all over this by now. It won't take much effort for a field service rep to show them the proper way to use Apple Configurator.
Explain what contractual, moral, or ethical obligation Apple has for doing this.
Did I say anything about Apple not doing it? You should already know the answer to that. In fact, I expect Apple to do something, simply because they’re Apple. But they have no responsibility to do so. Come off it, man.
Kid takes iPad home. Kid meets pedophile predator on Facebook or Google+ or some other social media site. Kid gets molested or goes missing.
I removed two words ("school issued") from your first sentence. Now, whose responsibility is it? And honestly, how is the "child exploitation" problem solved by keeping technology out of the hands of students?
Over half a million iPads are being issued to students. The part completely missing from this "debate" so far is that a very large percentage of those students' households already have iPads in them. A large number of those kids might already have one of their own. How are those managed? Who's responsible there, and how is the school-issued one any different? If it goes home with the child, it surely is the responsibility of the parent that it is cared for and used "properly", no?
In the end, I agree with the premise that if it's issued for school use, it should be limited primarily to that use. There's no way to police that really, but I still personally think that if managed well it's a great idea and has tons of positive upside.
The "child exploitation" FUD is just sad… so would exercise of that "American Way" lawsuit should it come to that.
Apple really needs to fix that gaping hole.
There are two profiles installed for an MDM. Only the first profile can be set to not delete. The second one cannot be restricted from deletion.
Please see the responses above.