Bypassing the Enforced MDM on Your DEP-Enrolled iPad

Prerequisites

• You have a non-cellular iOS device (iPad, iPod touch).

• The only tested devices are 6th-generation iPads.

• The device is enrolled in DEP through Apple School Manager or Apple Business Manager and comes with a mandatory MDM profile.

• These instructions assume that the MDM server requires credentials for authentication. If it does not, the attack used to gain persistence may not function or will need to be executed at a different time.

• Data loss is acceptable (this process will involve wiping the iPad, possibly multiple times if you mess up).
• You have a Mac running macOS 11.1 or later.

• You have the latest version of Apple Configurator 2 installed.

• Apple has not yet fixed the Setup Bypass vulnerability or iOS 14.3 is still being signed.

• If this vulnerability is reported or fixed and your device is still on iOS 14.3, you may be able to use Erase All Content and Settings instead of restoring, which is currently untested.
• This method relies on between two and three unpatched/unreported bugs in both iOS and Apple’s activation server backend. Everything works as of 1/15/21 but a patch to either component would make this approach non-functional.
• Updated warning: the second vulnerability (at the very least) has been patched in iOS 14.4. Given that iOS 14.3 is no longer signed, this approach does not work unless your device is running an old enough iOS version.

Wiping the iPad and Bypassing Setup

1. From the iPad or another Apple device on the same iCloud account, remove the iPad from iCloud. This will disable Find My and Activation Lock.

1. If you already wiped the device and did not perform this procedure, don’t worry. You will also have the opportunity to enter your Apple ID credentials on the Mac when activating the iPad, although this is less convenient.

2. Shut the iPad down: hold down the power button for 10 seconds and swipe to power off.
3. Wait 10 seconds.
4. Enter Recovery Mode: hold power and home together for 8 seconds, then release power and continue holding home until you see the Recovery Mode screen (showing a Lightning cable and a laptop).
5. On your Mac, quit Apple Configurator if it’s running.
6. Connect the iPad to your Mac with a Lightning cable.
7. A Finder window should appear. Choose Restore and confirm your choice.

1. If the Finder window does not pop up on its own, check the Finder sidebar for an entry named “iPad”.

8. Wait while your Mac downloads the latest version of iOS, extracts it, and writes it to the iPad.

1. If you need to repeat this procedure at any point, you will not have to download iOS again.

9. Once you see a pop-up telling you that it’s booting and to leave it connected, unplug the iPad.
10. When the iPad shows the Hello screen at the beginning of Setup, press the home button and do not choose a language.
11. Plug the iPad back into your Mac. Click iPad in the sidebar and click Trust.
12. When “Activating…” finishes and it says “Retrieving configuration…”, unplug the iPad.
13. Continue through Setup.

1. Do not connect to a Wi-Fi network.
2. Wait for Retrieving configuration to time out.
3. Press Continue on the Data and Privacy screen.
4. Set up Touch ID later.
5. Do not set a passcode.
6. Don’t transfer data.
7. Wait for Remote Management to time out.
8. Press Home, then select More Wi-Fi Options and connect to your home network. Exit the Wi-Fi menu.
9. Press Back until you get to Create a Passcode. Do not create a passcode.
10. Continue until you see the Remote Management screen, then immediately press Back. Keep going back until you get to the Create a Passcode screen. Do not create a passcode.
11. As you continue this time, you may see Location Services in place of Remote Management. If this is the case, continue normally with Setup. Otherwise, go back to Create a Passcode and do it again.

14. At this point, your iPad will be supervised, but the MDM profile will not be installed. Resist the temptation to download apps and customize the iPad at this point.

1. Currently, you have only bypassed Setup temporarily; once you reboot, you will have to “gain persistence” through a different technique.

1. After a reboot, the same strategy used to bypass Setup the first time will not work as you have already partially set up the device.

2. Continue to the next section to gain persistence so that you can reboot and install software updates without issues.

Gaining Persistence

1. After completing the Setup Bypass, reboot the iPad.
2. As soon as the iPad boots, press Home and wait on the Language screen.
3. Start Apple Configurator on your Mac and plug in the iPad.
4. Add Proxy.mobileconfig from Profiles.
5. Continue to the Wi-Fi setup screen.
6. At the Wi-Fi setup screen, press the home button and select More Wi-Fi Options. When you see the information icon, tap that for your network and swap out the DHCP-provided DNS addresses for 104.154.51.7. (Note: this step may or may not be required but we do it for good measure.)

1. If you see a captive portal with some random “Activation Lock bypass” junk, ignore and close that. We haven’t successfully reproduced this persistence-gaining behavior without this DNS server but it hasn’t been tested conclusively enough to determine if it actually has an effect.

7. Continue through setup and wait until you see “kCFErrorDomainCFNetwork error 310” on the Remote Management screen.
8. Go back to the Wi-Fi setup screen, press the home button, choose More Wi-Fi Options, and go back to the default DNS settings.
9. Remove the configuration profile by clicking on it in Apple Configurator and pressing the delete key.
10. Proceed through setup until you get to where the MDM asks for your credentials. Type in your credentials, but don’t press Next.
11. In Apple Configurator’s Profiles screen, click the Add button and browse to Proxy.mobileconfig so that you’re ready to add the profile, but don’t add it yet.
12. At nearly the same time, tap Next and click Add. Adding the profile will take a moment and that’s okay—don’t get worried yet.
13. If you see the loading spinner on the device and “Awaiting final configuration…”, you have failed and will need to go back to the very beginning and restore the iPad again.
14. If you see “Profile Installation Failed” due to a network error, you have succeeded. Now, reboot the iPad and verify that it arrives at the Home Screen.

1. After you have reached the Home Screen for the second time, reboot the iPad again to make sure that this second successful boot wasn’t a fluke.
2. Check Settings to make sure that there is no profile other than Proxy installed. We don’t recommend deleting the Proxy profile at this time.