Troubleshooting iOS 10 Devices with Mobile Device Management Configurations
Update: We have added instructions on how to create an encrypted backup password for an iOS 10 device with MDM profile using iTunes.
iPhones and iPads being managed by Mobile Device Management (MDM) software are becoming more common. If a Profile is installed on a device running iOS 10 that forces encrypted backups to be enabled during an iTunes backup, a different acquisition process is required. We have found a solution in BlackLight 2016 R3 to acquire iOS 10 devices with a Profile installed and encrypted backups enabled. The examiner will need to use BlackLight 2016 R3.1 or Mobilyze 2017 R1 to acquire a device running iOS 10.2 or later.
You can verify a Profile is installed by navigating to Settings -> General -> Profiles. Some MDM’s do not install a Profile, therefore you will not see a Profiles menu item and it is possible you will see Device Management instead.
Devices can have the Force Encrypted Backups flag set without having an actual encrypted backup password configured. This can happen if a device has been configured with an MDM profile, but has never been backed up via iTunes. If the device has never been backed up, a backup password must be configured in iTunes before BlackLight will be able to acquire it. This backup password cannot be disabled in iTunes later, which means the analyst will need to document the password for future reference, and may also need to provide the password to either the device owner or to the controlling IT department.
The analyst can use iTunes to determine if the Force Encrypted Backups flag is set when creating a backup. If it is required, iTunes will prompt the user to create a password for the local backup, and will not allow the analyst to create a non-encrypted local backup. In some cases, iTunes will prompt the analyst to set up the device as a new device or restore it from a backup. To proceed, the analyst will need to choose to set up the device as a new device. In our testing, setting up as a new device has not caused data to be lost or the device to be erased.
Warning: Do not choose to restore from a backup, as this will overwrite the device with the contents of the backup.
1. Open iTunes and select to ‘Set up as new <device> ‘ then click Continue
2. Select ‘Encrypt <device> backup’, create a password, then click on Set Password
3. iTunes will complete a backup of the device which will be stored either in:
- Windows – /Users/<username>/AppData/Roaming/Apple Computer/MobileSync/Backup/
- Mac – /Users/<username>/Library/Application Support/MobileSync/Backup/
After the backup completes, the ‘Encrypt <device> backup’ option will be grayed out and the analyst will not be able to disable it until the MDM profile is removed from the device. Be aware that data could possibly be lost by deleting an MDM profile.
According to Apple’s iOS Deployment Reference document, if the MDM configuration profile itself is encrypted, Force Encrypted Backups will be enabled, regardless of whether or not this restriction has been set in the MDM configuration.
” Force encrypted backups: When this option is off, users can choose whether or not device backups performed in iTunes are stored in encrypted format on their Mac.
If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by iTunes. Profiles installed on the device by Profile Manager are never encrypted.”
If an iOS device is being “supervised” by MDM software such as Apple Configurator, the device cannot be acquired unless it is attached to the supervising computer.
forensics research and development, and corporate investigations, our team understands forensics. Digital Forensics is more challenging than ever before due to advancements in technology. The BlackBag Team exists to find solutions for these challenges, thereby empowering our customers to seek, reveal, and preserve the truth.Meet some of our experts at https://www.blackbagtech.com/company/our-team/
Latest posts by BlackBag Team (see all)
- Triaging with MacQuisition - February 18, 2020
- BlackLight – Ingestion of Cellebrite Mobile Extractions - February 5, 2020
- Getting Through the Data Quickly - December 4, 2019