Skip to content

Instantly share code, notes, and snippets.

@FrankSpierings
Last active Aug 16, 2021
Embed
What would you like to do?
Apple Device Enrollment Program (DEP) - ByPass MDM Policy using Checkra1n exploit

Pre-requirements

  • Install a socket daemon to multiplex connections from and to iOS devices, run: brew install usbmuxd
  • Start the socket daemon iproxy 2222 44
  • Install checkra1n exploit locally, run: brew install checkra1n
  • When SSH password authentication is requested, use: alpline.

Wipe iPad and restore Firmware

  • Clear all settings, or use DFU to clear and restore the iPad: https://www.theiphonewiki.com/wiki/DFU_Mode (Use iTunes to restore (and wipe) the iPad)
  • When the iPad returns at the 'Hello' screen, exploit using checkra1n, run: open /Applications/checkra1n.app
  • Follow its instructions, until returning at the 'Hello' screen.

Initial Setup - Checkra1n booted

  • Create a new profile at /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist, by copying the file through SCP. Notice the essentials in the profile: ConfigurationWasApplied, CloudConfigurationUIComplete & PostSetupProfileWasInstalled
TEMPFILE=$(mktemp)
DESTFILE=/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist

cat > ${TEMPFILE} << _EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ConfigurationWasApplied</key>
    <true/>
    <key>CloudConfigurationUIComplete</key>
    <true/>
    <key>PostSetupProfileWasInstalled</key>
    <true/>
    <key>AllowPairing</key>
    <true/>
    <key>AutoAdvanceSetup</key>
    <false/>
    <key>AwaitDeviceConfigured</key>
    <false/>
    <key>ConfigurationSource</key>
    <integer>0</integer>
    <key>ConfigurationURL</key>
    <string></string>
    <key>IsMDMUnremovable</key>
    <integer>0</integer>
    <key>IsMandatory</key>
    <false/>
    <key>IsMultiUser</key>
    <false/>
    <key>IsSupervised</key>
    <false/>
    <key>OrganizationAddress</key>
    <string>N/A</string>
    <key>OrganizationAddressLine1</key>
    <string>N/A</string>
    <key>OrganizationAddressLine2</key>
    <string>N/A</string>
    <key>OrganizationCity</key>
    <string>N/A</string>
    <key>OrganizationCountry</key>
    <string>N/A</string>
    <key>OrganizationDepartment</key>
    <string>N/A</string>
    <key>OrganizationEmail</key>
    <string>noreply@localhost.localdomain</string>
    <key>OrganizationMagic</key>
    <string></string>
    <key>OrganizationName</key>
    <string>Skip this step</string>
    <key>OrganizationPhone</key>
    <string>N/A</string>
    <key>OrganizationSupportPhone</key>
    <string>N/A</string>
    <key>OrganizationZipCode</key>
    <string>N/A</string>
    <key>SkipSetup</key>
    <array/>
    <key>SupervisorHostCertificates</key>
    <array/>
</dict>
</plist>
_EOF

scp -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${TEMPFILE} root@localhost:${DESTFILE} && rm ${TEMPFILE}
  • Now complete the iPad setup throught its user interface, it should not ask for a remote management profile, until it is wiped clean.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment