Last active Oct 22, 2021
Apple Device Enrollment Program (DEP) - Bypass MDM Policy using the Checkra1n exploit


  • Install a socket daemon to multiplex connections from and to iOS devices, run: brew install usbmuxd
  • Start the socket daemon, forwarding local port 2222 to port 44 on the device, run: iproxy 2222 44
  • Install checkra1n exploit locally, run: brew install checkra1n
  • When SSH password authentication is requested, use: alpine.

Wipe iPad and restore firmware

  • Clear all settings, or use DFU mode to wipe and restore the iPad (use iTunes to restore and wipe the iPad).
  • When the iPad returns to the 'Hello' screen, exploit using checkra1n, run: open /Applications/
  • Follow its instructions until the iPad returns to the 'Hello' screen.

Initial Setup - Checkra1n booted

  • Create a new profile at /private/var/containers/Shared/SystemGroup/ by copying the file over SCP. Note the essential keys in the profile: ConfigurationWasApplied, CloudConfigurationUIComplete & PostSetupProfileWasInstalled

cat > ${TEMPFILE} << _EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
    <string>Skip this step</string>

scp -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${TEMPFILE} root@localhost:${DESTFILE} && rm ${TEMPFILE}
  • Now complete the iPad setup through its user interface; it should not ask for a remote management profile until it is wiped clean.