How to remove Mobile Guardian (MDM)
Removing Mobile Device Management (MDM) is simple. You only need some basic knowledge of computers and how MDM works to follow this guide. Most of the time, this is not required to bypass MDM, since you could just delete the management profile in Settings. In some cases, however, the device is set up for cloud enrolment, meaning you cannot remove the management profile from Settings. This method was discovered in Mar 2022.
This documentation is strictly for educational purposes only.
Prerequisites
- A working Windows/macOS computer
- Any Apple device with a recent version of iOS
- Original Apple cable (USB A to Lightning recommended)
- iTunes
- iBackupBot
Steps for Windows
1. Disable Find My on your device.
2. Connect your device to the computer and open iTunes.
3. Enter DFU mode on your device.
   - Note: If you cannot enter DFU mode, use an old cable with USB A instead of USB C.
4. Restore your device.
5. Set up your device until you see the wifi screen. Do not connect to any network!
6. Download the SUPERVISED.zip from here.
7. Open the Supervise backup and extract the .zip.
8. Install and open iBackupBot.
9. In iBackupBot, click "file", "open" and select the folder where the extracted supervise backup is located.
10. When the backup is imported, click "+" by Add Supervision, then click "System Files".
11. Search for "CloudConfiguration", then right click on "CloudConfigurationDetails.plist" and select "restore selected items to device".
12. Make sure to disable "reboot device after restore". Enter the password "1111" and then click on "restore". (If it says restore failed, make sure iTunes is open as well and connected when pressing restore!)
13. Now continue setting up your device as normal. The MDM profile will still load onto your device. This is expected behaviour.
14. Now wait for a while for any apps bundled with your MDM to install. This is also required for the organisation wifi profile to load, so that you will be able to connect to your organisation wifi without MDM. If no apps are downloaded within the next 10 minutes, proceed to the next step.
15. Reboot your device and MDM will be gone!
   - Note: Upgrading iOS will cause MDM to return if you don't repeat steps 7-15.
Steps for Mac
Tbh you should just use Windows.
1. Disable Find My on your device.
2. Check your macOS version by clicking the Apple logo at the top left of the screen, then clicking "About This Mac".
3. Connect your device to the Mac and open Finder if you are running version 10.15.7 or later. Otherwise, open iTunes.
4. Enter DFU mode on your device.
   - Note: If you cannot enter DFU mode, use an old cable with USB A instead of USB C.
5. Restore your device.
6. Set up your device until you see the wifi screen. Do not connect to any network!
7. Download the SUPERVISED.zip from here.
8. Download and install iBackupBot.
9. If you are running version 10.15.7 or later, continue to Step 10. Otherwise skip to Step 18.
10. Go to the iTunes MacOS download using the link above. Find "click to download" by "Retroactive 1.9" and start the download.
11. After downloading, go to your downloads folder, and click on "Retroactive.zip" to extract it.
12. Navigate to and open the extracted folder, then right click on "Retroactive", and select open.
13. MacOS will block the app from opening. Click on "cancel", then repeat Step 5 again.
14. This time Retroactive will open without fail. If you see the message "Update to a newer version of Retroactive", simply click on "Run Anyways".
15. Click on "install" below iTunes, then click on "continue".
16. Now iTunes will start downloading. You may be asked to enter your Mac password for security reasons. If so, enter your password.
17. Once iTunes is installed, you will see a screen which says: "One More Thing". On this screen, select "I don't need to sync with this iPod". Even if you need to sync with an iPod Touch, you can still skip this option.
18. Open the Supervise backup and extract the .zip.
19. On the Mac itself, open System Preferences > Security & Privacy and click the lock to make changes. When prompted, enter the passcode for the Mac itself.
20. After the lock is unlocked, click "Full Disk Access" > "iBackupBot" and tick the check box. If iBackupBot doesn't show up, click the "+" near the bottom, navigate to "Applications" and select "iBackupBot" from there.
21. Connect your device to your Mac and open iBackupBot. Keep in mind iBackupBot crashes a LOT on Macs. If the app crashes, simply reload it and repeat the instructions which weren't saved.
22. In iBackupBot, click "file", "open" and select the folder where the extracted supervise backup is located.
23. When the backup is imported, click "+" by Add Supervision, then click "System Files".
24. Search for "CloudConfiguration", then right click on "CloudConfigurationDetails.plist" and select "restore selected items to device".
25. Make sure to disable "reboot device after restore". Enter the password "1111" and then click on "restore". (If it says restore failed, make sure your iTunes is open as well and connected when pressing restore!)
26. Now continue setting up your device as normal. The MDM profile will still load onto your device. This is expected behaviour.
27. Now wait for a while for any apps bundled with your MDM to install. This is also required for the organisation wifi profile to load, so that you will be able to connect to your organisation wifi without MDM. If no apps are downloaded within the next 10 minutes, proceed to the next step.
28. Reboot your device and MDM will be gone!
   - Note: Upgrading iOS will cause MDM to return if you don't repeat steps 22-28.
How it works?
Limitations
We know that a device enrolled in cloud MDM will always obtain the MDM profile at setup, and there is no way to bypass that screen. For most MDMs like this, once the profile is installed, there is no way to connect the device to your own computer, since "allow pairing" is false. Therefore, there is no way to back up the iPad or extract the MDM profile after the initial setup. Even restoring the iPad in DFU mode would not remove the profile, since cloud enrolment is tied to your serial number, which cannot be changed without special hardware.
The Theory
The folder SUPERVISE contains an encrypted backup of a device that has device supervision enabled (not the same type as cloud enrolment). CloudConfigurationDetails.plist contains data used for managing the supervision state of the device. This file only contains one crucial value for it to work: "supervised = true".
By restoring the device to its original state, we essentially remove the MDM profile temporarily, allowing us to connect to our computer. Therefore, we will be able to restore this specific file onto the device, making the device "supervised" before MDM is able to supervise the device. Using this trick, the device will "think" that it is already supervised, and the MDM will not be able to supervise it again when the device enrols.
The device now enters a "pseudo supervised" state. Configuration files from the MDM server will still be downloaded onto your device, and settings will show that your device is supervised by your organisation. However, on reboot, the previously restored CloudConfigurationDetails.plist kicks in, and replaces the original file, causing previous configuration files to be inactive and hidden.
The hidden state of the configuration profiles is what enables wifi configured via your organisation's MDM profile to still work, even when your device is no longer supervised by your organisation.
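Seen from the management side, the end state described above is a device that still authenticates to organisation wifi while no longer being managed. The following is an added example, not part of the original guide: it correlates accepted wifi authentications with MDM check-in times to surface such devices. The record formats, field names, the per-device wifi identity, the 24-hour threshold and the idea that check-ins go stale once the profiles are inactive are all assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed MDM inventory export: serial -> last MDM check-in (hypothetical format).
MDM_LAST_CHECKIN = {
    "SERIAL-0001": "2022-03-14T08:55:00",
    "SERIAL-0002": "2022-03-10T16:20:00",
    "SERIAL-0003": "2022-03-01T07:30:00",
}

# Constructed RADIUS-style wifi auth log. Assumes each line carries a per-device
# identity (e.g. from a device certificate) that maps to the serial.
WIFI_AUTH_LOG = """\
2022-03-14T09:00:00 result=accept ssid=ORG-WIFI identity=SERIAL-0001
2022-03-14T09:05:00 result=accept ssid=ORG-WIFI identity=SERIAL-0002
2022-03-12T11:00:00 result=accept ssid=ORG-WIFI identity=SERIAL-0002
2022-03-14T09:10:00 result=reject ssid=ORG-WIFI identity=SERIAL-0003
2022-03-14T09:15:00 result=accept ssid=ORG-WIFI identity=SERIAL-9999
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^(\S+) result=(\w+) ssid=(\S+) identity=(\S+)$")

def last_accepted_auth(log_text):
    """Return {identity: datetime of the most recent accepted wifi auth}."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "accept":
            continue  # skip malformed lines and rejected attempts
        ts, ident = datetime.fromisoformat(m.group(1)), m.group(4)
        if ident not in latest or ts > latest[ident]:
            latest[ident] = ts
    return latest

def stale_but_on_wifi(checkins, log_text, max_gap=timedelta(hours=24)):
    """Flag identities on org wifi whose last MDM check-in trails their latest
    wifi auth by more than max_gap, plus identities the MDM does not know."""
    findings = []
    for ident, seen in sorted(last_accepted_auth(log_text).items()):
        raw = checkins.get(ident)
        if raw is None:
            findings.append((ident, "not-in-mdm", None))
        elif seen - datetime.fromisoformat(raw) > max_gap:
            findings.append((ident, "stale-checkin", seen - datetime.fromisoformat(raw)))
    return findings

if __name__ == "__main__":
    for finding in stale_but_on_wifi(MDM_LAST_CHECKIN, WIFI_AUTH_LOG):
        print(*finding)
```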