AirWatch MDM and E3 Forensic Platform iOS Acquisitions

Written by Amber Schroader

April 3, 2020

When dealing with mobile devices in digital forensics, one of the most frustrating barriers is mobile device management (MDM). An MDM allows IT administrators to configure managed mobile devices, install or remove profiles, remove passcodes, and begin a secure erase of the device. MDM usually consists of server and client components. The server component is under the control of an IT administrator, whereas the client component is a service installed on a mobile device. MDM is required to be protected on the device by the hardware (e.g. Samsung Knox). On Apple devices, MDM has been part of the operating system since iOS 6. An MDM can cause issues in the acquisition of mobile devices unless you adjust your procedures to allow communication with the device.

Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablets, and laptops. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. - Wikipedia

During the device enrollment process, a Device Management profile is installed on an iOS device. The profile can be viewed through the Settings -> General -> Device Management menu (see Figure 1). If there are no profiles installed, the Device Management menu item may be absent.

Figure 1. Device Management settings

After pressing Restrictions, a list of installed restrictions appears (Figure 2).

The restrictions installed on the device are configured remotely by the IT administrator from the server side. The administrator may add or remove restrictions remotely without the need for device re-enrollment. The restrictions displayed in Figure 2 prohibit making iCloud backups, syncing the keychain, and sharing managed documents using AirDrop. The range of available restrictions is wide, and they may affect the amount of data obtained from a device as well as the success of the overall data acquisition process.
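To show how the restrictions named above appear in a configuration profile, the following added example (not part of the original article or of E3) scans a profile's Restrictions payload for settings that bear on acquisition. It assumes an unsigned, unencrypted profile exported as a plist; the sample profile is constructed, `acquisition_findings` is a hypothetical helper, and `forceEncryptedBackup` is included as a further Apple restriction key relevant to backups.

```python
import plistlib

# Keys from Apple's Restrictions payload (com.apple.applicationaccess) and the
# value that restricts acquisition; the impact wording is this example's own.
ACQUISITION_RELEVANT = {
    "allowCloudBackup": (False, "iCloud backup prohibited"),
    "allowCloudKeychainSync": (False, "iCloud Keychain sync prohibited"),
    "forceAirDropUnmanaged": (True, "managed documents blocked from AirDrop"),
    "forceEncryptedBackup": (True, "local backups must be encrypted"),
}

def acquisition_findings(profile_bytes):
    """Return sorted (key, impact) pairs for restrictions that are in force."""
    profile = plistlib.loads(profile_bytes)
    if "EncryptedPayloadContent" in profile:
        # An encrypted profile carries its payloads as an opaque blob.
        raise ValueError("profile payloads are encrypted; cannot inspect")
    findings = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, (restrictive, impact) in ACQUISITION_RELEVANT.items():
            # A key absent from the payload leaves the OS default in place.
            if key in payload and payload[key] is restrictive:
                findings.add((key, impact))
    return sorted(findings)

# Constructed sample profile mirroring the three restrictions in Figure 2.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Restrictions (constructed)",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example"},
        {
            "PayloadType": "com.apple.applicationaccess",
            "allowCloudBackup": False,
            "allowCloudKeychainSync": False,
            "forceAirDropUnmanaged": True,
            "allowCamera": True,
        },
    ],
})

if __name__ == "__main__":
    for key, impact in acquisition_findings(SAMPLE_PROFILE):
        print(f"{key}: {impact}")
```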

VMware AirWatch® MDM is now considered the leader in Enterprise Mobility Management. We are proud to announce that Electronic Evidence Examiner 2.5 (E3 v2.5) is now capable of obtaining data from iOS devices managed by AirWatch MDM. The device acquisition workflow becomes straightforward if the MDM administrator disables restrictions for the time of the investigation. However, one of our E3 customers experienced an issue with an iPhone 7 running iOS 13 where some restrictions remained on the phone due to some glitch after the security restrictions had been disabled by the MDM administrator. We adapted E3 2.5 to account for such unexpected behavior to get as much data from the managed devices as possible.

Figure 2. The installed restrictions on the device

AirWatch MDM profiles can be either encrypted or unencrypted. The administrator sets this option through the Workspace ONE UEM website, at Devices -> Devices Settings -> Apple Profiles (Figure 3), and profiles are encrypted by default. Changing this option has no effect on already enrolled devices.

Figure 3. Profile encryption settings managed by IT Admin

If the profile is encrypted, the MDM forbids users from making unencrypted backups via iTunes. If a backup password has not been set on the device, iTunes will ask to set a new password at the first attempt of backing up the device (Figure 4).

Figure 4. Setting password with iTunes while backing up data of the device managed by MDM

To proceed with the backup, a user needs to type the password twice into the form. Be sure to remember the password since you will need it to acquire the device via E3. Note that once you have set the password, you will not be able to remove it from the device because the Encrypt local backup option becomes disabled (Figure 5).

Figure 5. The disabled Encrypted local backup option if MDM profile is encrypted

After setting the password, the device can be acquired with E3, which will ask for the password on starting the logical acquisition (Figure 6).

Figure 6. E3 asking for the password to start logical acquisition of the device

If the MDM profile is unencrypted, no additional actions are required. The acquisition of devices with unencrypted profiles should follow the traditional workflow. The MDM device options were made accessible and streamlined in the 2.5 release of the E3 Forensic Platform.
