AirWatch MDM and E3 Forensic Platform iOS Acquisitions

Written by Amber Schroader

April 3, 2020

When dealing with mobile devices in digital forensics, one of the most frustrating barriers is mobile device management (MDM). An MDM lets IT administrators configure managed devices, install or remove profiles, clear passcodes, and trigger a secure erase of the device. An MDM usually consists of a server component and a client component: the server is under the control of an IT administrator, while the client is a service running on the mobile device. On some platforms the client is backed by hardware-protected features (e.g. Samsung Knox). On Apple devices, MDM support has been built into iOS since iOS 4. An MDM can interfere with the acquisition of a device unless you adjust your procedures to allow communication with the device to happen.

Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablets, and laptops. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices.  -Wikipedia

During device enrollment, a Device Management profile is installed on the iOS device. The profile can be viewed under Settings -> General -> Device Management (see Figure 1). If no profiles are installed, the Device Management menu item may be absent.

Figure 1. Device Management settings

Tapping Restrictions shows the list of installed restrictions (Figure 2).

The restrictions installed on the device are configured remotely by the IT administrator on the server side, and the administrator can add or remove restrictions without re-enrolling the device. The restrictions shown in Figure 2 prohibit iCloud backups, iCloud Keychain sync, and sharing managed documents over AirDrop. The range of available restrictions is wide, and they can affect both the amount of data obtained from a device and whether the acquisition succeeds at all: a supervised device whose profile disallows host pairing, for example, will refuse to pair with the forensic workstation in the first place.

VMware AirWatch® MDM is widely regarded as a leader in Enterprise Mobility Management. We are pleased to announce that Electronic Evidence Examiner 2.5 (E3 v2.5) can now obtain data from iOS devices managed by AirWatch MDM. The acquisition workflow is straightforward if the MDM administrator disables the restrictions for the duration of the investigation. However, one of our E3 customers ran into an iPhone 7 running iOS 13 on which some restrictions remained in place, apparently due to a glitch, after the MDM administrator had disabled them. We adapted E3 2.5 to account for this behavior so that as much data as possible can be obtained from managed devices.

Figure 2. The installed restrictions on the device

With AirWatch MDM, profiles can be either encrypted or unencrypted. The administrator sets this in the Workspace ONE UEM console under Devices -> Devices Settings -> Apple Profiles (Figure 3); profiles are encrypted by default. Changing this option has no effect on devices that are already enrolled.

Figure 3. Profile encryption settings managed by IT Admin

If the profile is encrypted, iOS will not allow an unencrypted iTunes backup of the device. If no backup password has been set, iTunes prompts you to set one on the first backup attempt (Figure 4).

Figure 4. Setting a backup password in iTunes for a device managed by MDM
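The following Python script is added here as an example; it is not part of the original article and is not E3 code. It shows how an examiner can triage a configuration profile before starting an acquisition, covering both the restrictions discussed around Figure 2 and the encrypted-profile case above. It assumes the MDM administrator has exported the device's profile as a .mobileconfig file (an XML or binary plist). The restriction keys it inspects (allowHostPairing, forceEncryptedBackup, allowCloudBackup, allowCloudKeychainSync, forceAirDropUnmanaged) belong to Apple's Restrictions payload (PayloadType com.apple.applicationaccess); an encrypted profile carries EncryptedPayloadContent instead of PayloadContent, so its restrictions cannot be read and the script instead reports that encrypted local backups will be forced. The sample profiles, identifiers and UUIDs are constructed inline, modelled on Figure 2, not taken from a real AirWatch tenant.

```python
import plistlib

# Keys of Apple's Restrictions payload (PayloadType com.apple.applicationaccess)
# whose value changes what an examiner can collect. Each entry maps the key to
# the value that hinders acquisition and a short explanation.
ACQUISITION_RELEVANT = {
    "allowHostPairing": (False, "pairing with a non-supervision host is blocked; "
                                "USB logical acquisition will fail"),
    "forceEncryptedBackup": (True, "local backups must be encrypted; "
                                   "the backup password is required"),
    "allowCloudBackup": (False, "iCloud backups are disabled; none to collect"),
    "allowCloudKeychainSync": (False, "keychain is not synced to iCloud"),
    "forceAirDropUnmanaged": (True, "managed documents cannot be shared over AirDrop"),
}


def audit_profile(profile_bytes: bytes) -> dict:
    """Parse a .mobileconfig (XML or binary plist) and report restrictions
    that matter for acquisition.

    Returns {"encrypted": bool, "findings": [(key, value, note), ...]}.
    An encrypted profile carries EncryptedPayloadContent (CMS data) instead of
    PayloadContent, so its payloads cannot be inspected here; because iOS then
    forces encrypted local backups, that is reported as the single finding.
    """
    top = plistlib.loads(profile_bytes)
    if "EncryptedPayloadContent" in top:
        return {
            "encrypted": True,
            "findings": [("EncryptedPayloadContent", True,
                          "profile payloads are encrypted; iOS forces encrypted "
                          "local backups, so expect a backup password prompt")],
        }
    findings = []
    for payload in top.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, (blocking_value, note) in ACQUISITION_RELEVANT.items():
            if key in payload and payload[key] == blocking_value:
                findings.append((key, payload[key], note))
    return {"encrypted": False, "findings": findings}


def _profile(payload_content=None, encrypted_blob=None) -> bytes:
    """Build a minimal configuration profile for the constructed samples below.
    The identifiers and UUIDs are hypothetical."""
    top = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.forensics.restrictions",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Constructed restrictions profile",
    }
    if encrypted_blob is not None:
        top["EncryptedPayloadContent"] = encrypted_blob
    else:
        top["PayloadContent"] = payload_content
    return plistlib.dumps(top)


# Constructed sample modelled on Figure 2: iCloud backup and keychain sync
# disabled, AirDrop treated as unmanaged, host pairing still allowed.
SAMPLE_PROFILE = _profile(payload_content=[{
    "PayloadType": "com.apple.applicationaccess",
    "PayloadIdentifier": "example.forensics.restrictions.access",
    "PayloadUUID": "00000000-0000-4000-8000-000000000002",
    "PayloadVersion": 1,
    "allowCloudBackup": False,
    "allowCloudKeychainSync": False,
    "forceAirDropUnmanaged": True,
    "allowHostPairing": True,
    "forceEncryptedBackup": False,
}])

# Constructed encrypted sample: placeholder bytes stand in for the CMS blob.
SAMPLE_ENCRYPTED_PROFILE = _profile(encrypted_blob=b"\x30\x82\x00\x10" + b"\x00" * 16)


if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PROFILE), ("encrypted", SAMPLE_ENCRYPTED_PROFILE)):
        report = audit_profile(blob)
        print(f"{name} profile: encrypted={report['encrypted']}")
        for key, value, note in report["findings"]:
            print(f"  {key}={value}: {note}")
```

To use it on a real export, read the .mobileconfig file as bytes and pass it to audit_profile in place of the samples. The first finding to look for is allowHostPairing set to false: with that restriction in place the workstation never pairs, and none of the other findings matter until the administrator removes it.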

To proceed with the backup, type the password twice into the form. Be sure to record the password, since you will need it to acquire the device with E3. Note that once the password is set you cannot remove it from the device, because the Encrypt local backup option becomes disabled (Figure 5). The backup password is stored on the device rather than on the workstation, so it will also be required on any other machine that later backs up the same phone.

Figure 5. The Encrypt local backup option is disabled when the MDM profile is encrypted

Once the password is set, the device can be acquired with E3, which prompts for the password when the logical acquisition starts (Figure 6).

Figure 6. E3 asking for the password to start logical acquisition of the device

If the MDM profile is unencrypted, no additional steps are required, and acquisition follows the traditional workflow. The MDM device options are accessible and streamlined in the 2.5 release of the E3 Forensic Platform.
