AirWatch MDM and E3 Forensic Platform iOS Acquisitions

Written by Amber Schroader

April 3, 2020

When dealing with mobile devices in digital forensics, one of the most frustrating barriers is mobile device management (MDM). An MDM allows IT administrators to configure managed mobile devices, install or remove profiles, remove passcodes, and begin a secure erase of the device. MDM usually consists of server and client components. The server component is under the control of an IT administrator, whereas the client component is a service installed on the mobile device. MDM is required to be protected on the device by the hardware (e.g. Samsung Knox). On Apple devices, MDM has been part of the operating system since iOS 6. MDM can cause issues in the acquisition of mobile devices unless you adjust your procedures to allow communication with the device.

Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablets, and laptops. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. -Wikipedia

During the device enrollment process, a Device Management profile is installed on the iOS device. The profile can be viewed through the Settings -> General -> Device Management menu (see Figure 1). If no profiles are installed, the Device Management menu item may be absent.

Figure 1. Device Management settings

After tapping Restrictions, a list of installed restrictions appears (Figure 2).

The restrictions installed on the device are configured remotely by the IT administrator from the server side. The administrator may add or remove restrictions remotely without the need for device re-enrollment. The restrictions displayed in Figure 2 prohibit making iCloud backups, syncing the keychain, and sharing managed documents using AirDrop. The range of available restrictions is wide, and they may affect the amount of data obtained from a device as well as the success of the overall data acquisition process.

VMware AirWatch® MDM is now considered the leader in Enterprise Mobility Management. We are proud to announce that Electronic Evidence Examiner 2.5 (E3 v2.5) is now capable of obtaining data from iOS devices managed by AirWatch MDM. The device acquisition workflow becomes straightforward if the MDM administrator disables restrictions for the duration of the investigation. However, one of our E3 customers experienced an issue with an iPhone 7 running iOS 13 where some restrictions remained on the phone due to a glitch after the security restrictions had been disabled by the MDM administrator. We adapted E3 2.5 to account for such unexpected behavior and get as much data from managed devices as possible.

Figure 2. The installed restrictions on the device

With AirWatch MDM, profiles can be either encrypted or unencrypted. The administrator sets this option through the Workspace ONE UEM web site, under Devices -> Devices Settings -> Apple Profiles (Figure 3); profiles are encrypted by default. Changing this option has no effect on devices that are already enrolled.

Figure 3. Profile encryption settings managed by IT Admin

If the profile is encrypted, the MDM forbids users from making unencrypted backups via iTunes. If a backup password has not been set on the device, iTunes will ask to set a new password at the first attempt of backing up the device (Figure 4).

Figure 4. Setting password with iTunes while backing up data of the device managed by MDM

To proceed with the backup, the user needs to type the password twice into the form. Be sure to remember the password, since you will need it to acquire the device via E3. Note that once you have set the password, you will not be able to remove it from the device, because the Encrypt local backup option becomes disabled (Figure 5).

Figure 5. The disabled Encrypted local backup option if MDM profile is encrypted

After setting the password, the device can be acquired with E3, which will ask for the password on starting the logical acquisition (Figure 6).

Figure 6. E3 asking for the password to start logical acquisition of the device

If the MDM profile is unencrypted, no additional actions are required. The acquisition of devices with unencrypted profiles should follow the traditional workflow. The MDM device options were accessible and streamlined in the 2.5 release version of the E3 Forensic Platform. 
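A pre-acquisition triage sketch covering the restrictions and forced backup encryption described above. This is an added example, not part of E3 or AirWatch; it assumes the examiner has an exported, unsigned configuration profile, uses Apple's Restrictions payload keys, and runs on a constructed sample.

```python
import plistlib

# Constructed sample: a minimal unsigned configuration profile carrying a
# Restrictions payload (com.apple.applicationaccess). Not from a real device.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowCloudBackup</key><false/>
    <key>allowCloudKeychainSync</key><false/>
    <key>forceAirDropUnmanaged</key><true/>
    <key>forceEncryptedBackup</key><true/>
    <key>allowCamera</key><true/>
  </dict></array>
</dict></plist>"""

# Restriction key -> (value that activates it, impact on acquisition).
ACQUISITION_IMPACT = {
    "allowCloudBackup": (False, "iCloud backups are prohibited"),
    "allowCloudKeychainSync": (False, "keychain is not synced to iCloud"),
    "forceAirDropUnmanaged": (True, "managed documents cannot be shared via AirDrop"),
    "forceEncryptedBackup": (True, "local backup requires a password"),
}

def acquisition_findings(profile_bytes):
    """Return sorted (key, impact) pairs for active restrictions relevant to an examiner."""
    profile = plistlib.loads(profile_bytes)
    if "EncryptedPayloadContent" in profile:
        raise ValueError("profile is encrypted; payloads are not readable offline")
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, (active_value, impact) in ACQUISITION_IMPACT.items():
            # An absent key means the OS default applies, so only an explicit
            # match on the restricting value is reported.
            if payload.get(key) is active_value:
                findings.append((key, impact))
    return sorted(findings)

def needs_backup_password(profile_bytes):
    """True when the profile forces encrypted local backups."""
    return any(k == "forceEncryptedBackup" for k, _ in acquisition_findings(profile_bytes))

if __name__ == "__main__":
    for key, impact in acquisition_findings(SAMPLE_PROFILE):
        print(f"{key}: {impact}")
```
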
