Last week the LA Times reported that students in the Los Angeles Unified School district were “hacking” school-owned iPads to get around usage restrictions. We don’t have many details about the mobile device management techniques the school district is using, but we can still learn a few lessons from this story.
For some background, the school district was in the news earlier this summer when they announced a plan to buy $30 million dollars worth of iPads as part of a much larger technology initiative. The first iPads got rolled out to students just a few weeks ago, apparently with restrictions in place to prevent them from downloading apps and browsing the internet. According to the LA Times, within a week, students were circumventing these restrictions by “delet[ing] their personal profile information.” The initial response from the district was to ban students from taking the iPads home.
Lesson 1: Consumerization and FUIT
Nobody should be surprised that the students were frustrated that they couldn’t install apps and surf the web. Of course school officials are bound by regulations like the Children’s Internet Protection Act, but we can still file this with all of our other anecdotes about the consumerization of IT and FUIT. One of the best quotes from this story came from an official who said, "I'm guessing this is just a sample of what will likely occur on other campuses once this hits Twitter, YouTube or other social media sites explaining to our students how to breach or compromise the security of these devices.” That proves the point that it only takes one person to figure out how to get around IT, and then everybody else can, too.
Lesson 2: Limitations of MDM, and why we need the new device enrollment process
Like I said, we don’t have all of the technical details about what MDM techniques the school district was using, but it sounds like talking the they were using the restrictions capabilities that are a part of iOS MDM configuration profiles. These can easily be used to prevent users from installing apps on their own, to block Safari, and to control many other features.
How is it that these students bypassed the restrictions? When I first read this story, a few possibilities jumped to mind.
First, if the iPads were just being managed over the air with regular MDM, then the students could have removed the configuration profiles at any time. That’s just how it works. When configuration profiles are removed, any other managed settings, apps, or credentials will get removed along with the restrictions, but if you’re a student who just wants to use the iPad to surf the web at home and install the Facebook app (or whatever it is that kids are into these days) then you probably don’t care about missing things like password policies.
Of course we can assume that the school district knew that profiles installed wirelessly are removable, but that’s perfectly fine. If profiles are installed via USB, using either the iPhone Configuration Utility or the Apple Configurator, then they can be locked onto the device or made so that a password is required to remove them. (The Apple Configurator also gives additional options for locking down the device using what’s known as “Supervised” mode. This is pretty common for educational institutions.)
Unfortunately, there’s still a flaw (even with devices supervised with the Apple Configurator.) Even though configuration profiles can be locked in place, the students could still just reformat their iPads in order to remove the profiles. They would also be missing all the educational apps that the school district had preloaded, but at least they’d have their unrestricted iPads.
Fortunately, this flaw can be fixed now. With iOS 7, Apple is introducing a streamlined MDM enrollment process. Using a new service from Apple, institutions can purchase devices and then have MDM enrollment included as a part of the initial device setup process. This works even if a device is reformatted, so there’s no way to use it without MDM configuration profiles and restrictions in place. (You can find more information in this video from Apple WWDC 2013. A free registration is required, but now that iOS 7 is out you don’t have to be part of the developer program to watch the video.)
This new streamlined enrollment process could possibly eliminate the problems that the LA school district is having. I’ll even venture to say that this new process is one of the most important improvements to come with iOS 7.