Posted on 08-23-2011 03:20 PM
Hi everyone,
Day 2 of our 400-strong iPad roll out.. all going "OK" BUT my seventh graders are already jailbreaking iPads..
Anyone have a thought on how to create a Smart Group, or any other policies I can implement/create, to detect and/or block this activity?
Thanks,
Christopher K. Sokolov
San Domenico School
Posted on 08-24-2011 09:10 AM
You could create a group that has the cydia.app, it's almost always on jailbroken devices.
D. Trey Howell
ACMT, ACHDS, CCA
trey.howell at austinisd.org
Desktop Engineering
twitter @aisdmacgeek
Posted on 09-27-2011 08:05 PM
Hi List
Can Casper MDM be configured to detect jailbroken iPads? I saw a comment previously to search for the Cydia app, but that doesn't appear to work, Cydia doesn't appear in the App Inventory list. I have an iPad here that I am happy to test things on if anyone has ideas.
Thanks.
Patrick Lawrence
Posted on 09-27-2011 09:51 PM
I'm only thinking out loud here – but seeing as though all jailbroken iOS devices get a default account of root with password alpine (one that people RARELY change)…couldn't you write a script that basically sniffed around for this backdoor and/or change a few things to lock them out of their iOS device? The theory being that when it returns to HQ for "servicing" you can throw it back in jail and reprimand the client?
Thinking out loud…
Rhys.
Posted on 09-27-2011 11:28 PM
Interesting idea. Is SSH (port 22) enabled by default when you jailbreak? If so, we can just do a port scan on the wireless network to see which devices have port 22 open and then track down the offenders. Don't even need to log in.
Patrick
Posted on 09-28-2011 05:13 AM
Could you also look for the Cydia app?
We are going through this too, from what I've heard JB detection is flakey. A few file changes via ssh and suddenly the device shows as being un-jailbroken (normal) when in fact it is JB.
John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead DEI: Matt Beiriger
Team Lead Mobility: Chris Sta Ana
Mac Tip/Tricks/Self Service & Support
<http://bit.ly/gMa7TB>
"Any time you choose to be inflexible in your approach to an
unpredictable project you are already building failure into your plan"
Posted on 09-28-2011 05:49 AM
John
How I understand it, some other MDM providers require you to have their app installed on your device, this app will regularly do "something" to the iPad that it wouldn't normally be able to do (like edit/read a certain file). If this test fails, then the iPad isn't jailbroken, if it succeeds in doing its "something" then the iPad must be jailbroken.
We'll probably just make our kids update their iPads to 4.3.5 (or iOS 5 when it comes out). As far as I am aware you can't go backwards or jailbreak a 4.3.5 device anyway (I could be wrong here).
I am going to look into the port scanning option though.
Patrick.
Posted on 09-28-2011 06:06 AM
Every iOS 5 beta has been jailbroken thus far, so don't hold out hope on that route :)
Though, Apple *did* just hire the kid so maybe the rate of jailbreaking will slow down a hair.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Posted on 09-28-2011 06:10 AM
The iPad 2, short of that PDF exploit @ 4.3.3 and 4.3.4 (patched in 4.3.5), has not been JB... my guess is new equipment will use a similar process.
John Wojda
Posted on 09-28-2011 06:24 AM
You can look for Jail Broken package managers like Cydia. If Cydia is present on your iOS device, it has been jail broken! *Cue Thin Lizzy music*
-Tom
Posted on 09-29-2011 03:23 AM
With regards to the port scanning option, I don't believe ssh (port 22) is enabled by default upon jailbreaking, at least it didn't use to. It requires the OpenSSH package to be installed by the user after the device is jailbroken, but as I said, this was the case when I used to jailbreak iOS 1-3, not sure about the newer methods.
Regards,
Daniel Sung
Junior Systems Administrator
Framestore
9 Noel Street, London W1F 8GH
www.framestore.com
Posted on 01-25-2012 08:41 AM
I've tested the new jailbreak here on 5.0 and 5.0.1 on A5 devices. We've found that the jailbreak for iOS 5 isn't possible until the MDM profile is removed. I'm just going to keep an eye on whose devices are showing unmanaged or not phoning home.
Side note: Cydia.app doesn't show up on devices' app inventory in Casper, along with apps installed directly from Cydia. Also, SSH isn't opened by default when Cydia is installed, so the port scanning method seems to be useless.
Any ideas or recommendations would be helpful!
Posted on 01-25-2012 09:04 AM
Hmm, why doesn't Cydia show up in the Casper inventory report?
Posted on 01-25-2012 09:42 AM
When we were going through this last year, our MDM provider said it was because Cydia doesn't show up on the device's application list, and therefore they couldn't detect if it was running. Seems fishy to me, maybe I will ask them to revisit that question.
Posted on 01-26-2012 05:14 AM
Odd that Cydia doesn't show up, so I did some digging. I jailbroke my iPhone 4S a few days ago to poke around. So, stock apps, or 3rd party apps installed by AppStore appear like this (note this is in /Applications):
drwxrwxr-x 37 root admin 1632 Nov 4 08:49 Camera.app/
Cydia (and things installed by it such as Winterboard - a theming app), on the other hand, looks like this:
drwxr-xr-x 16 root wheel 2108 Mar 26 2011 Cydia.app/
I noticed a listing for Nike.app/ and that's obviously a built-in app but doesn't show on my phone (I presume) because I do not have the Nike pedometer hardware. So, I wonder if something inside the app causes it to not show on an inventory? Does Nike.app show up on anyone's Casper iOS inventories? (We don't do MDM so I can't test.)
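The ownership difference in the two listing lines above can be turned into a triage check. This is an added example, not part of the original post: it parses `ls -l` output captured from /Applications and flags `.app` bundles whose owner and group differ from the `root admin` pair seen on Camera.app. The baseline assumption, the function and type names, and the Winterboard.app and Example.app sample lines are constructed for illustration; only the Camera.app and Cydia.app lines come from the thread.

```python
import re
from typing import NamedTuple

# Assumption: stock and App Store bundles share the owner/group
# shown on the Camera.app line quoted in the post.
BASELINE = ("root", "admin")

# mode, link count, owner, group, size, three date tokens, name
LS_LINE = re.compile(
    r"^(?P<mode>[dl-][rwxsStT-]{9})[@+.]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<name>.+?)/?$"
)

class Finding(NamedTuple):
    name: str
    owner: str
    group: str
    mode: str

def flag_nonbaseline_apps(listing: str, baseline=BASELINE) -> list[Finding]:
    """Return .app bundles whose (owner, group) is not the baseline pair."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or not m["name"].endswith(".app"):
            continue  # skips "total N", blank lines and non-bundle entries
        if (m["owner"], m["group"]) != baseline:
            findings.append(
                Finding(m["name"], m["owner"], m["group"], m["mode"]))
    return findings

# Constructed sample: the first two entries are the lines quoted in the
# post, the last two are made up for this example.
SAMPLE = """\
total 0
drwxrwxr-x 37 root admin 1632 Nov 4 08:49 Camera.app/
drwxr-xr-x 16 root wheel 2108 Mar 26 2011 Cydia.app/
drwxr-xr-x 9 root wheel 544 Mar 26 2011 Winterboard.app/
drwxrwxr-x 12 root admin 612 Nov 4 08:49 Example.app/
"""

if __name__ == "__main__":
    for f in flag_nonbaseline_apps(SAMPLE):
        print(f"{f.name}: {f.owner}:{f.group} {f.mode}")
```

A hit is a lead for manual inspection rather than proof, since ownership on a jailbroken device can be changed by whoever has root on it.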
Posted on 01-26-2012 08:51 AM
That makes sense because Cydia 'roots' your device. So, it looks like all Cydia stuff is not only owned by root, but only accessible by root since it is in the 'wheel' group.
I am not in a position to dig through our MDM stuff since I am transitioning here at work and have other stuff that needs to get accomplished. Also, our iOS devices are currently being rounded up and updated to iOS 5, since we deployed them on iOS 4, so I am not sure what is all out there. I can shoot my iOS person an email though and find out.
Posted on 10-25-2012 06:17 AM
I'm looking at a jail broke device right now, and here's what I would do...
Create a smart group.
Edit criteria.
Configuration Profiles....edit, for Profile Name..."has" selection and for the criteria, enter the word jailbrake.
My jail broken device has this profile and the jss can see it and search by it.
This method is how I detect who is not running the current mdm profile in my district.
Posted on 10-25-2012 06:27 AM
Edit - spell that jailbreak not jailbrake