iOS 13 MDM/DEP Bypass (using Checkra1n jailbreak)

Before anyone comments about this being a bad idea, let it be known that I’m not responsible for any trouble you may get in for doing this. I’m part of the hacking team at my organization, so this is the type of thing I’m supposed to be doing, but unless you are too, I’d probably advise against this.

Using Checkra1n on my iPhone 8 running iOS 13.2.2 (downgraded from 13.2.3), I have successfully found how to bypass organizational MDM (forced through DEP). In my test case, I was using Blackberry’s MDM services, but I believe this should probably work for any MDM provider.

I’m going to leave these instructions relatively vague. If you can follow them, go for it; if you can’t, you probably should not be jailbreaking your corporate device.

NOTE: This is on a device that has been freshly wiped, or at least had the contents of “/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles” removed. If you already have MDM applied to your device, try wiping the contents of that directory and rebooting. It’ll probably reset a lot of settings, but that seemed to remove MDM for me (and allow me to prevent its application) after a reboot.

Instructions

  1. Jailbreak your device using Checkra1n.
  2. On your phone, walk through the “Welcome” wizard, set your wifi, and then when you get to the screen that says “Your organization requires policies” (not verbatim, but that’s the general message), move on to Step 3.
  3. Connect to your device using SSH via iProxy (username is root, password is alpine).
  4. Using SSH on the device, navigate to “/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles”.
  5. Ensure the following 2 files are present: “CloudConfigurationDetails.plist” and “CloudConfigurationSetAsideDetails.plist”.
  6. If not already installed, install the “nano” text editor on your device via “apt” (or use vi, if that’s there by default, which I assume it is).
  7. Using your text editor, modify both “CloudConfigurationDetails.plist” and “CloudConfigurationSetAsideDetails.plist”, making the following changes to both files:
    • NOTE: If any of these variables are not present, you can try just leaving them missing. If that doesn’t work, add them with the values I’ve specified.
    • Change the value of the integer “IsMDMUnremovable” to 0.
    • Change the value of the bool “IsMandatory” to false.
    • Change the value of the bool “IsSupervised” to false.
  8. Restart your device (you can either re-jailbreak it using Checkra1n or just let it boot normally; either should be fine).
  9. When booted back up, walk through the “Welcome” wizard again, and this time when you get to the corporate policy screen, click through it. You should have the option to ignore the policies and not apply them.
  10. That’s it. After you reboot again, the device will still be activated but without any MDM.

NOTE: I wrote this shortly after figuring this process out. It’s possible that the policies will attempt to re-apply periodically and/or after an iOS upgrade, but I don’t know for sure. I’ll edit this post if I find any further info.

Edit: Just found this post, which says that hex-editing the Checkra1n app to increase the max_supported_version number to iOS 13.2.3 should allow devices on the most recent iOS release to be jailbroken without needing to downgrade.

Edit2: I just upgraded to 13.2.3 and my MDM-bypass is still fine (I was not prompted to re-enroll after upgrading).