What's behind the iPad hack at Los Angeles high schools?
Securing iPads in the field
Today, there’s not much you can do to prevent users from opting out of their MDM profiles, which costs IT some of its security control over iPads. But MDM is only half the story, because it represents only half the security measures.
The other half, Apple Global HTTP Proxy, introduced in iOS 6, could have maintained content filtering at LAUSD high schools, but it didn’t. A plausible reason is that LAUSD appears to have deployed Global HTTP Proxy under MDM, not Apple Configurator.
Global HTTP Proxy needs to be under the supervision of either MDM or Apple Configurator. If it’s under MDM, Global HTTP Proxy vanishes when the MDM profile is un-enrolled. If it’s under Apple Configurator, there’s an option to restrict profiles from being removed. Apple Configurator and Global HTTP Proxy cannot be removed unless the iPad is wiped.
“The biggest takeaway is, if you supervise the device and put [Apple Configurator] on there, you can prevent it from being removed,” explains Thomas Burgess, network engineer at LSDO. “That’s what we do with Global Proxy on our devices.”
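The difference between the two supervision paths can be checked before a profile goes out. The following is an added example, not code from the article or from either school district: a Python audit of an unsigned configuration profile that uses Apple's documented `com.apple.proxy.http.global` payload type and `PayloadRemovalDisallowed` key. The sample profile, its identifiers and host name, and the `delivered_by_mdm` parameter are constructed for illustration.

```python
import plistlib

GLOBAL_PROXY_TYPE = "com.apple.proxy.http.global"

# Constructed sample profile; identifiers, UUIDs and host name are placeholders.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "org.example.school.filter",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Content filter (constructed sample)",
    "PayloadRemovalDisallowed": True,  # honoured on supervised devices only
    "PayloadContent": [{
        "PayloadType": GLOBAL_PROXY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.school.filter.proxy",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "ProxyType": "Manual",
        "ProxyServer": "proxy.example.org",
        "ProxyServerPort": 8080,
    }],
}


def audit_profile(raw, delivered_by_mdm):
    """Return a list of findings; an empty list means the proxy should persist.

    raw is an unsigned .mobileconfig (XML or binary plist) as bytes.
    delivered_by_mdm is supplied by the caller, because the delivery path
    is a deployment fact that is not recorded inside the profile itself.
    """
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    if not any(p.get("PayloadType") == GLOBAL_PROXY_TYPE for p in payloads):
        return ["no Global HTTP Proxy payload: no content filtering"]
    findings = []
    if delivered_by_mdm:
        # Per the article: the proxy vanishes with the MDM profile.
        findings.append("proxy under MDM: lost when MDM is un-enrolled")
    elif not profile.get("PayloadRemovalDisallowed", False):
        findings.append("removal not restricted: user can delete profile")
    return findings
```

A signed profile would need its CMS wrapper removed before `plistlib` can parse it.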
So why didn’t LAUSD use Apple Configurator? Apple didn’t really design Apple Configurator for large iPad rollouts. If you deploy iPads with Apple Configurator, iPads become static. For instance, there are no over-the-air configuration capabilities. If changes need to be made to iPads, IT will have to physically touch each device, a near-impossible task in LAUSD’s rollout of tens of thousands of iPads.
Having deployed iPads with Apple Configurator, Burgess lives with this risk every day, albeit a slightly lesser one because LSDO’s iPad deployment is much smaller than LAUSD’s. Luckily, LSDO hasn’t had to make hands-on changes to iPads.
LSDO has faced other issues, such as iPads without content filtering prior to the release of Global HTTP Proxy in iOS 6, and students downloading Snapchat, which lets them share photos or videos and then deletes the content after a certain time. LSDO has had to discipline students for trying to undermine security, as well as tweak user policies.
Finding the teachable moment
There’s no question LAUSD was caught between an un-scalable Apple Configurator and an easily disabled MDM as supervisory options for Global HTTP Proxy. In hindsight, LAUSD should have prevented iPads from leaving the campus in the first place. While on the corporate network, iPads can be watched more carefully and MDM un-enrollment can be flagged and addressed on the spot.
On the other hand, Airwatch CEO John Marshall believes that the security breach, far from threatening, can be a teachable moment. “I think the lesson is, if you’re going to remove the MDM profile, you’ll lose the device for a period of time,” he says. “Part of learning is not breaking policy and becoming a good digital citizen.”
LAUSD’s decision not to use Apple Configurator can be summed up as a case of bad timing. Earlier this year, at its Worldwide Developers Conference, Apple quietly unveiled plans for making this dilemma go away.
A summary of the plan is available to developers under non-disclosure, but basically it’s a streamlined device enrollment program. If an iPad is in the program, Apple will auto-enroll the device to the assigned company’s MDM software (along with Global HTTP Proxy) and supervise the iPad, thus taking Apple Configurator out of the picture. Critically, the MDM profile can’t be removed.
But Apple hasn’t shipped the program yet, nor given a timetable for when companies and schools can expect it. For LAUSD, it didn’t come soon enough.