How to detect and fix a jailbroken iPhone

Jailbroken devices can give rise to security threats for users and organizations alike. Learn how to prevent, detect and remove jailbreaking on enterprise iPhones.

Users might choose to jailbreak their mobile devices for a number of reasons. But when these devices access corporate data, detecting and remediating them is imperative.

Jailbreaking is a process that removes some of the built-in security restrictions from an iOS device. A user might do this so they can download apps from outside the official Apple App Store or make unauthorized customizations. If the user performs any work tasks on their device, however, jailbreaking can expose their organization to threats like malware and data breaches.

To mitigate the risks that jailbreaking poses, IT administrators must have a plan to detect and address compromised devices within their fleets.

How to detect jailbroken devices

The easiest way to tell if an iPhone is jailbroken is to use the device directly. From that vantage point, the following signs can indicate jailbreaking:

  • Unauthorized app stores. The presence of package managers or unauthorized app stores is the most obvious sign of jailbreaking.
  • Unexpected screen modifications. A jailbroken iPhone might have extensive customizations, such as completely redesigned icon layouts that the user didn't set up.
  • Performance issues. Unexplained battery drain, performance degradation and overheating can all indicate unauthorized modifications.
  • Update failure. Many jailbroken devices run older iOS versions, as updating the OS can reverse the jailbreak. The inability to update to the latest version of iOS can indicate a jailbreak.

Of course, in most cases, users jailbreak their own devices and are aware of their compromised status. IT admins are the ones who usually need to be on the lookout for jailbreaking, but they don't always have direct access to the device to look for these signs.

Still, there are some effective methods admins can use to spot compromised iPhones within an organization. MDM, Apple security features and manual scans can all help IT detect jailbreaking.

[Chart: top mobile security threats] Jailbreaking can leave iPhones more vulnerable to key mobile security threats.

MDM compliance settings

Most MDM software includes jailbreak detection as a core platform feature. For corporate-owned devices, MDM tools can enforce automatic compliance policies. For example, if the tool detects a jailbroken device, the tool can automatically quarantine or wipe the device.

Managed Device Attestation

MDM tools have traditionally checked for jailbreaking by examining files and settings on the device itself. This method isn't foolproof, as the compromised operating system of a jailbroken device can't reliably report on its own security status.

Apple's Managed Device Attestation feature addresses this risk by using the Secure Enclave in iPhones to cryptographically verify hardware authenticity and management status. When triggered by an MDM server, the device contacts Apple's attestation service to generate a certificate validating its identity, serial number and security state. This feature works on iPhones with an A11 Bionic chip or later.
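To make the verification side of that flow concrete, here is an added example written for this article (not Apple's code and not any MDM vendor's implementation): a Go model in which an in-memory certificate authority stands in for Apple's attestation service, the device obtains a short-lived certificate carrying its serial number, the server's nonce and a security state, and the MDM server checks the chain, the nonce, the serial and the state before it trusts the device. The claims extension OID, the placement of the serial number in the certificate subject and the "secure"/"compromised" state values are assumptions of the model; Apple's real certificate layout and protocol differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Placeholder OID (private-enterprise arc) for the claims extension; constructed, not Apple's.
var oidClaims = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// AttestationClaims is what the simulated attestation service signs into the device certificate.
type AttestationClaims struct {
	Nonce         []byte // the MDM server's challenge, so a captured attestation cannot be replayed
	SecurityState string // "secure" or "compromised" in this model
}

// Authority stands in for the attestation service's issuing root (assumed, not Apple's real PKI).
type Authority struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewAuthority(name string) *Authority {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Authority{Cert: must(x509.ParseCertificate(der)), key: key}
}

// Issue simulates the device obtaining a short-lived certificate binding its serial and the claims.
func (a *Authority) Issue(serial string, claims AttestationClaims) []byte {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // Secure Enclave key in the real scheme
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:         pkix.Name{CommonName: "managed-device", SerialNumber: serial},
		NotBefore:       time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidClaims, Value: must(asn1.Marshal(claims))}},
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, a.Cert, &devKey.PublicKey, a.key))
}

// VerifyAttestation is the MDM server side. Nothing the device merely reports about itself is trusted:
// the chain must reach the pinned root, the nonce must be this server's, the serial must match inventory.
func VerifyAttestation(root *x509.Certificate, der, nonce []byte, inventorySerial string) (bool, string) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, "unparseable certificate"
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false, "chain not trusted: " + err.Error()
	}
	var claims *AttestationClaims
	for _, ext := range cert.Extensions {
		if c := new(AttestationClaims); ext.Id.Equal(oidClaims) {
			if _, err := asn1.Unmarshal(ext.Value, c); err == nil {
				claims = c
			}
		}
	}
	switch {
	case claims == nil:
		return false, "missing or malformed attestation claims"
	case string(claims.Nonce) != string(nonce):
		return false, "nonce mismatch: replayed or foreign attestation"
	case cert.Subject.SerialNumber != inventorySerial:
		return false, "serial " + cert.Subject.SerialNumber + " does not match MDM inventory"
	case claims.SecurityState != "secure":
		return false, "device attests state " + claims.SecurityState
	}
	return true, "attestation verified for serial " + cert.Subject.SerialNumber
}

func main() {
	ca := NewAuthority("Constructed Attestation Root")
	nonce := []byte("nonce-issued-by-mdm-0001") // constructed challenge
	der := ca.Issue("SERIAL-CONSTRUCTED-1", AttestationClaims{Nonce: nonce, SecurityState: "secure"})
	ok, why := VerifyAttestation(ca.Cert, der, nonce, "SERIAL-CONSTRUCTED-1")
	println(ok, why)
}
```

The verdicts are the point: a certificate replayed against a fresh nonce, one issued for a different serial, one that attests a compromised state, or one chained to a root the server never pinned all fail, and none of those checks depends on anything the device's operating system says about itself.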

Manual detection

While MDM software can be highly effective at detecting jailbroken iOS devices, it's not an infallible technology. There are also situations where a specific device in an enterprise fleet is not properly enrolled in MDM and, as a result, is not subject to inspection.

A basic but effective manual detection approach is to physically access a device and scan it for files or directories that typically indicate a jailbreak. Users commonly download a new package manager, such as Cydia or Sileo, to jailbreak their devices. If either is present on a device, a jailbreak has most likely occurred. With Cydia in particular, the presence of directories such as /private/var/lib/apt/ is another indication of a jailbreak.
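As an added example (written here, not part of the original article or of any vendor tool), the Go program below scans a path listing for the markers just named plus a few other widely cited ones, and handles one practical edge: iOS exposes /var as a symlink to /private/var, so listings taken from either view are normalized before matching. The indicator weights and the threshold are the example's own choices, and the listing in main is constructed.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"path/filepath"
	"sort"
	"strings"
)

// Indicator is a filesystem path that commonly appears on a jailbroken device.
type Indicator struct {
	Path   string
	What   string
	Weight int // this example's own confidence weighting, not a published scale
}

// Indicators: the first three come from the article (Cydia, Sileo, APT state); the rest are
// other widely cited jailbreak markers. Paths are kept in canonical /private/var form.
var Indicators = []Indicator{
	{"/Applications/Cydia.app", "Cydia package manager", 3},
	{"/Applications/Sileo.app", "Sileo package manager", 3},
	{"/private/var/lib/apt", "APT package database", 2},
	{"/etc/apt", "APT repository configuration", 2},
	{"/Library/MobileSubstrate/MobileSubstrate.dylib", "tweak injection runtime", 3},
	{"/usr/sbin/sshd", "OpenSSH server binary", 1},
	{"/bin/bash", "bash shell", 1},
}

// Finding records which indicator fired and the concrete path that triggered it.
type Finding struct {
	Indicator
	Observed string
}

type Report struct {
	Findings []Finding
	Score    int
}

// Jailbroken applies the example's threshold: one strong indicator or two weaker ones.
func (r Report) Jailbroken() bool { return r.Score >= 3 }

// canonical cleans a device path and folds the /var symlink onto /private/var (where it
// points on iOS) so listings from either view match the same indicator.
func canonical(p string) string {
	p = path.Clean("/" + p)
	if p == "/var" || strings.HasPrefix(p, "/var/") {
		p = "/private" + p
	}
	return p
}

// ScanListing matches a device path listing (from a mounted image, an extracted backup or a
// file-transfer tool) against the indicators. Each indicator counts once, however many
// files sit beneath it.
func ScanListing(paths []string) Report {
	var r Report
	seen := map[string]bool{}
	for _, raw := range paths {
		p := canonical(raw)
		for _, ind := range Indicators {
			if seen[ind.Path] || (p != ind.Path && !strings.HasPrefix(p, ind.Path+"/")) {
				continue
			}
			seen[ind.Path] = true
			r.Findings = append(r.Findings, Finding{ind, raw})
			r.Score += ind.Weight
		}
	}
	sort.SliceStable(r.Findings, func(i, j int) bool { return r.Findings[i].Weight > r.Findings[j].Weight })
	return r
}

// ListRoot walks a local directory holding a device filesystem image and returns
// device-relative paths suitable for ScanListing. Unreadable entries are skipped.
func ListRoot(root string) ([]string, error) {
	var out []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil
		}
		if rel, relErr := filepath.Rel(root, p); relErr == nil && rel != "." {
			out = append(out, "/"+filepath.ToSlash(rel))
		}
		return nil
	})
	return out, err
}

func main() {
	// Constructed listing standing in for a real device image: two benign paths, one
	// APT path in /var form and a Sileo bundle.
	listing := []string{
		"/Applications/Safari.app/Info.plist",
		"/private/var/mobile/Library/Preferences",
		"/var/lib/apt/lists/partial",
		"/Applications/Sileo.app/Info.plist",
	}
	r := ScanListing(listing)
	for _, f := range r.Findings {
		fmt.Printf("[%d] %-45s %s (saw %s)\n", f.Weight, f.Path, f.What, f.Observed)
	}
	fmt.Printf("score=%d jailbroken=%v\n", r.Score, r.Jailbroken())
}
```

Feed ListRoot the mount point of a device image or an extracted backup and pass the result to ScanListing; the report lists which markers were seen and which concrete path triggered each, which is what an admin needs in an incident note.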

How to fix a jailbroken device with MDM

Using MDM tools, IT can remediate jailbroken devices in three steps. The first step is risk assessment, which involves isolating the device and auditing its activity. Next, IT must move on to remediation workflows, resetting and securing the device. The last step is to verify that the device is safe and jailbreak-free.

1. Risk assessment

After the MDM detects a jailbroken device, IT should contain and assess the risk right away. First, isolate the device. To prevent data leakage, MDM administrators can review network access to the jailbroken device through conditional access policies.

Next, audit device activity. Review MDM logs for the device to identify suspicious app installations or abnormal data access patterns.

2. Remediation workflows

Once IT has contained the initial risk, the next step is to determine the origin of the jailbreak and limit the possibility of reoccurrence. For corporate-owned devices, admins should use MDM to force a remote factory reset. This action restores the device to a default iOS state.

After the reset, use the MDM to deploy supervised mode on the device. This Apple setting can enable very specific controls on managed devices. Putting the device in supervised mode should help ensure stricter compliance with MDM policies.

3. Post-remediation validation

To make certain the device remains safe, use MDM attestation checks to scan the device again. This process should confirm that the jailbreak has been removed.

How to fix a jailbroken device without MDM

If MDM-based remediation isn't feasible, users can remove the jailbreak on their own and return the iPhone to a standard OS configuration. This is a simple process that involves using native apps and connecting the phone to a computer.

1. Back up the device's data

The first step in a restoration process is a data backup. A user can back up their iPhone using iCloud or a local computer. For an iCloud backup, the user should open Settings on their device and click on their account name. From there, navigate to iCloud > iCloud Backup > Back Up Now.

2. Set up for computer-based system restoration

For a full device reset to remove a jailbreak, computer-based restoration is the most effective option. If the user is running a Microsoft Windows system or macOS 10.14 or earlier, they should make sure they have the latest version of iTunes. For macOS 10.15 or later, they can use the Finder app. To get the best result, the process requires the user to physically connect their iPhone to the computer with a USB cable.

3. Restore the device

Open iTunes or the Finder app on the computer and find the connected iPhone. After selecting the iPhone, the user should see software and backup information on the screen. Click Restore iPhone. The system should then show one more prompt to confirm that the user wants to restore the device to factory settings. Once the restoration is complete, the device should be jailbreak-free and running the latest version of iOS.

What can IT do to prevent and manage jailbreaking?

There are tools and techniques IT teams can use to address jailbroken devices, but the approach they take depends on a few different factors. To build a jailbreaking mitigation plan, admins must consider the ownership status of their organization's devices and whether they use an MDM platform to manage them.

It's easiest for IT to mitigate jailbreaking on corporate-owned devices that are enrolled in MDM. For these iPhones, admins should take the following measures:

  • Outline and enforce mandatory compliance. Organizations can and should establish non-negotiable compliance requirements for corporate-owned device use. The requirements should make it clear that jailbreaking violates corporate policy.
  • Enable supervised mode. Putting a device in supervised mode provides IT with enhanced management capabilities and restrictions. This makes it easier to enforce device compliance.
  • Set up automatic remediation. Organizations can configure MDM to immediately quarantine or unenroll jailbroken devices. On many MDM platforms, admins can enable settings to remove jailbroken devices from management upon detection.

Mitigation can be more difficult in BYOD scenarios. With BYOD iPhones, organizations don't have full control and need to balance security requirements with user privacy. The following practices can help IT manage employee-owned devices effectively:

  • Detail acceptable use policies. Admins should clearly detail acceptable use policies for BYOD iPhones on the organization's network. Provide straightforward policies that address jailbreaking, making consequences transparent.
  • Emphasize user education. Having policies is great, but it's equally important that users understand why these rules are in place. Documentation should highlight how jailbreaking creates security risks for both the user and the organization.
  • Enforce conditional access. For corporate assets, including applications and network access, organizations can enforce device-based access controls on BYOD endpoints. Admins can configure systems to deny jailbroken devices access to corporate resources without controlling the entire device.

Jailbreaking prevention is especially challenging in non-MDM environments. MDM tools help IT restrict what can and can't run on a managed device. Without these tools, organizations don't have the same level of control. However, organizations can still address the risks in a few ways. To mitigate jailbreaking without MDM, IT teams can use the following tactics:

  • Network-level controls. IT can configure firewalls and secure web gateways within an organization to block connections to known jailbreak repositories, such as Cydia's Advanced Package Tool servers.
  • App wrapping. IT administrators can use app wrapping tools as an additional layer to protect against unauthorized applications accessing corporate data and resources.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
