Lockdown Mode in iOS 16 – What happens if the device is already managed?

Apple recently introduced a new feature in iOS 16 called Lockdown Mode. This feature is aimed at the small percentage of users who are high-risk targets of hacking attempts, which are often state-sponsored.

https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/

“Apple today detailed two initiatives to help protect users who may be personally targeted by some of the most sophisticated digital threats, such as those from private companies developing state-sponsored mercenary spyware. Lockdown Mode”

While listening to the Security Now podcast with Steve Gibson and Leo Laporte (https://twit.tv/shows/security-now/episodes/879) talking about this feature, I got curious.

Later, when I also read this in Apple's own statement, I had a few questions that I had to answer for myself.

“Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on”

  • What happens to a company-owned, already enrolled and managed device if a user turns this feature on?
  • Will admins be unable to manage the device?
  • What happens to applications and configurations that are pushed to the device from the MDM (mobile device management) system?

As someone who helps large organizations manage their large fleets of devices, I found this really interesting to test out. Not because I think there will be many people actually using this feature, but there could be instances where users think they need it and just turn it on themselves. What happens then, from the perspective of an admin whose job it is to manage the device?

In this article I will go through my first findings on all of those questions; this can of course change over time. Microsoft Intune does not have official support for iOS 16 yet, but that does not mean that it won't work, and I found no issues with iOS 16 at all.

Setup

The device I was testing on is an iPad mini (6th generation). The device is registered in Apple Business Manager and enrolled through Automated Device Enrollment (ADE) into Microsoft Intune.

The device is enrolled with “Enroll with User Affinity” and Setup Assistant with modern authentication. It's supervised and locked for enrollment.

From there I deploy a few apps and configuration profiles to the device.

To be able to test the Lockdown Mode feature, the device needs to be on the iOS 16 beta. This meant I had to enroll the iPad into the Apple beta program from the device itself. It's just a matter of going to https://beta.apple.com on the device and logging in with the Apple ID. In this case I was using a managed Apple ID from the organization. The device will download a Management Profile that you need to install, and once enrolled you need to restart the device and update to iOS 16.

Turning on Lockdown Mode

Turning on Lockdown mode is as simple as heading over to Settings -> Privacy & Security -> Lockdown Mode -> Turn on Lockdown mode

Once the device has been rebooted you can now see that the Lockdown mode is active by heading back to where you activated it and from here you can also deactivate it again if needed.

Testing management capabilities from Microsoft Intune

At this point the device is enrolled and managed by Intune, a few apps and configuration policies have been applied, and the device is running iOS 16 with Lockdown Mode activated. Now I was curious to see what happens if we push new apps or configurations to the device, and also what happens to the existing management features we have.

Remote actions

Let's start with the remote actions and management features I've tested. From my testing there was no problem at all running any of the features in the list so far. All the remote actions worked as expected.

| Action | Status |
| --- | --- |
| Remote lock | Ok |
| Restart | Ok |
| Sync | Ok |
| Remove passcode | Ok |
| Shut down | Ok |
| Wipe | Ok |
| Rename | Ok |

Configurations

As for configuration profiles, I found no issues deploying those to a device that had Lockdown Mode activated. I tested a few different ones and all of them applied correctly on the device.

Applications

For this section I only tested applications that came from Apple's Volume Purchase Program, meaning only apps that are managed by the organization and its managed Apple ID. I did not test a personal Apple ID or the apps that users themselves can get from the store.

The result here is interesting and differs from the other tests I did. Here we could actually see a difference between Lockdown Mode being turned on and off.

Any app that tried to install before Lockdown Mode was activated installed successfully; however, once Lockdown Mode was activated, no apps were able to install on the device. I tested both required and available apps in Company Portal, and none were able to install.

Hopefully admins will in the future be able to determine whether a user should be able to activate Lockdown Mode on their company-owned device. At this time I was not able to find any settings or mentions of this. I would also like to see a way to identify whether a user has turned this feature on or not for supervised devices.

TL;DR: Remote actions and configuration profiles seem to work just fine. Applications, however, did not install after Lockdown Mode was activated.

That's it for this time. Don't forget to follow me on Twitter @timmyitdotcom

2 comments

  1. Can we turn on Lockdown Mode on managed devices with Intune/Jamf?
