7 Replies Latest reply: Sep 26, 2013 10:59 AM by rccharles
brandonmilwaukeeWI Level 1

My library circulates iPad 2 devices to students. In the past we have been able to let people check them out and enter their own Apple ID.  When the devices come back, we just erase everything and rebuild from an image in Configurator.  Now (found this in testing) in iOS 7, when someone enters their Apple ID into iCloud on the device, it asks them if they want to turn on location services (for Find My iPad).  If they do this, then we are unable to erase the iPad when it is returned.  It asks us for that student's Apple ID password, which we don't have, of course.

 

I wanted to make sure that this scenario didn't happen in real life, so I enabled restrictions on the iPad and turned off location services.  Locked it down to not allow changes.  I thought I was set!  Nope.  When someone enters that Apple ID into iCloud, restriction or no, it turns on Find my iPad if they tap 'yes' to the prompt.  It totally bypassed the restriction.

 

At this point, I'm not actually going to be able to let anyone borrowing these iPads log into iCloud, unless I can figure out some other way to allow it.  Any thoughts?  Anyone else seeing this?

 

Thanks,

 

Brandon


iPad 2
Reply by Michael Black on Sep 26, 2013 9:19 AM, marked Helpful (full text under All replies)

All replies

  • nsdjoey Level 3

    Hey Brandon,

     

    I haven't seen this or tried it either, but have you tried using the new Apple Configurator v1.4 which was released yesterday? Wonder if that has some new restrictions that could help prevent this from happening.

    https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12

     

    ~Joe

  • brandonmilwaukeeWI Level 1

    Joe,

     

    Yeah, I'm using 1.4.  Plenty of new restrictions, but none applicable to this situation.  I'd hoped to not have to make this jump yet, but as I was supervising a new device, Configurator had it locked in to performing an OS update.  The option to "never update" was totally greyed out. :/    The kicker is that the requirement for the Apple ID is more annoyance than anything else.  It's still possible to put the iPad into DFU/Recovery mode, connect to iTunes and totally bypass supervision and erase the iPad.  It just takes way, way longer and brings the whole 'mass rollout' thing to a screeching halt.

     

    Thanks,

     

    Brandon

  • CraigMN Level 1

    Can you lock it so they can't make changes to location services?

  • brandonmilwaukeeWI Level 1

    Yes, you can.  But signing in with your Apple ID bypasses it for this purpose. Even though the option is 'greyed out', you can actually see the "Find My" device toggle tick over to green (active).  It's just locked in the 'on' state then. 

    I guess the worst part about it all is that this is just friction to actual theft. Anyone can bypass it with 10-15 minutes of very simple work.  The work just makes the management of large numbers of devices time-consuming. Unsupervise and resupervise one iPad?  20 minutes.  Do the same for 20 iPads?  That's the bulk of an 8 hour work day.  AND I've not been able to use Configurator to unsupervise/resupervise more than one iPad at a time successfully.  It's great for automating image restores, but not so much on other things.

  • Michael Black Level 7

    You could disallow changes to accounts in settings, which would stop them from creating any email accounts at all, including iCloud.  If they cannot create an iCloud account, they cannot set up find my iPhone and thus cannot initiate the Activation Lock feature.

     

    They would be restricted to using Safari and web email accounts only.

     

    Alternatively, set up your own Library iCloud account on each one first, enable find my phone, thus initiating Activation Lock but now tied to your specific AppleID and Password.  Then enable restrictions, and lock down account changes.

     

    Now they cannot change the iCloud account (or any account), they cannot restore the device to override that either.
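A check for the account-change lockdown suggested in the reply above, as an added example that is not part of the original thread: it reads an unsigned `.mobileconfig` and reports whether the Restrictions payload sets Apple's `allowAccountModification` key (supervised devices only) to false. The sample profile, its identifiers and the function names are constructed for illustration, and treating a false value in any restrictions payload as "locked" is an assumption.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type


def sample_profile(allow_account_modification=None):
    """Build a constructed, unsigned .mobileconfig (sample data, not a real export)."""
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": "org.example.library.restrictions",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",    # placeholder
        "PayloadVersion": 1,
    }
    if allow_account_modification is not None:
        payload["allowAccountModification"] = allow_account_modification
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "org.example.library",               # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",    # placeholder
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    })


def account_changes_locked(profile_bytes):
    """Return (locked, reason) for one configuration profile."""
    try:
        profile = plistlib.loads(profile_bytes)
    except plistlib.InvalidFileException:
        # Signed or encrypted profiles are not plain plists; unwrap them first.
        return False, "not a plain plist (signed or encrypted profile?)"
    content = profile.get("PayloadContent", []) if isinstance(profile, dict) else []
    payloads = [p for p in content
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return False, "no restrictions payload"
    values = [p.get("allowAccountModification") for p in payloads]
    # Assumption: a false value in any restrictions payload counts as locked.
    if any(v is False for v in values):
        return True, "allowAccountModification is false"
    if all(v is None for v in values):
        return False, "allowAccountModification not set (account changes allowed)"
    return False, "allowAccountModification is true"


if __name__ == "__main__":
    for label, data in [("locked", sample_profile(False)),
                        ("open", sample_profile(True)),
                        ("unset", sample_profile())]:
        print(label, account_changes_locked(data))
```
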

  • brandonmilwaukeeWI Level 1

    Yes - This is exactly the way that I used to set up the iPads.  The problem was that people primarily used these to send emails, visit websites, and access their iCloud documents.  Doing anything that made it more difficult to get documents onto or off of the iPads made them really not particularly useful in an educational environment.  Thanks for the thought though.  If all else fails, I can return them to this sort of configuration.  I'm hoping that I won't have to, though.

  • rccharles Level 6

    There is a way of staying with iOS 6.x.

     

    See the post by arizonacat and others in this thread.

    https://discussions.apple.com/thread/5337442?tstart=0

    Robert