Introduction

Mobile Device Management (MDM) profiles are powerful tools used by organizations to manage and secure iOS devices. However, there are situations where developers and power users might need to temporarily remove these profiles for testing or development purposes (for sure). In this guide, I'll share my experience removing MDM profiles from an A12 iPhone XS and a 5th gen iPad using a jailbreak approach.

Prerequisites

Before we begin, it's important to note that this is a procedure that:

• Requires a jailbroken device
• May cause you to lose your jailbreak
• Should only be attempted by experienced users
• Is meant for development and testing purposes (for sure) and should not be used to take over your school or work device
• Requires a brain

I successfully achieved this using a combination of unc0ver and Chimera. This dual-jailbreak approach proved useful because when the profile trust for Chimera was accidentally removed, I could still rejailbreak with unc0ver due to its separate profile.

I had palera1n installed on the iPad though so I had a more straightforward approach.

Understanding the Configuration Files

The core of MDM profile management lies in the following directory:

/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles

Important Safety Steps

Before making any modifications:

1. Install Filza file manager
2. Create a backup of the entire ConfigurationProfiles directory
3. Document all changes you make

This backup is crucial as incorrect modifications could potentially prevent your device from booting, resulting in the loss of your jailbreak.

Required Modifications

Let's examine the key files and necessary changes, you can edit the files with Filza or your preferred .plist editor:

1. CloudConfigurationDetails.plist

This file contains the core MDM configuration settings:

<string>https://XXXXXXXXXXXXX...</string>
<key>ConfigurationWasApplied</key>
<true/>
<key>IsMDMUnremovable</key>
<integer>1</integer>
<key>IsMandatory</key>
<true/>
<key>IsMultiUser</key>
<false/>
<key>IsSupervised</key>
<true/>

<key>OrganizationEmail</key>
<string>[email protected]</string>

Required changes:

• Set the URL to something random or something you control
• Set IsMDMUnremovable to 1
• Change IsMandatory to false
• Change IsSupervised to false
• Update OrganizationEmail to an email you control

2. MDM.plist

This file manages MDM server connections:

<key>CheckInURL</key>
<string>https://garbage.net</string>
<key>IdentityPersistentRef</key>

<key>ServerURL</key>
<string>https://garbage.net</string>
<key>SignMessage</key>
<true/>
<key>Topic</key>

Required changes:

• Modify CheckInURL to point to a non-existent or controlled endpoint
• Modify ServerURL to point to a non-existent or controlled endpoint
• Set SignMessage to false

3. MDMAppManagement.plist

This file handles MDM-managed applications:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>metadataByBundleID</key>
    <dict>
        <key>com.air-watch.agent</key>
        <dict>
            <key>Attributes</key>
            <dict/>
            <key>flags</key>
            <integer>X</integer>
            <key>state</key>
            <integer>X</integer>
        </dict>
    </dict>
</dict>
</plist>

Action required:

• Remove the entire metadataByBundleID dictionary, leaving an empty dict structure

Final Steps

Cleaning Up GUID Files

The final step involves managing GUID.stub files in the directory. These files come in two categories:

1. Legitimate profile stubs (like those from unc0ver or Chimera - if you use them of course)
2. MDM-related profile stubs

To identify MDM-related GUIDs, compare them with a clean device that only has legitimate jailbreak profiles. The GUIDs appear to be deterministic rather than random, making identification possible through comparison.

In my case though, my device was jailbroken with palera1n and I didn't have any legitimate profiles. I just deleted all the GUID.stub files.

PayloadManifest.plist

Remove all GUID references from the OrderedProfiles section of this file and make the dictionary empty.

Results and Verification

After applying these modifications and navigating to the Settings -> General -> VPN & Device Management tab with an active internet connection after rebooting your device should make the MDM profile disappear. However, it's important to note that this is a temporary solution and the profile may be reinstalled through various means, including:

• Factory reset
• Restoring the device
• Device updates
• MDM server reconnection
• Profile reinstallation

The way this workaround works is, it changes the endpoints so that the profile can't be reinstalled and the administrator also isn't notified. Your device will just show up as offline on the MDM interface. Your profile will come back if you factory reset or restore the device. You will be good to use the device without restrictions until that happens though.

Conclusion

While this method successfully removes MDM profiles, you should know that it's not a permanent solution but just a workaround. The procedure requires careful attention to detail and proper backup procedures to prevent potential device issues.

Remember that this is a technique that carries risks, including the potential loss of your jailbreak. Always ensure you have proper backups and understand the implications before proceeding.