Bypassing Pesky MDM App Blocking

January 17, 2023 | 10:22 AM

Apples only (because they are delicious, DUH)

Preface

Mobile Device Management (MDM) lets an organization remotely configure and manage devices: push software updates and settings, monitor compliance with organizational policy, remotely lock or erase a device, and install or block apps.

How Does It Work?

MDM works by enrolling the device with an MDM profile, after which the device accepts commands from the MDM server. The server’s URL is set in the enrollment profile and can be read back from the device’s settings. When the server has a command for the device, it sends a push notification through APNs (Apple Push Notification service); the push carries no command itself, it is only a wake-up. The device then opens a TLS connection to the server URL and authenticates with the identity certificate it was issued at enrollment. It sends its status as a plist in an HTTP PUT request, the server replies with the next queued command, the device executes it and reports the result with another PUT, and the loop repeats until the queue is empty.

So if the device cannot reach the MDM server’s URL, it never completes a check-in, never receives the queued commands, and an app-blocking command sitting in that queue is never executed. The APNs push still arrives; it only triggers a check-in that fails. Two caveats to expect: anything already applied on the device, such as a restrictions profile installed at enrollment or an app already removed, stays in effect, because profiles are enforced locally and do not need the server; and the server keeps the command queued and records the last successful check-in, so the gap is visible to an administrator who looks.
TLDR: By not allowing the device to contact the control server, we bypass app restrictions.
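
The loop described above, as an added toy model that is not code from this post: a server with a per-device command queue, a device that resolves the server name before it connects, and the same RemoveApplication command queued for two devices, one of which uses a resolver that sinkholes the MDM name. The plist keys (UDID, Status, CommandUUID, Command, RequestType, Identifier) are the real MDM protocol keys; the hostname, the server, the resolvers and the app list are constructed for illustration. Note what the blocked device does not do: it never sends a PUT, so the server’s check-in count for it stays at zero and the command stays queued.

```python
"""Added example (not code from the post): a toy model of the MDM command loop.
Plist keys are the real MDM protocol keys; server, queue, hostname and the two
resolvers are constructed for illustration."""
import plistlib
import socket
import uuid

MDM_HOST = "mdm.example.org"  # hypothetical ServerURL host from the enrollment profile


class MdmServer:
    """Stand-in for the MDM server: one command queue per enrolled device."""

    def __init__(self):
        self.queues = {}     # UDID -> pending commands, in order
        self.checkins = {}   # UDID -> number of PUTs received (what "last seen" is built from)

    def enqueue(self, udid, request_type, **params):
        cmd = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": request_type, **params}}
        self.queues.setdefault(udid, []).append(cmd)
        return cmd["CommandUUID"]

    def handle_put(self, body):
        """Server side of the device's HTTP PUT: read its status, answer with the next command."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        self.checkins[udid] = self.checkins.get(udid, 0) + 1
        queue = self.queues.get(udid, [])
        if msg["Status"] in ("Idle", "Acknowledged") and queue:
            return plistlib.dumps(queue.pop(0))
        return plistlib.dumps({})  # stands in for the server's empty 200 response


class Device:
    """Enrolled device. `resolve` is the DNS lookup it does before opening TLS."""

    def __init__(self, udid, server, resolve=socket.gethostbyname):
        self.udid = udid
        self.server = server
        self.resolve = resolve
        # constructed: apps present before the server queues anything
        self.installed_apps = {"com.example.blinkshell", "org.mozilla.ios.Firefox"}

    def check_in(self):
        """What the device does when an APNs push wakes it: resolve, connect, drain the queue."""
        try:
            self.resolve(MDM_HOST)
        except socket.gaierror:
            return []  # name sinkholed: no TLS session, no PUT, no commands
        executed = []
        status = {"UDID": self.udid, "Status": "Idle"}
        while True:
            reply = plistlib.loads(self.server.handle_put(plistlib.dumps(status)))
            if "Command" not in reply:
                return executed
            cmd = reply["Command"]
            if cmd["RequestType"] == "RemoveApplication":  # one command an MDM can use against an app
                self.installed_apps.discard(cmd["Identifier"])
            executed.append(cmd["RequestType"])
            status = {"UDID": self.udid, "Status": "Acknowledged",
                      "CommandUUID": reply["CommandUUID"]}


def resolves(host):      # constructed resolver: the MDM name resolves normally
    return "203.0.113.10"


def sinkholed(host):     # constructed resolver: the MDM name is on the denylist
    raise socket.gaierror(f"{host}: blocked by filtering resolver")


def demo():
    """Same command queued for two devices; only the one that can resolve the server runs it."""
    srv = MdmServer()
    normal = Device("UDID-A", srv, resolve=resolves)
    blocked = Device("UDID-B", srv, resolve=sinkholed)
    for dev in (normal, blocked):
        srv.enqueue(dev.udid, "RemoveApplication", Identifier="org.mozilla.ios.Firefox")
    return {
        "normal_ran": normal.check_in(),
        "normal_apps": normal.installed_apps,
        "blocked_ran": blocked.check_in(),
        "blocked_apps": blocked.installed_apps,
        "still_queued_for_blocked": len(srv.queues["UDID-B"]),
        "checkins_seen": (srv.checkins.get("UDID-A", 0), srv.checkins.get("UDID-B", 0)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out what the real protocol also has (the identity certificate, the separate check-in endpoint, result payloads): the point is only that commands are pulled by the device, never pushed, so a name that does not resolve is a queue that never drains.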

Why?

This is for students who are annoyed with their organization blocking utility apps like Blink Shell, Bitwarden or even Firefox. (I am not responsible for anything that happens with this!)

How?

Alright, enough said, here’s how to stop MDM from controlling your apps. There are more ways to do this than the two below; they are just examples.

Prior

Before doing anything, open Settings on the device and go to General, Device Management (called VPN & Device Management on newer iOS versions), Mobile Device Management, More Details, and note the URL shown under Mobile Device Management. Only the host name matters: the part after https:// and before the first slash, e.g. google.com rather than https://google.com/search?q=askew.

NextDNS

This is one of the easiest ways. (Note: disable it when you are not at school or the MDM is not active, because the free plan is capped at 300,000 queries per month and every query the device makes counts against it.)

  1. Go to my.nextdns.io.
  2. Make a new account and log in.
  3. Scroll down to Setup Guide and choose iOS.
  4. Follow the instructions under “NextDNS for iOS” rather than “Configuration Profile”, as most MDM policies won’t let you install a profile.
  5. Make sure to change your DNS settings as well!
  6. Go back to the NextDNS configuration website.
  7. Go to Denylist and add the MDM host name you noted earlier (if you can’t find it, use the domain of your MDM provider, e.g. mosyle.com; a denylist entry also covers its subdomains).
  8. Add a random website you can currently reach to the denylist as well (e.g. yahoo.com); it is your canary for whether the filter is actually in use.
  9. Enable NextDNS.
  10. Try to open the canary site. If it does not load, the filter is in the path. If it still loads, your configuration is wrong; recheck it.
  11. Check the NextDNS logs for a final confirmation that queries for the MDM host are being blocked.
  12. Remove the canary site from the denylist (if you want to reach it again, that is).
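
Steps 8 to 12 as a script, added here and not part of the post: it resolves the MDM host, the canary and a known-good control host and reports whether the first two are sinkholed while the third still answers. The same check applies to the Cloudflare setup below. Run it from a laptop that uses the same NextDNS profile (or the same WARP enrollment); on the iPad itself the NextDNS logs of step 11 are the quicker equivalent. The hostnames are hypothetical and `fake_resolver` is a constructed stand-in so the module also runs offline.

```python
"""Added example (not from the post): confirm the filtering resolver sinkholes the
MDM host name while ordinary names still resolve. Hostnames are hypothetical."""
import socket

# Addresses filtering resolvers hand back for a blocked name instead of NXDOMAIN
SINKHOLE = {"0.0.0.0", "::", "127.0.0.1", "::1"}


def lookup(host, resolve=socket.getaddrinfo):
    """Set of addresses for host, or None when resolution fails (NXDOMAIN, REFUSED, no answer)."""
    try:
        return {info[4][0] for info in resolve(host, None)}
    except socket.gaierror:
        return None


def is_blocked(addrs):
    """Blocked means no answer at all, or nothing but sinkhole addresses."""
    return addrs is None or addrs <= SINKHOLE


def verify_block(mdm_host, canary_host, control_host, resolve=socket.getaddrinfo):
    """MDM host and canary must be blocked; a known-good host must still resolve.
    The canary (step 8) proves the device is really using the filter; the control
    host proves the filter is not simply failing every query."""
    answers = {h: lookup(h, resolve) for h in (mdm_host, canary_host, control_host)}
    return {
        "mdm_blocked": is_blocked(answers[mdm_host]),
        "canary_blocked": is_blocked(answers[canary_host]),
        "control_resolves": not is_blocked(answers[control_host]),
        "answers": answers,
    }


def fake_resolver(table):
    """Constructed resolver: table maps host -> list of addresses, or None for NXDOMAIN."""
    def resolve(host, port=None):
        addrs = table.get(host)
        if addrs is None:
            raise socket.gaierror(f"{host}: NXDOMAIN")
        return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (a, 0)) for a in addrs]
    return resolve


if __name__ == "__main__":
    # live run: uses this machine's configured resolver; replace the hostnames with yours
    result = verify_block("mdm.example.org", "yahoo.com", "apple.com")
    ok = result["mdm_blocked"] and result["canary_blocked"] and result["control_resolves"]
    print("filter in path and MDM host sinkholed" if ok else f"not yet: {result}")
```

A filter that returns 0.0.0.0 and one that returns NXDOMAIN both count as blocked here; what you do not want to see is a real address for the MDM host, which means the query went to some other resolver.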

Cloudflare Zero Trust

This is a harder way of doing it, but it has its benefits and there is no limit on the number of requests. (If you are from a certain school and you know me, shoot me a message via Teams or iMessage or just ask me IRL and I’ll send you the team name that is already configured so you don’t have to do this.)

  1. Go to cloudflare.com and make an account (or click here).
  2. Go to one.dash.cloudflare.com.
  3. Choose a team name (can be whatever you want!).
  4. Choose the free plan.
  5. Go to the Zero Trust dashboard.
  6. Click on Gateway and the Firewall policies.
  7. At “Start filtering your DNS traffic” (DNS / +Add a Policy), click on “Create a DNS policy”.
  8. Give a name to your policy and scroll down to “Build an expression”.
  9. In “Selector”, choose “Domain”.
  10. In “Operator”, choose “is”.
  11. In “Value”, put the domain of the MDM server.
  12. In “Select an action”, choose “Block”.
  13. You can choose whether to display a block page or not; it shouldn’t matter for this application.
  14. Click on “Create policy”.
  15. Go to “Settings”, then “WARP Client”.
  16. Under “Device enrollment”, click Manage.
  17. Add a new rule and give it a name.
  18. For “Rule action”, select “Allow”.
  19. In “Selector” for include, choose “Email” (Or “Email ending in” if you want to share it with your friends).
  20. In “Value”, put your email. (Or if you are using “Email ending in”, put your school’s email domain, e.g: @sillygoosy.ca instead of contact@sillygoosy.ca).
  21. Click “Save”.
  22. Download 1.1.1.1 from the App Store.
  23. Open it, go to the 3 bars on the top right and click on Account.
  24. Choose “Sign in with Cloudflare Zero Trust”.
  25. Then put in the team name that you chose.
  26. Use the email you put in step 20 (or any email ending in that domain if you used the “Email ending in”).
  27. Test it and you should be done!
  28. ;)

Postface

In conclusion, I hope this guide was easy to follow and helped you. If you have any questions or need further assistance, please feel free to reach out to me.
It’s important to note that while this guide can be helpful for most users, it may not be applicable to all situations. I do not encourage the use of this if your plan is to play games all day.