SOLVED

Intune iOS Jailbreak false positives (Resolved)

Iron Contributor

Recently we have witnessed a few detections of Jailbroken devices marked noncompliant by the Compliance policy, but after the next Check-in or Compliance check the devices return to a compliant state. We have not had any detections for a long period and now got a few during a brief period, which is quite worrisome regardless of reasons.

 

There are only a few possibilities for what it could be related to:

  1. User has actually Jailbroken their device (not the case for my users)
  2. Intune has changed their detections with errors (did not spot relevant changes)
  3. Apple has changed something in their latest OS update (not likely as it is not widespread)
  4. Some sort of malicious activity from advanced threat actors (highly unlikely)

 

There is no commonality between the devices either; there are various models of iPhone and iPad with different operating system versions. And the users are not even in the same network or region.

 

There are also big problems with compliance reporting across various reports: the device Overview might have a status of Compliant, but looking under the Device compliance menu for a specific device it might report the device as Not Compliant, and that status is not just lingering for a brief time after Check-in and violation clear. It has stayed like that for a time now.

 

I have contacted Microsoft Support regarding this but no word just yet, so not sure if I am the only one or is it some sort of blunder from detection side. Any ideas? 

4 Replies
best response confirmed by Alo Press (Iron Contributor)
Solution
Got some additional information on this and it looks like it's a client-side detection bug, and the issue should most likely be fixed by Monday. Until then it's possible to give the policy a grace period or turn off the detection, etc.; it's up to everyone to decide.

This might mean that there is a good chance of a required update for the Company Portal app.

Hope this information helped.

We also saw this on a few devices starting Wednesday, May 5th.  Un-enrolling and re-enrolling into Intune fixed the issue for us.

 

Microsoft has told us they have no idea why it's happening and have not heard of any other customers reporting this.  Did you get any confirmation of how/when the bug was going to be fixed?

 

@Alo Press 

Hello @JaimeH_TS 

 

Thanks for replying! 

 

Yeah, we luckily only had very few devices falsely reporting Jailbroken status, and we also re-enrolled some of them, while others reported Compliant after a Compliance check and a Sync. I can also confirm that the issues started around the 4th of May (or at least our first detection), I would guess after some sort of update either on the server side or in the Intune app (4.16.0), even though it looks like the last change was on the 30th of April, which could have led the Jailbroken status to pop up significantly sooner, but who knows. It could also be related to some Apple security updates that were released on the 3rd of May.

 

I talked to a Support guy who was already familiar with the situation, and the issue was being worked on. From what I could gather they had actually done a hotfix on the server side to avoid further false reporting and were actively working on the issue, hopefully getting it fixed by Monday. I would keep an eye on the App Store for an updated client for "fixed" status, but some of this is just guessing, since there is no notice on the Intune Service Health page.

 

As far as I could tell there is actually some sort of bug with the Jailbroken status detection, but I am not sure if it was actually on Microsoft's part or there was something funky with Apple; I did not dig around too much after talking to support.

 

Hope this helps!

Mobile Application Management (MAM) users targeted with an App Protection Policy on iOS devices can't access some apps
 
IT254590, Microsoft Intune, Last updated: May 9, 2021 10:18 PM
Start time: April 7, 2021 10:00 PM, End time: May 9, 2021 9:35 PM
Issue type: Advisory
Status: Service restored
User impact: MAM users targeted with an App Protection Policy on iOS devices couldn’t access some apps.
 
Latest message May 9, 2021 10:18 PM
 
Title: Mobile Application Management (MAM) users targeted with an App Protection Policy on iOS devices can't access some apps
User Impact: MAM users targeted with an App Protection Policy on iOS devices couldn’t access some apps.
More info: Users may have seen the following error message on iOS devices: “Alert - This app cannot be used because you are using a jailbroken device. Contact your IT administrator for help.”
Impact to users was varied. In some instances, users may have been asked to re-enroll the application. In another, users may have been denied access to corporate resources.
Final status: Following the deployment of our fix, we've confirmed that impact has been resolved.
Scope of impact: Your organization was affected by this event, and any user targeted with an App Protection Policy on iOS devices may have experienced impact.
Start time: Wednesday, April 7, 2021, 10:00 PM (7:00 PM UTC)
End time: Sunday, May 9, 2021, 9:35 PM (6:35 PM UTC)
Root cause: A recent update to the Microsoft Intune App Protection SDK introduced an issue that mistakenly marked iOS devices as jailbroken.
Next steps:
- We're reviewing our update procedures to better understand the App Protection SDK issue and to help identify similar issues during our development and testing cycles.
This is the final update for the event.