Mobile Device Management (MDM) solutions
When connecting MOBILedit Forensic to a device with a Mobile Device Management (MDM) solution installed, data could be deleted from the device.
Law enforcement and investigators in the corporate and private sectors should consider this.
When examining a mobile phone, it is crucial to establish whether or not a Mobile Device Management (MDM) solution is installed or operating on the device. MDMs are used in enterprise environments to manage company endpoint device configurations, allowed applications, and security. Assets can be tracked, and remotely wiped if they are stolen or missing or if there is unauthorised access.
Each MDM behaves differently due to the admin policies set by the organisation deploying the MDM. It is possible that by connecting an MDM-managed device to MOBILedit Forensic, the device could become locked, factory reset or have data deleted.
Depending on the settings of the MDM solution, events could be triggered by the actions and processes that MOBILedit Forensic performs to extract and analyse data from a device. Alternatively, where a connection is possible, the restrictions imposed by the MDM may prevent MOBILedit Forensic from performing a complete extraction and analysis.
If working on a suspect device, a “volunteered” device or at the request of the device owner, you should contact the owner or MDM administrator and ask them to change the settings on the device you are examining.
There are two currently known options:
Allow installation of the app globally or on a specific device.
Add subject phones to a group and temporarily lift restrictions.
This allows MOBILedit Forensic to function correctly without jeopardising the data. If this is not possible, you may need to research the MDM online or contact the MDM developer.
If you need further advice, you should contact technical support.
Some of the known issues are:
MOBILedit Forensic connector causes data loss.
Application downgrade cannot be completed due to restrictions in creating ADB backups.