I am trying to perform acquisition of an IOS device that has an InTune policy applied. I have the device and the organization have removed the InTune restrictions however, I cannot get the prompt 'Trust this Device' to appear. The device registered the USB connection, begins to charge and the folder showing the amount of GB usage appears on my desktop, its empty but I know the device is being recognized.
Working with the organization, they have a setting with DEP enabled with a config of 'Sync with computers: Deny All'. We believe the only way to undo this config is a factory reset, which obviously we want to avoid.
My current forensic tool provider says there is no work around for this in their product, wondering if anyone has any suggestions?
Interesting discussion. If Microsoft Intune policy is applied to an iOS device, that can significantly complicate forensic extraction — especially when corporate‑managed protections and restrictions are in place. Modern iOS encryption (with Secure Enclave or similar) already makes full logical or physical extraction very hard without passcode or exploit, and layering Intune’s Device/App policies means some data might be inaccessible or wiped automatically.