Does installing a "profile" invade my privacy?

[MacBH928]

Hello. I am not sure what is a "profile". There is a service called ControlD that install adblocking DNS on your device. For it to work you have to downoad a profile and install it.

I do not know what a profile is, and I was wondering if this has any privacy risk or ability to break HTTPS encryption. Any help is appreciated.

 

[Blue Hawk]

It depends on if you trust the source site you’re downloading it. I would say.

 

[WarmWinterHat]

Hello. I am not sure what is a "profile". There is a service called ControlD that install adblocking DNS on your device. For it to work you have to downoad a profile and install it.

I do not know what a profile is, and I was wondering if this has any privacy risk or ability to break HTTPS encryption. Any help is appreciated.

It might and might not. You can take a look at the profile and it will give you details of what it is doing.

The Control-D profile is routing all your DNS request to their servers and sending the device name so you can track it on the site. It's up to you if you find that acceptable.

 

[960design]

Hello. I am not sure what is a "profile". There is a service called ControlD that install adblocking DNS on your device. For it to work you have to downoad a profile and install it.

I do not know what a profile is, and I was wondering if this has any privacy risk or ability to break HTTPS encryption. Any help is appreciated.

I can do VERY dangerous things if you let me install a profile. As previously mentioned, no worries if you would allow the installer of the profile to visit your home, hold onto your credit cards for the weekend and have access to your bank account username and passwords, otherwise.... not so good.

Just a small aside from what Apple states about configuration profiles. Some of us bad actors have the ability to lock the profile to your device, permanently. You will literally have to throw the device in the trash, restoring, DFU, nothing short of destroying it will remove a locked profile. Fortunately, Apple provides a 30 day window to remove profiles before they lock to your device. They also have an online contact form to remove any such profiles as long as you have proof of ownership of the iPad.

 

[MacBH928]

It might and might not. You can take a look at the profile and it will give you details of what it is doing.

How can I do that?
this is the link to generate profile:

Generate Profile

This endpoint will returned a signed .mobileconfig Apple DNS profile which can be configured on any modern Apple device. 🚧 Non-standard response: This endpoint does not return json on success (only errors). If valid data was provided you will get a binary data as a response.

docs.controld.com

I can do VERY dangerous things if you let me install a profile. As previously mentioned, no worries if you would allow the installer of the profile to visit your home, hold onto your credit cards for the weekend and have access to your bank account username and passwords, otherwise.... not so good.

Just a small aside from what Apple states about configuration profiles. Some of us bad actors have the ability to lock the profile to your device, permanently. You will literally have to throw the device in the trash, restoring, DFU, nothing short of destroying it will remove a locked profile. Fortunately, Apple provides a 30 day window to remove profiles before they lock to your device. They also have an online contact form to remove any such profiles as long as you have proof of ownership of the iPad.

why would apple lock me out of my own device? If I choose to install it I should be able to choose to uninstall it.

 

[Paddle1]

How can I do that?
this is the link to generate profile:

Generate Profile

This endpoint will returned a signed .mobileconfig Apple DNS profile which can be configured on any modern Apple device. 🚧 Non-standard response: This endpoint does not return json on success (only errors). If valid data was provided you will get a binary data as a response.

docs.controld.com

why would apple lock me out of my own device? If I choose to install it I should be able to choose to uninstall it.

I believe that is for business/professional use. For example, If you're in charge of IT in a company you can install a profile to grant or restrict access to something.

For what it's worth, I have used ControlD in the past and not had any problem.

 

[960design]

why would apple lock me out of my own device? If I choose to install it I should be able to choose to uninstall it.

I really do not know how to answer that. In my mind it is kind of like asking why would Ford let someone steal my car if I gave them the keys, or why does Apple not let my device work if I turn it off.

You can install any configuration profile and you have the ability to remove ALL of them within 30 days. Bad actors (anyone) can create profiles that will permanently lock to your device after 30 days. I believe the real reason is to allow companies to add devices purchased outside of company funding. For example, the CEO picks up an iPhone while on vacation in Italy. When they get back to the office they want it to have access to proprietary networks or networked files. IT can send a configuration profile via email, weblink, ect to allow the CEO access. The 30 day window allows the CEO to change their mind, but also prevents them from accidentally removing it from the device 6 months later, while bored on a business trip and forgetting why they added it. IT can always remove these profiles at a later date, but bad actors may not be incentivized to remove it.

From Apple:

 

[NoBoMac]

There is a service called ControlD that install adblocking DNS on your device.

Looks like can manually setup DNS to use their free ad blocking servers. No need to install a profile and possibly open up the device to "bad things".

76.76.2.2
76.76.10.2

Sure, need to add those entries to each new network one connects to, but probably not that big a deal as probably connecting to same networks throughout the week (eg. home, work, favorite coffee shop, gym, etc). So what if briefly connecting to some other network and get an ad or two.

 

[hobowankenobi]

Hello. I am not sure what is a "profile". There is a service called ControlD that install adblocking DNS on your device. For it to work you have to downoad a profile and install it.

I do not know what a profile is, and I was wondering if this has any privacy risk or ability to break HTTPS encryption. Any help is appreciated.

Generally speaking, you can think of Profiles on Apple devices as managed preferences. Typically they are used in organizations to manage devices, primarily to change settings or lock settings (to prevent users from changing settings)

why would apple lock me out of my own device? If I choose to install it I should be able to choose to uninstall it.

Apple would not...the device manager would, assuming it owned and managed by an organization. This is common on enterprise or education devices, as it is not YOUR device. It belongs to the institution, and they can lock it down as they see fit. Same holds true in the MS world as well.

And...there are a couple of levels of profiles.

1. Profiles that you can install and delete manually if you are an admin on the computer

2. Profiles that are created, installed, and managed by an organization on devices that they own.


Profiles can be much more powerful than locally created preferences, so there is a case for use even in small orgs. They are pretty much the only way to set some global preferences for all users on a device too. There are plenty of good and useful ways to explore profile creation and use.

A fun one (for Macs) is this site that will let you build a new default dock preference that can be distributed and installed (and removed) easily by a device admin.

 

[MacBH928]

I really do not know how to answer that. In my mind it is kind of like asking why would Ford let someone steal my car if I gave them the keys, or why does Apple not let my device work if I turn it off.

No its more like, "give me the option to reset the device" . This is pretty dangerous. If anyone can send a profile to anyone and lock their phones its going to be "ransomware galore" .

I think if they want to restrict the user ability to reset the device, there should be some "administered iOS" where you basically give up your rights to the device by installing the "administered" version of iOS.

Looks like can manually setup DNS to use their free ad blocking servers. No need to install a profile and possibly open up the device to "bad things".

76.76.2.2
76.76.10.2

Sure, need to add those entries to each new network one connects to, but probably not that big a deal as probably connecting to same networks throughout the week (eg. home, work, favorite coffee shop, gym, etc). So what if briefly connecting to some other network and get an ad or two.

you are correct. But I noticed that a lot of times youtube thumbnails and media on Twitter do not load or stutter. Somehow if i turn VPN to another country it works fine.

So either my ISP routing sucks, or their free DNS blocklist is too restrictive its messing with the performance of apps/sites. If I choose my own blocklist, I can use a more lenient list.