Apple Intelligence is now available on iPhone, iPad, and Mac!
I have found that I have hidden unremovable MDM profiles in my iPhone and iPad. Can someone tell me how to get rid of them and who installed them?
I found payload manifests and profile content/restrictions in the log folder MC State in a sysdiagnose that I ran on both devices. An example:
iPhone 14 Pro Max
Watchlistvictim wrote:
Will you explain what information needs to be presented from a device being managed beyond the cellular Wi-Fi and carrier settings—and what makes the information provided inconclusive?
Scroll up and read the posting I was replying to.
As part of acquiring evidence of compromise, that usually involves familiarity with the platform, familiarity with what is normal and expected (such as routine log chatter), and gathering details of what is not normal. There are books and classes on those topics; on the platform, and on forensics.
Will you explain what you mean when you say mysteriously managed?
Devices purportedly managed by unknown or unidentified or suspected others, while lacking visible installed profiles, and lacking carrier profiles. That would include the “hidden unremovable MDM profiles” mentioned earlier in this thread.
and what you mean by generic, ominous and scarily-worded details?
Misgivings manifesting from misinterpretations of the mundane, mostly.
What would make this a result of the information being in a log?
See the original post above.
Further complicating these discussions, iPhone, iPad, and Mac are most definitely not invulnerable, compromises can exist, and forensics investigations typically require direct device access, time and effort, and may well find no evidence, that investment may well not resolve anything.
In short: Proving a negative—that a device is not somehow compromised—is basically impossible.
Or sometimes there is some other security or privacy issue involved, such as concealed cameras or compromised passwords or cellular trackers or otherwise. Or the purported perpetrator is simply gaslighting their intended victim, possibly based on other sources of information.
While Apple products are not invulnerable, compromises are by no means easy. And that the exploits involved are exceedingly expensive—full exploits with persistence are worth a couple of million dollars each, and their usage is typically targeted, based on available info. If you’re being targeted by folks with the level of resources that entails, you’re probably going to have a bad day, and you’ll accordingly want and need personally-tuned and tailored help with your security.
Watchlistvictim wrote:
Will you explain what information needs to be presented from a device being managed beyond the cellular Wi-Fi and carrier settings—and what makes the information provided inconclusive?
Scroll up and read the posting I was replying to.
As part of acquiring evidence of compromise, that usually involves familiarity with the platform, familiarity with what is normal and expected (such as routine log chatter), and gathering details of what is not normal. There are books and classes on those topics; on the platform, and on forensics.
Will you explain what you mean when you say mysteriously managed?
Devices purportedly managed by unknown or unidentified or suspected others, while lacking visible installed profiles, and lacking carrier profiles. That would include the “hidden unremovable MDM profiles” mentioned earlier in this thread.
and what you mean by generic, ominous and scarily-worded details?
Misgivings manifesting from misinterpretations of the mundane, mostly.
What would make this a result of the information being in a log?
See the original post above.
Further complicating these discussions, iPhone, iPad, and Mac are most definitely not invulnerable, compromises can exist, and forensics investigations typically require direct device access, time and effort, and may well find no evidence, that investment may well not resolve anything.
In short: Proving a negative—that a device is not somehow compromised—is basically impossible.
Or sometimes there is some other security or privacy issue involved, such as concealed cameras or compromised passwords or cellular trackers or otherwise. Or the purported perpetrator is simply gaslighting their intended victim, possibly based on other sources of information.
While Apple products are not invulnerable, compromises are by no means easy. And that the exploits involved are exceedingly expensive—full exploits with persistence are worth a couple of million dollars each, and their usage is typically targeted, based on available info. If you’re being targeted by folks with the level of resources that entails, you’re probably going to have a bad day, and you’ll accordingly want and need personally-tuned and tailored help with your security.
SashaSun1981 wrote:
Did you ever get an answer to this?!
Cellular carriers can have profiles for carrier-associated Wi-Fi networks used to offload cellular networks when available,
and other managed profiles will typically show up in settings,
and second-hand iPhone and iPad and Mac can sometimes arrive with profiles when the equipment was improperly released from supervision or was stolen,
and logs and telemetry are routinely filled with ominous and scarily-worded and utterly-benign messages.
Do you have particular symptoms or issues or concerns?
Related reading: Personal Safety User Guide - Apple Support
Run Safety Check described there, as a starting point.
That’s a less-than-readable dump of a binary-formatted plist file. Format it, and have a look.
https://medium.com/@karaiskc/understanding-apples-binary-property-list-format-281e6da00dbd
Formatting options include /usr/libexec/PListBuddy, etc.
I don’t expect that is anything untoward, given the reported location.
CCGE wrote:
Again, not a very helpful answer. Can someone else explain to me why there are hidden configuration profiles on my devices, and how I can get rid of them? My devices have never been managed since purchased new from Apple, and now this
None of what has been presented clearly indicates there is anything being managed. Nothing of what has posted supports the conjecture.
So yes, my reply was unhelpful.
For the goal of proving a device is being mysteriously managed—beyond the cellular Wi-Fi and carrier settings for used for carrier apps and such—the information provided is inconclusive at best.
And given that this info is in a log, there are all sorts of generic and ominous and scarily-worded details shown in those.
Again, not a very helpful answer. Can someone else explain to me why there are hidden configuration profiles on my devices, and how I can get rid of them? My devices have never been managed since purchased new from Apple, and now this
Will you explain what information needs to be presented from a device being managed beyond the cellular Wi-Fi and carrier settings—and what makes the information provided inconclusive?
Will you explain what you mean when you say mysteriously managed? and what you mean by generic, ominous and scarily-worded details?
What would make this a result of the information being in a log?
Did you ever get an answer to this?!
Hidden MDM profiles in iPad and iPhone
