MDM?
Hello - I think someone got admin access to my iPhone and MacBook in 2015. Long story. After I learned of the security problem, my MacBook wouldn’t start. The laptop fan wasn’t even on, but it had an active session on my home router with UPnP IGD UDP 53167. Its local IP address was 192.168.1.11:16402. The connection terminated when I removed the MacBook’s battery.
Anyway, I occasionally look back at logs and stuff from 2015. It was a tough time, and I suspected someone was messing with me via MDM. So, I looked through a MacBook log that I saved from December 2015. This caught my attention:
12/20/15 10:26:21.371 AM UserEventAgent[197]: user agent networkd: built Aug 22 2015 17:52:51
And I found an old email delivered to me on Aug 22, 2015 around 6:30 pm. And it had a PDF file attached to it. So, I connected my iPhone to my desktop and monitored it with Apple Configurator. I opened the PDF, and the iPhone did this:
Aug 1 18:30:13 XXXXX-iPhone CacheDeleteAppContainerCaches[1917] <Notice>: Managed personas: <private>
And a lot more delete app container caches. I mean a lot! I’ll spare y’all the incredibly long log. Here are some more entries that look like MDM enrollment:
Aug 1 18:30:14 XXXXX-iPhone identityservicesd(IMFoundation)[51] <Notice>: Created connection to com.apple.idsremoteurlconnectionagent.embedded.auth service: 0x13df8c580
...
Aug 1 18:30:14 XXXXX-iPhone IDSRemoteURLConnectionAgent(IMFoundation)[2010] <Notice>: Created XPC service with name: com.apple.idsremoteurlconnectionagent.embedded.auth (Connection: 0x100f13810)
...
Aug 1 18:30:14 XXXXX-iPhone mDNSResponder[116] <Notice>: [R5653] DNSServiceCreateConnection START PID[2011](IMRemoteURLConn)
...
Aug 1 18:30:14 XXXXX-iPhone identityservicesd(ApplePushService)[51] <Notice>: <private> making delegate (<private>) calls to deliver message 2888089500 <private> for topic com.apple.madrid
Aug 1 18:30:14 XXXXX-iPhone identityservicesd(ApplePushService)[51] <Notice>: <private> calling <private> connection:didReceiveIncomingMessage:
Aug 1 18:30:14 XXXXX-iPhone identityservicesd(IDSFoundation)[51] <Notice>: Received message for topic com.apple.madrid with command 100
Aug 1 18:30:14 XXXXX-iPhone apsd[98] <Notice>: Looking up connection on peer: 4f897c0 found <private>
Aug 1 18:30:14 XXXXX-iPhone apsd[98] <Notice>: <private> informed that <private> acknowledges incoming message with guid <private> tracingUUID (null)
...
Aug 1 18:30:14 XXXXX-iPhone identityservicesd(CommunicationsFilter)[51] <Notice>: identifier:0x13df6d9c0, isEmail:0 isPhone:1
Would a 5-year-old script be able to enroll my new iPhone? I hope not! It looks like the Apple push certificate has expired:
Aug 1 18:30:14 XXXXX-iPhone identityservicesd[51] <Notice>: Missing decryption keys, need to query {underLimit: YES, remoteURI: <private>, localURI: <private>, service: com.apple.madrid}
Aug 1 18:30:14 XXXXX-iPhone identityservicesd[51] <Notice>: Forgetting peer tokens for URI: <private> from URI: <private> service: com.apple.madrid
Aug 1 18:30:14 XXXXX-iPhone identityservicesd[51] <Notice>: Forgetting session tokens for URI: <private> from URI: <private> service: com.apple.madrid
...
Aug 1 18:30:14 XXXXX-iPhone identityservicesd[51] <Notice>: => Expired status -- returning unknown {URI: <private>, fromURI: <private>, difference: 647513.100344, timeNeeded: 28799.966020}
In early 2016, I found this article:
https://blog.rapid7.com/2015/11/26/reduced-annoyances-and-increased-security-on-ios-9-a-win-win/
It’s based on Jonathan Zdziarski’s work at the time, and it was a method to prevent iOS from trusting new enterprise application certificates. I don’t know if it still works. And I looked through CVE details, and I couldn’t find MDM enrollment through a PDF.
Any idea how I can find out what MDM “solution” this was and who registered it? I’m looking for more info than a suspicious email from someone I knew. Thanks in advance.
iPhone 11, iOS 13
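As an added example (editor's code, not part of the post above): a small Python parser for the syslog-style lines that Apple Configurator's console shows, in the format the poster quoted. It splits each line into timestamp, host, process, subsystem, PID, level and message, tallies entries per process and per APNs topic, and flags any entry written by the iOS MDM daemons so a reader can see which subsystem actually produced a given line before treating it as enrollment activity. The process-to-subsystem labels in `KNOWN_PROCS` are my own annotations, and the final `mdmd` sample line is constructed to show what a hit looks like; the other sample lines are copied from the post.

```python
import re
from collections import Counter

# Console lines look like:
#   Aug  1 18:30:14 XXXXX-iPhone identityservicesd(IMFoundation)[51] <Notice>: message
# i.e. timestamp, host, process(optional subsystem)[pid] <level>: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\s(\[]+)(?:\((?P<subsys>[^)]*)\))?\[(?P<pid>\d+)\] "
    r"<(?P<level>[^>]+)>: (?P<msg>.*)$"
)

# APNs topic names mentioned inside a message, e.g. "for topic com.apple.madrid"
TOPIC_RE = re.compile(r"\btopic (com\.apple\.[\w.]+)")

# Assumption (editor's annotation, not from the post): which daemon belongs to
# which subsystem. mdmd and profiled are the iOS MDM/profile daemons; the
# others are Apple's push, identity and DNS services.
KNOWN_PROCS = {
    "mdmd": "MDM client daemon (processes MDM commands)",
    "profiled": "configuration profile daemon (profile install/remove)",
    "identityservicesd": "IDS, the iMessage/FaceTime identity service",
    "apsd": "Apple Push Notification daemon",
    "mDNSResponder": "DNS / Bonjour resolver",
}
MDM_PROCS = {"mdmd", "profiled"}

# Sample input. The first six lines are copied from the post; the last mdmd
# line is CONSTRUCTED to show what a hit looks like and is not from the post.
SAMPLE_LINES = [
    "Aug  1 18:30:13 XXXXX-iPhone CacheDeleteAppContainerCaches[1917] <Notice>: Managed personas: <private>",
    "Aug  1 18:30:14 XXXXX-iPhone identityservicesd(IMFoundation)[51] <Notice>: Created connection to com.apple.idsremoteurlconnectionagent.embedded.auth service: 0x13df8c580",
    "Aug  1 18:30:14 XXXXX-iPhone mDNSResponder[116] <Notice>: [R5653] DNSServiceCreateConnection START PID[2011](IMRemoteURLConn)",
    "Aug  1 18:30:14 XXXXX-iPhone identityservicesd(ApplePushService)[51] <Notice>: <private> making delegate (<private>) calls to deliver message 2888089500 <private> for topic com.apple.madrid",
    "Aug  1 18:30:14 XXXXX-iPhone identityservicesd(IDSFoundation)[51] <Notice>: Received message for topic com.apple.madrid with command 100",
    "Aug  1 18:30:14 XXXXX-iPhone apsd[98] <Notice>: Looking up connection on peer: 4f897c0 found <private>",
    "Aug  1 18:31:02 XXXXX-iPhone mdmd[2050] <Notice>: constructed sample entry, not from the post",
]


def parse_line(line):
    """Split one console line into its fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    t = TOPIC_RE.search(rec["msg"])
    rec["topic"] = t.group(1) if t else None
    return rec


def summarize(lines):
    """Count entries per process and per APNs topic, and collect MDM-daemon hits."""
    procs = Counter()
    topics = Counter()
    mdm_hits = []
    unparsed = 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        procs[rec["proc"]] += 1
        if rec["topic"]:
            topics[rec["topic"]] += 1
        if rec["proc"] in MDM_PROCS:
            mdm_hits.append(rec)
    return {"processes": procs, "topics": topics, "mdm_hits": mdm_hits, "unparsed": unparsed}


def describe(proc):
    """Label a process with its known subsystem, or mark it as unknown."""
    return KNOWN_PROCS.get(proc, "unknown; look it up before drawing conclusions")


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for proc, n in s["processes"].most_common():
        print(f"{n:3d}  {proc:32s} {describe(proc)}")
    for topic, n in s["topics"].items():
        print(f"topic {topic}: {n} entries")
    print(f"MDM daemon entries: {len(s['mdm_hits'])}, unparsed lines: {s['unparsed']}")
```

Feed it a full console capture (one line per list element) and look at the per-process table first: entries from `mdmd` or `profiled` are the ones that speak to profile or MDM activity, while the topic tally shows which push topics the push-related daemons were handling.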