How can I get rid of unauthorized MDM connotations @Roikins

Every device I own is being monitored because I have been illegally enrolled in the developer program, education, enterprise and beta. The Apple Platform Security and Apple Platform Deployment guides explain very thoroughly that device management or supervision can be done manually and then automatically on boot through various identifiers. This is a major violation of my privacy and a huge flaw in Apple's privacy and security design. There is no accountability or authentication when employers or random people decide to take over another person's device and then life! @Roisin it is happening to me the EXACT same way!!!

Posted on May 7, 2022 4:11 AM

Question marked as Top-ranking reply

Posted on Jun 22, 2022 9:03 AM

MDM can be remotely installed without user consent if the business purchased the device. This protects the business from device theft by employees. MDM cannot be remotely installed without user consent if the business did not purchase the device. User consent or physical access to the device is required to install MDM when the business did not purchase the device. Manually installed MDM is always removable by the user. If you do not see Profiles in System Preferences on macOS or an MDM profile in Settings > General > VPN & Device Management, then you are not managed by MDM. Period.
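On a Mac, the same check the reply describes (look for an MDM profile) can be made from a terminal with `profiles status -type enrollment`, which reports both whether the Mac is currently MDM-enrolled and whether it was assigned through Automated Device Enrollment (the "purchased by the business" case above). The script below is an added example, not code from this thread or from Apple: it classifies that command's output into the four situations the thread discusses, including a Mac that is no longer enrolled but still assigned in Apple Business Manager. It assumes the two-line output format shown in the constructed samples; the sample strings are made up for offline use, not captured from a real machine.

```shell
#!/bin/sh
# Added example: classify `profiles status -type enrollment` output.
# Assumption: the command prints exactly two lines, "Enrolled via DEP: Yes|No"
# and "MDM enrollment: Yes (...)|No". The samples below are constructed.

SAMPLE_UNMANAGED='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_USER_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_AUTOMATED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_ABM_ONLY='Enrolled via DEP: Yes
MDM enrollment: No'

# classify_enrollment reads the command output on stdin and prints one word:
#   unmanaged      - no MDM profile, not assigned in ABM/ASM (the thread's "not managed. Period.")
#   user-enrolled  - MDM profile present, installed manually; the user can remove it
#   automated      - assigned in ABM/ASM and enrolled; the org owns the device record
#   abm-assigned   - no MDM profile now, but still assigned in ABM/ASM (can re-enroll on reset)
#   unknown        - output did not match the expected format
classify_enrollment() {
    dep=unknown
    mdm=unknown
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*) dep=yes ;;
            "Enrolled via DEP: No"*)  dep=no ;;
            "MDM enrollment: Yes"*)   mdm=yes ;;
            "MDM enrollment: No"*)    mdm=no ;;
        esac
    done
    if   [ "$mdm" = no  ] && [ "$dep" = no  ]; then echo unmanaged
    elif [ "$mdm" = yes ] && [ "$dep" = yes ]; then echo automated
    elif [ "$mdm" = yes ] && [ "$dep" = no  ]; then echo user-enrolled
    elif [ "$mdm" = no  ] && [ "$dep" = yes ]; then echo abm-assigned
    else echo unknown
    fi
}

# check_this_mac runs the real query when profiles(1) exists (i.e. on macOS);
# elsewhere it reports that the check cannot be made and returns 1.
check_this_mac() {
    if command -v profiles >/dev/null 2>&1; then
        profiles status -type enrollment 2>/dev/null | classify_enrollment
    else
        echo "profiles(1) not found; run this on the Mac you want to check" >&2
        return 1
    fi
}

# Demo over the constructed samples so the script shows something off-Mac too.
for s in "$SAMPLE_UNMANAGED" "$SAMPLE_USER_ENROLLED" "$SAMPLE_AUTOMATED" "$SAMPLE_ABM_ONLY"; do
    printf '%s -> ' "$(printf '%s' "$s" | tr '\n' ';')"
    printf '%s\n' "$s" | classify_enrollment
done
```

Run it on the Mac in question with `sh check_mdm.sh && check_this_mac` (or just call `check_this_mac` after sourcing the file). A result of `user-enrolled` means the profile was installed by someone with the device in hand and can be removed in System Settings, while `abm-assigned` is the case discussed later in the thread where the device record belongs to an organization even though no profile is currently installed.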


Feb 24, 2023 11:33 AM in response to celliott147

celliott147 wrote:

Devices that aren't purchased through an authorized reseller for enrollment by the business itself can't be enrolled in ABM without physical access to said device. Period. A device that is enrolled with physical access can be removed by resetting the device to new within 30 days. In order to have an ABM instance, one must have a legitimate business registration with D-U-N-S. This further limits bad actors. Your biggest risk to having a device enrolled in management that you can never get out of is going to a non-Apple Authorized Service Provider to service your phone or purchasing through a non-Apple Authorized Reseller. If you purchase and service through authorized channels, your risk is effectively 0.


And additionally, having the original purchase receipts available is typically considered sufficient proof of ownership that Apple will reset devices. And again, management profiles are shown in settings, not hidden.

Mar 2, 2023 7:50 AM in response to StalkedAndBothered

A developer account doesn't manage a device. An enterprise account does. If you reset a device to factory settings and don't see a remote management screen come up when you try to set the device up, it is not managed by MDM and cannot be managed by MDM without physical access to the device or your explicit actions to install the profile.


What you could be experiencing is a compromised Apple ID. In that case, iOS 16 has a feature called Safety Check that you should use immediately along with immediately changing your password.


If you think your Apple ID has been compromised - Apple Support

How Safety Check on iPhone works to keep you safe - Apple Support

Change your Apple ID password - Apple Support

May 8, 2022 12:37 PM in response to RobynGreen

Automated enrollment can ONLY happen on devices purchased through Apple's Business management program (formerly the device enrollment program).


If you bought your device(s) directly from Apple or from an authorized retailer, the ONLY way for an MDM to get installed is for you, or someone with physical access to the device and your Apple ID and password, to install it.

May 7, 2022 6:21 AM in response to RobynGreen

You cannot have an MDM remotely installed on your device. Nor can you be enrolled in a developer program at Apple without your Apple credentials. (Even if you are enrolled in such a program, and a configuration profile was installed, it would indicate Apple, Inc.) Further, an MDM cannot migrate anything on your device to anyone else.


If you think your Apple ID has been compromised - Apple Support


You're only displaying a certificate, not a profile. Where did you go in Settings to find that certificate? You should just be able to toggle it off or remove it.

Jul 19, 2022 1:55 PM in response to ClusterConifertree

ClusterConifertree wrote:

Are companies able to communicate and see other devices on home networks?


Apps can request access to a local network yes, as many apps would be less useful without access to, for instance, printers or external displays.


Reviewing this thread, it’s not clear if there’s even provisioning happening here, past a stale certificate from what looks to be an MDM vendor, and a Microsoft Google account display from somewhere else, and an entirely benign and default Directory Utility display.


In other threads, there have been apparent cases of folks that have purchased pre-provisioned iPhone, iPad, Mac equipment (whether that was from a fraudulent sale or from an improperly-decommissioned device?), and there are certainly ways to get provisioning profiles loaded, and not the least of which are some semi-common scams that claim the target user needs to also accept and have the profile loaded for using some app.


If there’s been a breach sufficient to load a management profile, then the usual response is to wipe and reload with current versions and to change all passwords to new and unique values, migrating only documents and preferences and not apps, and related security- and privacy-focused steps. Loading a rogue profile is not a “hey, cute” breach, it’s a security-catastrophic breach.


Neither macOS, nor iOS, nor iPadOS are invulnerable to breaches and exploits, though breaches of current versions without user involvement—phishing scams, shoulder surfing, gaslighting, etc—are fairly rare. If you’re a higher-profile target of some organization with a whole lot of money, sure, but securing against that is also a whole ‘nother discussion. And those more expensive exploits don’t typically use profiles, from what little has been seen. Profiles… are usually either sketchy equipment purchases, or decommissioning mistakes by the seller or a previous employer, or jailbreaks or phishing, or are otherwise and regrettably loaded by user.


As for these threads… Posting normal, benign, default displays from, for instance, Directory Utility, is counterproductive for claims of breaches. Same holds for posting great swaths of log file chatter, as has happened in other threads around here.


Posting normal log chatter or normal displays and “am I breached?” is sufficiently open-ended to be unanswerable, to be blunt. Not past a generic “probably not”. Proving a negative is… difficult.


If you’re interested in learning more about the operations and internals, the new OS X Internals book (search for “newosxbook”) is a good start. For security, that’s a bit tougher when starting out, but detection is also heavily dependent on knowing what is and is not “normal”, as well as knowing which sorts of breaches are more common, and those that are less common.


Feb 24, 2023 7:40 AM in response to mandell_liam

Devices that aren't purchased through an authorized reseller for enrollment by the business itself can't be enrolled in ABM without physical access to said device. Period. A device that is enrolled with physical access can be removed by resetting the device to new within 30 days. In order to have an ABM instance, one must have a legitimate business registration with D-U-N-S. This further limits bad actors. Your biggest risk to having a device enrolled in management that you can never get out of is going to a non-Apple Authorized Service Provider to service your phone or purchasing through a non-Apple Authorized Reseller. If you purchase and service through authorized channels, your risk is effectively 0.

Jul 19, 2022 10:51 AM in response to ClusterConifertree

You can argue all you want. MDM CANNOT be installed without your permission on an iOS/iPadOS device without physical access or being purchased by the org. Period. This MDM install can also only happen on a device that has not been set up, or has been wiped. It cannot happen to a device that is set up without your permission, and even then, you can remove the profile. Can someone compromise your accounts? Absolutely. It happens all the time. Can they attempt to trick you into installing MDM? Sure. It happens (not very often though).

Oct 11, 2022 8:18 AM in response to QuitTellingMeIwasntHacked

Same thing happened to me by a family member. I had a falling out with my brother and Dad. I was running a large department of a family business. All of my children had worked there at one time or another. They also used their own MacBooks at work. What I didn't realize was we had given Dropbox full access to our drives. My Dad was upset and thought I was going to take his info on Dropbox and use it or something, so he hired a firm out of India with access to Apple servers and literally took over all of the devices in my home. I can't even wipe them and reinstall iOS due to the serial numbers being entered on some kind of device management system from Apple. I get a modified version of iOS with all kinds of crap on it, with stuff showing up having access to my drive like BT Server and shenkey etc. etc. The only way I can use them is to download Little Snitch and block all of the crap that tries to connect etc. etc., which is a pain in the ***.

Jan 9, 2023 9:33 AM in response to DistressedDame

Again, I will point out, as I have many times in this thread, that while something may be compromised, a device CANNOT be enrolled in MDM without your knowledge if you purchase straight from a location like Best Buy or Apple or Amazon. If it was, it would make my job multitudes easier, but it would also sacrifice privacy and security of the user. I manage THOUSANDS of devices for a living. I do this all day every day. It isn't possible. Again, a compromised account, gaslighting, many other things are possible, but a managed iOS/iPadOS device isn't possible. Even if it was, there are controls that limit what can be seen and accessed by administrators remotely.

May 27, 2022 8:49 AM in response to mandell_liam

Not necessarily. If a device is removed from MDM or misses MDM somehow on the setup, it can still be tied to the Apple Business/School Manager. This is what determines ownership and the ability to remotely manage a device without user permission. If a device is not in ABM/ASM, then remote management without user permission or physical access is not possible.

Sep 6, 2022 8:51 AM in response to ClusterConifertree

Apple did this by design. Errors happen, but it is incredibly rare. I manage thousands of devices and have for years (almost a decade actually), and I have never seen a device get mistakenly added to my environment. It's not possible to do remotely without the user's knowledge unless the device was enrolled by the reseller. For the reseller to be able to enroll a device, both the org and reseller exchange specific information that allows the information about devices to sync. A random reseller cannot add the device to a random org. If you do get tricked into manually enrolling your device, you can simply remove the profile. Apple has checks and balances both ways. If you bought a device used, you run the risk of getting a device that was stolen, not returned, lost, or improperly released by an org.
