MDM on personal iPhone - Businesses, unauthorized developer activity HELP!

I am a personal 'User'. I have cycled through many hours and days with support. No one knows what is going on, most likely because I am never able to speak with someone that understands the Enterprise platform. I feel this is happening via my carrier, but Fraud sent me to Tech support. Tech support told me my phone is hacked and to file a police report.

In combination I suspect that MDM is a gateway for an external developer to access my phone via various methods: webkit, Xcode, Apple Store Connect, SDK

I am about 99.99% sure I know why, but that is something that I will not disclose because most likely all of my activity is monitored; despite the very strict privacy settings I try to maintain.


Symptoms:

  1. My apps will sometimes tell me they did not come from the App Store (Maps, FindMyiPhone, etc.)
  2. When I make an attempt to chat with Apple support I receive a message to Use Messages to Connect with Business. When I have my iPhone in LOCKDOWN mode I receive a message that I cannot use Messages for Business when my device is locked down.
  3. I only have one device. However, I am sharing across devices, many times, or I have the option to. The choice is not grayed out.
  4. I am unable to perform an Emergency Reset because I am usually sharing something - Notes, Home, Health, Books....
  5. I do not use iCloud Drive due to multiple security concerns. Almost every time that I double check those settings apps show that they are using iCloud Drive. (Game Center, Health or Fitness, Notes, Books, Apple Support, Wallet) While clicking to turn OFF syncing I have had a battle with it changing right back before my eyes. (I have screen recordings)
  6. Game Center will come on even though I have strict Screen Time settings.
  7. I am generally either sharing, or my phone is gathering data from Health; even though that privacy option is supposed to keep that from happening.
  8. Sometimes I am unable to even sign out of my phone due to 'restrictions'.
  9. I have 'Share with Family' sometimes

*Those are only a few symptoms. That is minus the horror I see from the extraction of information I backed up into Kali Linux

As I have mentioned I have spent many many many hours with Support. One Senior Director did spend time Googling the services that show up in my Analytics. I have even uploaded screen shots and documents, but I never heard back.

I REALLY REALLY need help here.

I will add attachments. They won't be nearly the amount I have. I am begging!!!



iPhone 13, iOS 16

Posted on Apr 2, 2023 2:32 PM

82 replies

Jul 24, 2023 9:51 AM in response to GSS_544

You can’t get rid of it unless you get a subpoena. Be very specific on data you need (they keep it for 10 years). It is likely the person you suspect. The MDM has a “geo fence”, or designated area that basically is used to scan the area around your house. Anything new automatically gets scanned and installed. There have been many reported cases of this same issue! Look at any “hidden” apps downloaded since it started, I didn’t know you could hide apps! You will likely see the Configurator. Or MDM, plus several other apps, such as remote access. I had to get help from Apple to view hidden apps. Apple also provides scripting tools, so SSH (used for remote access) CMD and so on can be purchased in the App Store. They say you must be a company or school to purchase this? It goes by the serial number which is also the Wi-Fi address, so unless the person/installer removes it, it will come back! Most of the script is stored in the cloud. You can see some of the scripts under shortcuts (JavaScript). I’m not an expert with coding, but like you, I gave it a try. It’s been two years now, and things get worse as time goes by. They even used Siri to search communities for posts.



Jul 24, 2023 10:01 AM in response to T3ddy19

T3ddy19 wrote:

You can’t get rid of it unless you get a subpoena.

How does a request for documents (or a request for someone to appear in court) remove anything from your phone?


It goes by the serial number which is also the Wi-Fi address,

Device serial numbers are not WiFi addresses.

They even used Siri to search communities for posts.

Siri does not have that capability.


Jul 24, 2023 10:22 AM in response to AgentDragonfly

I had the “receive a message that I cannot use Messages for Business” as well! It’s at least good you only have 1 device. It does get installed on everything!


Apple keeps all data for 10 years, but they normally won’t provide info on this subject and will dispute evidence you submit. Although sometimes a rare representative will provide info.


Report this to IC3.gov, they are all over the security risks with the MDM, but your devices will prevent you from sending. Be aware that everything you say or do is monitored, and fake sites are common (go to another computer that is not yours then look at differences in pages), like no header footer data on web sites, no tool bars, no details on senders or fake emails.


There have been many attacks on Apple devices lately, search on NYC iPhone “rings” stealing iPhones, or Pegasus and iPhones.


My system settings change back right away as well.


I'm sorry you are going through this ****. I’ve never seen anything like this before. I was in Information Security for most of my life, but the Apple devices had just hit the market.


I've been trying to “fix” it for two years and it gets worse, I even unplugged my internet! Then, a mostly hidden hotspot was added, the IP resolved to Apple! Come to find out, the MDM comes with the option of a Wi-Fi hotspot. It’s sort of hidden. Go to Wi-Fi, (with no Wi-Fi turned on) turn Wi-Fi on, then click edit, if you have one, it will show up as “managed” no option to delete. Inexpensive devices (under $100) are available on Amazon. It will detect Wi-Fi hotspot connections. This has also been used to track me in my car and break into my home.


I did suspect someone that I had been rather fond of, and kept hoping they would stop before taking further action. That has been foolish on my part. I’ve lost a lot of equipment, experienced fraud, spent $ on tools, new devices, “experts”, stolen snail mail, stolen iPads (I did learn who had the iPads), hacked home alarm, house vandalism and so much more! Oh, if you think someone has been in your home, they likely have (they know where you are) invest in a couple (or more) cameras that don’t use Wi-Fi or any electronic communication methods, as they will get hacked otherwise.


I’ve heard the Sheriff's Department will help (some will) and assist with a subpoena (much cheaper than an attorney). Some states allow a DIY subpoena, but keep data, like your changes (that’s hard to explain unless you make a video), and keep in mind, it does sound crazy! And try to use words a 15 year old could understand. The police are usually not information security experts, they have other big jobs to do. I’m a seasoned IT certified security pro, and most have looked at me like I have 2 heads. There were some YouTube videos on recent hacks and “rings” of ppl across the country, I think, look up NYC, WSJ, iPhones Attorney General. Also search on iPhone compromise and Pegasus, it also takes over devices.

Jul 24, 2023 10:54 AM in response to AgentDragonfly

I thought I would run out of space, so continued. Show recent “in the news” attacks on iOS and other devices, this will help with local authorities to understand this is a huge issue! Look at WiGLE dot net, this will provide network activity, the source, connectivity (Bluetooth, Wi-Fi and so on) and if you create an account, a must, your specific data. You will likely see a spike in network activity. I was most surprised to see the volume of Bluetooth activity, unaware that one BT connection could attach to and take over 8 devices! This started after unplugging my network, with help from the hidden hotspot, and I found several things in my home, Wi-Fi connected smart bulbs, altered door bell, more. The Wi-Fi must be on for detection. And in my car, it must be moving prior to detection.


If you suspect someone, you are likely correct. I’m almost certain the first MDM must be installed locally, with device in hand. After the first install, the rest can be remotely installed. BTW, there are methods to look at more data on the device, I’ve not tried it, but it requires a working device and Intune (I think).


I'd also try to ask the person you suspect if they are doing it, and request them to stop before taking it further, if you care about this person. The subpoena will tell you who/where/when, then a lawyer would likely be required. Or you could get a restraining order. I don’t want to cause harm to the suspect, and I’ve already been told the who/where part. In addition my niece's Apple account was on one of the missing iPads! So if someone is within or around your network I guess they can install on other devices within the designated area? I’m really not certain exactly how her Apple ID was compromised? It had my account on it. And worse, some installed malware contains other bad activities, of which I have no way of knowing which malware is doing this or how. WiGLE dot net shows some info on this. They can also completely control your phone, (and email), block phone calls, make phone calls with your number, using accessibility apps, switches, any number can be added and make and receive calls (if you find your phone not working). These calls will show up in history under FaceTime, but when you look, history is quickly deleted. There are other apps that do this as well. Unlike years ago, when spoofing or faking a phone number, this allows 2 way communications! I suspect they could receive authorization codes as well. My screen has shown “a new iPad/phone” has been added to your account, but they don’t show under devices. Once or twice I saw the missing device listed, called Apple, they “untrusted” it, but the individual called support the following day and added it back!

Jul 24, 2023 11:49 AM in response to AgentDragonfly

Part 3, they have also done Siri searches on community! I was not aware Siri could do such things. My scenarios like health data is just like yours! Same with all, Game Center, iCloud (which I never used before), also frequent views of calendar, photos, notes and more. Plus many scripts under shortcuts. Beware of running these scripts. You can view them by clicking on the ellipsis or “…”. Note that some words may sound innocent, but the actual full coding is usually stored in a cloud (not iCloud). Some of these scripts also allow full remote control. SSH over port 22 was used to access the network, I gather to expand beyond what the MDM could do, such as installation of a hidden key-logger, found in registry of a Windows PC.


I would not openly identify who you suspect, it is perfectly legal (from what I understand, but I’m not an attorney) to identify a suspect, but you might be wrong, and you don’t want to damage someone’s reputation (or I don’t). Especially if you once cared for this person. It’s likely someone you were very close to at some point, and they could have had a key to your home.


So read, study, beg for help, hire pros, new equipment and you will be wasting time and money! Although I’ve learned more than I ever wanted to know about Apple security.


Oh, another “hacking event” with Apple seemed to show up as a 44 page document on my iPhone (were they helping me? Not sure. But it was a guy named Hinchy (I think) vs NYC, this guy was selling Spyware under the guise of Parental Control Software, a 44 page document. He was fined $440k in court. And I should add that I can’t delete notes anymore, the options are removed.


Anyway, with so many issues it’s hard to stay focused. The point of the summarized and difficult to find hacking incidents is to provide absolute proof to authorities in hope of getting this to stop.


So, collect data, document, locate hidden apps, (many are free and impossible to remove). Try to provide brief summarized readable by anyone information (you can add details behind that data) by category (email, apps, settings, rogue connections, unwanted changes, if applicable fraud, credit card applications (freeze credit) and so on. Most people don’t read more than the first page! Keep in mind that everything is monitored. Apple must keep data for 10 years, some for 20 even though most reps deny that fact. After you have a reasonable amount of data, provide this info to local authorities. But first find out if the local Sheriff's Department will help, I’ve read they are more likely to help with a subpoena than police. The subpoena will not be accusatory or cause the attacker to get charged, but you could request a restraining order.


And, scan house for active devices, almost all IoT contain no security or very little, my Rokus were compromised! The data was viewable on the router. Check out Wi-Fi connections listed under Wi-Fi. There is a way to view the password on devices that have previously connected, look that up I don’t want to post here! Look for rogue managed hotspot, include that with documentation. Anything that has been brought into your home is likely compromised, even things that were not set up. Smart TVs and sound bars for TVs can be compromised. Go to a public network and look at your email and accounts, view source, I’ve found many pages of creation of a fake email “pass through” page that restricts the view source function on MDM. Keep in mind that public Wi-Fi is generally not safe. But at this point you are already compromised. The MDM uses “web clips” you may have noticed this being used under certain apps, some are valid, some are not. But the MDM does not use Safari to browse, it uses web clips! This enables site blocking, removal of tool bars, and fake pages.


On email, in Apple and other mail, there are automatic deletes, password resets, security vendor emails, monitoring alerts, much more! Especially if a premium support option has been added. Look at shortcuts, fake emails can be sent from shortcuts with your email address. Under shortcuts, go to the bottom, type in email or message, one will say send email or message, try sending yourself one, see results. Beware of executing any script, many do much more than what’s stated, search on bottom for ssh, if it’s been used, it will show up. Apple apps provides programs that allow the user to create scripts using several different programming languages. Search on App Store to see this app. It’s not the library, but the one that specifically provides the ability of SSH, CMD, and others.


And realize even if you harden your firewall this can be circumvented with the hotspot, bypassing rules.



Jul 24, 2023 12:35 PM in response to AgentDragonfly

Ok, part 4, if I’m allowed 4 posts.


This is about 1%. Do a wildcard search on your Linux box using MDM, both in files and in root. I know nothing about Linux, but on Windows the search would be *MDM*.* then the same for system or root files, but use the % in place of the * then note the location. Other files will likely be listed under the same location. Many may be cab (or cabinet files), most are encrypted.


Ok, I’ll try to summarize again:

Collect data from all sources. Create a one page summary by category, email, rogue emails (my Facebook account was removed after my address was used to send links to my no longer available contacts, a virus?). Also, look for emails that you did not send, and settings changes on device vs on public. System changes, harder to document, you could use a video. Deleted or offloaded data (check for added cloud services other than iCloud). Look at FaceTime history, I deleted FaceTime and it came back. Rogue hotspots, scan house for Wi-Fi, NFC, Bluetooth, RF and such. Avoid paying large sums to “pros” for scanning. Look at internal images of smart bulbs online. Look at YouTube to see how Wi-Fi can be added to almost anything! Document and provide images for the things you listed above, reference page numbers in summary. Include recent attacks, they are difficult to find, but they are out there. The Attorney General in NYC got a lot of press on his find with Apple Phones. There was another article on YouTube also WSJ and iPhone attacks, but I don’t recall the details. I think if you can provide proof and get authorities interested in what it could do for them it might help, plus, it’s all (mostly) new, except Pegasus which they keep announcing as new but it’s been around since 2015. They will also ask why you think you are a target, implying you are a nobody, why would anyone be interested in your information. There are articles on why ppl are cyberstalkers, look this up to provide an answer. My work history has included a couple of high target risks (such as banking Information Security) which has made me a target in the past, or it could be an X BF or GF. Provide info on why.


I think everything has to go. Unless you are able to get it removed by installer and you trust that it’s really gone. I hate to say that! And I don’t know what “everything” includes! In my case, alarm system, Rokus, PCs, iOS, Samsung TV (research vulnerable TVs). Firewall (I'd replaced my router/firewall about 6 times hoping to block it before I knew what it was). Avoid using credit cards online, buy gift certificates specifically for Amazon, or other accounts. Watch closely charges on credit cards. Get a list of hidden apps asap, they don’t keep that info for long. It’s also good to keep dates of things happening, but that’s so much!


Some apps seemed to have opened a back door to other attacks, but that’s difficult to determine. If you find a smart bulb or other such device, you might want to call authorities to remove it, if they are willing. Some newer devices will unscrew, but one had a big visible green circuit board and emitted a loud Wi-Fi signal.


Check out devices on your router/firewall, try to identify unknown devices (if you can access the firewall). Note they may change the name of your Linux box to something else, so get MAC addresses if possible. And, look for NFC, they look like little circles of paper! Look up online, scanners will pick them up.


I’ve tried everything I can, contacted vendors, replaced equipment, bought software, scanned, recorded on cameras. But I’ve not yet completed a report to IC3 dot gov, or finished report to local authorities. 1st, it’s all been very difficult and excessive, second, not wanting to cause harm. But it gets worse, not better at least so far. Also, like others, when I try to get help from various sources, something worse happens again! I wish we could speak in person. Good luck, let me know if you are able to remove this mess. PS, the DOJ and FBI are all over this MDM because it overrides all security and it’s very dangerous. That’s why you must report to IC3!

Jul 24, 2023 12:48 PM in response to AgentDragonfly

Under your services, the calendar configuration relates to the MDM per Apple. Search on first line under Apple or search on Apple MDM with the exact calendar words. Have you looked up each service with MDM and Apple added?


Calendar declarative configuration for Apple devices

Use the Calendar configuration to provide account settings for connecting to a CalDAV-compliant server. These accounts are added to an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution.

Jul 24, 2023 12:57 PM in response to AgentDragonfly

Skywalker is a key logger! I think that was mentioned in the Hinchy document I mentioned. Info can be found at Sophos (spelling?) as well.


Not surprised, I had a key logger added as well. You should search each item. Although we know the main issue is the MDM which allows remote install of anything, including fake maps! I just saw your services listed. Is your MDM hidden? When it was downloaded, it was the only icon I’d ever seen that included a “hide option”! More of these services look very familiar, as in MDM or Malware. Is “Passcode Settings Provider” something you installed?

Jul 24, 2023 3:17 PM in response to IdrisSeabright

It does not remove it from your iPhone. A subpoena tells you who/what/when/where. Based on state, you might be able to get a subpoena from the sheriff's dept, or DIY, I don’t recall saying court? It’s not taking someone to court. You could get a restraining order (and request removal). The details would show who installed it.


I was also not aware Siri could do such things, I tried it myself with no results, but the search showed in history? And, Siri does provide web searches, since it was done, yes it can if you have the skill. But I’m not interested in Siri.


But the MDM and compromise has also done many things previously thought impossible.


I’ve already been told considerable information. I’ve not researched Siri or how it conducts web searches, but have received web sites when I tried it. But I’m really not interested in learning how to do web searches using Siri, I’m trying to remove the MDM.


What helpful info have you provided on how to remove the MDM? I thought you requested help, as others have.

Jul 24, 2023 3:54 PM in response to Community User

I found a managed hotspot that is somewhat hidden, now, it is nearly always on. It connects to other devices using Bluetooth. I can’t delete it. It resolves to Apple (the IP changes). I searched MDM and hotspot on Apple, and it’s an option. I’ve unplugged my network completely, but devices kept communicating, and they still are even though not used in months.

Jul 25, 2023 6:49 AM in response to T3ddy19

T3ddy19 wrote:

It does not remove it from your iPhone. A subpoena tells you who/what/when/where. Based on state, you might be able to get a subpoena from the sheriff's dept, or DIY, I don’t recall saying court? It’s not taking someone to court. You could get a restraining order (and request removal). The details would show who installed it.

All of that is pointless if you don't know who installed...whatever it is you think was installed.


I was also not aware Siri could do such things, I tried it myself with no results, but the search showed in history? And, Siri does provide web searches, since it was done, yes it can if you have the skill.

No, you can't.


What helpful info have you provided on how to remove the MDM?

Start here:


Install or remove configuration profiles on iPhone - Apple Support


Or, do this:


Restore your iPhone, iPad, or iPod to factory settings - Apple Support


I thought you requested help, as others have.

I most certainly don't need the type of help you do.
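Before removing a configuration profile (the first link above) it helps to know what it carries; the Calendar configuration quoted earlier and MDM enrollment are both just payloads inside the same .mobileconfig plist format. The following is an added Python example, not code from Apple or from anyone in this thread: it parses a constructed, unsigned .mobileconfig and reports its payload types, whether the profile forbids user removal, and, for an MDM payload, the server it would enroll with and the AccessRights bits it claims. The AccessRights bit names are assumed from Apple's MDM protocol documentation; all URLs, UUIDs and identifiers in the sample are placeholders.

```python
"""Inspect an Apple configuration profile (.mobileconfig) before trusting or removing it."""
import plistlib

# Constructed sample profile for demonstration; the URLs, UUIDs and identifiers
# are placeholders, not values from any real MDM deployment.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Constructed Example Profile</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.constructed.profile.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.invalid/server</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.caldav.account</string>
      <key>PayloadIdentifier</key><string>example.constructed.profile.caldav</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>CalDAVHostName</key><string>caldav.example.invalid</string>
      <key>CalDAVUsername</key><string>user@example.invalid</string>
    </dict>
  </array>
</dict>
</plist>
"""

# AccessRights bit meanings, assumed from Apple's MDM protocol documentation.
ACCESS_RIGHTS = {
    1: "inspect profile manifest",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security information",
    2048: "change device settings",
    4096: "manage applications",
}


def summarize_profile(data: bytes) -> dict:
    """Return a summary dict for an unsigned .mobileconfig given as XML plist bytes."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    summary = {
        "display_name": profile.get("PayloadDisplayName", ""),
        "identifier": profile.get("PayloadIdentifier", ""),
        # True means the user cannot remove the profile from Settings.
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "payload_types": [p.get("PayloadType", "?") for p in payloads],
        "mdm": None,
    }
    for p in payloads:
        if p.get("PayloadType") == "com.apple.mdm":
            rights = int(p.get("AccessRights", 0))
            summary["mdm"] = {
                "server_url": p.get("ServerURL", ""),
                "checkin_url": p.get("CheckInURL", ""),
                "access_rights": rights,
                "rights": [name for bit, name in ACCESS_RIGHTS.items() if rights & bit],
            }
    return summary


def is_mdm_enrollment(summary: dict) -> bool:
    """True when the profile would enroll the device with an MDM server."""
    return summary["mdm"] is not None


if __name__ == "__main__":
    s = summarize_profile(SAMPLE_PROFILE)
    print(f"Profile: {s['display_name']} ({s['identifier']})")
    print(f"User-removable: {not s['removal_disallowed']}")
    print(f"Payloads: {', '.join(s['payload_types'])}")
    if is_mdm_enrollment(s):
        print(f"MDM server: {s['mdm']['server_url']}")
        for r in s["mdm"]["rights"]:
            print(f"  grants: {r}")
```

A signed profile is a CMS wrapper around this plist, so extract the inner XML (for example with openssl's cms tooling) before passing it in; a profile with PayloadRemovalDisallowed set can only be cleared by the enrolling server or by a factory restore, which is why the second link above matters.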

Jul 25, 2023 2:41 PM in response to AgentDragonfly

Questions:

I understand the monitored issue as everything I do is monitored as well. I disconnected my Wi-Fi and an unauthorized “managed” hotspot was added that resolves to Apple, a feature of the MDM. But, I don’t know if you can say, but why would you think this is a developer? The ability to use all the programming methods you mentioned can be downloaded from the App Store! I was surprised to see ssh commands used to hack network when I still had one. In many instances based on reading comments and research it is likely someone you know who has had access to your device, physically in hand, and they know the PIN. Once it’s installed on one device, it can remotely monitor new devices of any type. I found the list somewhere, but it seems to randomly appear. Is there anyone that had access to your device?


Second question, did you get the info on apps listed by making a copy of the device? Or is that something directly from your phone? I’m just curious.


After everything I’ve read and tried, unless Apple will remove (and they won’t) or the installer removes it, I’ve yet to see anything that works. A factory reset does not work. One device was reformatted so many times that it no longer came on. I’ve lost $30k between replacing all equipment, paid “experts”, mitigation and detection techniques, monitoring for fraud, unauthorized software purchases and much more. It did not occur to me that it was an MDM until I found out that purchases could be hidden! Several downloads were “free”. Check your “hidden” purchases asap! They only show history for a few months.


I also changed my Apple ID, no activity for several days, then it started all over. Then they use Family Sharing to spread the other apps around.

My Windows PCs all destroyed, and like other posts, it happens within 3-5 minutes, permissions changed, accounts changed or deleted, ability to view event manager removed and so on. Same on brand new devices, I have no Wi-Fi except the “managed hotspot” that can’t be deleted. When it connects, I can view more data, like a normal web page. And likely the scanning list.


I likely mentioned it, but when I was in the hospital an older iPad mini went “missing”, another iPad went missing this month. I’ve found the location of both devices. I did not realize how dangerous it was to save passwords, all unencrypted. Now I can’t say that the person that has my devices is the person who installed the MDM without more data, as the subpoena would be required to determine the who that is doing this. I’m disabled from multiple surgeries, now, no TV or Internet to order necessary items. My grocery delivery service was cancelled, and much more. But I’ve seen no evidence of it stopping. This “hope” and the fact that I cared for the person who I suspected. I’m no longer employed due to ongoing hospitalizations. One person mentioned that if $ was involved, Apple would help, NO. It seems as if Apple would have compassion for such an issue, but they don’t.


One thing they said was that “they don’t help with third party apps”, but this is an Apple product per the App Store.


And I’ve had and enjoyed my Apple devices since the iPods and the 1st Apple iPad!


I’m not sure if you remove everything (although I’ve tried) if that would help? And I’m not certain what “everything” includes? TV? Printer? Router? The firewall/routers get compromised as soon as I reformat and I’m setting them up offline. I guess that’s the “hotspot”. I can’t even use a Windows PC that is completely offline (or I think it’s offline). They connect with the hotspot, then use Bluetooth to traverse the network. Bluetooth can connect to 8 devices at a time.


I've also been cyber stalked. Location is turned on, and if I leave my home, people break in the house, even after a lock change. I’ve seen this as well (offline recording devices). It’s been a challenge, especially when trying to recover from multiple surgeries!


I had an MDM once before, in IT, some ppl tend to want to spy on others. But once I found the company name in the Windows file system and called them, they removed it while I was on the phone. A reformat, and no more issues (about 10 years ago). So it is possible to remove it!


I tried writing to the security department, most emails never went through, but this one did. They responded it was not a security issue. The DOJ and FBI disagree and they are trying to stop it. Thus the importance of submitting a report to IC3. The MDM will likely prevent you from submitting, so you can use a public PC or write by hand. But this product should not be available to the general public!


I've rambled on too much and had to delete info, so parts may appear broken. Like you, I know they are watching. I also saw a Siri search on my posts (despite what another person said).

Jul 25, 2023 2:57 PM in response to GSS_544

Check out “hidden apps”, I didn’t know you could hide them! I’ve also seen GitHub and Python (likely the hacked version). Many purchased and “free” apps were downloaded. And there is one that provides SSH and other programming capabilities (it’s not the dictionary). I was surprised seeing SSH under Apple Shortcuts used to hack my network using port 22. The network is disconnected, so now (or before?) I have a somewhat hidden managed hotspot with no ability to remove it. I can’t use it, it connects to me. I have a Wi-Fi detector, it’s going off as we speak. It connects via Wi-Fi then connects to multiple devices using Bluetooth. And even if you think you have cut Wi-Fi or Bluetooth, it’s still running. Also, look under shortcuts (don’t run anything as they often reference more dangerous things but the source code is on the web). But previously used scripts, such as SSH will show, I’ll include the pic if the computer God or Devil will permit. There is also a scanning list that shows up sometimes. If I can locate it I’ll post as well. The MDM can compromise just about anything, I tried Android as well.

Jul 26, 2023 2:04 PM in response to AgentDragonfly

Second attempt to post. I’d found Termius as another app that was downloaded and hidden. It’s on the App Store, more details on the actual site. A most interesting IT network tool. It’s obviously for IT, and works on anything. I gather since you have a Linux box that you know IT fairly well. Another user pointed out something I said. To clarify, the subpoena will not remove the app, but it should let you know who is connecting. Then you could ask them to stop or get a restraining order to stop. BTW, I have about 30 years of Information Security experience, certified and so on. Corporate systems helped identify things like this and as a Corporate Info Sec Manager, with a dotted reporting line to legal it’s much easier to get help.
