MDM on personal iPhone - Businesses, unauthorized developer activity HELP!

I am a personal 'User'. I have cycled through many hours and days with support. No one knows what is going on. Most likely because I am never able to speak with someone that understands the Enterprise platform. I feel this is happening via my carrier, but Fraud sent me to Tech support. Tech support told me my phone is hacked and to file a police report.

In combination I suspect that MDM is a gateway for an external developer to access my phone via various methods: webkit, Xcode, Apple Store Connect, SDK

I am about 99.99% sure I know why, but that is something that I will not disclose because most likely all of my activity is monitored; despite the very strict privacy settings I try to maintain.


Symptoms:

  1. My apps will sometimes tell me they did not come from the App Store (Maps, FindMyiPhone, etc.)
  2. When I make an attempt to chat with Apple support I receive a message to Use Messages to Connect with Business. When I have my iPhone in LOCKDOWN mode I receive a message that I cannot use Messages for Business when my device is locked down.
  3. I only have one device. However, I am sharing across devices- many times or I have the option to. The choice is not grayed out.
  4. I am unable to perform an Emergency Reset because I am usually sharing something - Notes, Home, Health, Books....
  5. I do not use iCloud Drive due to multiple security concerns. Almost every time that I double check those settings apps show that they are using iCloud Drive. (Game Center, Health or Fitness, Notes, Books, Apple Support, Wallet) While clicking to turn OFF syncing I have had a battle with it changing right back before my eyes. (I have screen recordings)
  6. Game Center will come on even though I have strict Screen Time settings.
  7. I am generally either sharing, or my phone is gathering data from Health; even though that privacy option is supposed to keep that from happening.
  8. Sometimes I am unable to even sign out of my phone due to 'restrictions'.
  9. I have 'Share with Family' sometimes

*Those are only a few symptoms. That is minus the horror I see from the extraction of information I backed up into Kali Linux

As I have mentioned I have spent many many many hours with Support. One Senior Director did spend time Googling the services that show up in my Analytics. I have even uploaded screen shots and documents, but I never heard back.

I REALLY REALLY need help here.

I will add attachments. They won't be nearly the amount I have. I am begging!!!



iPhone 13, iOS 16

Posted on Apr 2, 2023 2:32 PM

Question marked as Top-ranking reply

Posted on Apr 3, 2023 6:45 AM

Sadly, there doesn't seem to be any help and the ones that will respond will tell you you are either crazy or you can't be hacked unless you gave your device to someone.


For what it is worth, I have been dealing with this and here is what I have learned: you need to delete your old Apple IDs and confirm that they are deleted. You may not be logged in to any (neither was I) but it has something programmed into the IOKIT boot so you cannot reset the NVRAM properly, leaving find my process to look as if the activation lock is on.


Make appointments for each Apple product to have a firmware/software update through DFU mode and make sure it is DFU because a factory restore will not remove the cache that is lingering in the files. This should all be done at the same time otherwise it will talk to the other device and reestablish itself.


The factory reset you are doing doesn't work because it does not empty the trash and it seemingly blocks any terminal command to do so as well.


Before you boot up your computer(s) & phone(s) delete and confirm you have deleted all of your previous Apple IDs. Write down the code it provided to delete the ID because chances are you will have to call to confirm its deletion.


If you have a Google ID, check to see if you are enrolled in any trial-based Workspace or Firebase programs. Workspace allows device control as well.


I have changed our TVs and printers but it still seems to latch on to any printer so now we do not print. Debilitating to say the least.


I believe that there are enough of us out there to confirm that this problem exists but Apple will not respond until they have fixed it. I know it sucks. Two factor everything and I wouldn't suggest any external USB or Thunderbolt security keys.


I also would not suggest any products other than Apple. That will only make your situation worse, even the keyboards because it will load a generic driver onto your device. Only use Apple wires as well. I am definitely not an Apple advocate, only sharing what I have come to accept and learn.


You may have to go line by line in settings on your iPhone to turn off everything that you do not use and if there is an arrow on it, click to make sure there is not an opportunity to bypass your defaults. The Mac computer is the same and there are probably about 100 Plists that will try to alter your default settings so do not take anything for granted until you have clicked through it all. Plists are just preferences and Apple will tell you that it does not mean that they are being used. That is absolutely correct but the Plists I have seen start with NVRAM and a fmm (find my mac activation) which is a huge problem.


For whatever reason it uses NFC and MDM BUT MDM does get removed later on during the process. It keeps respawning. So it isn't necessarily MDM as much as it is trying to be so I presume that there is some detail in the MDM program that helps it get what it needs.


The shared cache you are seeing is at best guess, all of the info it has collected on you and will keep looping together. This is just a guess but I have been watching it on mine as well. I could 100 percent be wrong but I believe the cache is what keeps this process communicating between devices.


There are enough of us out there with this problem. I am sure that we have a common thread but I have no idea what it could be. I just know that no one is going to help me or my family and I am just going to have to do my best to keep my kids safe.


I could bring a new computer into this house and within ten minutes watch it try to harvest my old Apple IDs, while Bluetooth sniffing and trying to connect to something nonstop. Eventually, it gets back in and the new ID becomes corrupt, I delete it and start again hoping the last Apple update resolved this issue. Two years later and I am headed back to the Apple Store today to pick up a couple of devices.


I wish someone had better news for the both of us but this is the best advice I can give you.

160 replies

Jul 24, 2023 10:54 AM in response to AgentDragonfly

I thought I would run out of space, so continued. Show recent “in the news” attacks on iOS and other devices, this will help with local authorities to understand this is a huge issue! Look at WiGLE dot net, this will provide network activity, the source, connectivity (Bluetooth, Wi-Fi and so on) and if you create an account, a must, your specific data. You will likely see a spike in network activity. I was most surprised to see the volume of Bluetooth activity, unaware that one BT connection could attach to and take over 8 devices! This started after unplugging my network, with help from the hidden hotspot, and I found several things in my home, Wi-Fi connected smart bulbs, altered door bell, more. The Wi-Fi must be on for detection. And in my car, it must be moving prior to detection.


If you suspect someone, you are likely correct. I’m almost certain the first MDM must be installed locally, with device in hand. After the first install, the rest can be remotely installed. BTW, there are methods to look at more data on the device, I’ve not tried it, but it requires a working device and Intune (I think).


I’d also try to ask the person you suspect if they are doing it, and request them to stop before taking it further, if you care about this person. The subpoena will tell you who/where/when, then a lawyer would likely be required. Or you could get a restraining order. I don’t want to cause harm to the suspect, and I’ve already been told the who/where part. In addition my niece’s Apple account was on one of the missing iPads! So if someone is within or around your network I guess they can install on other devices within the designated area? I’m really not certain exactly how her Apple ID was compromised? It had my account on it. And worse, some installed malware contains other bad activities, of which I have no way of knowing which malware is doing this or how. WiGLE dot net shows some info on this. They can also completely control your phone, (and email), block phone calls, make phone calls with your number, using accessibility apps, switches, any number can be added and make and receive calls (if you find your phone not working). These calls will show up in history under FaceTime, but when you look, history is quickly deleted. There are other apps that do this as well. Unlike years ago, when spoofing or faking a phone number, this allows 2 way communications! I suspect they could receive authorization codes as well. My screen has shown “a new iPad/phone” has been added to your account, but they don’t show under devices. Once or twice I saw the missing device listed, called Apple, they “untrusted” it, but the individual called support the following day and added it back!

Aug 13, 2023 8:58 AM in response to T3ddy19

Printers, TVs, phones, laptops, routers, Chromebook tablets. Your car!!


Anything with wifi or Bluetooth. My ex added me to his business cloud and created fleet device management. I can’t get away from it. I have no money to keep replacing devices only to have them reinfected within day or days.

This tech is being used to abuse other people; it needs to be fixed so it can’t. It’s being used maliciously as much as it is for legit business purposes. :(


Apple, help us in Canada. We have no cyber laws!

Sep 27, 2023 5:19 PM in response to Community User

Add me to the list. My suspect has two businesses and I suspect I’ve been made an employee; workspace accounts I don’t have. Google chat I don’t use. iMessage for business. Contact your administrator. Devices restricted to only using data turn on Bluetooth or tethering by themselves. Some have even switched to wifi on their own. Desktops iPhone laptop Chromebook kindle tablet printer. Even my headphones want to connect to a Bluetooth headphone device that nobody here owns. Sometimes it’s it unconnected by tablet and the prompt to pair with unknown device appears.

3 years, 14 phones, 3 laptops 3 routers, two printers, and a smart TV.

We are not crazy. We need help from authorities. Apple needs to be held accountable; when I request a super call they are blocked from calling me and still there’s no problem?!

I’m from Canada. No cyber laws. Police called me delusional. Avoided my reports. Refused to investigate. I page to hire a PI at the time of about 5g if ever want this to end. I’ve been told by a woman’s abuse organization is the only way to get a personal stalker because of the above statement; no knowledge or laws for cyber security and victims of these crimes. It’s someone we know. Especially if no random and just torment.

Nov 18, 2023 5:28 PM in response to AgentDragonfly

I’ve been dealing with similar since 2019. However I had a group of high tech hackers move in next door.


I’ve called in/went into the provider store too many times to count regarding this “MDM” issue and many of the things you’re dealing with and have been told that yep I can’t be hacked but if you search online with words “hacker placed men on my iPhone”, or “iPhone hacked”, you’ll find legitimate tech sites showing that Apple knew about the problem back even as far as 2015.

There is also the issue of some using Microsoft Azure to do some control but if you go onto your Apple ID and search for system status then look for developer status, you’ll see if you’ve been linked to Apple’s business software or schooltime etc. You may get lucky and be able to click and see exactly the developer that is connected to them. That may help.

May 1, 2024 5:30 PM in response to AgentDragonfly

Same here!!! To all of the above. I have been dealing with this since Oct 2022- that I know of!! I’m sure I am targeted as well. Every topic I have raised awareness to was shut down and I was told impossible, even though I can now find proof and articles of things I’ve been saying for years!! We need to get together. My last post got removed so I deleted a lot of it.


I have found several federal laws and cases that will support that not only are our constitutional rights and privacy laws being violated but also intellectual property protections and trademark. I can go on but let’s see if this posts lol

Aug 9, 2023 3:25 PM in response to Inrecoverymode

The MDM (or mine anyway) installs a MANAGED Wi-Fi hotspot. That will override your hotspot. I was glad to see these postings, as I’d never seen anything like this before. I had an MDM installed on my Windows PC on another hospital visit. Found vendor name, called them, they removed it right away. But it was not as destructive as this one. How horrible someone is doing this to you after you lost your husband! But he could not fix it either. It would have to be removed by installer (likely someone you know) or Apple. And Apple won’t support this Apple developed app! Reformatting, buying new devices, useless. It gets on everything, Windows, Android, Google, router and more. What it can’t do, it downloads another hidden app to do. I’m trying to collect everything to remove from my home, but I can’t tell what “everything” includes. I also read it can be set to prevent scanning apps for Bluetooth, Wi-Fi and such. You have to buy another device for that (with no Wi-Fi). The State Department of Justice and FBI is interested, send info to IC3 (dot gov).


The first install has to be hands on, after that, all can be done remotely. So, if someone knows your PIN, it only takes minutes. It’s likely someone you trusted very much. And, many of the key-loggers that are often used (found one on mine) often contain more malware.

May 25, 2023 7:39 AM in response to AgentDragonfly

Wow! This sounds so much like mine! Either can’t turn off games, or if I turn off, they come right back. There were 87 JavaScripts under shortcuts. There is also “clips” under privacy and security, microphone. Sound became very quiet, have to use speaker, that was the first symptom. Lots of redirect scripts with email to a fake or created site. Email is often deleted, some from 2 more fraudulent sites downloaded and hidden (like the MDM app), 2 banking apps, screen recorder, more! I had 87 scripts under shortcuts! I’d never even looked before. It also turns on family sharing, that permits it to download on one device and then spread to others, including Windows/Android and Roku, Smart TVs. My data is also moved to the iCloud, then transferred from there to another cloud service. If you have a windows device, search on *mdm*.*, make sure “hidden” is checked under view. My iCloud sign on page is also redirected. There is an Apple page where you can see hidden purchases, but it only goes a few months back!


When I deleted 2 accounts and created another, it was gone for about 7 hours, no grayed out options, “clips” or games. But then it visibly showed under purchases and was installed. It gets much worse, identity theft, credit card fraud beyond App purchases (the one on Apple). Alarm system hacking and entering my home. Deleting password reset messages, using my phone number to call Apple, using an Apple feature. It will not go away with a reformat. For the first install, physical access is required (I think). I was in the hospital for about a month when this started, but it could have been sooner. Based on what I’ve read, you should reformat it (unshare) or delete problem apps, several things have to be turned off. Delete your account! You have to set up a new account that does not have your name and address on it! It goes by name and serial number. I’ve not found any solution at all other than what I mentioned. Keep in mind, smart devices, IoT may also be compromised, smart light bulbs (I found one in my house using a detector) and what appears to be NFCs. It also picks up a lot of DECT, smart fridge, Wi-Fi cameras, alarm system (if Wi-Fi), some TVs, I guess my printer is infected as well.


A lot of things get transferred in the background, like the router IP, although the MDM has options to scan for new devices, phones, PCs and much more. This started Dec 2021 or earlier. I was a former Global IT Security Manager, but I’ve found no way to remove this! It also modifies the router and has a beacon, it appears to allow more hackers? And there is more dangerous activity going on that you can’t see.


They also downloaded Xcode, then hid, and of course JavaScript can be used under shortcuts, they use commands that I’m not able to use? Everything is compromised. I’d like to speak with you to compare notes, although phone, text and even this chat is transcribed. Most security emails are blocked (all read). Text usually makes it but not always. I have about 7 iOS devices, will have to get rid of all of them. Android and Windows get quickly compromised, MDM and parental controls. Attacker has used Unix and Mac. BTW, the DOJ has the MDM under investigation, it said antitrust as they also used it for parental controls, and said it’s a safety concern! This account will likely be gone soon. Oh, when I bought new devices but didn’t set them up, they were compromised around the time they came in the house! I’ve even unplugged the router, but activity continues.


I never thought I’d end up with a fraudulent malicious app(s) that they won’t remove! I actually got an MDM app before, around 2015 (in the hospital again). It had the vendor’s name on it, I called them and they removed it while I was on the phone! Now, 1.5 years, disabled, trying everything, but no help. As a security manager what a horror it would be in an 8,000 user environment, but they likely get help.

Aug 5, 2023 9:02 PM in response to AgentDragonfly

So what is it? I mean is it a person behind it all? I am not that computer literate but I knew something was definitely wrong a few months back. I just recently got back into my Apple ID, now I'm locked out of Gmail, Yahoo and Outlook. It has gotten my iPhone SE, 2 iPads and a laptop. I noticed just yesterday I was supposed to get a call back from Apple support and the number was actually blocked in my phone. Now I have to wonder if I spoke to a real Apple representative to start with when they called before or not. I need to get back into my accounts soon... I don't know what to do next... I am totally at a loss. It was my late husband who knew computers, not me. I have issues to Personal Hotspot... actually everything I have heard on here tonight I have same or similar issue.

Dec 6, 2023 11:30 AM in response to EllieDolanStl

EllieDolanStl wrote:

Any advice? I can’t trust anything.

This sounds quite serious so here's my 2 cents. It's not possible to know what's going on with just the info you provided and anything's possible, but for starters, I do have a question about your statement "They are constantly in my iCloud account doing things like disconnecting my eSim, leaving creepy photos of me". Leaving creepy photos is a fairly uncommon thing to report in these types of situations and such an occurrence would no doubt be very creepy. Can you give any other info on this? Are you absolutely positive that you aren't taking the pictures on accident, or moving a file to another location and not realizing it? Have you considered the possibility of medical illness which may make you forget certain actions that you yourself are actually responsible for? Remember it'd be impossible to know unless you do something like set up a camera to record everything for later review. Do you have any reason to believe the government is keeping tabs on you? Have you ever done anything that may have been perceived as a potential marker for terrorist activity? Visiting extremist websites, participating in discussions, or sharing a home network with anyone who may have done something to that effect? Regardless of your own personal beliefs or reason for viewing such content. For example did you have some school assignment related to terrorism and visited a few too many websites in your studies? Consider your value as a target to a state-sponsored actor or any individual. Why would they want to do something like this to you? If you can't find a reason like for example you're a high net worth individual, an activist, a potential extremist, you had lots of jilted lovers, etc., then the alternative may very well be that you are mistaken and your brain is understandably misinterpreting things that may be fairly ordinary events as a response to some legitimate things you witnessed that evidence some network intrusion you've suffered.


Take for example the other part of "they are constantly in my iCloud account doing things like disconnecting my eSim". There may very well be a problem with your eSim it could even be hacking related but your eSim and your iCloud account are not of much relation to each other. You may be observing certain events and misunderstanding what is actually happening. It's not going to be possible to know from the info you can provide via this forum but I am fairly certain you are misunderstanding some things and are describing others that are clear evidence of a problem. Knowing the difference can be difficult and is nearly impossible when you yourself are the victim.



Now what can you really do about it? Change all of your passwords to everything and write down your updates on a piece of paper. Then sign out of all your accounts everywhere. You need to take all of your Bluetooth and internet capable electronic devices and all files you own and disconnect them from their power source then safely store them for some distant date for possible data recovery or investigation. Contact your mobile phone company somehow like in-person at the store and cancel your phone service and store your phone as well with the rest of the hardware. Physically disconnect all batteries. Be sure you've purged everything for a period of time like a few days to make sure. Move away from any compromised devices outside your control. Purchase new devices once safely away from all other potentially compromised devices and set up new accounts including email. Do not use cloud services to store data. Do not use suggested passwords, they are too quickly cracked and only provide the illusion of a secure password. Passwords don't need to be extremely complex or overly long, just slightly more complex than the typical suggestions. Minimize exposure to networks and networked devices as much as possible.


This will probably help you but for most people it's nearly impossible. One important thing is that once a device has been compromised there is often nothing that can be done. Maybe this is why you've encountered such little help about all this. After all, what do you want them to do, give you new iPhones and MacBook Pros?


But really at the end of the day what are these people getting from you? Have they stolen your money? If not, well then your privacy was never really promised anyway. It's the internet, it's inherently insecure. Security is often times severely lacking and falsely claimed so unless you have invested the time and resources to create it and are aware of limitations, it doesn't exist. The lies companies will tell you about the superiority of their products are only lies if you know the truth, which few people do and when they learn it it can be shocking and disillusioning. Panicked responses typically make someone stand out from the crowd and then victim to ostracization.

Feb 23, 2024 12:54 AM in response to AgentDragonfly

You guys are describing, almost exactly, my life for the last two years. I am not in IT but have worked with computers for my career as an artist and let’s just say I’ve been on a Mac since the first Macs were out and I drove my Mac IIci to college and I’ve bricked and rebuilt more OS’s than I can remember. I have so many screen shots almost identical to the above and the settings toggling back in front of your eyes! Ha! People do call you crazy. I’ve wiped these machines and bought new ones. I’ve been told “it’s not possible” and then had Apple days later push major OS updates (remember the huge Webkit update!) I also have theories as to why money has not been taken, although it’s possible there hasn’t been the opportunity to steal a large enough sum. But moreover I feel it’s probably tactical or botnet.


Thanks for the tips. I would add that I can reiterate that I’ve found that our printer has always been implicit whenever we get it back online. Fancy new routers have not changed the situation. Samsung smart TV browser cache will always fill back up and eventually CPU will fill up. Apple senior advisors have told me that they can only help me with as much as they are trained in doing. I have escalated to engineers but it was beyond me which are the correct logs that are the “smoking guns” and furthermore I started to feel like they string me along as their research animal. (Free Apple bounty?) Now I can also vouch for above mentioning of IOkit, SDK, WebKit, AppStore Connect, use of Game Center and Health/Apple Watch, etc, But there have been at the point of all new Apple ID’s, unfortunately I have one member of my family who needs to have their computer reset by a corporate entity each time so the method above seems unattainable if everything needs to happen in lockstep. We had come very close to resetting every device all at once a year+ ago, but not to the DFU level and not to mention firmware of every other mfr.


Also want to note that to me (very abstractly) basically all XCode dev stuff all goes back to IOkit stuff (Spotlite helperUtility is the real brains) , and it’s in the CFBundle (your lovely bad Certificates that allow you to let the floodgates open in any web browser- it doesn’t matter as far as I can tell, and also WindowManager because like DarkAqua and FauxDark Aqua, we know you’re supposed to be there but you are complicit right, parent process - ???). Watch the SQLite databases for everything. I wish I could read it all and figure it out. (although it’s very MDM to slow updates… regardless) there is a propensity to keep everything legacy or roll a few things backwards, like having to manually update every app and OS, (sort of a version of classic ‘slowly gaining permissions’). I’ve found old modern scripts (sometimes supposed to be there) but then seeming active and logs of ACP (affordable cable-my address is not enrolled), and old firmware on our devices and Mac address changes on our LAN, and really the craziest things.


Anyways thanks for the validation. I’m coming close to the full DFU resets and new Apple IDs. IDK if it was mentioned, but there is a good help page on Addigy’s website about briefly disabling SIP (system integrity) and the correct terminal commands to wipe any previously existing MDM programming before reenabling it. It might be a good step before the DFU reset or (in my case) between DFU resets!

Apr 4, 2023 11:04 AM in response to celliott147

Unfortunately I have tried everything & Apple Support has had to Google most of the terms I see in my Analytics.

I don't live near an Apple store, but if that is a real possible solution I am open to a road trip. I would rather not go on a road trip only to find out not even they can figure it out.

In this picture I am sharing ‘Home’ which I do not even have a device, and I uninstalled home. Usually, I am also sharing ‘notes’ ‘books’ and ‘health’ too

Oct 12, 2023 4:38 PM in response to T3ddy19

I have been at this going on three years, boxes of paper and 3 hard drives off laptops that have all this. They are safely stored. The current desktop has it too with a twist... I have no Microsoft account but the computer is running an insider copy of Windows and so is my HP laptop. I did not do this and can't get rid of it without the email and password I don't know!!!

I also have Xbox Live, gamebar credentials that get loaded back every day! I have keystroke recorder and today guess what? ... I can type online but the keyboard stops working if I try to search the computer!!!!
