
MDM on personal iPhone - Businesses, unauthorized developer activity HELP!

I am a personal 'User'. I have cycled through many hours and days with support. No one knows what is going on, most likely because I am never able to speak with someone that understands the Enterprise platform. I feel this is happening via my carrier, but Fraud sent me to Tech Support. Tech Support told me my phone is hacked and to file a police report.

In combination I suspect that MDM is a gateway for an external developer to access my phone via various methods: WebKit, Xcode, App Store Connect, SDK.

I am about 99.99% sure I know why, but that is something that I will not disclose because most likely all of my activity is monitored; despite the very strict privacy settings I try to maintain.


Symptoms:

  1. My apps will sometimes tell me they did not come from the App Store (Maps, Find My iPhone, etc.)
  2. When I make an attempt to chat with Apple support I receive a message to Use Messages to Connect with Business. When I have my iPhone in LOCKDOWN mode I receive a message that I cannot use Messages for Business when my device is locked down.
  3. I only have one device. However, I am sharing across devices many times, or I have the option to. The choice is not grayed out.
  4. I am unable to perform an Emergency Reset because I am usually sharing something: Notes, Home, Health, Books...
  5. I do not use iCloud Drive due to multiple security concerns. Almost every time that I double check those settings, apps show that they are using iCloud Drive (Game Center, Health or Fitness, Notes, Books, Apple Support, Wallet). While clicking to turn OFF syncing I have had a battle with it changing right back before my eyes. (I have screen recordings.)
  6. Game Center will come on even though I have strict Screen Time settings.
  7. I am generally either sharing, or my phone is gathering data from Health; even though that privacy option is supposed to keep that from happening.
  8. Sometimes I am unable to even sign out of my phone due to 'restrictions'.
  9. I have 'Share with Family' sometimes.

*Those are only a few symptoms. That is minus the horror I see from the extraction of information I backed up into Kali Linux.

As I have mentioned, I have spent many, many, many hours with Support. One Senior Director did spend time Googling the services that show up in my Analytics. I have even uploaded screenshots and documents, but I never heard back.

I REALLY REALLY need help here.

I will add attachments. They won't be nearly the amount I have. I am begging!!!



iPhone 13, iOS 16

Posted on Apr 2, 2023 2:32 PM

Question marked as Top-ranking reply

Posted on Apr 3, 2023 6:45 AM

Sadly, there doesn't seem to be any help, and the ones that will respond will tell you that you are either crazy or you can't be hacked unless you have your device to someone.


For what it is worth, I have been dealing with this and here is what I have learned: you need to delete your old Apple IDs and confirm that they are deleted. You may not be logged in to any (neither was I), but it has something programmed into the IOKit boot so you cannot reset the NVRAM properly, leaving the Find My process to look as if the activation lock is on.


Make appointments for each Apple product to have a firmware/software update through DFU mode, and make sure it is DFU, because a factory restore will not remove the cache that is lingering in the files. This should all be done at the same time; otherwise it will talk to the other device and reestablish itself.


The factory reset you are doing doesn't work because it does not empty the trash, and it seemingly blocks any terminal command to do so as well.


Before you boot up your computer(s) & phone(s), delete and confirm you have deleted all of your previous Apple IDs. Write down the code it provided to delete the ID, because chances are you will have to call to confirm its deletion.


If you have a Google ID, check to see if you are enrolled in any trial-based Workspace or Firebase programs. Workspace allows device control as well.


I have changed our TVs and printers, but it still seems to latch on to any printer, so now we do not print. Debilitating, to say the least.


I believe that there are enough of us out there to confirm that this problem exists, but Apple will not respond until they have fixed it. I know it sucks. Two-factor everything, and I wouldn't suggest any external USB or Thunderbolt security keys.


I also would not suggest any products other than Apple. That will only make your situation worse, even the keyboards, because it will load a generic driver onto your device. Only use Apple wires as well. I am definitely not an Apple advocate, only sharing what I have come to accept and learn.


You may have to go line by line in Settings on your iPhone to turn off everything that you do not use, and if there is an arrow on it, click to make sure there is not an opportunity to bypass your defaults. The Mac computer is the same, and there are probably about 100 plists that will try to alter your default settings, so do not take anything for granted until you have clicked through it all. Plists are just preferences, and Apple will tell you that it does not mean that they are being used. That is absolutely correct, but the plists I have seen start with NVRAM and an fmm (Find My Mac activation), which is a huge problem.


For whatever reason it uses NFC and MDM, BUT MDM does get removed later on during the process. It keeps respawning. So it isn't necessarily MDM as much as it is trying to be, so I presume that there is some detail in the MDM program that helps it get what it needs.


The shared cache you are seeing is, at best guess, all of the info it has collected on you, and it will keep looping together. This is just a guess, but I have been watching it on mine as well. I could 100 percent be wrong, but I believe the cache is what keeps this process communicating between devices.


There are enough of us out there with this problem. I am sure that we have a common thread, but I have no idea what it could be. I just know that no one is going to help me or my family, and I am just going to have to do my best to keep my kids safe.


I could bring a new computer into this house and within ten minutes watch it try to harvest my old Apple IDs, while Bluetooth sniffing and trying to connect to something nonstop. Eventually, it gets back in and the new ID becomes corrupt; I delete it and start again, hoping the last Apple update resolved this issue. Two years later and I am headed back to the Apple Store today to pick up a couple of devices.


I wish someone had better news for the both of us, but this is the best advice I can give you.


160 replies

Feb 23, 2024 12:54 AM in response to AgentDragonfly

You guys are describing, almost exactly, my life for the last two years. I am not in IT but have worked with computers for my career as an artist, and let's just say I've been on a Mac since the first Macs were out, and I drove my Mac IIci to college and I've bricked and rebuilt more OSes than I can remember. I have so many screenshots almost identical to the above, and the settings toggling back in front of your eyes! Ha! People do call you crazy. I've wiped these machines and bought new ones. I've been told "it's not possible" and then had Apple days later push major OS updates (remember the huge WebKit update!). I also have theories as to why money has not been taken, although it's possible there hasn't been the opportunity to steal a large enough sum. But moreover I feel it's probably tactical or botnet.


Thanks for the tips. I would add that I can reiterate that I've found that our printer has always been implicit whenever we get it back online. Fancy new routers have not changed the situation. The Samsung smart TV browser cache will always fill back up and eventually the CPU will fill up. Apple senior advisors have told me that they can only help me with as much as they are trained in doing. I have escalated to engineers, but it was beyond me which are the correct logs that are the "smoking guns", and furthermore I started to feel like they string me along as their research animal. (Free Apple bounty?) Now I can also vouch for the above mentioning of IOKit, SDK, WebKit, App Store Connect, use of Game Center and Health/Apple Watch, etc. But there have been at the point of all new Apple IDs; unfortunately I have one member of my family who needs to have their computer reset by a corporate entity each time, so the method above seems unattainable if everything needs to happen in lockstep. We had come very close to resetting every device all at once a year+ ago, but not to the DFU level, and not to mention firmware of every other mfr.


Also want to note that to me (very abstractly) basically all Xcode dev stuff goes back to IOKit stuff (Spotlight helperUtility is the real brains), and it's in the CFBundle (your lovely bad Certificates that allow you to let the floodgates open in any web browser; it doesn't matter as far as I can tell, and also WindowManager because, like DarkAqua and FauxDark Aqua, we know you're supposed to be there but you are complicit right, parent process - ???). Watch the SQLite databases for everything. I wish I could read it all and figure it out. (Although it's very MDM to slow updates... regardless) there is a propensity to keep everything legacy or roll a few things backwards, like having to manually update every app and OS (sort of a version of classic 'slowly gaining permissions'). I've found old modern scripts (sometimes supposed to be there) but then seeming active, and logs of ACP (affordable cable; my address is not enrolled), and old firmware on our devices and MAC address changes on our LAN, and really the craziest things.


Anyways, thanks for the validation. I'm coming close to the full DFU resets and new Apple IDs. IDK if it was mentioned, but there is a good help page on Addigy's website about briefly disabling SIP (System Integrity Protection) and the correct terminal commands to wipe any previously existing MDM programming before reenabling it. It might be a good step before the DFU reset or (in my case) between DFU resets!

Feb 27, 2024 4:42 PM in response to ChSDude

I'm just now seeing this thread and have had the same horrific experience! I have not been through all of the posts yet before my urge to comment, because you describe the mental stress this has caused. Going on two years now trying to figure this out on my own and in my own time has been a lonely journey, for the simple fact that it's "too much" for most people, because if you mention why you always have an updated email address or why you did not get their message or email, you get the crazy raised-eyebrow look and are seen as insane!

It cannot be ignored because it affects your life every day! I have lost access to email accounts and social media profiles and accounts, yet I see them show up and have no access to them at all! When I communicate to the source, nothing is ever done.

Apple is always friendly and tries, but after they learn the scope of the problem, I don't hear back or I get disconnected.

I have developer privileges I should not, and did not know until things began really messing up and strange email accounts and media profiles were created using my identity. My Apple ID has been stolen or I get locked out and have had no choice but to wipe the device and reset. With 4 iPhones now and a MacBook Air M1.


I could go on and on about all of the things I have found out but no one would listen.


I have recently discovered too the NFC technology and how it can transfer data between devices without needing power or to authorize a connection like Bluetooth. It runs on minimal charge and low latency. It can't transfer large amounts of data at a time, but if you set up an automation triggered to pull at certain times throughout the day, it can pretty much act as a monitor of your data flow, building an entire investigation of your every move.

Creepy?? **** yeah, and I'm still stuck and without control over my own privacy, and I can't communicate normally because of it. It has really taken over my world and it is disgusting!


I don't understand why it is happening to me personally either. I want to know if anyone with the same experience has found more of us struggling with this and if there is a forum.

I can post some screenshots as well.


Jan 16, 2024 5:40 AM in response to AgentDragonfly

Also, look into AWS Snowball. It's a device used to mirror your phone and control it. It's produced by Amazon. I found this out after talking to Coinbase, and they sent me a follow-up email with "Snowball Phone" in the subject. It uses Wickr as well.


I called Coinbase and asked; they said they could not talk about it because it was internal Coinbase information... Super sketchy.

Apr 4, 2023 11:04 AM in response to celliott147

Unfortunately I have tried everything, and Apple Support has had to Google most of the terms I see in my Analytics.

I don't live near an Apple Store, but if that is a real possible solution I am open to a road trip. I would rather not go on a road trip only to find out not even they can figure it out.

In this picture I am sharing 'Home', for which I do not even have a device, and I uninstalled Home. Usually, I am also sharing 'Notes', 'Books' and 'Health' too.

Apr 30, 2023 7:01 AM in response to Community User

You are quite correct; fortunately no one has accused me of being crazy, as I'm a psychologist.


I guess what we have to remember is that these discussion forums are answered by fellow Apple users and not Apple staff. So we may not find much support.


Whatever this is, it is extremely insidious. My sharing is all disabled on my iPhone, yet it is constantly searching for powered and unpowered devices nearby. I can see the data usage does not add up to the user activity. I feel sick to think how long it was on there without my knowing, and what it has captured of my children, as it's a part of their daily lives too.


It is something akin to the Mac Dirty Cow, although what is done after it is exploited I suppose may vary; there are actions being performed on my devices that I cannot find references to anywhere.

Jul 12, 2023 7:41 PM in response to AgentDragonfly

I have been going through this type of situation for 2 years, 8 Apple IDs, 3 carriers,

3 brand new Apple devices and one Mac Pro, all infected the same way. I have tried everything; once I put my name and DOB in the device it's a dead ringer, I cannot stop sharing with Notes or Home. But I'm sure if all the users with the same problem can get help, because as consumers we have rights.

Jul 24, 2023 11:49 AM in response to AgentDragonfly

Part 3: they have also done Siri searches on Community! I was not aware Siri could do such things. My scenarios like health data are just like yours! Same with all: Game Center, iCloud (which I never used before), also frequent views of Calendar, Photos, Notes and more. Plus many scripts under Shortcuts. Beware of running these scripts. You can view them by clicking on the ellipsis or "..."; note that some words may sound innocent, but the actual full coding is usually stored in a cloud (not iCloud). Some of these scripts also allow full remote control. SSH over port 22 was used to access the network, I gather to expand beyond what the MDM could do, such as installation of a hidden keylogger, found in the registry of a Windows PC.


I would not openly identify who you suspect. It is perfectly legal (from what I understand, but I'm not an attorney) to identify a suspect, but you might be wrong, and you don't want to damage someone's reputation (or I don't). Especially if you once cared for this person. It's likely someone you were very close to at some point, and they could have had a key to your home.


So read, study, beg for help, hire pros, buy new equipment, and you will be wasting time and money! Although I've learned more than I ever wanted to know about Apple security.


Oh, another "hacking event" with Apple seemed to show up as a 44-page document on my iPhone (were they helping me? Not sure). But it was a guy named Hinchy (I think) vs NYC; this guy was selling spyware under the guise of parental control software, a 44-page document. He was fined $440k in court. And I should add that I can't delete notes anymore; the options are removed.


Anyway, with so many issues it's hard to stay focused. The point of the summarized and difficult-to-find hacking incidents is to provide absolute proof to authorities in the hope of getting this to stop.


So, collect data, document, locate hidden apps (many are free and impossible to remove). Try to provide brief, summarized, readable-by-anyone information (you can add details behind that data) by category: email, apps, settings, rogue connections, unwanted changes, if applicable fraud, credit card applications (freeze credit) and so on. Most people don't read more than the first page! Keep in mind that everything is monitored. Apple must keep data for 10 years, some for 20, even though most reps deny that fact. After you have a reasonable amount of data, provide this info to local authorities. But first find out if the local Sheriff's Department will help; I've read they are more likely to help with a subpoena than police. The subpoena will not be accusatory or cause the attacker to get charged, but you could request a restraining order.


And, scan the house for active devices; almost all IoT contain no security or very little. My Rokus were compromised! The data was viewable on the router. Check out Wi-Fi connections listed under Wi-Fi. There is a way to view the password on devices that have previously connected; look that up, I don't want to post it here! Look for a rogue managed hotspot; include that with documentation. Anything that has been brought into your home is likely compromised, even things that were not set up. Smart TVs and sound bars for TVs can be compromised. Go to a public network and look at your email and accounts, view source; I've found many pages of creation of a fake email "pass through" page that restricts the view source function on MDM. Keep in mind that public Wi-Fi is generally not safe. But at this point you are already compromised. The MDM uses "web clips"; you may have noticed this being used under certain apps, some are valid, some are not. But the MDM does not use Safari to browse, it uses web clips! This enables site blocking, removal of toolbars, and fake pages.


On email, in Apple and other mail, there are automatic deletes, password resets, security vendor emails, monitoring alerts, much more! Especially if a premium support option has been added. Look at Shortcuts; fake emails can be sent from Shortcuts with your email address. Under Shortcuts, go to the bottom, type in email or message, one will say send email or message; try sending yourself one, see results. Beware of executing any script, many do much more than what's stated; search at the bottom for ssh, if it's been used, it will show up. Apple's App Store provides programs that allow the user to create scripts using several different programming languages. Search on the App Store to see this app. It's not the library, but the one that specifically provides the ability of SSH, CMD, and others.


And realize that even if you harden your firewall, this can be circumvented with the hotspot, bypassing rules.



Jul 24, 2023 12:35 PM in response to AgentDragonfly

OK, part 4, if I'm allowed 4 posts.


This is about 1%. Do a wildcard search on your Linux box using MDM, both in files and in root. I know nothing about Linux, but on Windows the search would be *MDM*.*, then the same for system or root files, but use the % in place of the *, then note the location. Other files will likely be listed under the same location. Many may be cab (or cabinet) files; most are encrypted.


OK, I'll try to summarize again:

Collect data from all sources. Create a one-page summary by category: email, rogue emails (my Facebook account was removed after my address was used to send links to my no-longer-available contacts, a virus?). Also, look for emails that you did not send, and settings changes on device vs. on public. System changes are harder to document; you could use a video. Deleted or offloaded data (check for added cloud services other than iCloud). Look at FaceTime history; I deleted FaceTime and it came back. Rogue hotspots: scan the house for Wi-Fi, NFC, Bluetooth, RF and such. Avoid paying large sums to "pros" for scanning. Look at internal images of smart bulbs online. Look at YouTube to see how Wi-Fi can be added to almost anything! Document and provide images for the things you listed above; reference page numbers in the summary. Include recent attacks; they are difficult to find, but they are out there. The Attorney General in NYC got a lot of press on his find with Apple phones. There was another article on YouTube, also WSJ and iPhone attacks, but I don't recall the details. I think if you can provide proof and get authorities interested in what it could do for them it might help; plus, it's all (mostly) new, except Pegasus, which they keep announcing as new but it's been around since 2015. They will also ask why you think you are a target, implying you are a nobody, why would anyone be interested in your information. There are articles on why people are cyberstalkers; look this up to provide an answer. My work history has included a couple of high-target risks (such as banking Information Security), which has made me a target in the past, or it could be an ex-BF or GF. Provide info on why.


I think everything has to go, unless you are able to get it removed by the installer and you trust that it's really gone. I hate to say that! And I don't know what "everything" includes! In my case: alarm system, Rokus, PCs, iOS, Samsung TV (research vulnerable TVs), firewall (I'd replaced my router/firewall about 6 times hoping to block it before I knew what it was). Avoid using credit cards online; buy gift certificates specifically for Amazon or other accounts. Watch closely charges on credit cards. Get a list of hidden apps ASAP; they don't keep that info for long. It's also good to keep dates of things happening, but that's so much!


Some apps seemed to have opened a back door to other attacks, but that's difficult to determine. If you find a smart bulb or other such device, you might want to call authorities to remove it, if they are willing. Some newer devices will unscrew, but one had a big visible green circuit board and emitted a loud Wi-Fi signal.


Check out devices on your router/firewall; try to identify unknown devices (if you can access the firewall). Note they may change the name of your Linux box to something else, so get MAC addresses if possible. And, look for NFC; they look like little circles of paper! Look it up online; scanners will pick them up.


I've tried everything I can: contacted vendors, replaced equipment, bought software, scanned, recorded on cameras. But I've not yet completed a report to IC3 dot gov, or finished a report to local authorities. 1st, it's all been very difficult and excessive; second, not wanting to cause harm. But it gets worse, not better, at least so far. Also, like others, when I try to get help from various sources, something worse happens again! I wish we could speak in person. Good luck; let me know if you are able to remove this mess. PS, the DOJ and FBI are all over this MDM because it overrides all security and it's very dangerous. That's why you must report to IC3!
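The post above recommends listing the devices on your router, keying on MAC addresses because hostnames can change. The script below is an added example written for this thread, not code from any poster or from Apple: it reads a dnsmasq-style DHCP lease table (the lease lines and the "known devices" inventory are constructed sample data, and the MAC addresses in them are made up) and reports three things a home user would want to act on: a MAC that is not in the inventory, a known MAC that now shows a different hostname, and an inventoried device that is absent.

```python
"""
Reconcile a router's DHCP lease table against a list of devices you know
you own, keyed by MAC address rather than hostname.
Added example for this thread; the lease lines, hostnames and MAC
addresses below are constructed sample data, not from a real network.
"""
import re
from dataclasses import dataclass

# dnsmasq lease line layout: <expiry-epoch> <mac> <ip> <hostname> <client-id>
LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<host>\S+)",
    re.IGNORECASE,
)

# Constructed inventory: MAC -> hostname you expect that device to report.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "my-iphone",
    "aa:bb:cc:00:00:02": "family-macbook",
    "aa:bb:cc:00:00:03": "kali-box",
}

# Constructed lease table as exported from the router.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.10 my-iphone 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:03 192.168.1.12 DESKTOP-7K2Q 01:aa:bb:cc:00:00:03
1700000000 de:ad:be:ef:00:01 192.168.1.50 * 01:de:ad:be:ef:00:01
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "unknown", "renamed" or "missing"
    mac: str
    ip: str         # empty for "missing" findings
    hostname: str


def parse_leases(text):
    """Return {mac: (ip, hostname)} for every well-formed lease line."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue            # skip blank or malformed lines
        seen[m.group("mac").lower()] = (m.group("ip"), m.group("host"))
    return seen


def audit(leases, known):
    """Compare the lease table with the inventory and list discrepancies."""
    seen = parse_leases(leases)
    findings = []
    for mac, (ip, host) in sorted(seen.items()):
        if mac not in known:
            findings.append(Finding("unknown", mac, ip, host))
        elif host != known[mac]:
            # Same hardware address, different name: worth a second look.
            findings.append(Finding("renamed", mac, ip, host))
    for mac, host in sorted(known.items()):
        if mac not in seen:
            findings.append(Finding("missing", mac, "", host))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LEASES, KNOWN_DEVICES):
        print(f"{f.kind:8} {f.mac} {f.ip:15} {f.hostname}")
```

One caveat when reading the output: recent iPhones and many other devices use a randomized (private) Wi-Fi address per network by default, so a known device can legitimately appear under a new MAC after a reset or a settings change. Confirm an "unknown" entry against the device's own Wi-Fi settings screen before treating it as a stranger on the network.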
