You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

MDM on personal iPhone - Businesses, unauthorized developer activity HELP!

I am a personal 'User' I have cycled through many hours and days with support. No one knows what is going on. Most likely because I am never able to speak with someone that understands the Enterprise platform. I feel this is happening via my carrier- but Fraud sent me to Tech support. Tech support told me my phone is hacked and to file a police report.

In combination I suspect that MDM is a gateway for an external developer to access my phone via various methods: webkit, Xcode, Apple Store Connect, SDK

I am about 99.99% sure I know why, but that is something that I will not disclose because most likely all of my activity is monitored; despite the very strict privacy settings I try to maintain.


Symptoms:

  1. My apps will sometimes tell me they did not come from the App Store (Maps, FindMyiPhone, etc..)
  2. When I make an attempt to chat with Apple support I receive a message to Use Messages to Connect with Business. When I have my iPhone in LOCKDOWN mode I receive a message that I cannot use Messages for Business when my device is locked down.
  3. I only have one device. However, I am sharing across devices- many times or I have the option to. The choice is not grayed out.
  4. I am unable to perform an Emergency Reset because I am usually sharing something - Notes, Home, Health, Books....
  5. I do not use iCloud Drive due to multiple security concerns. Almost every time that I double check those settings apps show that they are using iCloud Drive. (Game Center, Health or Fitness, Notes, Books, Apple Support, Wallet) While clicking to turn OFF syncing I have had a battle with it changing right back before my eyes. (I have screen recordings)
  6. Game Center will come on even though I have strict Screen Time settings.
  7. I am generally either sharing, or my phone is gathering data from Health; even though that privacy option is supposed to keep that from happening.
  8. Sometimes I am unable to even sign out of my phone due to 'restrictions'.
  9. I have 'Share with Family' sometimes

*Those are only a few symptoms. That is minus the horror I see from the extraction of information I backed up into Kali Linux

As I have mentioned I have spent many many many hours with Support. One Senior Director did spend time Googling the services that show up in my Analytics. I have even uploaded screen shots and documents, but I never heard back.

I REALLY REALLY need help here.

I will add attachments. They won't be nearly the amount I have. I am begging!!!



iPhone 13, iOS 16

Posted on Apr 2, 2023 2:32 PM

Reply
Question marked as Top-ranking reply

Posted on Apr 3, 2023 6:45 AM

Sadly, there doesn't seem to be any help and the ones that will respond, will tell you you are either crazy or you can't be hacked unless you have your device to someone.


For what it is worth I have been dealing with this and here is what I have learned; you need to delete your old apple id's and confirm that they are deleted. You may not be logged in to any (neither was I) but it has something programmed into the IOKIT boot so you cannot reset the NVRAM properly, leaving find my process to look as if the activation lock is on.


Make appointments for each apple product to have a firmware/software update through DFU mode and make sure it is DFU because a factory restore will not remove the cache that is lingering in the files. This should all be done at the same time otherwise it will talk to the other device and reestablish itself.


The factor reset you are doing doesn't work because it does not empty the trash and it seemingly blocks any terminal command to do so as well.


Before you boot up your computer(s) & phone(s) delete and confirm you have deleted all of your previous apple id's. Write down the code it provided to delete the id because chances are you will have to call to

confirm its deletion.


If you have a google ID, check to see if you are enrolled in any trial based workspace or fire base programs. Workspace allows device control as well.


I have changed our TV's and printers but it still seems to latch on to any printer so now we do not print. Debilitating to say the least.


I believe that there are enough of us out there to confirm that this problem exists but apple will not respond until they have fixed it. I know it sucks. Two factor everything and I wouldn't suggest any external usb or thunderbolt security keys.


I also would not suggest any products other than apple. That will only make your situation worse.. even the keyboards because it will load a generic driver onto your device. Only use apple wires as well. I am definitely not an apple advocate, only sharing what I have come to accept and learn.


You may have to go line by line in settings on your iPhone to turn off everything that you do not use and if there is an arrow on it, click to make sure there is not an opportunity to bypass your defaults. The Mac computer is the same and there are probably about 100 Plists that will try to alter your default settings so do not take anything for granted until you have clicked through it all. Plists are just preference and apple will tell you that it does not mean that they are being used. That is absolutely correct but the Plists I have seen start with NVRAM and a fmm (find my

mac activation) which is huge problem.


for whatever reason it uses nfc and mdm BUT mdm does get removed later on during the process. It keeps respawning. So it isn't necessarily MDM as much as it is trying to be so I presume that there is some detail in the MDM program that helps it get what it needs.


The shared cache you are seeing is at best guess, all of the info it has collected on you and will keep looping together. This is just a guess but I have been watching it on mine as well. I could 100 percent be wrong but I believe the cache is what keeps this process communicating between devices.


There are enough of us out there with this problem. I am sure that we have a common thread but I have no idea what it could be. I just know that no one is going to help me or my family and I am just going to have to do my best to keep my kids safe.


I could bring a new computer into this house and within ten minutes watch it try to harvest my old apple ids, while Bluetooth sniffing and try to connect to something nonstop. Eventually, it gets back in and the new id becomes corrupt, I delete it and start again hoping the last apple update resolved this issue. Two years later and I am headed back to the Apple Store today to pick up a couple of devices.


I wish someone had better news for the both of us but this is the best advice I can give you.

Similar questions

160 replies

Jul 27, 2023 7:22 AM in response to AgentDragonfly

According to my sources, there is apparently a glitch in the forum software that is sending out notifications from the original post whenever you post in a thread. So, no AgentDragonfly has not posted since April but you may be getting notifications that they have. The issue has been brought to the attention of the appropriate authorities.

Jul 31, 2023 4:17 PM in response to AgentDragonfly

Well, now I’ve been blocked from the reply button! This is another common symptom with other sites as well. But for now, your name pops up requesting help, so I can respond. Could you please respond to the post by “FunnyHoneyBunny”? It sounds like someone who has access to her network has been compromising her iPhone. In her case (or anyone really) a new phone won’t help if it’s MDM due to the geofencing. Also, any device inside the network is trusted by default, even IoT that don’t have passwords! All the culprit needs initially is the PIN to compromise the device, then make a full copy in a couple of minutes. Saved passwords, unencrypted is bad as well. Many apps designed for companies can monitor almost all activity. Downloaded apps “shared” as “family” in the same network is also a method used to install (hidden) apps. I hate to see the struggles of so many. At the same time, I don’t have to hear “that’s impossible”, YES, it is very possible! I wonder if there could be a rogue MDM on the dark web? My windows computers are destroyed, so I can’t look on my iPhone. My situation is getting worse, including home break ins, theft (more very personal items than items of value), some things I dare not say! I also live alone like “FunnyHoneyBunny”, but who then is on her network? If it’s not an MDM, I would think a reformat would take care of it, along with resetting passwords and white listing devices on the router? She does not want to backup to the iCloud. That is not required. She could back up addresses and photos first, then reformat the device but choose not to backup apps. Purchased apps could be restored! Now, let me see if I can post. This site is very helpful for me as well, so I hate the “reply” button no longer works (unless I go to another computer on another network). I really wish Apple would help with this issue, so many ppl have tried so many things, like me, reformatting, new devices, changing IDs, anything! But the MDM uses the serial number, so doing the things I’ve done does not help. The geofencing adds new devices. And to anyone, I gather the MAC computer (which I don’t own) is required to administer the MDM, but what/how is the geo fence set if you remove all devices if no serial number to connect with?



Aug 3, 2023 4:04 PM in response to T3ddy19

Ok, I was incorrect about the Wi-Fi and serial number being the same as a user pointed out. But the MDM uses the serial number and a beacon to find your device, and it scans your network using “geofencing” to detect any new devices. I’ve heard all the “impossible” comments as well, they have no clue! I’ve had my devices reformatted and bought new ones (new everything at one point), but since someone had one of my devices (now two since earlier last month) and was apparently using a MAC computer (required) to remotely install the MDM on my new devices, it didn’t help. And, it’s a free app. But there are other “entities” looking at the dangers of this program if in the wrong hands. You have to search a bit, but it’s out there. I’ve also seen GitHub and Python, along with many new scripts under shortcuts and programs the programs always get hidden after installation. I’ve wondered if there could be a tool or method to compromise the MDM on the dark web? I’d been in Information Security for about 30 years (CISSP, CISA, CISM) in one form or another, but I’ve never seen anything that compromises so quickly (3-5 minutes). If I still had the same job and title, I’m sure I’d be able to get it removed. But due to unfortunate ongoing surgeries, I’m no longer in security.


mine sends out fake emails as well, and automatically deletes needed ones. I likely mentioned this already, but go to a public network, your email account, and view source. I was surprised to see settings that created a fake page (JavaScript) and hide auto deletions and hidden folders. My banking page is also fake. I read on Apple documentation (I think that was the source), that the MDM does not use Safari, but instead it uses web clips to show pages. This allows considerable actions and views, like view source, tool bars, headers.


You mentioned FaceTime, FaceTime was used to contact Apple for over an hour using my phone number. Apple won’t accept FaceTime. So it was not actually FaceTime, but actually a “feature” under accessibility options that permits you to enter another phone number and impersonate the victim. There is usually a history, if not deleted. But check the numbers used if the access looks like a phone call. It also allows incoming calls, but they disable my phones when using this method. It seems like I saw something about beta somewhere, but don’t recall exactly where I saw it.


I have learned there is a history available that can tell you the location of access, although I’m not certain if it’s because they had my stolen devices? A subpoena would be needed. I did see an error in one log that was 313 (I think) and said something like “another person is using your ID or device”. There is so much.


A family members account was also recently put on the most recently taken iPad. Idk how they did that, unless it was from being at my house?


How did you discover your logins were going through APIs like GitHub, Google and so on? Is that info on a MAC computer?


BTW, you mentioned a web site, if you have a web site and company email, you could enroll in the MDM. I’d guess it would not overwrite the current one, but it’s free. You could buy a cheap device, keeping everything offsite with no iPhone, then install the MDM on it.


BTW, checkout LinkedIn and search on MDM with keywords malicious and such. There is more out there. This is not impossible and you are not going insane, unless from the constant bother. Also, check put .gov, MDM, parental, more interesting things.

Aug 5, 2023 5:56 PM in response to JMurphyCO

What a great job you have done in finding all these things! I’ve made some errors when I’ve attempted to respond to ppl, then I get the “junk yard pit bulls” come after me, or the preferred polite responses, some say “impossible!” about error (some are not errors) unless this has happened to you, then one can’t understand the impact. Can you say what you have used (device wise) to detect these things? My devices get compromised as soon as I turn them on (in my house). I also found a “managed hot spot” which I can’t delete. I signal detector goes off if I

type or look at anything. I disconnected my Wi-Fi completely. Then the hotspot appeared, it may have been there before, which would bypass firewall rules, it connects to Bluetooth (up to 8 devices can connect to Bluetooth), and it spreads. When Wi-Fi is on, the IP of the “managed” Wi-Fi appears. My carrier insists there is no Wi-Fi hotspot since I’m not signed up for one, I attempted to install one, and it would not permit, without paying more. As far as the CMD, ssh, sftp and more, well, there is an app for that. Go to shortcuts, add one, clear the bottom section, type in ssh, and see if something appears! I have several of the same issues as you, but I’ve not been able to detect them as devices are disabled or destroyed. It started following a missing iPad, mostly iPad exploits (hidden apps, system settings changes and so on, you know the drill). Then escalated to home alarm hack, home B&E, vandalism, fraud, identity theft and more.


Don’t second guess your sanity, but I understand completely. Many ppl have experienced the same thing. Now, I can’t download the most recent update! Maybe it has something that will help? Have you made any progress? It seems like new devices, or old ones that I’ve not used get compromised within minutes (others have said the same). I’ve seen the MDM (aka Apple Configurator) downloaded, but wonder if it could be a rogue MDM? Perhaps from the Dark Web? It is so technically complex! I’ve been in Security (one form or another including Global IT Security Manager) for about 30 years. I’ve never seen anything with so many facets, not even the APTs. have you looked for NFC? I have a couple in my home, along with other planted devices. There are detectors out there, although the cheapest one would not pick up a NFC, my Wi-Fi also goes off when I’m driving. Also, check out LinkedIn and there is some info there. I really wish Apple would help!

Aug 9, 2023 3:38 PM in response to Inrecoverymode

Good finds! Most if not all people with this hack are users with personal devices. My routers (4 personal, 2 from ISP were taken over). At first, I’d disconnected my internet completely to try to reset the router, but they were getting in anyway. I discovered a “MANAGED” Wi-Fi hotspot with an IP that resolves to Apple. I went through the same thing after a device went missing while I was in the hospital. And it’s hard to prove all the hidden apps! Many are free, so you can’t cancel them. I’d suggest making copies of others issues for the police. I frequently get warnings as well, saying things like “I can’t use messenger when under business management”. They use the Wi-Fi hotspot and Bluetooth to spread to anything in “geofenced” area. Read Apple documentation about what this app does! It can hide almost everything. This seems somewhat new, at least to such a degree of destruction. The police are not technical and even some those that are technical claim it’s impossible. But reading documentation and compare user notes, your notes, and Apple MDM documentation it is obviously very possible. Too bad that people we trust the most would do such things. What does not work: changing password, reformatting, buying new devices, creating a new Apple ID. Good luck!


Oh, IC3 (dot gov) is interested!

Aug 12, 2023 5:41 PM in response to -Hey-You13-

The MDM can do many things per Apple documentation, it can hide apps and features, install other (hidden) programs, and much more. It’s all outlined under Apple MDM documentation. It can revert your devices instantly. It’s the only app I’ve ever seen that comes with a “hide” button. I’m beginning to wonder if it’s a rogue MDM? I’ve been in Security for decades, never seen anything that can compromise any device in minutes? Plus, I don’t know “where” it is stored. At one point, I thought I got rid of everything but apparently I did not. I’ve heard a printer mentioned, I didn’t get rid of that however. I’ve seen ssh being used initially when network was still plugged in, but now I have a rogue “Wi-Fi hotspot” that is managed. Very frustrating.

Oct 12, 2023 3:32 PM in response to AgentDragonfly

i am a personal user as well and i have tried everything! apple store is a waste of time all they did was reset and it was already on there when i booted it.

question....under root trust certificates, do you have a greyed out single certificate that you fid not approve?

they ssy its not possible but i never had the option when i got this phone.

its a digicert root ca and its on all my devices!

Oct 18, 2023 12:12 AM in response to Shewolf1989

Hi folks,


I've spent this whole year to date researching this campaign since I first started noticing non-typical activity on my iPhone, MacBook Pro and Mac mini. I've been using Apple products since the 80's and am fortunate to have never had any issues until now.


First I must preface the rest of this post by saying that some of the behaviours you see are BigTech harvesting user data. This has always been the case and is written into user-agreements you accept upon activation. Add on top of that any app you install will also have its hand in documenting the activities you engage in on your computer, device or 'smart' connected tech as is written their terms (linked on the page) you accept upon downloading and installing. 


You only need to glance over the privacy notice within the apps information on the AppStore to see the scope of what some apps collect. TikTok remains the top of the list closely followed by the big social media brands etc. There are also many apps still on the AppStore who have not updated since Apple introduced mandatory display of the data the app intends to collect, so exactly what they are taking from you remains unknown to its users.


However, while BigTech data extraction is a typical event on tech, data is a trillion dollar business and has undoubtably attracted the attention of bad actors who want a slice of the pie which is why there is a high prevelance of data mining exploits.


I'll reiterate a previous post that agrees, you are not imagining things. Whoever is behind the non-typical activity we are experiencing - likely has MDM-like control over your phone/computer.


You're seeing developer activity because developer mode is what the MDM-like behaviours are implemented through. This is occuring even though you all report there are no MDM certificates installed, the developer mode option isn't activated in settings, you are not enrolled in the beta or developer program and finally, you don't have TestFlight installed.


To date, Kaspersky are the only voice in the threat-hunting world who recently openly declared they no longer believe that Pegasus-style attacks are limited to only a small handful of people. They assert this because they invited comment from the general public regarding the 'Triangulation' attack and were flooded with emails with evidence of similar attacks on civilian devices.


Although much of the detailed information on these attacks are not public, what I have personally observed regarding the permissions attributed to various daemons and processes on iOS and macOS is attributed to the events many of you are seeing too. These are closely aligned to 'Triclops' (the only Pegasus-style survelliance documentation in the public arena) which appears to revolve around developer privileges. While I am not making any claims that what are experiencing is linked to the groups carrying out attacks on high profile targets, I am asserting that there is a group behind this long-running campaign who have leveraged developer privileges for the purpose of data extraction. The vast amount of evidence strongly suggests the three goals are scams, advertising interference and intelligence gathering.


I'll leave it here as I wish to respect the Community Use Agreement, but take heart, the number of people noticing non-typical things on their tech is growing. I look forward to maybe one escaping their clutches and reclaiming my tech, my accounts and just maybe, a little bit of the fun and awe tech used to provide.

Oct 31, 2023 1:53 PM in response to AgentDragonfly

I have some information that might be helpful. After years of looking for answers and getting none I discovered this sys diagnostic test.


https://support.umbrella.com/hc/en-us/articles/4406646902420-How-to-capture-a-sys-diagnose-from-an-iOS-device


I think you’ll be surprised with what it can reveal.


I am having the same problems and more…connected to cameras, speakers, amps, I could go on. Intelligence platforms are running in my analytics. Mobile Obliteration, Pegasus, shim remotes.

I tried to post some pictures here but it’s blocking me. I’ve been making all the same calls to tech supports. No real answers other than yes my device is being remotely accessed. I’ve had a dozen new phones since this began. Everyone of them have the same problems. I have managed to do a couple resets but it was compromised again within a hour. I’m still looking for answers like you.

Do you know of any websites with specific information? I’ve googled many platforms listed in my analytics so I know who it is. Any suggestions for a way to get it confirmed?


Nov 3, 2023 3:12 PM in response to AgentDragonfly

One other method of their intrusion is changing your time zone / date and time to a far earlier date years before you even purchased the device. Installing malicious software then changing the time back to actual current time.


if any of you use iCloud Photos (which isn’t ideal) make sure you go through and check the time stamp / location meta data as I’ve noticed a few of mine were updated to a time and place that iCloud would not recognize thus not including it in the synch so if you restart your device. You’ll lose those photos / videos.


don’t use google photos because they’ll just corrupt your videos (evidence) making them incompatible and useless.


oh and don’t use external hard drives because those will become compromised too lol there’s literally no end. I’ve tried everything and I am not tech savvy what. So. Ever. To the point where I’ve just accepted it and live my life with them watching my every move. It is what it is. The level of intrusion is so sophisticated that it’s almost like it’s out of this world sophisticated. Who knows at this point.

Nov 3, 2023 3:22 PM in response to AgentDragonfly

Looks like my original post was deleted? Idk I’ve never actually posted anything on here before but good thing I saved it before I posted it…


After spending the last year or two google searching anything that seemed fishy in my analytics logs, I’ve finally, finally and finally! Stumbled upon the most solid and concrete description of what’s been happening to me over the past two years with my devices. What a breath of fresh freakin air. 


The process I searched for that brought this thread up was “AppleH13CamIn” found in an analytics log labeled “Stacks-2023-10-18.” 


It is 100% the MDM and what one reply here mentioned as the “Invisible Beta.” Though not so invisible now that I realized they were unable to hide the “Feedback” app in the “Per-app settings” found at the bottom of the accessibility setting. The “feedback” app is usually only available to devices registered to the beta iOS program.  100% using Xcode as their method of hacking. 


From what I gathered, there has to be some sort of hardware issue (either methodically or accidental) that is powering a BT process that keeps this intrusion alive. 


One thing i noticed too is, the Rokus on my network were being converted and used as a WiFi 4 protocol hotspot that was acting as a sort of evil twin router and fooling my device into connecting. I live at home and my mom still has an iPhone 6+ that hasn’t been updated since iOS 11? That she refuses to update so I’m practically SOL. 


Someone asked about what the “trial rollout” well here you go: 


stateDbVersion":3,"trialExperiments":"0","trialRollouts":"2","version":"2.4"}


activeTreatments":"100:210304_control,101:210415_control,102:210304_control,103:210304_control,105:210304_control,106:210304_control,107:210304_control,104:210304_control,108:210601_control,109:20419_control","


Count":3,"bug_type":"225","reason":"rejected-config"},"name":"LogRetirement","


Logs are consistently labeled as rejected. Someone mentioned Skywalker is an actual keylogger? I’m seething Skywalker doorbell logs and an unidentified haptic device connected as a home accessory. I don’t even use apple home. 


Logs also detail - HMDRemoveAccessoryPairingLogEvent


There are daily multiple “Hardware data resets” and initial unlocks “after boot” while charging. 


They must be utilizing some sort of stingray to mimic LTE connection. 


This is literally an intrusion from every direction. An intrusion that my neighbors are in on (phone was stolen off my driveway in a nice neighborhood at the end of a culdasac not even 3 minutes after I left it there I see 3 individuals walking way from my house that I’ve never seen before and no phone in sight) 



one thing that helped was create a physical vpn. Modem - bridged router - switch - 2nd router. 


I think they also get in through the power lines. What a freakin mess this world is. So sad really. 



[Edited by Moderator] 


Nov 3, 2023 3:28 PM in response to Watchlistvictim

The stacks log is packed with useful data


example:


This is logged from my “CloudConfigurationDetails”


bplist00Ö

\AllowPairing_ConfigurationWasApplied_CloudConfigurationUIComplete_ConfigurationSource_PostSetupProfileWasInstalled\IsSupervised "<[qžŸ ¢£

¤


this is from a stack labeled MCMeta


bplist00Ô_LastMDMMigratedBuild_LastMigratedBuild_&StopFilteringGrandfatheredRestrictions_ AllowedGrandfatheredRestrictionsU20F75Ñ ^restrictedBool£

[allowiTunes_allowAddingGameCenterFriends_allowAppRemoval(<eˆŽ’¡¥±Ð

â


payload manifest - bplist00Ò_OrderedProfiles^HiddenProfiles ¡_=secure-wifi.spectrum.net.8DE2356F-F195-444A-B534-6E67170C4E73

./1q


I could go on for days about this lol


I think what they do is they partition your operating system into multiple operating systems that synch between each other. So while you’re on one partition. They are on another loading remote content and once you put your device down they synchronize back to their partition that is virtually identical but different logs home screens etc


Nov 8, 2023 9:56 PM in response to JMurphyCO

Hello…did you ever find a solution? I have gone through an iPhone15 (direct from Apple, an IPhone 12. (wiped and reset), a Samsung AOS, a Motorola Pure G, 3 carriers, a windows 10 PC, they have hacked 5 Gmail accounts (also my Apple IDs) and (2) other emails. If that wasn’t bad enough they are spoofing me. They are answering my calls pretending to be me and intercepting outgoing calls and pretending to be tech support for my carrier. I am being served web pages in French. Web pages with errors. I’m also always showing up in New York as my location. They are constantly in my iCloud account doing things like disconnecting my eSim, leaving creepy photos of me. I basically can’t live my life because I’m always trying to get unhacked. My theory that ties all these things together is a Stingray or Dirtbox. They also hacked my ADT panel. I found a known WiFi network that I have never signed into. I never sign into WiFi. Then on my other iPhone I found the same network and D-link. They are constantly using my devices, doing things like downloading music. My PC is terrifying. I think I may have figured out how they exploited it.


Any advice? I can’t trust anything.

MDM on personal iPhone - Businesses, unauthorized developer activity HELP!

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.