
Unknown configuration Profiles - Managed Client

I noticed for a while that my MacBooks have several processes running at boot, all related to MDMclient, Managedclient, RemoteManagement, RemoteDesktop, studentd, Classroom etc...

I checked on other friends' laptops by running a series of Log Show --debug or Log stream --debug with different predicates related to the terms, and the outputs came back empty.


The BETA software ended up being installed on my devices (unknowingly to me), so I thought that maybe those events were related, although I had seen these processes running on my MacBooks prior to the BETA software and on devices that don't have the BETA installed. I turned off the BETA.



Then I noticed that 6 user configuration profiles were showing in System_reports. I also noticed a plist file with reference to the software MobileMe, running in my systems and authenticating my MacBooks to servers via tokens.

And just few moments ago, I saw the notification "Your screen is being observed" on one of my MacBooks as I turned it on. This has been a regular occurrence.

For context, my MacBook had been compromised by someone close who had access (please spare me the usual snobbish and rude doubtful comments). I have performed several factory resets and wonder if these compromises are persistent due to the installation of a malicious MDM.

I am concerned about this. My MacBooks are for personal use and were never enrolled in MDM by me.


And one last question... In the system report of one of my MacBooks, I saw a list of disabled Samsung Software related to Samsung MDM and remote connection (no user consent). Is this a normal occurrence?


Thank you in advance for your help.


I can't stress enough that I do NOT want anyone with negative, useless, rude, answers or comments on this post.



MacBook Pro 13″, macOS 14.0

Posted on Sep 13, 2023 10:48 AM

Question marked as Best reply

Posted on Sep 13, 2023 2:18 PM

Those Macs are being remotely managed by someone other than you. The solution is to erase them as you have been doing.


Consider the possibility that your Apple ID has been compromised in a similar manner, which would lead to the ability for someone else to remotely log in and use your Macs, so you need to fix that first: If you think your Apple ID has been compromised - Apple Support, after which you can proceed to erase the Macs and configure them as your own.


When you do that, also consider the likelihood that the wireless networks you have been using have also been compromised. The solution to that is to use network equipment that is exclusively yours to own and control. Use secure wireless passwords (which most people do) and change the default passwords for your wireless routers (which most people don't).


Whereas many people are quickly led to suspect some kind of genius-level "hacking" there are far more common, low-tech means of accomplishing the same thing — from someone looking over your shoulder (possibly using the reflection in a window or mirror or sunglasses or even some shiny object) as you type in personal information such as passwords or passcodes, or artfully concealed tiny cameras. Those don't need any special skills.


Never write down passwords. Anywhere. Ever.


Lots of other suggestions but you get the idea.


And one last question... In the system report of one of my MacBooks, I saw a list of disabled Samsung Software related to Samsung MDM and remote connection (no user consent). Is this a normal occurrence?


No.


11 replies

Sep 14, 2023 1:18 PM in response to LeGrandContiPrinceDuSang

Thank you so much for your help! Regarding the network, I had discovered that the adversary had installed Cisco software hiding in plain sight, which adopted a friendly name resembling my ISP's services with the IP 192.168.1.100.

I went as far as changing location, routers and ISP but I always thought that somehow, the compromise of the network was persistent.


I then found a plist file of network extensions (see attached).

The bplist00 log entry provided contains a network extension configuration. The network extension configuration is a dictionary with the following keys:

  • Version: The version of the network extension configuration.
  • Generation: The generation of the network extension configuration.
  • ConfigurationProperties: A dictionary containing the configuration properties for the network extension.
  • NS.uuidbytes: The UUID of the network extension.

The ConfigurationProperties dictionary contains the following keys:

  • UserMap: A dictionary containing the user map for the network extension. The user map is used to map users to network extension profiles.
  • UserManagementEnabled: A boolean value indicating whether user management is enabled for the network extension.

The UserMap dictionary contains the following keys:

  • NS.keys: An array containing the keys of the user map.
  • NS.objects: An array containing the objects of the user map.

The values in the NS.objects array are NSMutableDictionary objects. Each NSMutableDictionary object contains the following keys:

  • ProfileName: The name of the network extension profile.
  • ProfileUUID: The UUID of the network extension profile.

The NS.data key contains the data for the network extension.


The data is a binary representation of the network extension configuration.


Implications:

The presence of this bplist00 log entry indicates that a network extension is installed on the MacBook Pro. The fact that this network extension is being installed suggests that the MacBook is trying to connect to a network that requires it. For example, trying to connect to a corporate network, such as an employer that may have installed a network extension on the MacBook Pro to manage the connection.



The MacBook also seems to have an active Kerberos Authentication granting tickets, present on the MacBook, which I did not configure.


Now my question is: Would that explain how the compromise is resisting the remedies and propagating to new devices that the adversaries haven't had physical access to?


And I hope you won't mind me asking, but are there any legal avenues at my disposal?


Thanks again for your help!
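To see what a file of the shape described in the post above actually contains, rather than eyeballing the raw bplist00 bytes, here is an added Python example (not code from this thread or from Apple) that builds a constructed binary plist in the keyed-archiver layout described (NS.keys/NS.objects pairs, NS.uuidbytes, UserMap of ProfileName/ProfileUUID) and flattens it into plain Python data; the layout, user IDs and UUIDs are assumptions for illustration, not the real file's schema.

```python
"""Decode an NSKeyedArchiver-style binary plist into plain Python data.

Constructed example: the sample archive is built inline with plistlib, so
the script runs offline. Nothing here is taken from a real Mac.
"""
import plistlib
import uuid


def build_sample_archive() -> bytes:
    """Write a constructed bplist00 archive in the keyed-archiver layout.

    Object graph (indices into $objects):
      0 $null, 1 root dict, 2 ConfigurationProperties, 3 UserMap,
      4..5 NS.keys (user IDs), 6..7 per-user profile dicts, 8 NSUUID holder
    """
    U = plistlib.UID  # plistlib's type for keyed-archiver object references
    objects = [
        "$null",
        {"Version": 1, "Generation": 7,
         "ConfigurationProperties": U(2), "NS.uuidbytes": U(8)},
        {"UserManagementEnabled": True, "UserMap": U(3)},
        {"NS.keys": [U(4), U(5)], "NS.objects": [U(6), U(7)]},
        "501",  # assumed uid of the first user
        "502",  # assumed uid of the second user
        {"ProfileName": "Sample VPN",
         "ProfileUUID": "11111111-2222-3333-4444-555555555555"},
        {"ProfileName": "Sample Filter",
         "ProfileUUID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
        {"NS.uuidbytes": uuid.UUID("0f0f0f0f-0f0f-0f0f-0f0f-0f0f0f0f0f0f").bytes},
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": U(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def _resolve(node, objects, depth=0):
    """Follow UID references and flatten NS.keys/NS.objects and NSUUID nodes."""
    if depth > 64:
        raise ValueError("reference cycle or archive nested too deeply")
    if isinstance(node, plistlib.UID):
        return _resolve(objects[node.data], objects, depth + 1)
    if isinstance(node, dict):
        if "NS.keys" in node and "NS.objects" in node:  # archived NSDictionary
            keys = [_resolve(k, objects, depth + 1) for k in node["NS.keys"]]
            vals = [_resolve(v, objects, depth + 1) for v in node["NS.objects"]]
            return dict(zip(keys, vals))
        raw = node.get("NS.uuidbytes")
        if isinstance(raw, bytes) and len(raw) == 16:  # archived NSUUID
            return str(uuid.UUID(bytes=raw))
        return {k: _resolve(v, objects, depth + 1)
                for k, v in node.items() if not k.startswith("$")}
    if isinstance(node, list):
        return [_resolve(v, objects, depth + 1) for v in node]
    return node  # str, int, bool, bytes pass through unchanged


def decode_archive(blob: bytes) -> dict:
    """Return the archive's root object as ordinary dicts, lists and scalars."""
    plist = plistlib.loads(blob)
    if plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    return _resolve(plist["$top"]["root"], plist["$objects"])


def list_profiles(root: dict) -> list:
    """(user, ProfileName, ProfileUUID) for every UserMap entry, sorted by user."""
    user_map = root["ConfigurationProperties"]["UserMap"]
    return sorted((u, p["ProfileName"], p["ProfileUUID"]) for u, p in user_map.items())


if __name__ == "__main__":
    root = decode_archive(build_sample_archive())
    print("Version", root["Version"], "Generation", root["Generation"],
          "UUID", root["NS.uuidbytes"])
    for user, name, profile_uuid in list_profiles(root):
        print(f"user {user}: {name} ({profile_uuid})")
```

On a real Mac you would pass the bytes of the file in question to decode_archive() and compare the ProfileUUID values against the output of `sudo profiles list`; a profile you never installed is the thing to note before erasing and re-setting up the machine.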



Jan 3, 2024 1:34 AM in response to LeGrandContiPrinceDuSang

The log entry provided above was extracted from a compromised MacBook. The MacBook had been in the hands of bad actors for several months. This entry raises several red flags and concerns about potential malicious activity on the MacBook:

Key Points:

  • Suspicious connection: It mentions a connection attempt to "configuration.ls.apple.com," which is not a legitimate Apple domain. This suggests a possible attempt to establish a connection to a malicious server impersonating Apple's configuration server.
  • Error message: The error message "NSURLErrorFadLIngURLPeerTrustErrorkey=SecTrust" indicates an issue with the server's security certificate, further reinforcing the suspicion of a malicious server.
  • Context: The log mentions "accounts/accounts-with-types-sync," suggesting involvement with account syncing processes. This could be a target for attackers aiming to steal credentials or manipulate account data.
  • Other processes involved: The log mentions processes like "accountsdaemon" and "Commenter," suggesting broader system interaction beyond the initial connection attempt.

Implications:

  • Potential malware: If one notices the presence of an illegitimate MDM or unauthorized virtual machine, combined with these suspicious logs, it would strongly suggest the presence of malware on the MacBook.
  • Account compromise: The attempted access to account syncing processes raises concerns about the security of user accounts and associated data.
  • System compromise: The involvement of multiple system processes suggests that the malware could have broader access and control over the MacBook's functionality.

My recommendation is to look for these types of activities on your macOS and iOS devices and take immediate action!


Sep 14, 2023 5:08 PM in response to LeGrandContiPrinceDuSang

First: you should not be using that Mac in an attempt to diagnose the intrusive event, which I suspect involves the network equipment. In fact you should not be using it at all, until resolving the intrusion to your satisfaction.


Some of the information you posted is innocuous, some of it is not important, but some of it makes no sense. For example the com.apple.networkextension.plist file should be plain ASCII text, but what you posted appears to be some kind of binary encoding. Not much can be inferred from that other than to suggest file corruption, the source of which cannot be determined.


The mere presence of kerberos authenticating to something is not, in and of itself, an indication of anything malicious.


I wish I could help you get to the bottom of what happened, but attempting to do so within the limitations of this website is certain to be counterproductive, and an exercise in frustration at best. You certainly need to enlist the services of a professional with direct, face-to-face interaction.


All I can say in that regard is beware there are plenty of charlatans out there whose sole motivation is to take your money, and anything else they do is secondary to that desire. You might start by asking your local Attorney General's office for help. They may not be interested in helping you, but perhaps they can recommend someone competent who can.


Your concerns almost certainly involve criminal activity (unauthorized tampering with personal computing equipment is a crime in most jurisdictions) and as such go way beyond the scope of this support site. I provided all the technical information I am capable of providing consistent with the intent of ASC, and now you need to proceed accordingly.

Dec 3, 2023 12:40 PM in response to LeGrandContiPrinceDuSang

Do some research and thoroughly go through other accounts.

I ask because it is possible that someone has gained access to your life via SSO and has been able to maintain persistence using ‘Kerberos’, ‘federation’, etc..

Do you have a Microsoft account? If you do have a MS account you most likely have an Azure account. If you do, then audit any activity. Not only is it possible to set up MDM via MS, but Samsung phones are great at connecting to Microsoft before you even had time to secure all your settings.

Additionally, if you have or have had an Alexa, read the Amazon devices information thoroughly, even if you no longer have them or use them. Also check whether you may have a 'seller's' account, or a developer AWS account. That alone is something to find out, but if you have Verizon it is worth noting that they offer a development community via AWS. I doubt that is a factor, but it is information I can offer.

Do you have a Google account? Check if you are part of a ‘workspace’.

Do you have a Facebook account? Google and FB, too, can offer SSO ‘federation’.

I do not know if anyone has a motive to do all that, but those are only a few suggestions regarding the persistence of your situation.

Dec 5, 2023 7:50 PM in response to Curious_Dragonfly

Dear Dragon,

All of your questions are valid and I already went through these verifications. To all of them, I'll reply yes, to the extent that I am not a Verizon customer anymore and that indeed there are troubling facts about my Samsung devices (which are all enrolled in malicious MDM).

Regarding any Amazon products/accounts, same thing.

May I ask how you came to ask these pertinent questions? No one seemed to have made the connection with MS, Amazon, and Samsung devices before.

Have you seen this type of compromise before? I don't want to get into too many details here, as I am not sure exactly who is answering and what their motivations are, but one thing is certain: the compromise is persistent to all remedy solutions and is even spreading to new devices.

Jan 3, 2024 1:15 AM in response to Curious_Dragonfly

Your assertions seem to be extremely oriented. It's almost like the playbook of "How to compromise 101". Given the extensiveness of the details you recount, it is safe to assume that you kept documentation, some records of what happened. Please provide some (anonymized) screenshots of Apple devices showing traces of process activities, managed settings or preferences etc... that would sustain your assertions. This way we could all learn something useful to fight back against these evil, heartless people who take advantage of their innocent victims, abuse and ruin lives, simply because access to devices and credentials was possible.

In your case, has anyone accessed your devices? An employee, friend, maybe a partner? In most cases, it's ALWAYS someone close who had access, and you should know that they usually do not work alone. They are organized criminals with ties in Europe, West Africa....

As John Galt suggested, I hope you went to the authorities. Once a police report is filed, even if it takes time, whoever is compromising your devices, will be found.

Dec 14, 2023 4:55 PM in response to LeGrandContiPrinceDuSang

I apologize for the delay.


Yes, unfortunately I have seen this type of compromise. It has been, and continues to be, happening to me since July 2022.

I definitely could write a book on this.


When this first began no one thought it was true and that it was impossible.

It is like believing in ghosts, except more people believe in ghosts.

I now spend 100% of my time researching everything.

It began with learning about Kerberos, federation, enterprise, MDM, etc... then reading how easy-ish it is to laterally move through a person's life.

I do not feel that takes too much sophistication. I mean, yes, and no.

Once you acquire Kerberos, etc... on one account it only makes sense that a determined hacker would not need to struggle too much.

I said from the beginning that nothing is impossible.


I believe that Verizon is a player because I had questionable features on my line that no one would give me a straight answer about.

Many of my support chats were suddenly disconnected.

The last support call I had with them was supposed to be with the fraud department. However, after 2 hours (two of many many before) I was told that I would have to speak with fraud.

I thought I was. The guy on the phone gave me the number to fraud which was the number I dialed.

Previous support directed me to contact law enforcement. That is ZERO help. Local law enforcement has ZERO clue how to handle 'hacking'.

When my phone was disconnected without consent, I had to visit a Verizon store. The manager could/would not confirm if I had always been speaking with a Verizon representative any of the times I called.

Verizon executives have said they will look at my account. After doing so they state there is no fraudulent activity and that they do not assist with hacking.

I am also told that without a court order they will not release my phone and text details due to proprietary concerns.

This was more than just iPhone, a Samsung phone was also involved.


Moving on to one of my recent iPhones.

I had 1st party apps - Find my iPhone, Maps, Notes, Health, Home. All saying they did not come from the app store.

I am unable to perform an Emergency Reset on my phone because I am sharing such features.

I have no other devices and I have uninstalled those apps.

On that note. I am always 'sharing across devices'. I have NO other devices.

I have screenshots, recordings, analytics, backups, etc...

I am not able to receive copies of my support cases. My last phone call with Apple ended with being told that if someone is this determined there is nothing they can really do.

I begged to have an engineer look at my phone, but was told that engineer will not look at my phone. I only asked because the lady at the Apple store told me to be persistent with that request.


Symptoms (only a few):

* Sharing devices

* Apps that did not come from the App store

* Waking up to no passcode set on my phone

* Various contacts' information has been changed

* 'Focus' has turned on disallowing communication to anyone aside from 'favorites'. I found that out when I tried to call someone, but was not able to.

* My screentime settings are extremely strict.

I do NOT allow any Game Center activity, but not only do I find that I am connected to Game Center, but my ID is unknown. Additionally, it will sync with iCloud.

I do not have any any any Home devices, but on the list of things you can access without your passcode I am unable to remove the option for Home control.

My privacy selection is to not share Health information, but I still do. The steps the motion, etc... are listed as information on my device.

I can check my privacy settings to change that, which reflect that I already do not share that.


Those are only a very few things I can say.

As I mentioned previously I could write an entire book.

I am 100% sure that I qualify and am capable of working in the cybersecurity industry.

I do not know all the answers, but I learn more of them everyday.

From active directory control, to malicious code, to accessibility settings, to hardware (Bluetooth, etc..), to cellular towers and wireless (same-ish) and more.

I study all of it.

Every setting you can imagine can be worked and is already way ahead of security updates. Security updates are after the fact.

I have and continue to spend my time analyzing and learning.

I have found 'invisible' code when I was running Linux.


I am sorry this is happening.

I am only throwing a few things out there.

I hope that it is helpful.

Dec 19, 2023 12:01 AM in response to LeGrandContiPrinceDuSang

This all began with RING DoorBell & Security…that and anything Bluetooth remaining in set up mode, all of a sudden.

My RING videos were all saved in OneDrive Folders. Those folders began sharing and I would not be able to delete.

So- we have Amazon (AWS), associated Bluetooth devices always in set up mode.

Those connect MS & Amazon.

I mentioned Verizon.


PS- I no longer use Verizon service. I still have an iPhone from them. It is not signed into & I strictly only use it as an iPod (not iTunes sync). ZERO cellular or WiFi on that phone, I do not even sign into an iCloud account, or use an iTunes account. Or any other association.


I now have changed service providers - hoping for a chance at change.

I also no longer even try to create emails using ‘Microsoft’, ‘google’, ‘iCloud’, ‘yahoo’, ‘aol’, ‘Hotmail’, ‘live ID’, etc… as a usable email account.


I now use a pretty solid encryption-based account that includes VPN.

I use an account PW & an additional Mailbox PW.


I do not have any Verizon phones that should connect to Verizon Business IP addresses. That includes access to my email account.

However, when I checked the sign-in activity from what are pretty well encrypted ‘email/drive/VPN’ accounts, an IP address associated with a ‘Verizon BUSINESS IP address’ showed up in my sessions.

Just throwing that out there.

The layers are endless and I feel I have so many ideas to share regarding the way devices can begin spreading.

I just keep hoping I can one day find this will just go away.

Apr 2, 2024 3:56 PM in response to John Galt

Help, SOS. I cannot get into my Mac. It won’t even let me. How do I use function keys to get past the first screen? It won’t let me get past anything. I can sign in with my password and I get to my screen, but it’s only there for a minute, then it leaves and Activity Monitor comes up, and the user on it is not me, and the processes are no longer Apple, and my name is no longer on the user.
