Suspicious Processes, Files, and Configuration Profiles Found on MacBook - Need Help Investigating

Hello,


I recently discovered several suspicious processes, files, and configuration profiles on my MacBook, and I need help understanding what's going on and how to address these issues.


1. Suspicious Processes in Activity Monitor:

I noticed several unusual processes running in Activity Monitor, including:

- remotemanagementd
- ManagedSettingsAgent
- containermanagerd
- ManagedConfigurationFilesSubscriber
- ManagementTestSubscriber


2. Files Found Using lsof:


I ran the 'lsof' command to gather more information about these processes and found the following relevant files:

(see screenshot attached)


The output reveals files related to remote management, MDM, and configuration profiles.


3. Suspicious User Configuration Profiles under ManagedClient and Profiles in SystemReport:


While investigating the unusual processes, I found suspicious configuration profiles under ManagedClient and Profiles in the System Report (not in System Preferences). I ran the command 'sudo profiles show -all' in Terminal to gather more information about these profiles. Here's the relevant output:

(see attached)


Key observations:

- There are 10 configuration profiles installed, all with "digital_health_restrictions" in their profile identifiers and UUIDs.

- None of the profiles have a proper name, configuration description, or organization specified.

- All profiles have "removalDisallowed" set to FALSE and "installedByMDM" set to FALSE.

- The profiles seem to restrict access to various system settings and applications.


I'm concerned that these processes, files, and configuration profiles may be malicious or unauthorized, as I did NOT install them myself, my MacBook has officially NEVER been enrolled, and they don't seem to be part of a legitimate setup.

For context, a bad actor had access to the MacBook and had installed a method of compromise. I have already factory reset the MacBook and reinstalled a clean OS; however, these malicious compromises seem to persist.


1. How can I safely remove these elements without affecting my system's stability?

2. What steps should I take to investigate how these items were installed on my MacBook?

3. Should I be concerned about any other potential security threats related to these findings?


Any insights, suggestions, or resources you can provide would be greatly appreciated. I want to ensure my MacBook is secure and free from any unauthorized or malicious processes, files, and configuration profiles.


Thank you in advance for your help!



MacBook Pro (M1, 2020)

Posted on Mar 7, 2024 7:53 PM

Question marked as Top-ranking reply

Posted on Mar 7, 2024 8:13 PM

CondePrinceDuSang wrote:

Hello,

I recently discovered several suspicious processes, files, and configuration profiles on my MacBook, and I need help understanding what's going on and how to address these issues.

1. Suspicious Processes in Activity Monitor:
I noticed several unusual processes running in Activity Monitor, including:
- remotemanagementd

For context, a bad actor had access to the MacBook and had installed method of compromise. I did already factory reset the MacBook and reinstall a clean OS, however, these malicious compromise seem to persist.
remotemanagementd(1)    BSD General Commands Manual    remotemanagementd(1)

NAME

     remotemanagementd -- MDM Version 2 protocol daemon

SYNOPSIS

     remotemanagementd

DESCRIPTION

     remotemanagementd handles HTTP communication with an Mobile Device Management (MDM) Version 2 server, delivering configuration information to
     the local Device Management daemon (dmd), and sending status messages back to the server.


You definitely have MDM. Someone had access to the Mac? A "bad actor?"


Did you acquire this Mac new from Apple?


How did you "factory reset?" Did you do this:


What to do before you sell, give away, trade in, or recycle your Mac - Apple Support


And if you did, did you migrate your account files back after the clean install? If you did, you may have migrated back the MDM.


If you followed the above link and still have MDM even before creating anything other than a generic admin user, with nothing else done to the blank Mac, then you need to schedule service with Apple.


Mar 8, 2024 2:36 AM in response to CondePrinceDuSang

User wrote: "I recently discovered several suspicious processes, files, and configuration profiles on my MacBook, and I need help understanding what's going on and how to address these issues."


It is possible that the machine was recently acquired from who knows who, and they had not un-enrolled this computer from a Mobile Digital Management Service (MDM) like Jamf or another similar MDM service.


Even if you were to totally reformat the drive to zero and reinstall the operating system again from scratch: if the serial number of this computer is still registered with the MDM service, they can still remotely reinstall their MDM service back onto the computer.


Until such time as the computer's serial number is removed from the MDM, there is little any of us can do to remedy this situation.
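A small triage helper for the two checks this thread turns on: the `sudo profiles show -all` output the original poster read (profiles with no name or organization, whether each was installed by MDM, whether removal is disallowed) and `profiles status -type enrollment`, which reports Automated Device Enrollment (DEP) and MDM enrollment state and so bears on the second reply's point about the serial number still being registered. This is an added example, not code from anyone in the thread; the sample outputs, identifiers and organization are constructed placeholders, and the attribute-line layout and enrollment command are assumed from macOS's `profiles` tool rather than taken from the posts.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `sudo profiles show -all`; identifiers
# and organization are placeholders, not values from the poster's machine.
SAMPLE_SHOW = """\
There are 2 configuration profiles installed
_computerlevel[1] attribute: name: Wi-Fi
_computerlevel[1] attribute: organization: Example Org
_computerlevel[1] attribute: profileIdentifier: com.example.wifi
_computerlevel[1] attribute: removalDisallowed: false
_computerlevel[1] attribute: installedByMDM: true
_computerlevel[2] attribute: profileIdentifier: com.example.digital_health_restrictions.PLACEHOLDER
_computerlevel[2] attribute: removalDisallowed: false
_computerlevel[2] attribute: installedByMDM: false
"""
# Constructed sample in the layout of `profiles status -type enrollment`.
SAMPLE_STATUS = "Enrolled via DEP: No\nMDM enrollment: No\n"

ATTR_RE = re.compile(r"^(\S+\[\d+\]) attribute: (\w+): (.*)$")

def parse_show(text):
    """Group `profiles show` attribute lines by profile slot -> {key: value}."""
    profiles = defaultdict(dict)
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:  # header/summary lines do not match and are skipped
            slot, key, value = m.groups()
            profiles[slot][key] = value.strip()
    return dict(profiles)

def triage(profiles):
    """Per profile, list the post's red flags (no name/organization), who installed it, removability."""
    report = {}
    for slot, a in profiles.items():
        findings = [f"missing {k}" for k in ("name", "organization") if not a.get(k)]
        if a.get("installedByMDM", "").lower() != "true":
            findings.append("installed locally, not by MDM")
        if a.get("removalDisallowed", "").lower() == "true":
            findings.append("removal disallowed")
        if findings:
            report[a.get("profileIdentifier", slot)] = findings
    return report

def parse_enrollment(text):
    """Turn `profiles status -type enrollment` lines into {question: bool}."""
    return {k.strip(): v.strip().lower() == "yes"
            for k, sep, v in (ln.partition(":") for ln in text.splitlines()) if sep}
```

On a Mac, feed the real output in with `subprocess.run(["sudo", "profiles", "show", "-all"], capture_output=True, text=True).stdout` in place of the constructed sample; a profile flagged "installed locally, not by MDM" while `remotemanagementd` is running is exactly the mismatch worth explaining before removing anything.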



