Unusual Plist File Related to TouchID on Non-TouchID MacBook

Hello,

I have come across something quite puzzling on my MacBook Pro (2015 model). The device does not have TouchID capabilities, yet I found a plist file named com.apple.managedclient.profileplugin.TouchID. This seems unusual because TouchID hardware isn’t present on this model. The latest update on the MacBook was 2 weeks ago and its version is now MacOS 12.7.


Details:

  • The plist file is associated with managing TouchID settings, though no physical TouchID sensor exists on the MacBook.
  • The plist entry details are as follows:
    • CFBundleIdentifier is com.apple.managedclient.profileplugin.TouchID
    • BuildMachineOSBuild and DTXcode indicate it was compiled with Xcode version 13.3.

Given that this MacBook never had TouchID, I'm concerned about the security implications of this file.


I found out that the MacBook had been compromised by individuals who had kept the device in their possession for months, via malicious MDM installation, virtual machines (Ubuntu, Kali Linux, via Parallels Desktop), Apple ID and iCloud compromise, etc.


However, I did factory reset the device since, reinstalled a clean OS and changed the Apple ID on the device.


The discovery of this (recent) plist file is concerning.


What does the mention of a managed client profile plugin for TouchID entail? I assume that it suggests that the plist file is associated with a configuration profile that manages TouchID settings (again, the MacBook was bought brand new and was enrolled in any management program by me).


Could it be maybe a virtual TouchID?

What would be the security risks?

What does <key>DTXcode</key> <string>1330</string> mean?

Thanks in advance


****DISCLAIMER**** I respectfully request that comments be limited to polite, accurate, helpful, positive entries. Anyone with the usual arrogance, disrespect, insensitive, counter-productive arguments, REFRAIN yourselves from posting here.



Earlier Mac models

Posted on Apr 14, 2024 11:00 AM


8 replies

Apr 14, 2024 11:59 AM in response to CondePrinceDuSang

When you install an instance of MacOS on a particular machine, it is identical to the standard same-version of MacOS installed on ANY machine. MacOS code does not modify itself, and is NOT tailored to your specific hardware.


After MacOS 11 Big Sur, the System is on a crypto-locked Volume that is not writeable using ordinary means, and any changes that appear will cause your Mac to alert you very quickly.


There are also likely hundreds to thousands of plist files that may do nothing at all for your particular use.


If you are not seeing any gross symptoms, you are not likely to be having any problems worth worrying about.
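Added example, not part of any post in this thread: a short Python triage of a bundle's Info.plist that decodes the DTXcode value asked about in the question (1330 is Xcode 13.3.0: two digits major, one minor, one patch) and applies the reply's point about the sealed System volume to the bundle's location. The sample plist is constructed, the BuildMachineOSBuild value and the bundle path used with it are placeholders, and the location check is a coarse heuristic.

```python
import plistlib
import posixpath

# Constructed sample. Only CFBundleIdentifier and DTXcode carry values quoted in
# the thread; the BuildMachineOSBuild value is a placeholder.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.managedclient.profileplugin.TouchID</string>
  <key>BuildMachineOSBuild</key>
  <string>PLACEHOLDER</string>
  <key>DTXcode</key>
  <string>1330</string>
</dict>
</plist>
"""


def decode_dtxcode(value):
    """Decode DTXcode: two digits major, one digit minor, one digit patch."""
    digits = str(value).strip().zfill(4)
    if len(digits) != 4 or not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"unexpected DTXcode value: {value!r}")
    return f"{int(digits[:2])}.{digits[2]}.{digits[3]}"


def on_sealed_system_volume(path):
    """Coarse check: under /System but not the writable /System/Volumes mounts.
    Some /System/Library subfolders are firmlinked to the Data volume."""
    norm = posixpath.normpath(path)  # collapse ".." so traversal cannot fool it
    under_system = norm.startswith("/System/")
    return under_system and not norm.startswith("/System/Volumes/")


def triage_bundle(info_plist_bytes, bundle_path):
    """Summarise build metadata and location for one bundle (heuristic only)."""
    info = plistlib.loads(info_plist_bytes)
    identifier = info.get("CFBundleIdentifier", "")
    dtxcode = info.get("DTXcode")
    return {
        "identifier": identifier,
        # The identifier is a plain string anyone can set; it proves nothing alone.
        "claims_apple_namespace": identifier.startswith("com.apple."),
        "xcode_version": decode_dtxcode(dtxcode) if dtxcode is not None else None,
        "build_host_os": info.get("BuildMachineOSBuild"),
        "on_sealed_system_volume": on_sealed_system_volume(bundle_path),
    }
```

A bundle that claims the com.apple namespace but sits outside the sealed volume is the combination worth a closer look, since the location is harder to fake than the identifier string.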

Apr 15, 2024 9:14 PM in response to Mac Jim ID

I ran EtreCheck on two of my MacBooks. I must say, the results were rather surprising! On the MacBook that the attackers had access to and that contains among other compromises 10 (unknown, unauthorized) configuration profiles, the report did find some issues, but nothing missed completely some of the obvious signs (including the configuration profiles); however, on a newer MacBook, yes presenting signs of malicious management as well but that I didn't think was deeply affected, EtreCheck raised massive alarms and populated a lengthy major red flags. For privacy security, I would prefer not to share the report publicly. I send the reports to your support.

Apr 14, 2024 3:39 PM in response to Mac Jim ID

Thank You for Your Answers!

I appreciate the insights, but I believe it's critical to address the presence of the managedclient.profileplugin.TouchID on a MacBook Pro (early 2015) that is not part of any managed environment and notably, does not support TouchID hardware.

This situation could potentially point to leftover artifacts from unauthorized modifications or an attempted setup by unauthorized parties, especially given the device's history.


Typically, plugins like this are used to extend or modify the behavior of system services according to specific management policies. The fact that it's linked with TouchID—a feature that my MacBook does not support—adds an additional layer of concern. Is it possible that this was intended to intercept or emulate authentication processes, which could pose a significant security risk?


I may be reading too much into it, but I've conducted experiments that increase my concern. Each time I pressed the TouchID on my more recent MacBook, log activities related to com.apple.sharing.SDRemoteInteractionAgent were generated, indicating changes in UI lock status—locked and unlocked—regardless of the Wi-Fi connection status.


Moreover, I've discovered inexplicable entries related to AutoUnlock on both the 2015 and 2021 MacBooks, despite never having paired them with an Apple Watch. Combined with unknown and invisible keychain and HomeKit paired identities and a history of device compromise, these observations heighten my concerns about the security of my devices. (See attached)


Regarding configuration profiles, I found user configuration profiles listed in the System Report under ManagedClient and Profiles (one of my MacBooks has 10 profiles), rather than under System Preferences where one might expect to find legitimate system management profiles.


These findings are disconcerting, and I'd like to understand whether these could be indicative of deeper security issues.

Apr 16, 2024 6:39 AM in response to CondePrinceDuSang

CondePrinceDuSang wrote:

I ran EtreCheck on two of my MacBooks. I must say, the results were rather surprising! On the MacBook that the attackers had access to and that contains among other compromises 10 (unknown, unauthorized) configuration profiles, the report did find some issues, but nothing missed completely some of the obvious signs (including the configuration profiles); however, on a newer MacBook, yes presenting signs of malicious management as well but that I didn't think was deeply affected, EtreCheck raised massive alarms and populated a lengthy major red flags. For privacy security, I would prefer not to share the report publicly. I send the reports to your support.

The EtreCheck report contains no personal information. You will see that even your drive names are redacted. It was created by a fellow user here in the forums for exactly that reason. Hopefully it provided enough information for you to be able to solve the issue independently.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
