Unauthorized MDM and potential DEP abuse on Apple devices

I’m experiencing what’s best described as unauthorized MDM (Mobile Device Management), and DEP may be involved as well, on my iOS device, and it spans my entire Apple ecosystem. These profiles are not visible within the OS by design, yet they are clearly using Apple’s own iOS frameworks and system-level functions to control the device.


Because the operating system treats these instructions as “normal,” antivirus and security tools will not detect this. In practice, the phone behaves exactly as if it’s functioning properly, while in reality all web traffic is silently routed through attacker-controlled servers. This creates an ongoing vector for additional payloads and compromises.


What makes this especially concerning is that Apple Support does not seem equipped to handle this type of abuse, and the invisibility of the profiles means end users have no way to verify whether their device is enrolled in unauthorized management. If a user suspects their microphones or cameras are active without consent, this could very well be occurring silently at the OS level.


The only current defensive step I can recommend to other users is running a network packet capture to see whether their device traffic is being diverted or proxied in ways they didn’t authorize.


Finally, I’d like to raise a red flag: nearly every discussion thread about this topic in Apple’s forums has been locked or closed without resolution. That lack of transparency does not add up and leaves those of us experiencing this abuse without answers or recourse.


[Re-Titled by Moderator]

Original Title: Unauthorized MDM

iPhone 15 Pro, iOS 18

Posted on Aug 17, 2025 9:40 PM

Question marked as Top-ranking reply

Posted on Oct 26, 2025 6:59 PM

Thedawk916 wrote:

Hi, I have the same thing going on. I found a profile called attwifi.mobileconfig. It was not viewable on vpn and profiles. It has the name att on the title, but the organization is Apple Inc. ..


That is a cellular carrier Wi-Fi offload network, and is a basic part of carrier network provisioning across most (all?) carriers.


Carrier offload started fifteen or so years ago. It is not particularly new.


The Wi-Fi carrier settings data here is from AT&T, too. AT&T uses Wi-Fi network names (SSIDs) attwifi, att-wifi, and AT&T Wi-Fi Passpoint, probably among others.


From Settings > Wi-Fi > Edit for most (all?) AT&T customers:


While that profile shows as an MDM profile and shares the underlying implementation with profiles for managed and supervised devices, it is not an indication of a hack, and not an indication of managed or supervised access of the local device, and not unauthorized or unexpected remote management.


And by your own investigation, for this to be nefarious, what you are reporting would require the compromise of the Apple signing keys!


If you don’t want to offload your cellular traffic over to carrier-provided Wi-Fi via an AT&T Wi-Fi network or an AT&T aligned Wi-Fi carrier such as Boingo, you can remove the SIM or delete the eSIM, and cease using the carrier services. When the carrier profile is then automatically removed, those Wi-Fi networks will also be removed.


As for what you authorized with your agreement with AT&T, check the fine print on the carrier agreement.


If you don’t want the carrier offload, switch to a carrier that does not use that (if you can find one), or negotiate for that removal directly with AT&T.


Overview of carrier offload: https://www.asd-usa.com/blog/carrier-offloading


As for iPhone exploits and the rest, sure, those do exist, and they’re exceedingly expensive, and very much targeted, based on available reporting. While some of you may well be a target, most of you are not, and respectfully, y’all will always also want to look for a more mundane explanation for the finding of concern, same as when performing other forms of debugging and troubleshooting. Assumptions can be wrong. Such as in this case, with a carrier Wi-Fi offload.
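Added example (not part of the reply above, and not Apple's or AT&T's code): a short Python check that separates a Wi-Fi-only configuration profile, like the carrier offload profile described in the reply, from one that carries an MDM enrollment, proxy, VPN or root-certificate payload. It assumes the profile is available as an unsigned plist (a signed .mobileconfig is CMS-wrapped and must be unwrapped first); both sample profiles, the `summarize_profile` name and the example server URL are constructed for illustration.

```python
import plistlib

# Payload types that manage the device or can redirect traffic
# (Apple's documented configuration-profile payload identifiers).
TRAFFIC_OR_MGMT = {
    "com.apple.mdm": "MDM enrollment",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.vpn.managed": "VPN",
    "com.apple.security.root": "added root certificate",
}

def summarize_profile(raw: bytes) -> dict:
    """Summarize an unsigned .mobileconfig (plist) by payload type."""
    profile = plistlib.loads(raw)
    summary = {"organization": profile.get("PayloadOrganization"),
               "wifi_ssids": [], "wifi_proxied": [], "flags": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.wifi.managed":
            ssid = payload.get("SSID_STR", "")
            summary["wifi_ssids"].append(ssid)
            # A Wi-Fi payload can carry its own proxy setting.
            if payload.get("ProxyType", "None") != "None":
                summary["wifi_proxied"].append(ssid)
        elif ptype in TRAFFIC_OR_MGMT:
            summary["flags"].append(TRAFFIC_OR_MGMT[ptype])
    # True only when the profile does nothing except define Wi-Fi networks.
    summary["wifi_only"] = bool(summary["wifi_ssids"]) and not (
        summary["flags"] or summary["wifi_proxied"])
    return summary

def _make(payloads, org):
    # Builds the constructed sample profiles used below.
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadOrganization": org, "PayloadContent": payloads})

# Constructed sample: Wi-Fi payloads only, using SSIDs named in the reply.
CARRIER_SAMPLE = _make(
    [{"PayloadType": "com.apple.wifi.managed", "SSID_STR": s, "ProxyType": "None"}
     for s in ("attwifi", "att-wifi")], "Apple Inc.")

# Constructed sample: what an MDM enrollment plus a proxy would contain.
MANAGED_SAMPLE = _make(
    [{"PayloadType": "com.apple.mdm", "ServerURL": "https://mdm.example.invalid/"},
     {"PayloadType": "com.apple.proxy.http.global", "ProxyType": "Manual"}],
    "Example Org (constructed)")

if __name__ == "__main__":
    for name, raw in (("carrier", CARRIER_SAMPLE), ("managed", MANAGED_SAMPLE)):
        print(name, summarize_profile(raw))
```
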

17 replies

Dec 26, 2025 11:43 AM in response to Unauthorizedmanagement

Unauthorizedmanagement wrote:

I’m finding this profile on my iPad as well, and it is found in WiFi>edit>managed networks (below known networks)

  • And is it a cellular iPad?
  • If so, then does the Managed Network immediately go away when the SIM is removed and restarted?


If the answer to those questions is Yes, then you have found the source and know what you can do to remove them. The location you described is exactly where I see the Managed Network that a cellular service provides.

Dec 26, 2025 12:19 PM in response to Unauthorizedmanagement

Unauthorizedmanagement wrote:

I don’t think what you’re speaking of is what’s being discussed. Legitimate on-boarding of legitimate school and or enterprise profiles is not what I’m speaking of. In particular to Mac OS, and iOS MDM has been baked into the OS and the statement I’m making and will make it standing tall is these servers, the process I can’t speak of other than say they are being abused and I reckon on a grand scale and that knowledge is either known by Apple to be an ongoing issue or damage control is already set in motion hence all the forum posts I see closed with no resolution. This last sentence pure speculation…


Assuming this is not the carrier offload Wi-Fi network support mentioned earlier in this thread…


A claim involving exploit tooling worth millions is unlikely to be resolved in a forum thread; a thread with no supporting details, with no direct device access, no account access, and no personal context. This is not a strategy for success.


And if you are a target for mercenary tooling, you’ll want to reevaluate the entirety of your data management and personal practices, including whether to replace all of the suspect gear with a feature phone or equivalent.
