Detecting unauthorized MDM or stalkerware on iOS without Mac

Tools for detecting unauthorized MDM profiles or stalkerware on iOS without a Mac?

Hello everyone,

I am looking for developer tools, diagnostics, or forensic methods to detect potential stalkerware, spyware, or unauthorized Mobile Device Management (MDM) profiles on an iOS device.

Here is my current situation and constraints:

  • No macOS Access: I do not have a Mac, so I cannot use Xcode, Apple Configurator, or Mac-specific forensic suites.
  • Previous Amnest MVT check: I have looked into Amnesty International's Mobile Verification Toolkit (MVT), but I am looking for alternative methods or logs that can be analyzed directly on Windows/Linux or on the device itself.
  • History: The current iPhone was set up using data migration from a previous Android device. It appears that an unauthorized MDM profile or configuration may have carried over or compromised the environment.


My questions for the developer community:

  1. Are there any legitimate open-source or developer tools available for Windows/Linux to dump and analyze iOS system logs (syslog), crash reports, or active configuration profiles for anomalies?
  2. How can I verify if an invisible or deeply embedded MDM/enterprise configuration is restricting specific bundle IDs (like messaging apps) without Xcode?
  3. Are there specific iOS diagnostics modes (outside of standard Sysdiagnose, which is hard to parse without Mac utilities) that I can leverage to find signs of tampering?

Any guidance on APIs, documentation, or third-party developer tools would be highly appreciated. Thank you

iPhone 16 Pro Max, iOS 26

Posted on Jul 1, 2026 9:25 PM

Reply
45 replies

Jul 2, 2026 2:54 AM in response to doakshore

Hello doakshore, welcome to the Apple Support Community!

To detect MDM or spyware on iOS from Windows or Linux without a Mac, the best option is to use the Libimobiledevice open source toolkit (including idevicesyslog) to extract and analyze system logs, or to use the iMazing utility on Windows, which integrates a compromise indicator analysis tool (IoT) similar to MVT. Note that an MDM profile cannot be completely invisible and must appear in Settings > General > VPN and device management; if this section is empty, no profile is active. If you suspect a persistent infection from your old Android, the ultimate solution is to restore the iPhone to new via iTunes on Windows without reinjecting your backup. Have a nice day :)

Jul 4, 2026 7:59 AM in response to batorousseauevan

Thank you so much for the detailed replies! I really appreciate the specific tool recommendations, and I will definitely put them to the test. If any other tools or methods come to mind, please feel free to share them!


To give more technical context: I have already escalated this with Apple Support and discussed it with various IT specialists, but we are all a bit stumped. A standard wipe is unfortunately not working as expected. Every time I attempt a DFU restore, the process crashes and fails to complete. When it reboots, it always forces the exact same previous account/environment setup.


Furthermore, I noticed that one of my Passkey's has stopped working from my iCloud Keychain, and neither Apple Support nor the backend service provider has been able to give an answer as to why or how that happened.


To be clear, I am not entirely sure what the root cause is. Whether it is an unauthorized Mobile Device Management (MDM/DEP) profile, some form of spyware/stalkerware/shadow-IT, or something else entirely. Visually, there is nothing suspicious showing up in the enrollment or settings menus. In fact, during my discussions with Apple Support, even their team was completely left speechless by this behavior. The device is NOT jailbroken, as I have never done anything like that myself.


Ultimately, my main goal here is to perform digital forensics. I want to extract raw data and analyze these anomalies to understand exactly what is going on, rather than just trying to bypass the issue.





[Edited by Moderator]

Jul 3, 2026 9:22 PM in response to doakshore

This looks rather more like a device reset is ahead, or there’s a hardware problem, and how (or even if) profiles are involved here is decidedly not obvious.


The -18 error is usually a network or connectivity problem of some sort, or the activation server is offline or inaccessible, or maybe the local network router is confused, or the hardware has failed.


Given all that’s reporting, this reeks of bad hardware.

Jul 4, 2026 10:23 AM in response to MrHoffman

The device was bought secondhand from Reseller company.

I also need to add some important context regarding security: my old phone number (which is no longer in use because it was compromised multiple times) was never used directly on this specific device. However, the online account associated with that data leak was previously logged into this phone.

The situation is highly complex, and at this point, I honestly feel I might need a reliable digital forensics tool to get to the bottom of this.

Thank you! Also, I have tried restoring via iTunes, but I've had to switch entirely to the new Apple Devices app. My iTunes doesn't recognize the iPhone at all. No matter what I do, the device simply refuses to show up there.




[Edited by Moderator]

Jul 4, 2026 10:24 AM in response to doakshore

The device was bought secondhand from Reseller company.

I also need to add some important context regarding security: my old phone number (which is no longer in use because it was compromised multiple times) was never used directly on this specific device. However, the online account associated with that data leak was previously logged into this phone.

The situation is highly complex, and at this point, I honestly feel I might need a reliable digital forensics tool to get to the bottom of this.

Thank you! Also, I have tried restoring via iTunes, but I've had to switch entirely to the new Apple Devices app. My iTunes doesn't recognize the iPhone at all. No matter what I do, the device simply refuses to show up there.


According to the iMazing tool, there is no MDM (Mobile Device Management) or DEP (Device Enrollment Program) active on this phone. Do you have any insights or ideas on what could be causing this? Could it potentially be a hardware issue?"




[Edited by Moderator]

Jul 4, 2026 7:00 AM in response to MrHoffman

I agree, it's definitely pointing towards hardware. I'd love to hear your thoughts on a few things:

  1. Worst-case scenario: What kind of damage are you suspecting, and what do you speculate is the absolute worst outcome here? Which specific component do you think is failing?
  2. Diagnostics: I’ve already run Apple’s self-diagnostics, but are there any other tools you’d recommend? What exactly should I be testing right now?
  3. Repairs: This issue has caused a slight dent in my setup's reliability/image, and I'm unsure if it can even be fixed. Do you know if anyone actually takes these specific cases in for a proper hardware investigation?

I'd really appreciate your insights on this!

Jul 4, 2026 7:41 AM in response to doakshore

I usually skip the whole part about buying used Apple gear from resellers other than Apple, or buying used gear without a warranty from a trustworthy seller.


With too many resellers and with too many third-party “refurbs”, that’s too often buying somebody else’s problem gear, and too often with no warranty.


Which is where this case seemingly is. I’d suspect the previous owner probably chased these issues, gave up, and replaced it.


Repairs in recent years are either depot repairs, or the gear gets replaced with refurbished devices. But that usually also involves a warranty of some sort, as repairs are expensive and can still be problematic.

Jul 4, 2026 8:18 AM in response to MrHoffman

Thank you! I usually buy my devices new, but this time I made an exception and bought my gear from a reseller. It was a trusted one, Swappie. It's a really huge company in Europe, and I think I got a model with depot parts or software... This is, like, a really great thing, that first the journey with those Androids is what it is, and then this comes along, so yeah..


I don't know if I can find a way to report this somewhere, because the company's needs to take responsibility for these devices and refurbished devices. They can cause serious harm if they aren't investigated thoroughly before selling. Every defective model belongs in the trash now, not sold...

Jul 4, 2026 9:49 AM in response to doakshore

  • If you are going to rely on data provided by a third party, you will have to refer to that Developer for information. Just because a tool is not able to identify the Proximity Sensor does not mean there is a problem with the sensor on the device, it could just mean that the tool is unable to read it. The use of iMazing has always been problematic and I don't think you would find anyone here that would recommend it, just due the number of issues reported and the fact that it can root your device.
  • For the Windows use of iTunes, it has been deprecated on Windows in favor of the use of Apple Devices. Support is limited and updates continue with the Apple Devices app.
  • If you are using a VPN on your PC or iPhone, that can certainly cause problems with verification of updates and restores when connected to the computer. Most PC's also run Antivirus software that will also be problematic. Apple provides a Support Article here on the use of a VPN and the issues it may cause when connecting to Apple Servers. Likely the cause of you -18 error and others.

If your device has network connectivity issues, check for VPN and other third-party security software - Apple Support

  • If your device has a Hardware issue, the repair usually is a Logic Board replacement as there are very few components that are individually replaceable by Apple. You would need to schedule an appointment with Apple for diagnostics. It certainly may be the case that there is a hardware problem, but that is the sellers responsibility to make that right for you and there are some that would not do that or care after they have received your money. Reporting a company would be done by a Consumer Protection Agency, usually a Government agency in your region.
  • I see nothing that has been reported where there is any invisible MDM or compromise of any kind.
  • Analyzing log files always turns out to be a fruitless effort. Even if it was possible that a nefarious process was running on your iPhone, they certainly would not be leaving breadcrumbs of their activity by logging what it is doing. The System is not going to have any sort of log saying a breach was found. Logs are useful to Apple when multiple users are reporting the same issue and the logs can be used for comparative purposes to identify bugs, but not so much for a forensic analysis.


My recommendation is cut your losses now and purchase a new one from Apple where you may be able to trade in that phone if Apple will accept it. Use the in-store trade in option so you will get an immediate value and not be surprised by a devaluation if you had sent it in for a trade in. I am sure you won't get what you paid for, but it may offset some of the costs of the new phone. Also with that new device, do not use a VPN and do not connect it to a computer using iMazing.

Jul 4, 2026 10:01 AM in response to Mac Jim ID

In short: Losing the phone itself is a minor issue. The real loss is the data. What are my options? Will they even look into a single consumer's case unless many people are affected?


Also, what kind of evidence or data would I need to provide to file a consumer protection claim, considering the retailer is the one who messed up badly here? 


I originally switched to iPhone specifically for privacy and I actively use Lockdown Mode, so it's a shame the trusted retailer caused this situation.

Jul 4, 2026 11:49 AM in response to doakshore

doakshore wrote:
In short: Losing the phone itself is a minor issue. The real loss is the data. What are my options? Will they even look into a single consumer's case unless many people are affected?

Anything that has been synced to iCloud is safe and a most data is viewable and downloadable through web access. Also when you get a new device, that data will sync seamlessly back to that device.

Sign in and use iCloud.com - Apple Support


If you were able to perform an iCloud backup on your old device, you can use that backup to restore all the data saved there to your new device.

Restore your iPhone, iPad, or iPod touch from a backup - Apple Support


If you were able to perform a backup using Apple Devices on your PC, you can restore that data to your new phone.

Restore your iPhone, iPad, or iPod to factory settings using a computer - Apple Support


You may also be able to save some data from your iPhone to a USB drive or External Storage.

Transfer files from iPhone to a storage device, a server, or the cloud - Apple Support


Also, what kind of evidence or data would I need to provide to file a consumer protection claim, considering the retailer is the one who messed up badly here? 

It sounds like you are in the EU, so I am not sure which agency would be appropriate in that case. In the US, we would use the FTC but that would be unhelpful for businesses outside of the US.

https://reportfraud.ftc.gov/

Jul 5, 2026 12:38 AM in response to Mac Jim ID

Thank you for your response.I truly appreciate you taking the time to help.


Why I am turning to this community:


This technical assessment is shared because the underlying threat vector is universal, potentially impacting any individual within the mobile ecosystem.

Transitioning to an iOS device was a deliberate choice to establish a trusted baseline, given Apple's focus on privacy and security architecture. Because finding independent firms specializing in rogue consumer Mobile Device Management (MDM) on the open market is exceptionally difficult, the Apple community is the most qualified environment to seek insights on Apple architecture.


To ensure this matter is addressed objectively, this inquiry follows a strictly data-driven approach focused on hard evidence. My immediate objective is to gather forensic-grade data and irrefutable, tool-generated technical logs that can be formally presented to regulatory and law enforcement authorities.


Technical Statement: Scope, History, and Legal Status


  • Objective: Investigate device security, system integrity, and unauthorized persistence
  • Ownership: All devices, accounts, and network services are strictly personally owned and privately purchased. No corporate or enterprise affiliation exists.
  • OPSEC & Data Redaction: All regional markers, localized language strings, and metadata have been intentionally redacted from this report and the attached screenshots to maintain some security (OPSEC) and protect personal anonymity.
  • Current Indicators (iOS):Systemic anomalies observed post-activation prompted formal log requests from financial, insurance, and healthcare providers. Initial reviews confirm unauthorized endpoint interactions, which are now being aggregated for independent audit.
  • Regulatory Status: Reported to Data Protection, Cyber Security Center (Vulnerability Unit), and Telecom Carrier DPO authorities. Jurisdictional allocation is unresolved due to technical complexity; no consumer protection claims are engaged.
  • Current Status (Legacy Android MDM): Authorities have withheld technical data, such as the Android Tenant ID, due to consumer-level limitations. Without this critical identifier, it is highly hypothesized that the persistence migrated to the current iOS device via linked accounts or cloud synchronization. Progression remains stalled due to this jurisdictional deficit.


Incident History & Incident Timeline

  • Verified Android Compromise: Predecessor Android device had a verified, unauthorized enterprise MDM profile. Profile ownership and Tenant ID remain unknown due to local regulatory disclosure restrictions.
  • Deployment Vector Hypothesis: Based on commercial B2B hardware security consultation, the initial Android deployment is hypothesized to have occurred via automated enterprise enrollment (such as Google Zero-Touch). The legacy routing source is suspected to stem from an un-proprovisioned device identifier linked to a previous corporate infrastructure environment.
  • Network Vector (MSISDN): The suspected primary root cause is a verified, compromised legacy phone number (MSISDN). Case escalated to Telecom DPO; findings are pending.
  • Cross-Platform Observations: Identical configuration anomalies and MSISDN-linked behaviors re-emerged post-transition to the current iOS device, raising concerns regarding cross-platform persistence or serial-number-bound deployment (such as rogue Apple DEP).
  • Interface Branding Anomaly: Crucially, despite these forced persistent lock states and active enterprise layers, the device interfaces display no corporate naming conventions, visible tenant branding, or enterprise email addresses. The managing entity remains entirely hidden on the UI level.
  • Diagnostic Constraints: Due to a lack of low-level consumer diagnostic tools, it is unconfirmed if the persistence exists at the hardware/firmware or software/application level. Comprehensive digital forensics is required to isolate the vector.


Technical Requirements

To isolate the root cause (Hardware vs. Software), I require actionable input on the following:

  • Crash Log Analysis: Automated tools or scripts to parse extensive iOS crash logs for anomalies, memory corruption, or unauthorized access.
  • Advanced iOS Diagnostics: Frameworks (beyond standard MVT) to detect low-level system anomalies, configuration profiling, or firmware persistence.
  • Forensic Triage: Recommended independent labs for consumer-level hardware and partition analysis.
  • Keychain Access Group Corruption: Tools or workflows to diagnose the WhatsApp iCloud restore/Passkey failure WhatsApp iCloud backup restore fails, Pas… - Apple Community
  • Administrative Constraints: Methods to diagnose why the official Apple Developer Program automated enrollment continuously rejects government-issued IDs despite multiple support escalations, preventing the activation of local Developer Mode diagnostics.





Detecting unauthorized MDM or stalkerware on iOS without Mac

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.