Can a hidden VPN or MDM profile be installed without my knowledge on iPhone?

yes It can, have apple check your Serial number, even if that is not listed a managed or supervised does not mean it is not happening, the bad guys can still use reputable 3rd party providers. Try my test - have only one way to verify you apple account -email or cell ( not both ) remove recovery methods such as recovery code ( keep encryption on ) remove recovery contacts ( bad guys can use your recovery codes to lock you out) replace those with physical FIDO security key and a FIDO NFC card -while your keys are active, see how often your device offers to use a key to sing in to anything , if they stop getting prompted to use utilized the key for sign in, then you in all probability have a MDM of some sort. If your devices serial number is not on the Apple list then they are most likely tied to your IMEI, which presents a bigger issue as in that situation, factory reset in recovery will not remove it. Save your critical files , photos , contacts ( review contacts and reduce to known friends and family ) start fresh with a new device - new Apple account - reload necessary contacts, slowly, do but restore the backup , get apps from App Store to ensure your not reloading a spoofed app, no pairing, Bluetooth or Siri until you tested the device and then slowly return to place you feel protected,

I don’t believe these are carrier profiles. I think is government overreach/control as apparently both apple and provider keep saying they don’t see anything on their end. Until several months ago apple told me to go to an authorized repair centre and have them look at it. So I did and they told me to reset to factory which I have then told me to reset to factory with a computer which I have not cause it seems my last two computers are infected with the same thing. I’m sure I know why and what’s happening and it goes far deeper than provider and government. Something along the lines as to why god isn’t allowed in our schools anymore. They keep close eyes on a select few is my educated opinion. Soon I might not have any digital device that connects to the internet. At least without an actual switch. Sorry to be the bearer of bad news but Our privacy is a thing of the past and it’s going to get very much worse in the next year or two! Might want to look into a faraday bag and the bible

There are managed profiles for carrier offload Wi-Fi networks. These are part of carrier provisioning.

As for so-called hidden profiles, nobody has yet shown one (outside Wi-Fi offload), though the latent support for profiles causes lots of log chatter related to MDM and profiles that gets confused as being actual profiles.

As iOS, iPadOS, and macOS all share a common base with Darwin and XNU kernel, references ro other platforms can appear in the logs.

Support for beta testing and AppleSeed and public testing is built into iOS and iPadOS starting around 16.4, as the add-on profiles that were used prior to that were more of a hassle.

Analytics are filled with ominous and scarily-worded references, including to built-in features such as Pegasus, which is unrelated to that other Pegasus. The logs are intended for Apple, and for developers debugging their own apps.

Given this particular case has been ongoing since 2022, it is extremely unlikely to be resolved here, today, and you are unlikely to get any new or actionable suggestions here, today, you have not already received and considered and implemented as appropriate over the years. This includes suggestions such as using recent devices and current iOS and iPadOS versions, keeping an Apple Account secure, two-factor, etc.

And while securing your Apple Account (formerly Apple ID) is something that is appropriate and will always be suggested, that is not related to how profiles get loaded.

For completeness, iPhone and iPad and current hardware can be vulnerable and can be exploited, and do have vulnerabilities, but detecting those exploits requires deeply intrusive data access and personal questions, and that’s just not going to happen around here. Exploits for newer devices and newer iOS are immensely expensive, which means anybody targeted with these exploits is valuable to an immensely well-funded adversary, too. Older iPhone and older iPad and A11 and earlier can be more easily be exploited, given direct access.

ro822 wrote:

yes It can, have apple check your Serial number, even if that is not listed a managed or supervised does not mean it is not happening, the bad guys can still use reputable 3rd party providers. Try my test - have only one way to verify you apple account -email or cell ( not both ) remove recovery methods such as recovery code ( keep encryption on ) remove recovery contacts ( bad guys can use your recovery codes to lock you out) replace those with physical FIDO security key and a FIDO NFC card -while your keys are active, see how often your device offers to use a key to sing in to anything , if they stop getting prompted to use utilized the key for sign in, then you in all probability have a MDM of some sort. If your devices serial number is not on the Apple list then they are most likely tied to your IMEI, which presents a bigger issue as in that situation, factory reset in recovery will not remove it. Save your critical files , photos , contacts ( review contacts and reduce to known friends and family ) start fresh with a new device - new Apple account - reload necessary contacts, slowly, do but restore the backup , get apps from App Store to ensure your not reloading a spoofed app, no pairing, Bluetooth or Siri until you tested the device and then slowly return to place you feel protected,

If those are presumably just part of the capabilities you expect your adversaries can employ, you should be greatly limiting your use of even your feature phone, and avoid using smartphones and other similarly-connected devices.

This particularly given you believe your adversary both capable of silently remotely supervising devices and those supervised devices will also not be shown as supervised, and capable of silently compromising Apple Account security including overriding security key and recovery key settings.

Given the capabilities you expect your adversaries to employ, you should also be reviewing your own practices and procedures around data management and data storage, and plans for what will be involved should your devices be breached. This would certainly also include reviewing all of your potentially-identifiable communications patterns, and sourcing new and anonymous devices.

Are there people with these or mire likely other similar potential risks? Sure. Particularly if you directly are or are on the path to a person of direct interest to a national security entity, or of interest to those adversaries with access to mercenary exploit tooling. And if that describes anybody reading this, y’all probably shouldn’t be getting your security advice around here or other similar forums, either. Mistakes are bad.

I don’t see any hidden profiles there, past the carrier network provisioning already mentioned.

For issues with Microsoft Windows 11, please check with Microsoft.

Akamai Edge is a well-known and large DNS services provider. I’m u clear why references to that are included here.

This might be an issue with your Apple ID, or an unauthorized configuration profile. It could be a bug in iOS as well.

I would recommend to secure your AppleID (change password, 2FA, check the list of devices associated with your Apple ID > remove unrecognized ones.

Also check for MDM profiles, and last resort, I would recommend to do a factory reset without restoring a backup. Maybe also create a new Apple ID altogether.

To be clear; you have never seen hidden MDM before but many have seen it and patched it , hence iso 18.5 a few days, I am under a do not disclose certain facts but I’ll stay within the boundary, mine is a 3rd party trusted vendor JamP I discovered it , figure out how and wrote the what and the how to stop and submitted for code and review & Bounty, I learned what I know today by being keenly aware , super curious and wait for it- reading the analytics , sometimes had to lookup every single word, but it was not a scary , intimidating extinct cave wall hirogrifics (sp)? They are Data analytics used by anyone wanting to learn the process of collecting, transforming, and organizing data in order to draw conclusions, make predictions, and drive informed decision making. I encourage checking and learning what key call indicators mean . Yes, this is rare, but I am sad and afraid to tell you , it is a fast rising problem, and denying it does nothing to help slow the growth, I hope you never have to deal with anything even remotely ( no pun intended ) similar to this nightmare, but please don’t dismiss me because you have not experienced this life takeover -they divert your life to them ! No worries one day you be interesting enough for you own hacker , I’m sorry , I Kidd…. to keep from crying.

Your suggestion of learning Data Analytics to identify a problem is flawed. If you think you can do that by googling words in the analytics or running them through AI, you would be wrong. JamP is not even a MDM provider and you may be referring to JamF, it is that exact misunderstanding that leads you down a rabbit hole that you will never dig yourself out of. If you honestly think there are hidden MDM profiles, don't you think that they would also not be logging any data to be exposed?

Everyone's Analytic logs have words like "Root", "Hidden Profile", "isSupervised", "stingray". The problem is that you have no idea what they are referring to and googling those words will of course tell you that something may be wrong. It simply is not true and those words appear in those logs because the Engineer chose to log those words and they have been in those logs for years. Some have even been around since the 1970's when UNIX was developed and iOS is based on the UNIX OS and they also appear on MacOS and GNU/Linux based operating systems.

Nope. What it is is rampant, uninformed paranoia.