Unauthorized MDM and potential DEP abuse on Apple devices

I’m experiencing what’s best described as unauthorized MDM (Mobile Device Management), and DEP may be involved as well, on my iOS device, and it spans my entire Apple ecosystem. These profiles are not visible within the OS by design, yet they are clearly using Apple’s own iOS frameworks and system-level functions to control the device.


Because the operating system treats these instructions as “normal,” antivirus and security tools will not detect this. In practice, the phone behaves exactly as if it’s functioning properly, while in reality all web traffic is silently routed through attacker-controlled servers. This creates an ongoing vector for additional payloads and compromises.


What makes this especially concerning is that Apple Support does not seem equipped to handle this type of abuse, and the invisibility of the profiles means end users have no way to verify whether their device is enrolled in unauthorized management. If a user suspects their microphones or cameras are active without consent, this could very well be occurring silently at the OS level.


The only current defensive step I can recommend to other users is running a network packet capture to see whether their device traffic is being diverted or proxied in ways they didn’t authorize.


Finally, I’d like to raise a red flag: nearly every discussion thread about this topic in Apple’s forums has been locked or closed without resolution. That lack of transparency does not add up and leaves those of us experiencing this abuse without answers or recourse.


[Re-Titled by Moderator]

Original Title: Unauthorized MDM

iPhone 15 Pro, iOS 18

Posted on Aug 17, 2025 9:40 PM

Question marked as Top-ranking reply

Posted on Oct 26, 2025 6:59 PM

Thedawk916 wrote:

Hi, I have the same thing going on. I found a profile called attwifi.mobileconfig. It was not viewable on vpn and profiles. It has the name att on the title, but the organization is Apple Inc. ..


That is a cellular carrier Wi-Fi offload network, and is a basic part of carrier network provisioning across most (all?) carriers.


Carrier offload started fifteen or so years ago. It is not particularly new.


The Wi-Fi carrier settings data here is from AT&T, too. AT&T uses Wi-Fi network names (SSIDs) attwifi, att-wifi, and AT&T Wi-Fi Passpoint, probably among others.


From Settings > Wi-Fi > Edit for most (all?) AT&T customers:


While that profile shows as an MDM profile and shares the underlying implementation with profiles for managed and supervised devices, it is not an indication of a hack, and not an indication of managed or supervised access of the local device, and not unauthorized or unexpected remote management.


And by your own investigation, for this to be nefarious, what you are reporting would require the compromise of the Apple signing keys!


If you don’t want to offload your cellular traffic over to carrier-provided Wi-Fi via an AT&T Wi-Fi network or an AT&T aligned Wi-Fi carrier such as Boingo, you can remove the SIM or delete the eSIM, and cease using the carrier services. When the carrier profile is then automatically removed, those Wi-Fi networks will also be removed.


As for what you authorized with your agreement with AT&T, check the fine print on the carrier agreement.


If you don’t want the carrier offload, switch to a carrier that does not use that (if you can find one), or negotiate for that removal directly with AT&T.


Overview of carrier offload: https://www.asd-usa.com/blog/carrier-offloading


As for iPhone exploits and the rest, sure, those do exist, and they’re exceedingly expensive, and very much targeted, based on available reporting. While some of you may well be a target, most of you are not, and respectfully, y’all will always also want to look for more mundane explanation for the finding of concern, same as when performing other forms of debugging and troubleshooting. Assumptions can be wrong. Such as in this case, with a carrier Wi-Fi offload.
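
One way to check what a recovered .mobileconfig actually contains, shown here as an added example that is not part of any post in this thread: the script lists a profile's payload types and flags only those that enroll the device in management or redirect traffic, so a Wi-Fi-only carrier profile comes back with no findings. The sample profiles are constructed, the payload-type table is a selection rather than a complete list, and the signature on a signed profile is not verified.

```python
import plistlib

# Payload types (Apple configuration profile format) that change who controls
# the device or where its traffic goes. A selection, not a complete list.
SENSITIVE = {
    "com.apple.mdm": "MDM enrollment (remote management)",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.vpn.managed": "VPN configuration",
    "com.apple.dnsSettings.managed": "DNS override",
    "com.apple.security.root": "trusted root certificate",
}

def load_profile(data: bytes):
    """Return (profile_dict, wrapped). A signed profile is a CMS envelope around
    the XML plist; this heuristic only locates the plist and does NOT verify
    the signature."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in input")
    return plistlib.loads(data[start:end + len(b"</plist>")]), start > 0

def triage(data: bytes) -> dict:
    profile, wrapped = load_profile(data)
    payloads = profile.get("PayloadContent", [])
    findings = []
    for p in payloads:
        ptype = p.get("PayloadType", "?")
        if ptype in SENSITIVE:
            findings.append((ptype, SENSITIVE[ptype]))
        elif ptype == "com.apple.wifi.managed" and p.get("ProxyType", "None") != "None":
            # A Wi-Fi payload can still set a proxy for that one network.
            findings.append((ptype, f"proxy on SSID {p.get('SSID_STR')!r}"))
    return {"organization": profile.get("PayloadOrganization"),
            "wrapped": wrapped,
            "payload_types": [p.get("PayloadType") for p in payloads],
            "findings": findings}

def _sample(payloads):  # constructed sample data, not a real carrier profile
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadOrganization": "Example Org (constructed)",
        "PayloadContent": payloads})

WIFI_ONLY = _sample([{"PayloadType": "com.apple.wifi.managed",
                      "SSID_STR": "attwifi", "AutoJoin": True}])
MANAGED = _sample([{"PayloadType": "com.apple.mdm",
                    "ServerURL": "https://mdm.example.invalid/checkin"}])

if __name__ == "__main__":
    for name, blob in (("wifi-only", WIFI_ONLY), ("managed", MANAGED)):
        print(name, triage(blob))
```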

13 replies

Oct 26, 2025 6:01 PM in response to Jdtaylor21

Actually, you're wrong. Your device can't be added without your consent or cooperation.


Adding an existing device to ABM and to an MDM as a supervised device, which prevents removal, requires complete erasure of the device.


You would either have to willingly provide the device to the employee in question in an as-new state or provide them with the device and your credentials in order for them to enroll it.


Playing games with the meaning of the word "unauthorized" as used by the OP doesn't change that fact.


Aug 19, 2025 4:14 AM in response to Unauthorizedmanagement

Hi, I have the same thing going on. I found a profile called attwifi.mobileconfig. It was not viewable on vpn and profiles. It has the name att on the title, but the organization is Apple Inc. There is no trust signature. I have spoken to Apple about this and they have forwarded my case to Apple security. It is not Apple's file. I called ATT, it is not their file. I removed the profile and it came back after an OTA update.


I got tired of everyone calling me crazy and bought a MacBook to diagnose. I extracted an iMazing backup and found a lot of things in my logfiles. Create a sysdiagnose file. See if you can find the mobileconfig file and save it to a thumb drive to air gap it. Please email me at d****a@gmail.com




[Edited by Moderator]

Aug 19, 2025 4:52 AM in response to Unauthorizedmanagement

Unauthorizedmanagement wrote:

I’m experiencing what’s best described as unauthorized MDM (Mobile Device Management), and DEP may be involved as well, on my iOS device, and it spans my entire Apple ecosystem.

No. You are not.

If you're actually having a problem, then describe the symptoms and what you've done to troubleshoot the problem.


Your assessment of what's wrong is nothing but a paranoid fantasy.

Aug 20, 2025 11:00 AM in response to Unauthorizedmanagement

There is no such thing as an unauthorized MDM. To install MDM, you either

  1. Must purchase the device from Apple or an authorized reseller and have it added to Apple Business/School Manager and have an MDM connected for automated device enrollment
  2. Someone must have physical access to your device and must have your passcode/password.
  3. Someone must have physical access to your device, your iCloud password (assuming you've set that up), and be in a trusted location (or wait for an hour, again, assuming you set iCloud up), then they have to wipe your device and add it to Apple Business/School Manager manually.

Option 1 cannot be removed by you because you don't own the device.

Option 2 can be removed in Settings > General > VPN & Device Management.

Option 3 can also be removed in Settings > General > VPN & Device Management if it has been less than 30 days since the device was enrolled. You would likely notice if this one was the case as again, at a minimum, it requires the device to be wiped.


These are the only options.

Oct 26, 2025 5:30 PM in response to Jdtaylor21

Jdtaylor21 wrote:

I had an employee set up an MDM without consent and cause havoc on my business. This can only be defined as an unauthorized creation of an MDM. They set restrictions to not allow me to sign out of Apple and Apple itself could not figure out how to fix it. Anyone can believe what they want but facts cannot be argued by those with any intellect.

Then go after your employee for damages. This has nothing to do with the original post, which is not based in reality.


