macOS Logs Show "studentd" & "Classroom" Activity on Unmanaged MacBook - Seeking Understanding
Hi everyone,
I'm reaching out to the Apple community today seeking some help interpreting some unusual activity I've noticed in my MacBook's system logs. My MacBook is not enrolled in any management programs or educational institutions, yet I'm seeing entries involving "studentd" and "Classroom" processes.
Here's a summary of the key findings:
Processes:
- Logs mention "studentd" and "Classroom" processes, often associated with managed education environments.
Activities:
- Wireless proximity features involving state changes and potential tracking.
- XPC connections to services like com.apple.classroom:General and com.apple.identityservicesd.desktop.auth, often used in managed scenarios:
83725 0 studentd: (IMFoundation) [com.apple.IDS:XPC] Created connection to com.apple.identityservicesd.desktop.auth service: 0x13***2e0
2023-12-31 15:59:24.507360-0500 0x4ca4ec Default 0x694073 83725 0 studentd: (libxpc.dylib) [com.apple.xpc:connection] [0x13****e0] activating connection: mach=true listener=false peer=false name=com.apple.identityservicesd.desktop.auth
- Task session errors related to Classroom: Reinforcing the possibility of unwanted software attempting to connect to non-existent classroom services.
- References to "dealing with family members," suggesting potential family sharing or control mechanisms.
- Login session state changes for a specific user:
83725 0 studentd: (loginsupport) [com.apple.login:SA_General] SASSessionStateForUser:1302: SA: currentState: 2
studentd: (loginsupport) [com.apple.login:SA_General] SASSessionStateForUser:1302: SA: currentState: 3
- Network: I've noticed some network path evaluations and connections related to Wi-Fi and Open Directory.
- Requesting Connection ID: studentd is requesting a connection ID from the Identity Services framework (IDS), used for communication with Apple's messaging and connectivity services.
- Connecting to Identity Services Daemon: It's establishing a connection to the com.apple.identityservicesd.desktop.auth service, which handles authentication and authorization for IDS features.
- Connection Completion: The connection is successfully established, allowing studentd to interact with IDS functionality.
- Setup Complete: studentd has completed its setup with IDS, indicating it's ready to use the services.
- See below:
0x694073 83725 0 studentd: (IDS) [com.apple.IDS:Registration] Requesting connectionID 1 usingSync YES
studentd: (IMFoundation) [com.apple.IDS:XPC] Created connection to com.apple.identityservicesd.desktop.auth service: 0x13****2e0
83725 0 studentd: (IDS) [com.apple.IDS:Registration] Setup complete with info
83725 0 studentd: (IDS) [com.apple.IDS:Registration] Dependent devices all disappeared, removing all dependent devices
Context:
- No enrollment in management programs or educational institutions.
- No knowledge of installing any related software.
- Compromise of the MacBooks and previous Apple ID by a bad actor with access to machine and credentials; however, remedy solutions (factory reset of devices, complete change of Apple IDs), regular monitoring and implementation of security measures are in place.
- Presence of unknown user unsigned profiles configurations under managedclient and profiles detected in system report (n10), (nothing in system preference)
- Integration of classroom with profile configuration found the plist file.
- Integration of studentd and classroom with Safari browsers (seems to suggest cross device activity)
Concerns:
- The presence of these activities on an unmanaged device is concerning and raises questions about potential unauthorized software or monitoring.
- Lack of transparency in Apple's documentation regarding specific process behavior adds to the confusion.
Seeking:
- Understanding: Any insights into the meaning and purpose of the reported "studentd" and "Classroom" activity in this unmanaged context.
- Similar Experiences: Has anyone else encountered similar logs on their personal, unmanaged MacBooks?
- Recommendations: Advice on how to investigate further and safeguard my system and privacy.
I've attached anonymized excerpts from the relevant logs (without sensitive information) for reference. Any explanations, similar experiences, or suggestions would be greatly appreciated.
Thank you for your time and assistance!
MacBook Pro (M1, 2020)
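
As an added example (not part of the original post), excerpts like the ones quoted above can be parsed and tallied by subsystem and category, with the XPC services named in the messages pulled out, so a long capture is reviewed in one pass. It assumes the column layout visible in the quoted lines; the function names are hypothetical and the sample is built from lines in the post.

```python
import re
from collections import Counter

# Constructed sample: lines quoted in the post (pointer values masked by the poster).
SAMPLE = """\
2023-12-31 15:59:24.507360-0500 0x4ca4ec Default 0x694073 83725 0 studentd: (libxpc.dylib) [com.apple.xpc:connection] [0x13****e0] activating connection: mach=true listener=false peer=false name=com.apple.identityservicesd.desktop.auth
0x694073 83725 0 studentd: (IDS) [com.apple.IDS:Registration] Requesting connectionID 1 usingSync YES
studentd: (IMFoundation) [com.apple.IDS:XPC] Created connection to com.apple.identityservicesd.desktop.auth service: 0x13****2e0
83725 0 studentd: (IDS) [com.apple.IDS:Registration] Setup complete with info
83725 0 studentd: (loginsupport) [com.apple.login:SA_General] SASSessionStateForUser:1302: SA: currentState: 2
"""

# Leading columns (timestamp, thread, type, activity, pid, ttl) are optional,
# because the excerpts in the post are truncated at different points.
LINE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d{4})\s+)?"
    r"(?:.*?\s)?(?P<proc>[\w.-]+): \((?P<lib>[^)]+)\) "
    r"\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\] (?P<msg>.*)$"
)
# Service names appear either as name=<service> or "connection to <service>".
SERVICE = re.compile(r"(?:name=|connection to )(com\.apple\.[\w.]+)")


def parse(text):
    """Return one dict per recognisable log line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def summarize(events, process="studentd"):
    """Count one process's events by (subsystem, category)."""
    return Counter((e["subsystem"], e["category"])
                   for e in events if e["proc"] == process)


def xpc_targets(events):
    """Sorted, de-duplicated service names found in the message text."""
    return sorted({m.group(1) for e in events if (m := SERVICE.search(e["msg"]))})


if __name__ == "__main__":
    events = parse(SAMPLE)
    for (subsystem, category), n in summarize(events).most_common():
        print(f"{n:3d}  {subsystem}:{category}")
    print("XPC services:", ", ".join(xpc_targets(events)))
```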