MDM enrollment processes present on my iPhone without my authorization

I have been having the same issues with my current iPhone 13 purchased in May 2025 that I've had with past iPhones since 2013, specifically the inability to back it up to my iCloud. I executed sysdiagnose 11-23-25 after recently learning that it is a good tool to use in diagnosing problems with the device. I opened one of the first files I came across in its main folder named "jetsam_priority," which contains 397 processes. Listed within those are: managedappdistributiond, ManagedSettingsAgent, dmd, and betaenrollmentd. I have not authorized enrollment in MDM or beta, and no one except me has had physical access to my iPhone. There also are no visible profiles in my iPhone's settings.


Does anyone have any input on how this situation could happen or why these processes would be present? I read online that covert MDM enrollment is possible, although rare. Does anyone know anything about this?




[Re-Titled by Moderator]

Original Title: Covert MDM Enrollment?

Posted on Nov 27, 2025 8:05 PM

Question marked as Top-ranking reply

Posted on Nov 27, 2025 8:11 PM

If you open Settings > General > VPN & Device Management, if you don't see anything listed there you DON'T have an MDM installed on your phone, period. Whatever 3rd party you're using is suspect as there are no tools which can accurately read the file structure of an iPhone. I'd say you're letting some 3rd party tool spook you.

43 replies
Nov 27, 2025 9:24 PM in response to 000over_it000

000over_it000 wrote:

No disrespect intended, but my online research shows that there are ways a device can be compromised remotely and MDM enrollment occurring as a result. Everyone is so quick to say that Apple devices are impossible to compromise, and that's simply not true. Further, there is no scenario that I can find that MDM-related processes would be listed without MDM enrollment.
Regarding the file structure, it's a .csv file.

Sorry, but your online research has either failed you or you are being misled by someone that does not know what they are talking about. The processes you identified are normal processes that are supposed to appear on your iPhone and they do not mean your device has been enrolled in any sort of MDM software. If you are here looking for a scenario where those MDM processes are found on a device without any MDM enrollment, you can look no further than mine here with these 4 screenshots, and NO my device is not being managed either.




Nov 27, 2025 8:55 PM in response to 000over_it000

iPhone malware exists; exploit tooling. It’s exceedingly expensive tooling and targeted, based on available information. Those that meet this are likely targeted by a well-funded adversary, and the assistance necessary for these cases is well outside of what can be offered around here. Deeply intrusive details, discussions, and suggestions that are likely not suitable or appropriate for posting here.


Or some of the usual ominous and scarily-worded log chatter is happening, and is getting misinterpreted. The hooks for MDM are always present and often chattered about in the logs and telemetry, too.


As for things that look like MDM but are not (I am quite surprised you have not already found this particular information too, given your research), we do get to discuss cellular carrier offload networks around here, each time somebody discovers that detail. Which the reporter can variously then reject. These carrier offload networks show as managed Wi-Fi networks.


Where to go next? I’d suggest acquiring and reading a book on collecting and presenting digital forensics, and also seriously consider acquiring the Mac OS and x OS Internals book (three volumes) by Jonathan Levin. These to provide a basis for both collection, and for understanding the normal chatter within an iPhone.

Nov 28, 2025 9:12 AM in response to Servant of Cats

Servant of Cats wrote:

Re: “I truly wish I could afford to go buy a bunch of books on how to collect and decipher sysdiagnose logs”

I doubt if there are such books available to the general public, even through Apple’s Developer program and online Developer documentation. Something meant only for Apple and/or carriers to use might well have references to things that only employers with access to source code and development tools would have a chance of fully understanding.


The internals book mentioned earlier is the closest I’m aware of, and that can provide some grounding in the many subsystems.


I’m not sure there can even be documentation for the logs. Not current, and not complete.

The logs can be useful for some tasks. Crash-restart-loop apps, for instance.


For finding compromises, manual log scans are closer to trying to find a needle in a haystack, without knowing what the needles even look like, and with ever-increasing haystacks. And haystacks with actual needles can be disappeared.


That’s a vanishingly unlikely finding without other evidence, or foreknowledge of known patterns, or scanning tools and a large dataset and a whole lot of computes and context.

Nov 30, 2025 2:35 AM in response to LD150

Well, this paranoid lady downloaded a plist reader app. MCSettingsEvents.plist contains 271 restrictedBool entries, and Truth.plist contains 275 restrictedBool entries. I'm showing only the most obvious MDM settings below from Truth.plist.


Each of these settings shows "overrideUserSettings: true":

autonomousSingleAppModePermittedAppIDs
crossSiteTrackingPreventionRelaxedApps
crossSiteTrackingPreventionRelaxedDomains
managedEmailDomains
webContentFilterAutoPermittedURLs
webContentFilterWhitelistedBookmarks
webContentFilterWhitelistedURLs
allowedSafariPasswordAutoFillDomains
managedWebDomains
trustedCodeSigningIdentities


Each of these settings shows "preference: true":

forceAirDropUnmanaged
forceAirPlayIncomingRequestsPairingPassword
forceAirPlayOutgoingRequestsPairingPassword
forceClassroomAutomaticallyJoinClasses
forceClassroomRequestPermissionToLeaveClasses
forceClassroomUnpromptedAppAndDeviceLock
forceClassroomUnpromptedScreenObservation
forceConferenceRoomDisplay
forceDelayedSoftwareUpdates
forceFIPSVerification
forceGrantSupervisorAccessInAppLock
forceOnDeviceOnlyDictation
forceOnDeviceOnlyTranslation
forcePreserveESIMOnErase
forceUnpromptedManagedClassroomScreenObservation
forceUnpromptedRemoteScreenObservation
forceWebContentFilterAuto
forceWiFiPowerOn
forceWiFiToAllowedNetworksOnly
forceWiFiWhitelisting
requireManagedPasteboard


I won't stoop to the level of returning insults.

Dec 2, 2025 8:02 AM in response to 000over_it000

I would not be concerned by that entry.


Again, looking for issues in analytics and telemetry is like looking for an unknown number of needles in an ever-increasing number of haystacks, without knowing what the needles look like, or even if there are any needles. And any actual needles can potentially decide to delete the relevant logs, too.


Here? Looks like something tried certificate pinning, and failed.


Certificate pinning was a popular technique for a while, but can get apps into trouble because, well, it can malfunction:

https://blog.cloudflare.com/why-certificate-pinning-is-outdated/


That particular TLS access malfunctioned, though I don’t know whether the failure was due to an app bug, an iOS bug, a certificate error, a privacy feature, web server issue, or otherwise. That particular Charger host seems to be associated with tracking of access to Charter services, and potentially involving cellular offload, though I’ve not particularly researched that host.


Carriers routinely use cellular offload (to Wi-Fi), which shares some underpinnings with and can show up with the appearance of an MDM profile in the Wi-Fi settings, but is not an MDM profile. I don’t know off-hand if Charter uses cellular offload, but do see they have been deploying CBRS and private LTE networking and carrier-like services.


The developers of the code involved can look into this and into their code if they're inclined, and if they are reviewing analytics and telemetry (optionally) made available by users to Apple, and from there to app developers.


TL;DR: That is not an MDM issue, and not related to MDM profiles. Not overtly, at least. And not something I'd be concerned about, absent some overt misbehavior with some app or service. Logs can be and often are filled with benign and “normal” failures.

Nov 30, 2025 10:24 AM in response to 000over_it000

000over_it000 wrote:

I have one device: this iPhone. I don't share, pair or sync with anything or anyone. I don't even know how Bluetooth gets paired with iCloud, because I've never used Bluetooth myself, but that's one constant I see, even though it remains toggled off on my iPhone.


Bluetooth pairing of some devices is shared across devices using the same Apple Account, and that uses iCloud.


Apple AirPods Pro for instance, are Bluetooth devices with pairing shared across all iPhone and iPad and Mac devices associated with the same Apple Account.


While you have one device and no MDM payloads visible, others can or do have multiple devices, and can have AirPods Pro, and others have either business or local or personal MDM payloads loaded, and the support for those and other features is built into all. Telemetry includes that supporting infrastructure.

Nov 27, 2025 8:25 PM in response to lobsterghost1

No disrespect intended, but my online research shows that there are ways a device can be compromised remotely and MDM enrollment occurring as a result. Everyone is so quick to say that Apple devices are impossible to compromise, and that's simply not true. Further, there is no scenario that I can find that MDM-related processes would be listed without MDM enrollment.


Regarding the file structure, it's a .csv file.

Nov 27, 2025 8:32 PM in response to 000over_it000

000over_it000 wrote:

No disrespect intended, but my online research shows that there are ways a device can be compromised remotely and MDM enrollment occurring as a result. Everyone is so quick to say that Apple devices are impossible to compromise, and that's simply not true. Further, there is no scenario that I can find that MDM-related processes would be listed without MDM enrollment.

Regarding the file structure, it's a .csv file.

Nope. But I'm not going to argue with you. I've been on this forum for over 15 years every day and daily someone comes here believing they've been hacked somehow, when they simply haven't been. You're relying on a 3rd party tool which can't offer anything useful or realistic. iOS is a sandbox operating system, meaning it's pretty impenetrable. You can believe what you want to believe.


The only issue you've mentioned is the inability to backup to iCloud. See this for help --> If you can't back up to iCloud - Apple Support


If that doesn't help, you should hire a forensic specialist since you're convinced you have MDM on your iPhone. This is a user to user only forum. We can't see or test your phone.

Nov 28, 2025 1:15 AM in response to 000over_it000

000over_it000 wrote:

It's unfortunate that questions by consumers who maybe aren't as tech-savvy as some others, but have a legitimate concern nonetheless, get defensive and/or insulting responses on this forum. ...

This is your definitive home for online research for iPhones.

If you don't have a profile in settings you don't have MDM installed.

Nov 28, 2025 7:37 AM in response to 000over_it000

000over_it000 wrote:

Forgive me for jumping to conclusions based on my limited knowledge of iPhone processes. To the average person, it's alarming to see processes running that you as a consumer don't use, which is apparently the norm in iOS. In my own defense, I am perhaps a little presumptuous here because I opened up my new Gmail account yesterday, which I've used once for email purposes, and found that there are 66 services listed in my Google Takeout, two of which are developer-related.


Every modern non-trivial platform has similar logs.


Every modern platform.


Including a feature phone, cars, pretty much everything with a microprocessor, and certainly anything with networking. Computers are increasingly now themselves networks of microprocessors and puddles of firmware all over, and the “simple block diagram of a computer” representation hasn’t been nearly representative of reality since the 1980s or so. Commercial social media platforms, and immense targeted-advertising ubiquitous-tracking platforms including Google, too.


You think all of that doesn’t have logs just filled with cryptic and obscure data?


Picking but one of these previous examples, an average car in 2020 reportedly had over 200 million lines of source code, features an on-board communications network, and myriad sensors and actuators, remote networking, rolling code processing for locking, the dashboard displays and even apparently “simple gages” are computerized, terrestrial digital and satellite radio, GPS navigation, variously with RFID networking for keyless start, driver assists and semi-autonomous systems. Some of these vehicular computers and computer systems function largely independently such as the sensors and processing for anti-lock braking, while others operate in concert. Firmware and processors and logs everywhere.


You can get a better understanding of Apple software platforms and jargon using the resources cited previously, if you prefer that.


The “am I hacked?” is fundamentally unanswerable. There’s always one more system or one more subsystem or one interface or one more potentially-compromised subsystem. Always. Proving a negative — some non-trivial gizmo is not compromised — is difficult at best, or impossible.


That leaves each of us with choices. Choices including fear, acceptance, and understanding. And that lattermost one — broad and deep understanding — hasn’t been possible since the Renaissance or so.

Nov 29, 2025 5:47 PM in response to 000over_it000

Normal log chatter across all devices, and which can be verified with web searches, and with comparisons across other of your disparate-sourced phones.


Another example: just reset your phone and everything will… - Apple Community


See the forensics and particularly the internals books mentioned earlier in this thread as a source of background information. That foundational knowledge can either help assuage you, or can help you identify vulnerabilities or compromises, should you encounter those.

Nov 30, 2025 5:46 AM in response to 000over_it000

You can verify unrestricted access, by selecting a different Wi-Fi network: forceWiFiToAllowedNetworksOnly


Or by reading the MDM docs, and implementing MDM on your device, and then comparing. Apple Configurator 2 app is available for Mac (free), and there are other ways to construct MDM payloads.


You believe yourself an immensely valuable target too, and such cases are just not going to get resolved around here.


But given your unshakable beliefs of compromise here, why do you even still have and use this gear?
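The comparison suggested in this thread (read the same file from a device known to be unmanaged, or from a test device carrying a real MDM payload, and look only at what differs), as an added example that is not part of any post. The plist layout is an assumption based on the `restrictedBool` and `preference` entries quoted above; the `value` attribute and all sample data are constructed.

```python
import plistlib

def flatten(node, path=""):
    """Yield (dotted_path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict) and node:
        for key in sorted(node):
            yield from flatten(node[key], f"{path}.{key}" if path else key)
    elif isinstance(node, list) and node:
        for index, item in enumerate(node):
            yield from flatten(item, f"{path}[{index}]")
    else:
        yield path, node  # scalar, or an empty container

def diff_plists(baseline_bytes, suspect_bytes):
    """Return only the entries that differ between two plist files."""
    base = dict(flatten(plistlib.loads(baseline_bytes)))
    susp = dict(flatten(plistlib.loads(suspect_bytes)))
    shared = sorted(set(base) & set(susp))
    return {
        "only_in_suspect": sorted(set(susp) - set(base)),
        "only_in_baseline": sorted(set(base) - set(susp)),
        "changed": {p: (base[p], susp[p]) for p in shared if base[p] != susp[p]},
    }

def sample(wifi_locked, extra=None):
    """Build a constructed plist; 'value' is a hypothetical attribute name."""
    settings = {
        "forceWiFiToAllowedNetworksOnly": {"preference": True, "value": wifi_locked},
        "forceFIPSVerification": {"preference": True},
        "requireManagedPasteboard": {"preference": True},
    }
    settings.update(extra or {})
    return plistlib.dumps({"restrictedBool": settings})

# Constructed inputs, not taken from any real device.
BASELINE = sample(False)        # stands in for a known-unmanaged phone
SAME_SETTINGS = sample(False)   # same key names present, nothing differs
DIFFERENT = sample(True, {"forceDelayedSoftwareUpdates":
                          {"preference": True, "value": True}})

if __name__ == "__main__":
    print(diff_plists(BASELINE, SAME_SETTINGS))  # all three sections empty
    print(diff_plists(BASELINE, DIFFERENT))      # lists only what changed
```

An empty result means the file matches the baseline, however many setting names it contains.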
