
MDM on personal iPhone - Businesses, unauthorized developer activity HELP!

I am a personal 'User'. I have cycled through many hours and days with support. No one knows what is going on. Most likely because I am never able to speak with someone that understands the Enterprise platform. I feel this is happening via my carrier, but Fraud sent me to Tech support. Tech support told me my phone is hacked and to file a police report.

In combination I suspect that MDM is a gateway for an external developer to access my phone via various methods: webkit, Xcode, Apple Store Connect, SDK

I am about 99.99% sure I know why, but that is something that I will not disclose because most likely all of my activity is monitored; despite the very strict privacy settings I try to maintain.


Symptoms:

  1. My apps will sometimes tell me they did not come from the App Store (Maps, FindMyiPhone, etc.)
  2. When I make an attempt to chat with Apple support I receive a message to Use Messages to Connect with Business. When I have my iPhone in LOCKDOWN mode I receive a message that I cannot use Messages for Business when my device is locked down.
  3. I only have one device. However, I am sharing across devices, many times, or I have the option to. The choice is not grayed out.
  4. I am unable to perform an Emergency Reset because I am usually sharing something - Notes, Home, Health, Books....
  5. I do not use iCloud Drive due to multiple security concerns. Almost every time that I double check those settings apps show that they are using iCloud Drive. (Game Center, Health or Fitness, Notes, Books, Apple Support, Wallet) While clicking to turn OFF syncing I have had a battle with it changing right back before my eyes. (I have screen recordings)
  6. Game Center will come on even though I have strict Screen Time settings.
  7. I am generally either sharing, or my phone is gathering data from Health; even though that privacy option is supposed to keep that from happening.
  8. Sometimes I am unable to even sign out of my phone due to 'restrictions'.
  9. I have 'Share with Family' sometimes.

*Those are only a few symptoms. That is minus the horror I see from the extraction of information I backed up into Kali Linux.

As I have mentioned I have spent many many many hours with Support. One Senior Director did spend time Googling the services that show up in my Analytics. I have even uploaded screenshots and documents, but I never heard back.

I REALLY REALLY need help here.

I will add attachments. They won't be nearly the amount I have. I am begging!!!



iPhone 13, iOS 16

Posted on Apr 2, 2023 2:32 PM

Question marked as Top-ranking reply

Posted on Apr 3, 2023 6:45 AM

Sadly, there doesn't seem to be any help and the ones that will respond, will tell you you are either crazy or you can't be hacked unless you have your device to someone.


For what it is worth I have been dealing with this and here is what I have learned; you need to delete your old Apple IDs and confirm that they are deleted. You may not be logged in to any (neither was I) but it has something programmed into the IOKIT boot so you cannot reset the NVRAM properly, leaving the Find My process to look as if the activation lock is on.


Make appointments for each apple product to have a firmware/software update through DFU mode and make sure it is DFU because a factory restore will not remove the cache that is lingering in the files. This should all be done at the same time otherwise it will talk to the other device and reestablish itself.


The factory reset you are doing doesn't work because it does not empty the trash and it seemingly blocks any terminal command to do so as well.


Before you boot up your computer(s) & phone(s) delete and confirm you have deleted all of your previous Apple IDs. Write down the code it provided to delete the ID because chances are you will have to call to confirm its deletion.


If you have a Google ID, check to see if you are enrolled in any trial based Workspace or Firebase programs. Workspace allows device control as well.


I have changed our TV's and printers but it still seems to latch on to any printer so now we do not print. Debilitating to say the least.


I believe that there are enough of us out there to confirm that this problem exists but Apple will not respond until they have fixed it. I know it sucks. Two factor everything and I wouldn't suggest any external USB or Thunderbolt security keys.


I also would not suggest any products other than Apple. That will only make your situation worse. Even the keyboards, because it will load a generic driver onto your device. Only use Apple wires as well. I am definitely not an Apple advocate, only sharing what I have come to accept and learn.


You may have to go line by line in settings on your iPhone to turn off everything that you do not use and if there is an arrow on it, click to make sure there is not an opportunity to bypass your defaults. The Mac computer is the same and there are probably about 100 plists that will try to alter your default settings so do not take anything for granted until you have clicked through it all. Plists are just preferences and Apple will tell you that it does not mean that they are being used. That is absolutely correct but the plists I have seen start with NVRAM and a fmm (Find My Mac activation) which is a huge problem.


For whatever reason it uses NFC and MDM BUT MDM does get removed later on during the process. It keeps respawning. So it isn't necessarily MDM as much as it is trying to be, so I presume that there is some detail in the MDM program that helps it get what it needs.


The shared cache you are seeing is at best guess, all of the info it has collected on you and will keep looping together. This is just a guess but I have been watching it on mine as well. I could 100 percent be wrong but I believe the cache is what keeps this process communicating between devices.


There are enough of us out there with this problem. I am sure that we have a common thread but I have no idea what it could be. I just know that no one is going to help me or my family and I am just going to have to do my best to keep my kids safe.


I could bring a new computer into this house and within ten minutes watch it try to harvest my old Apple IDs, while Bluetooth sniffing and trying to connect to something nonstop. Eventually, it gets back in and the new ID becomes corrupt, I delete it and start again hoping the last Apple update resolved this issue. Two years later and I am headed back to the Apple Store today to pick up a couple of devices.


I wish someone had better news for the both of us but this is the best advice I can give you.


160 replies

Jul 24, 2023 12:48 PM in response to AgentDragonfly

Under your services, the calendar configuration relates to the MDM per Apple. Search on first line under Apple or search on Apple MDM with the exact calendar words. Have you looked up each service with MDM and Apple added?


Calendar declarative configuration for Apple devices

Use the Calendar configuration to provide account settings for connecting to a CalDAV-compliant server. These accounts are added to an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution.

Jul 27, 2023 7:22 AM in response to AgentDragonfly

According to my sources, there is apparently a glitch in the forum software that is sending out notifications from the original post whenever you post in a thread. So, no AgentDragonfly has not posted since April but you may be getting notifications that they have. The issue has been brought to the attention of the appropriate authorities.

Jul 31, 2023 4:17 PM in response to AgentDragonfly

Well, now I’ve been blocked from the reply button! This is another common symptom with other sites as well. But for now, your name pops up requesting help, so I can respond. Could you please respond to the post by “FunnyHoneyBunny”? It sounds like someone who has access to her network has been compromising her iPhone. In her case (or anyone really) a new phone won’t help if it’s MDM due to the geofencing. Also, any device inside the network is trusted by default, even IoT that don’t have passwords! All the culprit needs initially is the PIN to compromise the device, then make a full copy in a couple of minutes. Saved passwords, unencrypted, is bad as well. Many apps designed for companies can monitor almost all activity. Downloaded apps “shared” as “family” in the same network is also a method used to install (hidden) apps. I hate to see the struggles of so many. At the same time, I don’t have to hear “that’s impossible”, YES, it is very possible! I wonder if there could be a rogue MDM on the dark web? My Windows computers are destroyed, so I can’t look on my iPhone. My situation is getting worse, including home break ins, theft (more very personal items than items of value), some things I dare not say! I also live alone like “FunnyHoneyBunny”, but who then is on her network? If it’s not an MDM, I would think a reformat would take care of it, along with resetting passwords and whitelisting devices on the router? She does not want to backup to the iCloud. That is not required. She could back up addresses and photos first, then reformat the device but choose not to backup apps. Purchased apps could be restored! Now, let me see if I can post. This site is very helpful for me as well, so I hate the “reply” button no longer works (unless I go to another computer on another network). I really wish Apple would help with this issue, so many ppl have tried so many things, like me, reformatting, new devices, changing IDs, anything!
But the MDM uses the serial number, so doing the things I’ve done does not help. The geofencing adds new devices. And to anyone, I gather the Mac computer (which I don’t own) is required to administer the MDM, but what/how is the geofence set if you remove all devices if no serial number to connect with?



Aug 3, 2023 4:04 PM in response to T3ddy19

Ok, I was incorrect about the Wi-Fi and serial number being the same as a user pointed out. But the MDM uses the serial number and a beacon to find your device, and it scans your network using “geofencing” to detect any new devices. I’ve heard all the “impossible” comments as well, they have no clue! I’ve had my devices reformatted and bought new ones (new everything at one point), but since someone had one of my devices (now two since earlier last month) and was apparently using a Mac computer (required) to remotely install the MDM on my new devices, it didn’t help. And, it’s a free app. But there are other “entities” looking at the dangers of this program if in the wrong hands. You have to search a bit, but it’s out there. I’ve also seen GitHub and Python, along with many new scripts under Shortcuts and programs; the programs always get hidden after installation. I’ve wondered if there could be a tool or method to compromise the MDM on the dark web? I’d been in Information Security for about 30 years (CISSP, CISA, CISM) in one form or another, but I’ve never seen anything that compromises so quickly (3-5 minutes). If I still had the same job and title, I’m sure I’d be able to get it removed. But due to unfortunate ongoing surgeries, I’m no longer in security.


Mine sends out fake emails as well, and automatically deletes needed ones. I likely mentioned this already, but go to a public network, your email account, and view source. I was surprised to see settings that created a fake page (JavaScript) and hide auto deletions and hidden folders. My banking page is also fake. I read on Apple documentation (I think that was the source), that the MDM does not use Safari, but instead it uses web clips to show pages. This allows considerable actions and views, like view source, tool bars, headers.


You mentioned FaceTime, FaceTime was used to contact Apple for over an hour using my phone number. Apple won’t accept FaceTime. So it was not actually FaceTime, but actually a “feature” under accessibility options that permits you to enter another phone number and impersonate the victim. There is usually a history, if not deleted. But check the numbers used if the access looks like a phone call. It also allows incoming calls, but they disable my phones when using this method. It seems like I saw something about beta somewhere, but don’t recall exactly where I saw it.


I have learned there is a history available that can tell you the location of access, although I’m not certain if it’s because they had my stolen devices? A subpoena would be needed. I did see an error in one log that was 313 (I think) and said something like “another person is using your ID or device”. There is so much.


A family member's account was also recently put on the most recently taken iPad. Idk how they did that, unless it was from being at my house?


How did you discover your logins were going through APIs like GitHub, Google and so on? Is that info on a Mac computer?


BTW, you mentioned a web site, if you have a web site and company email, you could enroll in the MDM. I’d guess it would not overwrite the current one, but it’s free. You could buy a cheap device, keeping everything offsite with no iPhone, then install the MDM on it.


BTW, check out LinkedIn and search on MDM with keywords malicious and such. There is more out there. This is not impossible and you are not going insane, unless from the constant bother. Also, check out .gov, MDM, parental, more interesting things.

Aug 5, 2023 5:56 PM in response to JMurphyCO

What a great job you have done in finding all these things! I’ve made some errors when I’ve attempted to respond to ppl, then I get the “junk yard pit bulls” come after me, or the preferred polite responses, some say “impossible!” about errors (some are not errors). Unless this has happened to you, one can’t understand the impact. Can you say what you have used (device wise) to detect these things? My devices get compromised as soon as I turn them on (in my house). I also found a “managed hot spot” which I can’t delete. My signal detector goes off if I type or look at anything. I disconnected my Wi-Fi completely. Then the hotspot appeared, it may have been there before, which would bypass firewall rules, it connects to Bluetooth (up to 8 devices can connect to Bluetooth), and it spreads. When Wi-Fi is on, the IP of the “managed” Wi-Fi appears. My carrier insists there is no Wi-Fi hotspot since I’m not signed up for one, I attempted to install one, and it would not permit, without paying more. As far as the CMD, ssh, sftp and more, well, there is an app for that. Go to Shortcuts, add one, clear the bottom section, type in ssh, and see if something appears! I have several of the same issues as you, but I’ve not been able to detect them as devices are disabled or destroyed. It started following a missing iPad, mostly iPad exploits (hidden apps, system settings changes and so on, you know the drill). Then escalated to home alarm hack, home B&E, vandalism, fraud, identity theft and more.


Don’t second guess your sanity, but I understand completely. Many ppl have experienced the same thing. Now, I can’t download the most recent update! Maybe it has something that will help? Have you made any progress? It seems like new devices, or old ones that I’ve not used, get compromised within minutes (others have said the same). I’ve seen the MDM (aka Apple Configurator) downloaded, but wonder if it could be a rogue MDM? Perhaps from the Dark Web? It is so technically complex! I’ve been in Security (one form or another including Global IT Security Manager) for about 30 years. I’ve never seen anything with so many facets, not even the APTs. Have you looked for NFC? I have a couple in my home, along with other planted devices. There are detectors out there, although the cheapest one would not pick up an NFC. My Wi-Fi also goes off when I’m driving. Also, check out LinkedIn and there is some info there. I really wish Apple would help!

Aug 9, 2023 3:38 PM in response to Inrecoverymode

Good finds! Most if not all people with this hack are users with personal devices. My routers (4 personal, 2 from ISP) were taken over. At first, I’d disconnected my internet completely to try to reset the router, but they were getting in anyway. I discovered a “MANAGED” Wi-Fi hotspot with an IP that resolves to Apple. I went through the same thing after a device went missing while I was in the hospital. And it’s hard to prove all the hidden apps! Many are free, so you can’t cancel them. I’d suggest making copies of others' issues for the police. I frequently get warnings as well, saying things like “I can’t use messenger when under business management”. They use the Wi-Fi hotspot and Bluetooth to spread to anything in the “geofenced” area. Read Apple documentation about what this app does! It can hide almost everything. This seems somewhat new, at least to such a degree of destruction. The police are not technical and even some of those that are technical claim it’s impossible. But reading documentation and comparing user notes, your notes, and Apple MDM documentation, it is obviously very possible. Too bad that people we trust the most would do such things. What does not work: changing password, reformatting, buying new devices, creating a new Apple ID. Good luck!


Oh, IC3 (dot gov) is interested!

Aug 12, 2023 5:41 PM in response to -Hey-You13-

The MDM can do many things per Apple documentation, it can hide apps and features, install other (hidden) programs, and much more. It’s all outlined under Apple MDM documentation. It can revert your devices instantly. It’s the only app I’ve ever seen that comes with a “hide” button. I’m beginning to wonder if it’s a rogue MDM? I’ve been in Security for decades, never seen anything that can compromise any device in minutes? Plus, I don’t know “where” it is stored. At one point, I thought I got rid of everything but apparently I did not. I’ve heard a printer mentioned, I didn’t get rid of that however. I’ve seen ssh being used initially when network was still plugged in, but now I have a rogue “Wi-Fi hotspot” that is managed. Very frustrating.

Oct 12, 2023 3:32 PM in response to AgentDragonfly

I am a personal user as well and I have tried everything! The Apple Store is a waste of time; all they did was reset and it was already on there when I booted it.

Question....under root trust certificates, do you have a greyed out single certificate that you did not approve?

They say it's not possible but I never had the option when I got this phone.

It's a DigiCert root CA and it's on all my devices!

Oct 18, 2023 12:12 AM in response to Shewolf1989

Hi folks,


I've spent this whole year to date researching this campaign since I first started noticing non-typical activity on my iPhone, MacBook Pro and Mac mini. I've been using Apple products since the 80's and am fortunate to have never had any issues until now.


First I must preface the rest of this post by saying that some of the behaviours you see are BigTech harvesting user data. This has always been the case and is written into user-agreements you accept upon activation. Add on top of that any app you install will also have its hand in documenting the activities you engage in on your computer, device or 'smart' connected tech, as is written in their terms (linked on the page) you accept upon downloading and installing.


You only need to glance over the privacy notice within the app's information on the AppStore to see the scope of what some apps collect. TikTok remains the top of the list closely followed by the big social media brands etc. There are also many apps still on the AppStore which have not updated since Apple introduced mandatory display of the data the app intends to collect, so exactly what they are taking from you remains unknown to its users.


However, while BigTech data extraction is a typical event on tech, data is a trillion dollar business and has undoubtedly attracted the attention of bad actors who want a slice of the pie, which is why there is a high prevalence of data mining exploits.


I'll reiterate a previous post that agrees, you are not imagining things. Whoever is behind the non-typical activity we are experiencing - likely has MDM-like control over your phone/computer.


You're seeing developer activity because developer mode is what the MDM-like behaviours are implemented through. This is occurring even though you all report there are no MDM certificates installed, the developer mode option isn't activated in settings, you are not enrolled in the beta or developer program and finally, you don't have TestFlight installed.


To date, Kaspersky are the only voice in the threat-hunting world who recently openly declared they no longer believe that Pegasus-style attacks are limited to only a small handful of people. They assert this because they invited comment from the general public regarding the 'Triangulation' attack and were flooded with emails with evidence of similar attacks on civilian devices.


Although much of the detailed information on these attacks is not public, what I have personally observed regarding the permissions attributed to various daemons and processes on iOS and macOS is attributed to the events many of you are seeing too. These are closely aligned to 'Triclops' (the only Pegasus-style surveillance documentation in the public arena) which appears to revolve around developer privileges. While I am not making any claims that what we are experiencing is linked to the groups carrying out attacks on high profile targets, I am asserting that there is a group behind this long-running campaign who have leveraged developer privileges for the purpose of data extraction. The vast amount of evidence strongly suggests the three goals are scams, advertising interference and intelligence gathering.


I'll leave it here as I wish to respect the Community Use Agreement, but take heart, the number of people noticing non-typical things on their tech is growing. I look forward to maybe one escaping their clutches and reclaiming my tech, my accounts and just maybe, a little bit of the fun and awe tech used to provide.

Oct 31, 2023 1:53 PM in response to AgentDragonfly

I have some information that might be helpful. After years of looking for answers and getting none I discovered this sys diagnostic test.


https://support.umbrella.com/hc/en-us/articles/4406646902420-How-to-capture-a-sys-diagnose-from-an-iOS-device


I think you’ll be surprised with what it can reveal.


I am having the same problems and more…connected to cameras, speakers, amps, I could go on. Intelligence platforms are running in my analytics. Mobile Obliteration, Pegasus, shim remotes.

I tried to post some pictures here but it’s blocking me. I’ve been making all the same calls to tech supports. No real answers other than yes my device is being remotely accessed. I’ve had a dozen new phones since this began. Every one of them has the same problems. I have managed to do a couple of resets but it was compromised again within an hour. I’m still looking for answers like you.

Do you know of any websites with specific information? I’ve googled many platforms listed in my analytics so I know who it is. Any suggestions for a way to get it confirmed?


Nov 3, 2023 3:12 PM in response to AgentDragonfly

One other method of their intrusion is changing your time zone / date and time to a far earlier date years before you even purchased the device. Installing malicious software then changing the time back to actual current time.


If any of you use iCloud Photos (which isn’t ideal) make sure you go through and check the time stamp / location meta data as I’ve noticed a few of mine were updated to a time and place that iCloud would not recognize, thus not including it in the sync, so if you restart your device you’ll lose those photos / videos.


Don’t use Google Photos because they’ll just corrupt your videos (evidence) making them incompatible and useless.


Oh and don’t use external hard drives because those will become compromised too lol there’s literally no end. I’ve tried everything and I am not tech savvy what. So. Ever. To the point where I’ve just accepted it and live my life with them watching my every move. It is what it is. The level of intrusion is so sophisticated that it’s almost like it’s out of this world sophisticated. Who knows at this point.

Nov 3, 2023 3:22 PM in response to AgentDragonfly

Looks like my original post was deleted? Idk I’ve never actually posted anything on here before but good thing I saved it before I posted it…


After spending the last year or two google searching anything that seemed fishy in my analytics logs, I’ve finally, finally and finally! Stumbled upon the most solid and concrete description of what’s been happening to me over the past two years with my devices. What a breath of fresh freakin air. 


The process I searched for that brought this thread up was “AppleH13CamIn” found in an analytics log labeled “Stacks-2023-10-18.” 


It is 100% the MDM and what one reply here mentioned as the “Invisible Beta.” Though not so invisible now that I realized they were unable to hide the “Feedback” app in the “Per-app settings” found at the bottom of the accessibility setting. The “feedback” app is usually only available to devices registered to the beta iOS program.  100% using Xcode as their method of hacking. 


From what I gathered, there has to be some sort of hardware issue (either methodically or accidental) that is powering a BT process that keeps this intrusion alive. 


One thing i noticed too is, the Rokus on my network were being converted and used as a WiFi 4 protocol hotspot that was acting as a sort of evil twin router and fooling my device into connecting. I live at home and my mom still has an iPhone 6+ that hasn’t been updated since iOS 11? That she refuses to update so I’m practically SOL. 


Someone asked about what the “trial rollout” is, well here you go:


stateDbVersion":3,"trialExperiments":"0","trialRollouts":"2","version":"2.4"}


activeTreatments":"100:210304_control,101:210415_control,102:210304_control,103:210304_control,105:210304_control,106:210304_control,107:210304_control,104:210304_control,108:210601_control,109:20419_control","


Count":3,"bug_type":"225","reason":"rejected-config"},"name":"LogRetirement","


Logs are consistently labeled as rejected. Someone mentioned Skywalker is an actual keylogger? I’m seeing Skywalker doorbell logs and an unidentified haptic device connected as a home accessory. I don’t even use Apple Home.


Logs also detail - HMDRemoveAccessoryPairingLogEvent


There are daily multiple “Hardware data resets” and initial unlocks “after boot” while charging. 


They must be utilizing some sort of stingray to mimic LTE connection. 


This is literally an intrusion from every direction. An intrusion that my neighbors are in on (phone was stolen off my driveway in a nice neighborhood at the end of a cul-de-sac; not even 3 minutes after I left it there I see 3 individuals walking away from my house that I’ve never seen before and no phone in sight).



One thing that helped was creating a physical VPN. Modem - bridged router - switch - 2nd router.


I think they also get in through the power lines. What a freakin mess this world is. So sad really. 



[Edited by Moderator] 


Nov 3, 2023 3:28 PM in response to Watchlistvictim

The stacks log is packed with useful data


example:


This is logged from my “CloudConfigurationDetails”


bplist00Ö

\AllowPairing_ConfigurationWasApplied_CloudConfigurationUIComplete_ConfigurationSource_PostSetupProfileWasInstalled\IsSupervised "<[qžŸ ¢£

¤


this is from a stack labeled MCMeta


bplist00Ô_LastMDMMigratedBuild_LastMigratedBuild_&StopFilteringGrandfatheredRestrictions_ AllowedGrandfatheredRestrictionsU20F75Ñ ^restrictedBool£

[allowiTunes_allowAddingGameCenterFriends_allowAppRemoval(<eˆŽ’¡¥±Ð

â


payload manifest - bplist00Ò_OrderedProfiles^HiddenProfiles ¡_=secure-wifi.spectrum.net.8DE2356F-F195-444A-B534-6E67170C4E73

./1q


I could go on for days about this lol


I think what they do is they partition your operating system into multiple operating systems that sync between each other. So while you’re on one partition, they are on another loading remote content, and once you put your device down they synchronize back to their partition that is virtually identical but with different logs, home screens etc.
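As an added example (not from anyone in this thread), the "bplist00" fragments quoted above are Apple binary property lists, which Python's plistlib can decode; when a pasted dump is truncated like these, you can still recover the key names to see which management flags (IsSupervised, ConfigurationWasApplied, PostSetupProfileWasInstalled) are present. The two sample plists below are constructed from the key names visible in the quoted dumps; their values, nesting and the "20F75" build string are assumptions for the demo.

```python
from __future__ import annotations

import plistlib
import re

BPLIST_MAGIC = b"bplist00"

# Constructed sample in the shape of the "CloudConfigurationDetails" dump quoted
# above; the key names are the ones visible in that dump, the values are assumed.
SAMPLE_CLOUD_CONFIG = plistlib.dumps(
    {
        "AllowPairing": True,
        "ConfigurationWasApplied": True,
        "CloudConfigurationUIComplete": True,
        "ConfigurationSource": 1,
        "PostSetupProfileWasInstalled": False,
        "IsSupervised": False,
    },
    fmt=plistlib.FMT_BINARY,
)

# Constructed sample in the shape of the "MCMeta" dump; the nesting under
# AllowedGrandfatheredRestrictions/restrictedBool is an assumption.
SAMPLE_MCMETA = plistlib.dumps(
    {
        "LastMDMMigratedBuild": "20F75",
        "LastMigratedBuild": "20F75",
        "StopFilteringGrandfatheredRestrictions": True,
        "AllowedGrandfatheredRestrictions": {
            "restrictedBool": {
                "allowiTunes": True,
                "allowAddingGameCenterFriends": True,
                "allowAppRemoval": False,
            }
        },
    },
    fmt=plistlib.FMT_BINARY,
)


def printable_keys(blob: bytes, min_len: int = 8) -> list[str]:
    """Recover readable key names from a raw, possibly truncated bplist dump.

    Binary plists store ASCII keys as a one-byte length marker followed by the
    raw characters, so the names survive even when the trailer and offset table
    are cut off and plistlib can no longer parse the blob.
    """
    pattern = rb"[A-Za-z][A-Za-z0-9]{%d,}" % (min_len - 1)
    found = re.findall(pattern, blob)
    return [m.decode("ascii") for m in found if m != BPLIST_MAGIC]


def decode_bplist(blob: bytes):
    """Decode an intact binary plist; None if it is not bplist00 or is damaged."""
    if not blob.startswith(BPLIST_MAGIC):
        return None
    try:
        return plistlib.loads(blob, fmt=plistlib.FMT_BINARY)
    except plistlib.InvalidFileException:
        return None


def summarize_cloud_config(blob: bytes) -> dict:
    """Reduce a CloudConfigurationDetails plist to its management flags."""
    d = decode_bplist(blob) or {}
    return {
        "supervised": bool(d.get("IsSupervised", False)),
        "config_applied": bool(d.get("ConfigurationWasApplied", False)),
        "post_setup_profile": bool(d.get("PostSetupProfileWasInstalled", False)),
        "pairing_allowed": bool(d.get("AllowPairing", True)),
    }


def disallowed_restrictions(blob: bytes) -> list[str]:
    """List the restrictedBool flags that are false, i.e. features switched off."""
    d = decode_bplist(blob) or {}
    bools = d.get("AllowedGrandfatheredRestrictions", {}).get("restrictedBool", {})
    return sorted(k for k, v in bools.items() if v is False)


if __name__ == "__main__":
    # Simulate a truncated paste by cutting the sample after 60 bytes.
    print("keys in truncated dump:", printable_keys(SAMPLE_CLOUD_CONFIG[:60]))
    print("cloud config:", summarize_cloud_config(SAMPLE_CLOUD_CONFIG))
    print("switched-off restrictions:", disallowed_restrictions(SAMPLE_MCMETA))
```

On a real device, the same flags are what a trustworthy MDM enrolment would set, so a plist showing IsSupervised or ConfigurationWasApplied on a phone you never enrolled is a reason to review Settings > General > VPN & Device Management rather than a diagnosis by itself.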

