User profile for user: legrandconde
legrandconde Author
User level: Level 1
12 points

Personal Apple ID appears managed by unauthorized MDM

Dear All,


**Only respectful, positive, intelligent contributions are requested. Anything else, abstain**


I have been investigating a compromise of my apple ecosystem via a hidden malicious MDM. Regular checks (settings/profiles etc....) won't bring up much information, but when going into the library folders, the existence of plist configurations file (managed preferences), browsers updaters being managed under Enterprise/companion attribute, user configuration profiles created and not removable, records of Apple Configurator in the unified system logs reveal the hidden nature of this unauthorized management.

Recently I decided to try something and entered my regular appleID in the Device Management pane (no profiles are being shown) and to my surprise, the appleID was accepted, the remote management servers were interrogated and a notification popped up on the screen "Your managed Apple account is already signed..." (see attached).

I thought only work/school type emails could be "managed". Logs from Console also show the same activity



So I then decided to try with the iCloud version of my appleID and here's the notification that I received

As I said before, my apple ecosystem is compromised by someone with previous local access via malicious management installation. I have already tried everything imaginable (factory reset, complete change of accounts, clean OS reinstall and in the case of the screenshots shown), bought brand new MacBooks with appleIDs created from scratch.

Please if anyone has a constructive comment, advice, analysis, I am all ear. Only respectful, positive, intelligent contributions are requested.

Anything else, abstain!

Thank You!

Posted on Dec 13, 2025 1:42 AM

Reply
5 replies
User profile for user: legrandconde
legrandconde Author
User level: Level 1
12 points

Dec 13, 2025 9:49 PM in response to Mac Jim ID

I have tried on different MacBooks belonging to friends with their own AppleIDs and then with their AppleIDs on my MacBook and your assertion seems accurate for the second notification "enter the password....".


However none came back with the first notification "Your managed Apple account is already signed in"....

And one more thing, I had collected logs unified during log stream showing that the appleID had the "MAID" attribute.

Reply
User profile for user: Mac Jim ID
Mac Jim ID
User level: Level 9
60,068 points

Dec 13, 2025 11:47 AM in response to legrandconde

You can't log into a Work or School account with your personal Apple Account, and if you try you will see that exact same message and those logs. Your device is not being managed with any MDM software. The logs are assuming you are attempting to use a managed Apple Account and that will always fail for those exact reasons. The only reason why you would attempt to log in there is if you did have a managed account. It is not used to identify if your account is managed.

Reply
User profile for user: legrandconde
legrandconde Author
User level: Level 1
12 points

Dec 13, 2025 2:05 AM in response to legrandconde

I wanted to add some logs collected from log show on Mac Terminal



Here are some logs collected via log show on Mac terminal

2025-12-12 14:00:37.924980-0500  localhost corecaptured[28452]: (CoreFoundation) Created Activity ID: 0x383f6b, Description: Resetting CFPreferences/NSUserDefaults

2025-12-12 14:00:37.500614-0500  localhost cfprefsd[415]: (CoreFoundation) [com.apple.defaults:cfprefsd] Process 28208 (AppleCredentialManagerDaemon) sent a request related to { com.apple.usb.managed, user: kCFPreferencesAnyUser, kCFPreferencesCurrentHost, /Library/Managed Preferences/com.apple.usb.managed.plist, managed: 1 } (0xbf6ea10e0)


2025-12-12 14:00:37.566226-0500  localhost cfprefsd[607]: (CoreFoundation) [com.apple.defaults:cfprefsd] Notifying observers of { com.apple.imagecapture, managed: 1 }


2025-12-12 14:00:37.568947-0500  localhost cfprefsd[607]: (CoreFoundation) [com.apple.defaults:cfprefsd] Process 757 (icdd) sent a request related to { com.apple.imagecapture, user: ********, kCFPreferencesCurrentHost, /Library/Managed Preferences/*************/com.apple.imagecapture.plist, managed: 1 } (0x844ee32a0)

Reply
User profile for user: MrHoffman
MrHoffman
Community+ 2025
User level: Level 10
144,971 points

Dec 13, 2025 12:35 PM in response to legrandconde

As for the core capture daemon (corecaptured) presumably the that’s a documented part of macOS. Here is the man page:



Or maybe this was a reference to the credential manager daemon? AppleCredentialManagerDaemon is a not-particularly-documented daemon used for securely handling user credentials including passwords, tokens, auto-filled data, and the like. It’s a part of the security subsystem on macOS, iOS, and iPadOS, and gets involved in all sorts of system activities including secure connections and purchasing.


Here is some of credential management: Streamline sign-in with passkey upgrades and credential managers - WWDC24 - Videos - Apple Developer


Reply

Personal Apple ID appears managed by unauthorized MDM

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up