Personal Apple ID appears managed by unauthorized MDM

Dear All,


**Only respectful, positive, intelligent contributions are requested. Anything else, abstain**


I have been investigating a compromise of my Apple ecosystem via a hidden malicious MDM. Regular checks (Settings, profiles, etc.) won't bring up much information, but when going into the Library folders, the existence of plist configuration files (managed preferences), browser updaters being managed under an Enterprise/companion attribute, user configuration profiles created and not removable, and records of Apple Configurator in the unified system logs reveal the hidden nature of this unauthorized management.

Recently I decided to try something and entered my regular Apple ID in the Device Management pane (no profiles are being shown) and, to my surprise, the Apple ID was accepted, the remote management servers were interrogated and a notification popped up on the screen: "Your managed Apple account is already signed..." (see attached).

I thought only work/school type emails could be "managed". Logs from Console also show the same activity.



So I then decided to try with the iCloud version of my Apple ID, and here's the notification that I received.

As I said before, my Apple ecosystem is compromised by someone with previous local access via malicious management installation. I have already tried everything imaginable (factory reset, complete change of accounts, clean OS reinstall) and, in the case of the screenshots shown, bought brand new MacBooks with Apple IDs created from scratch.

Please, if anyone has a constructive comment, advice, or analysis, I am all ears. Only respectful, positive, intelligent contributions are requested.

Anything else, abstain!

Thank You!

Posted on Dec 13, 2025 1:42 AM

7 replies

Dec 14, 2025 6:18 AM in response to legrandconde

legrandconde wrote:

I have tried on different MacBooks belonging to friends with their own AppleIDs and then with their AppleIDs on my MacBook and your assertion seems accurate for the second notification "enter the password....".


So contact Apple Support, and ask them about the status of this account.


Hopefully poking at this didn’t do what this is supposed to do, and enroll the Apple Account into the company or school.

Dec 13, 2025 9:49 PM in response to Mac Jim ID

I have tried on different MacBooks belonging to friends with their own AppleIDs and then with their AppleIDs on my MacBook and your assertion seems accurate for the second notification "enter the password....".


However, none came back with the first notification "Your managed Apple account is already signed in".

And one more thing, I had collected unified logs during log stream showing that the Apple ID had the "MAID" attribute.

Dec 14, 2025 8:32 AM in response to legrandconde

legrandconde wrote:
And one more thing, I had collected unified logs during log stream showing that the Apple ID had the "MAID" attribute.
https://discussions.apple.com/content/attachment/13c91a80-b866-4a4e-8c60-4eb984730fb6

It is not clear why you are now posting logs from 2025-05-03, but I think you may be misunderstanding what you are seeing there. A request has been made using the function requestMAIDAuthenticationWithManagedAppleID:personaID:ephemeral:requireAppleMAID:completionHandler:

which I would expect to occur when attempting to sign in for a Work or School account. The log shows what value was used for each part of that request:

  • requestMAIDAuthenticationWithManagedAppleID: - That is what you see as the Apple ID email address (MAID) that was entered by the user.
  • personaID: - Is an object of the class type <PersonalID> and None was included in the request.
  • ephemeral: - Is a type of managed account where the management only occurs when signed in, such as what you would see on the Work or School sign in so it is set to YES. Management restrictions are removed when signed out of the Work or School management.
  • requireAppleMAID: - Boolean value indicating if the request is for an Apple Account. When signing into the Work or School account, it specifically asks for the Apple Account so you see AppleMAID:YES. With the Work/School sign in it will be using either the Apple Business Manager (ABM) or the Apple School Manager (ASM) which means it would be using a Managed Apple ID (MAID) for that request.
  • completionHandler: - This is probably the most important part of the request and where you would see the results from the request using those values from above. A completion handler runs on a background thread and will return at a later time so the main thread is not blocked. Nothing in that log shows what was returned from that authentication request.


I am guessing that you thought on that line it was telling you that the email address was a managed account because you saw AppleMAID:YES, and did not realize it was the value used to create the request. The results of the request are not shown and they may not even be logged. The engineers insert the Log command whenever they want to write anything to a log file for debugging purposes and they choose what information they want to include in that log for their own purposes. There is very little user benefit to a log file.

Dec 13, 2025 11:47 AM in response to legrandconde

You can't log into a Work or School account with your personal Apple Account, and if you try you will see that exact same message and those logs. Your device is not being managed with any MDM software. The logs are assuming you are attempting to use a managed Apple Account and that will always fail for those exact reasons. The only reason why you would attempt to log in there is if you did have a managed account. It is not used to identify if your account is managed.

Dec 13, 2025 2:05 AM in response to legrandconde

I wanted to add some logs collected from log show on Mac Terminal



Here are some logs collected via log show on Mac terminal

2025-12-12 14:00:37.924980-0500  localhost corecaptured[28452]: (CoreFoundation) Created Activity ID: 0x383f6b, Description: Resetting CFPreferences/NSUserDefaults

2025-12-12 14:00:37.500614-0500  localhost cfprefsd[415]: (CoreFoundation) [com.apple.defaults:cfprefsd] Process 28208 (AppleCredentialManagerDaemon) sent a request related to { com.apple.usb.managed, user: kCFPreferencesAnyUser, kCFPreferencesCurrentHost, /Library/Managed Preferences/com.apple.usb.managed.plist, managed: 1 } (0xbf6ea10e0)


2025-12-12 14:00:37.566226-0500  localhost cfprefsd[607]: (CoreFoundation) [com.apple.defaults:cfprefsd] Notifying observers of { com.apple.imagecapture, managed: 1 }


2025-12-12 14:00:37.568947-0500  localhost cfprefsd[607]: (CoreFoundation) [com.apple.defaults:cfprefsd] Process 757 (icdd) sent a request related to { com.apple.imagecapture, user: ********, kCFPreferencesCurrentHost, /Library/Managed Preferences/*************/com.apple.imagecapture.plist, managed: 1 } (0x844ee32a0)
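
As an added example (not part of the original post, and not Apple's code): a short Python parser for the cfprefsd lines quoted above that lists which process asked for which preference domain and path, then checks separately whether the named plist is present on disk. The function names, and the reading of a logged request as a lookup rather than proof that the file exists, are assumptions of this example.

```python
import os
import re

# The four log lines quoted in the post above (user name masked by the poster).
SAMPLE = """\
2025-12-12 14:00:37.924980-0500  localhost corecaptured[28452]: (CoreFoundation) Created Activity ID: 0x383f6b, Description: Resetting CFPreferences/NSUserDefaults
2025-12-12 14:00:37.500614-0500  localhost cfprefsd[415]: (CoreFoundation) [com.apple.defaults:cfprefsd] Process 28208 (AppleCredentialManagerDaemon) sent a request related to { com.apple.usb.managed, user: kCFPreferencesAnyUser, kCFPreferencesCurrentHost, /Library/Managed Preferences/com.apple.usb.managed.plist, managed: 1 } (0xbf6ea10e0)
2025-12-12 14:00:37.566226-0500  localhost cfprefsd[607]: (CoreFoundation) [com.apple.defaults:cfprefsd] Notifying observers of { com.apple.imagecapture, managed: 1 }
2025-12-12 14:00:37.568947-0500  localhost cfprefsd[607]: (CoreFoundation) [com.apple.defaults:cfprefsd] Process 757 (icdd) sent a request related to { com.apple.imagecapture, user: ********, kCFPreferencesCurrentHost, /Library/Managed Preferences/*************/com.apple.imagecapture.plist, managed: 1 } (0x844ee32a0)
"""

# Matches only cfprefsd "sent a request" lines; other lines are ignored.
REQUEST = re.compile(
    r"cfprefsd\[\d+\]: .*?Process (?P<pid>\d+) \((?P<proc>[^)]+)\) "
    r"sent a request related to \{ (?P<domain>[^,]+), user: (?P<user>[^,]+), "
    r"(?P<host>[^,]+), (?P<path>.+?), managed: (?P<managed>\d) \}"
)


def parse_requests(text):
    """Return one dict per cfprefsd preference request found in the text."""
    return [m.groupdict() for line in text.splitlines()
            if (m := REQUEST.search(line))]


def files_on_disk(requests, exists=os.path.exists):
    """Managed-scope paths named in requests that are actually present.

    Assumption of this example: a logged request is a lookup, so the
    path has to be checked on the machine separately.
    """
    return sorted({r["path"] for r in requests
                   if r["managed"] == "1" and exists(r["path"])})


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE)
    for r in reqs:
        print(f'{r["proc"]}[{r["pid"]}] asked for {r["domain"]} -> {r["path"]}')
    print("present on this machine:", files_on_disk(reqs) or "none")
```
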

Dec 13, 2025 12:35 PM in response to legrandconde

As for the core capture daemon (corecaptured), presumably that’s a documented part of macOS. Here is the man page:



Or maybe this was a reference to the credential manager daemon? AppleCredentialManagerDaemon is a not-particularly-documented daemon used for securely handling user credentials including passwords, tokens, auto-filled data, and the like. It’s a part of the security subsystem on macOS, iOS, and iPadOS, and gets involved in all sorts of system activities including secure connections and purchasing.


Here is some of credential management: Streamline sign-in with passkey upgrades and credential managers - WWDC24 - Videos - Apple Developer

