Manuel Configuration Profile Install
Overview
Evidence: Manuel Configuration Profile Install
Description: Filter MDM Clients Events
Category: System
Platform: macos
Short Name: mcpi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Mobile Device Management (MDM) configuration profiles control system settings, security policies, and restrictions on macOS. The mdmclient process manages profile installations. Manual profile installations (not pushed by MDM) can indicate unauthorized system modifications or security policy bypasses.
Data Collected
This collector gathers structured data about manual configuration profile installations.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract manual configuration profile installation events from the MDM daemon over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Manuel Configuration Profile Install'.
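The sketch below is an added example, not the collector's own code: it builds the 'log show' invocation for the last 3 days with JSON output, flattens the entries, and stores them in a unified_logs table tagged with the PredicateType value. Assumptions: the predicate string, the "Source: Manual" message marker, and the table's column names are illustrative because the page does not publish them, and the sample entries are constructed.

```python
import json
import sqlite3

PREDICATE_TYPE = "Manuel Configuration Profile Install"  # literal value named on the page
# ASSUMPTION: the page does not publish the collector's predicate; this marker
# and predicate are illustrative stand-ins.
MARKER = "Source: Manual"
PREDICATE = f'process == "mdmclient" AND eventMessage CONTAINS "{MARKER}"'


def log_show_argv(last="3d"):
    """argv for macOS `log show`: JSON output, last 3 days, predicate filter."""
    return ["log", "show", "--style", "json", "--last", last,
            "--predicate", PREDICATE]


def parse_events(raw_json):
    """Flatten the JSON array printed by `log show --style json` into rows."""
    rows = []
    for entry in json.loads(raw_json):
        message = entry.get("eventMessage") or ""
        process = (entry.get("processImagePath") or "").rsplit("/", 1)[-1]
        # Re-check in code so a looser predicate cannot mislabel rows.
        if process != "mdmclient" or MARKER not in message:
            continue
        rows.append((entry.get("timestamp"), process, message, PREDICATE_TYPE))
    return rows


def store(rows, conn):
    """Insert rows into a unified_logs table (column names are hypothetical)."""
    conn.execute("CREATE TABLE IF NOT EXISTS unified_logs "
                 "(Timestamp TEXT, Process TEXT, Message TEXT, PredicateType TEXT)")
    conn.executemany("INSERT INTO unified_logs VALUES (?, ?, ?, ?)", rows)
    return conn.execute("SELECT COUNT(*) FROM unified_logs WHERE PredicateType = ?",
                        (PREDICATE_TYPE,)).fetchone()[0]


# Constructed sample shaped like `log show --style json` output (not real logs).
SAMPLE = json.dumps([
    {"timestamp": "2024-05-01 10:15:02.123456+0000",
     "processImagePath": "/usr/libexec/mdmclient",
     "eventMessage": "Installed configuration profile: Example VPN (Source: Manual)"},
    {"timestamp": "2024-05-01 10:20:40.000001+0000",
     "processImagePath": "/usr/libexec/mdmclient",
     "eventMessage": "Installed configuration profile: Corp Wi-Fi (Source: MDM)"},
    {"timestamp": "2024-05-01 10:21:00.000002+0000",
     "processImagePath": "/usr/sbin/cfprefsd",
     "eventMessage": "unrelated entry mentioning Source: Manual"},
])

if __name__ == "__main__":
    print(" ".join(log_show_argv()))
    print(store(parse_events(SAMPLE), sqlite3.connect(":memory:")), "row(s) stored")
```

On a macOS host, the output of running the argv from log_show_argv() can be passed to parse_events() in place of SAMPLE.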
Forensic Value
Manual MDM profile installations are suspicious and can indicate privilege escalation, security policy bypass, persistence mechanism installation, or unauthorized system modifications. They reveal configuration changes that may enable malicious activity, disable security features, or establish attacker persistence.

