Hacktricks-skills macos-mdm-enrollment-research

Security research skill for understanding and testing macOS MDM/DEP enrollment vulnerabilities. Use this skill when investigating MDM security, analyzing DEP enrollment processes, researching mobile device management attack surfaces, or conducting authorized penetration testing on macOS device enrollment systems. This skill covers binary instrumentation techniques, DEP profile analysis, and MDM security assessment methodologies.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations/SKILL.MD

source content

macOS MDM/DEP Enrollment Security Research

A security research skill for understanding and testing vulnerabilities in macOS Mobile Device Management (MDM) and Device Enrollment Program (DEP) enrollment processes.

⚠️ Legal and Ethical Notice

This skill is for authorized security research and penetration testing only.

Only use on systems you own or have explicit written authorization to test
Unauthorized access to MDM systems may violate computer crime laws
This research should be conducted in controlled, isolated environments
Always obtain proper authorization before testing any organization's MDM infrastructure

Overview

This skill covers research into macOS MDM/DEP enrollment vulnerabilities, specifically the ability to retrieve enrollment profiles for arbitrary serial numbers through binary instrumentation. The research is based on Duo Labs' MDM research.

Key Concepts

Device Enrollment Program (DEP): Apple's program that allows organizations to automatically enroll devices into their MDM solution.

Mobile Device Management (MDM): Systems that manage and configure mobile devices, installing certificates, applications, WiFi passwords, VPN configurations, and other sensitive data.

The Vulnerability: Only a serial number belonging to an organization is needed to enroll a device. If the enrollment process isn't properly protected, attackers could potentially retrieve sensitive organizational data.

Core Components

System Binaries Involved

Binary	Function	macOS Version
`mdmclient`	Communicates with MDM servers, triggers DEP check-ins	Before 10.13.4
`profiles`	Manages Configuration Profiles, triggers DEP check-ins	10.13.4+
`cloudconfigurationd`	Manages DEP API communications, retrieves enrollment profiles	All versions

DEP Check-in Process

cloudconfigurationd

sends encrypted, signed JSON payload to

iprofiles.apple.com/macProfile

Payload includes device serial number and action "RequestProfileConfiguration"
Uses "Absinthe" encryption scheme (complex, internally documented)
Utilizes
```
CPFetchActivationRecord
```
and
```
CPGetActivationRecord
```
from Configuration Profiles framework

CPFetchActivationRecord

coordinates with

cloudconfigurationd

through XPC

Research Methodologies

Method 1: Proxying DEP Requests

Approach: Intercept and modify DEP requests using tools like Charles Proxy.

Limitations:

Payload encryption prevents modification without decryption key
SSL/TLS security measures complicate interception
```
MCCloudConfigAcceptAnyHTTPSCertificate
```
can bypass certificate validation but not payload encryption

When to use: Initial reconnaissance, understanding the request/response flow.

Method 2: Binary Instrumentation (Recommended)

Approach: Use LLDB to attach to

cloudconfigurationd

and modify the serial number in memory before encryption.

Requirements:

System Integrity Protection (SIP) must be disabled
LLDB debugger access
Understanding of macOS system processes

Process:

Attach LLDB to
```
cloudconfigurationd
```
process
Locate where the system serial number is fetched
Inject arbitrary serial number into memory before payload encryption
Trigger DEP check-in to retrieve profile

Advantages:

Avoids entitlement and code signing complexities
More reliable than proxy-based approaches
Can be automated with Python LLDB API

Potential Impacts

Information Disclosure

By providing a DEP-registered serial number, sensitive organizational information can be retrieved:

Certificates: Organization's code signing and authentication certificates
Applications: List of managed applications and their configurations
WiFi Passwords: Network credentials for organizational networks
VPN Configurations: Remote access setup and credentials
Configuration Profiles: Device management policies and restrictions

Attack Surface

This vulnerability represents a dangerous entry point if:

Serial numbers are leaked or can be enumerated
MDM enrollment isn't properly protected
Organizations don't monitor for unauthorized enrollment attempts

Using the Automation Script

The

lldb-instrumentation.py

script automates the binary instrumentation process.

Prerequisites

# Install LLDB (usually included with Xcode Command Line Tools)
xcode-select --install

# Disable SIP (requires reboot)
# Reboot into Recovery Mode (Cmd+R)
# Terminal > csrutil disable
# Reboot

Running the Script

python scripts/lldb-instrumentation.py --serial-number <TARGET_SERIAL> --output <OUTPUT_FILE>

Script Capabilities

Automatically attaches to
```
cloudconfigurationd
```
Locates serial number in memory
Injects arbitrary serial number
Triggers DEP check-in
Captures and saves the retrieved profile

Security Recommendations

For Organizations

Monitor Enrollment Logs: Watch for unexpected enrollment attempts
Protect Serial Numbers: Treat serial numbers as sensitive information
Implement Additional Authentication: Don't rely solely on serial number verification
Regular Security Audits: Test your MDM enrollment process regularly
Use Apple Business Manager: Properly configure device ownership and enrollment

For Security Researchers

Obtain Authorization: Always get written permission before testing
Use Isolated Environments: Test in controlled lab settings
Document Findings: Keep detailed records of your research
Responsible Disclosure: Report vulnerabilities to affected organizations
Stay Updated: MDM security evolves; keep research current

References

Related Research Areas

MDM profile analysis and extraction
macOS system binary reverse engineering
DEP API communication protocols
Mobile device security assessment
Enterprise device management vulnerabilities

Troubleshooting

Common Issues

LLDB cannot attach to process:

Verify SIP is disabled:
```
csrutil status
```
Ensure you have appropriate permissions

Check if

cloudconfigurationd

is running:

ps aux | grep cloudconfigurationd

Serial number injection fails:

Verify the target serial number format (10 characters, alphanumeric)
Check memory addresses are correct for your macOS version
Ensure the process hasn't been updated since your research

No profile returned:

Confirm the serial number is actually registered in DEP
Check network connectivity to Apple's servers
Verify the MDM server is responding correctly

Version Compatibility

macOS Version	`mdmclient`	`profiles`	`cloudconfigurationd`
< 10.13.4	Primary DEP trigger	Secondary	Active
≥ 10.13.4	Legacy	Primary DEP trigger	Active
All	Present	Present	Primary target

Next Steps

After understanding the vulnerability:

Set up a test environment with your own MDM and devices
Run the automation script to verify the technique works
Analyze retrieved profiles to understand what data is exposed
Document your findings for your organization's security team
Implement mitigations based on your research

Remember: This skill is for authorized security research only. Always operate within legal and ethical boundaries.