Manuel Configuration Profile Install
Overview
Evidence: Manuel Configuration Profile Install
Description: Filter MDM Clients Events
Category: System
Platform: macos
Short Name: mcpi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Mobile Device Management (MDM) configuration profiles control system settings, security policies, and restrictions on macOS. The mdmclient process manages profile installations. Manual profile installations (not pushed by MDM) can indicate unauthorized system modifications or security policy bypasses.
Data Collected
This collector gathers structured data about manual configuration profile installation events.
Collection Method
This collector uses the macOS `log` command with predicate-based filtering to extract manual configuration profile installation events from the MDM daemon over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Manuel Configuration Profile Install'.
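A Python sketch of this collection flow, added here as an example and not the collector's own code: it builds the `log show` query for the last 3 days (the predicate is an assumed one, since the page does not list the collector's exact predicate) and normalises constructed sample `log show --style json` entries into unified_logs-style rows tagged with the PredicateType value above.

```python
"""Collect and normalise manual configuration profile install events from the
macOS unified log. Example code; the predicate and sample entries are assumptions."""
import json

# Assumed predicate: the real collector's predicate is not given on the page.
PREDICATE = 'process == "mdmclient" AND eventMessage CONTAINS[c] "install"'
# Value the collector writes into the unified_logs table for these rows.
PREDICATE_TYPE = "Manuel Configuration Profile Install"


def build_log_command(days=3):
    """Return the argv list for the unified log query (run on macOS via subprocess)."""
    return ["log", "show", "--last", f"{days}d", "--style", "json",
            "--predicate", PREDICATE]


def parse_profile_events(raw_json, predicate_type=PREDICATE_TYPE):
    """Keep only mdmclient entries whose message mentions an install and shape
    them like unified_logs rows. Mirrors the predicate in Python so the same
    filter applies when JSON was captured without --predicate."""
    rows = []
    for entry in json.loads(raw_json):
        if entry.get("process") != "mdmclient":
            continue
        message = entry.get("eventMessage", "")
        if "install" not in message.lower():
            continue
        rows.append({
            "timestamp": entry.get("timestamp"),
            "process": entry["process"],
            "subsystem": entry.get("subsystem"),
            "message": message,
            "PredicateType": predicate_type,
        })
    return rows


# Constructed sample entries in the shape `log show --style json` emits.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-01-10 09:12:01.000000+0000", "process": "mdmclient",
     "subsystem": "com.apple.ManagedClient", "eventMessage": "Installing configuration profile"},
    {"timestamp": "2024-01-10 09:12:05.000000+0000", "process": "mdmclient",
     "subsystem": "com.apple.ManagedClient", "eventMessage": "Checked in with server"},
    {"timestamp": "2024-01-10 09:13:00.000000+0000", "process": "profiles",
     "subsystem": "com.apple.ManagedClient", "eventMessage": "Install profile requested"},
    {"timestamp": "2024-01-10 09:13:07.000000+0000", "process": "mdmclient",
     "subsystem": "com.apple.ManagedClient", "eventMessage": "Profile install completed"},
])

if __name__ == "__main__":
    for row in parse_profile_events(SAMPLE_LOG_JSON):
        print(row)
```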
Forensic Value
Manual MDM profile installations are suspicious and can indicate privilege escalation, security policy bypass, persistence mechanism installation, or unauthorized system modifications. They reveal configuration changes that may enable malicious activity, disable security features, or establish attacker persistence.