Protected Configuration represents security-sensitive device settings, security policies, or operating system configurations that are normally restricted to administrators, system services, or device management platforms.
Monitoring these configurations enables detection of adversaries attempting to weaken device security controls or alter trusted device relationships.
Examples
Android:
iOS:
| Name | Channel |
|---|---|
| android:MDMLog | Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed |
| android:MDMLog | Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades |
| android:MDMLog | Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs |
| android:MDMLog | Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior |
| android:MDMLog | Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior |
| Application Vetting | None |
| iOS:MDMLog | Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed |
| iOS:MDMLog | Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary |
| iOS:MDMLog | Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades |
| iOS:MDMLog | Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change |