The defender observes a newly enrolled or recently activated device presenting abnormal integrity, hardware-backed attestation, or firmware/build relationships at the management plane, followed by privileged or system-context access to protected resources or framework paths, and then outbound communication inconsistent with setup state, lock state, or recent user interaction. The causal sequence is strongest when the device has not yet reached a normal trusted posture but still exhibits system-level capability use or network activity.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device property drift near first contact |
| Application State (DC0123) | MobileEDR:telemetry | Protected resource use or privileged framework access occurs while device is locked, before normal setup completion, or from an app/service not in foreground and not on approved preload list |
| OS API Execution (DC0021) | MobileEDR:telemetry | Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between enrollment/posture anomaly, privileged capability use, and network egress. |
| AllowedOEMComponents | Approved system identities, preload packages, and OEM services differ by model and fleet. |
| AllowedDestinations | OEM update, activation, MDM, and enterprise service destinations vary by environment. |
| ForegroundStateRequired | Some protected resource access may be legitimate only when the app is foregrounded. |
| RecentUserInteractionWindow | Defines how close resource access must be to user interaction to be considered expected. |
| EnrollmentGracePeriod | Initial setup/update behavior may generate benign network or configuration drift for a short period. |
| UplinkBytesThreshold | Size threshold for suspicious outbound transfer from a device in abnormal posture. |
| ApprovedImageBaseline | Known-good build fingerprint, patch, boot state, and baseband combinations vary by device fleet. |

The defender observes a device at activation, supervision, or enrollment time with unusual management-plane posture, inventory, or trust characteristics and then relies primarily on downstream network effects and device state inconsistencies rather than direct low-level process telemetry. On iOS, the most reliable sequence is supervision/attestation or inventory concern near first contact followed by network egress or protected-state behavior that is inconsistent with lock state, setup phase, or expected managed app activity.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | iOS:MDMLog | Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline |
| Network Traffic Content (DC0085) | VPN:MobileProxy | Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion |
| Application State (DC0123) | MobileEDR:telemetry | Managed app or device-originated network activity occurs while the device is locked or before expected managed app initialization sequence, inconsistent with expected background refresh baseline |
| OS API Execution (DC0021) | iOS:unifiedlog | Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between enrollment/inventory concern and suspicious network activity. |
| SupervisedRequired | Most of the stronger posture and inventory analytics require supervised iOS devices; unsupervised devices do not expose the inventory needed to evaluate them. |
| AllowedDestinations | Apple, MDM, update, enterprise, and managed SaaS destinations vary by organization. |
| BackgroundRefreshBaseline | Expected background network behavior varies by managed app set and policy. |
| ActivationGracePeriod | Benign activation, restore, and setup traffic can be noisy immediately after provisioning. |
| RecentUserInteractionWindow | Defines how recently the user must have interacted for activity to be considered expected. |
| InventoryDriftTolerance | Tuning for acceptable changes in inventory/configuration during upgrades or replacements. |
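The Android and iOS analytics above share one correlation shape: a posture or inventory anomaly at first contact, followed within TimeWindow by capability use and/or egress that the fleet baselines do not explain. The Python below is an added illustration of that correlation (it is not ATT&CK's or any MDM/EDR vendor's code): the event fields, the device names, the `ProcurementRecords` map, and every parameter value are constructed assumptions standing in for the mutable elements in the two tables. The Android rule requires both the privileged API stage and the egress stage; the iOS rule, which the text says leans on network effects rather than process telemetry, requires only egress and skips unsupervised devices.

```python
"""Correlate first-contact posture anomalies with privileged capability use and egress.
Added example: event shapes, field names and parameter values are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    device: str
    kind: str                      # "posture" (MDM log), "api" (EDR telemetry), "egress" (proxy/EDR)
    data: dict = field(default_factory=dict)


def _recent_interaction(ev, params):
    """True when the event is within RecentUserInteractionWindow of the last user interaction."""
    last = ev.data.get("last_interaction")
    return last is not None and ev.ts - last <= params["RecentUserInteractionWindow"]


def posture_anomalous(ev, params):
    """Android: build/boot-state combination outside ApprovedImageBaseline.
    iOS: more inventory fields drifted from the procurement record than InventoryDriftTolerance allows."""
    baseline = params.get("ApprovedImageBaseline")
    if baseline is not None:
        return (ev.data.get("model"), ev.data.get("build"), ev.data.get("boot_state")) not in baseline
    expected = params["ProcurementRecords"].get(ev.device, {})   # constructed per-device record
    drift = sum(1 for k, v in expected.items() if ev.data.get(k) != v)
    return drift > params["InventoryDriftTolerance"]


def privileged_use_anomalous(ev, params):
    """Privileged framework/API use by an identity outside AllowedOEMComponents while the
    device is locked, before setup completes, or from the background when foreground is required."""
    if ev.data["identity"] in params["AllowedOEMComponents"]:
        return False
    background = params.get("ForegroundStateRequired") and not ev.data.get("foreground", False)
    return bool(ev.data.get("locked") or not ev.data.get("setup_complete", True) or background)


def egress_anomalous(ev, first_contact, params):
    """Outbound transfer past the grace period, to a destination outside AllowedDestinations,
    at or above UplinkBytesThreshold, while locked, pre-setup, or without recent interaction."""
    grace = params.get("EnrollmentGracePeriod") or params.get("ActivationGracePeriod")
    if ev.ts - first_contact < grace:
        return False                      # activation/enrollment traffic is expected to be noisy here
    dest = ev.data["dest"]
    if any(dest == d or dest.endswith("." + d) for d in params["AllowedDestinations"]):
        return False
    if ev.data.get("bytes_out", 0) < params.get("UplinkBytesThreshold", 0):
        return False
    return bool(ev.data.get("locked") or not ev.data.get("setup_complete", True)
                or not _recent_interaction(ev, params))


def correlate(events, params, require_api):
    """One alert per device whose first posture event is anomalous and is followed within
    TimeWindow by unexplained egress (and, when require_api, unexplained privileged API use)."""
    by_device = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_device.setdefault(ev.device, []).append(ev)
    alerts = []
    for device, evs in by_device.items():
        postures = [e for e in evs if e.kind == "posture"]
        if not postures:
            continue
        first = postures[0]
        if params.get("SupervisedRequired") and not first.data.get("supervised", False):
            continue                      # unsupervised iOS devices lack the inventory this analytic needs
        if not posture_anomalous(first, params):
            continue
        window = [e for e in evs if first.ts <= e.ts <= first.ts + params["TimeWindow"]]
        api = [e for e in window if e.kind == "api" and privileged_use_anomalous(e, params)]
        egress = [e for e in window if e.kind == "egress" and egress_anomalous(e, first.ts, params)]
        if egress and (api or not require_api):
            alerts.append({"device": device, "posture": first.ts,
                           "api": [e.ts for e in api], "egress": [e.ts for e in egress]})
    return alerts


# Constructed sample parameters and events (assumptions, not a real fleet baseline).
T0 = datetime(2024, 6, 1, 9, 0)
ANDROID_PARAMS = {
    "TimeWindow": timedelta(hours=6), "EnrollmentGracePeriod": timedelta(minutes=30),
    "RecentUserInteractionWindow": timedelta(minutes=5), "ForegroundStateRequired": True,
    "AllowedOEMComponents": {"com.oem.activation", "com.android.systemui"},
    "AllowedDestinations": {"update.oem.example", "mdm.corp.example"},
    "UplinkBytesThreshold": 5_000_000,
    "ApprovedImageBaseline": {("PhoneA", "build-2024.05", "green")},
}
ANDROID_EVENTS = [
    Event(T0, "andr-1", "posture", {"model": "PhoneA", "build": "build-2024.05", "boot_state": "orange"}),
    Event(T0 + timedelta(minutes=40), "andr-1", "api",
          {"identity": "com.vendor.helper", "locked": True, "setup_complete": False, "foreground": False}),
    Event(T0 + timedelta(minutes=45), "andr-1", "egress",
          {"dest": "cdn.unknown.example", "bytes_out": 12_000_000, "locked": True,
           "setup_complete": False, "last_interaction": T0 + timedelta(minutes=10)}),
    Event(T0, "andr-2", "posture", {"model": "PhoneA", "build": "build-2024.05", "boot_state": "green"}),
    Event(T0 + timedelta(minutes=5), "andr-2", "egress",
          {"dest": "update.oem.example", "bytes_out": 8_000_000, "locked": False, "setup_complete": False}),
]
IOS_PARAMS = {
    "TimeWindow": timedelta(hours=12), "SupervisedRequired": True,
    "ActivationGracePeriod": timedelta(minutes=20), "RecentUserInteractionWindow": timedelta(minutes=5),
    "AllowedDestinations": {"apple.com", "mdm.corp.example", "saas.corp.example"},
    "InventoryDriftTolerance": 1,
    "ProcurementRecords": {"ios-1": {"model": "TabletB", "serial_prefix": "ABC", "carrier": "CorpMobile"}},
}
IOS_EVENTS = [
    Event(T0, "ios-1", "posture", {"supervised": True, "model": "TabletB", "serial_prefix": "XYZ", "carrier": "OtherNet"}),
    Event(T0 + timedelta(minutes=30), "ios-1", "egress",
          {"dest": "telemetry.unknown.example", "bytes_out": 40_000, "locked": True, "setup_complete": True}),
    Event(T0 + timedelta(minutes=50), "ios-1", "egress",
          {"dest": "gateway.push.apple.com", "bytes_out": 2_000, "locked": True, "setup_complete": True}),
]

if __name__ == "__main__":
    print(correlate(ANDROID_EVENTS, ANDROID_PARAMS, require_api=True))
    print(correlate(IOS_EVENTS, IOS_PARAMS, require_api=False))
```

In the constructed data the first Android device (unverified boot state, then a non-OEM identity using privileged APIs while locked, then a 12 MB upload to an unknown host) fires; the second device, on an approved image talking to the OEM update host, never enters the correlation. The iOS device fires on inventory drift plus locked-state egress to an unknown host, while its later connection to an Apple subdomain is suppressed by the destination baseline. Tuning the grace periods, interaction window, and uplink threshold is where most of the false-positive control for this strategy lives.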