A lock-state transition telemetry, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity while the user-interaction context is weak or inconsistent. This yields stronger coverage on Android than iOS.

| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | android:MDMLog | Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed |
| Application Permission (DC0114) | android:MDMLog | Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access |
| Application State (DC0123) | MobileEDR:telemetry | Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context |

| Field | Description |
|---|---|
| TimeWindow | Maximum allowed time between locked-state boundary, suspicious app/framework activity, and unlock transition. |
| AllowedAppList | Approved apps permitted to hold accessibility, overlay, device-admin, or other authentication-adjacent special access. |
| ForegroundStateRequired | Whether a benign authentication-adjacent app is expected to be visible in the foreground during unlock-related operations. |
| RecentUserInteractionWindow | Time threshold for treating the unlock as user-driven based on touch, motion, or interaction context. |
| ExpectedUnlockPopulation | User or device groups expected to use alternative lockscreen workflows, enterprise trust agents, or kiosk-like modes. |
| TrustedDestinationAllowList | Expected destinations contacted immediately after legitimate unlock by enterprise apps. |
| UplinkBytesThreshold | Threshold for suspicious immediate post-unlock outbound traffic. |
| SensorUseAllowList | Apps expected to access camera or other sensors near the authentication boundary. |

Defender correlates an iOS-specific reduced-confidence chain where a supervised or managed device transitions from locked or inactive state to interactive or application-active state with weak evidence of expected user authentication, often accompanied by abnormal protected posture change, trust-state change, unexpected app wake, sensor use, or immediate downstream communication. Because direct visibility into lockscreen bypass mechanics on iOS is limited, the analytic prioritizes strong device-state effects and post-unlock behavior rather than pretending to observe the exact bypass method.

| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | iOS:MDMLog | Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary |
| Application State (DC0123) | MobileEDR:telemetry | Application wakes, becomes active, refreshes, or foregrounds immediately after locked or inactive state transition with weak recent user interaction |

| Field | Description |
|---|---|
| TimeWindow | Maximum allowed span between locked or inactive device state, suspicious app/service activity, and interactive transition. |
| AllowedAppList | Apps allowed to wake, foreground, or access protected resources near legitimate authentication events. |
| SupervisedOnly | Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry. |
| RecentUserInteractionWindow | Time threshold for treating the transition as expected and user-driven. |
| ExpectedUnlockPopulation | User or device groups expected to use atypical enterprise lockscreen workflows, kiosk-like modes, or accessibility accommodations. |
| SensorUseAllowList | Apps expected to access camera or biometric-adjacent resources near the authentication boundary. |
| TrustedDestinationAllowList | Expected destinations contacted immediately after legitimate app activation post-authentication. |
| UplinkBytesThreshold | Threshold for suspicious immediate outbound traffic after suspicious unlock-adjacent activity. |
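The correlation described for both the Android and the iOS chains above, written out as an added example that is not part of this page or of any MDM or EDR product. It takes a flat list of per-device telemetry events (lock-state transitions, user interaction, special-access grants, protected-configuration changes, app state, sensor use, outbound traffic), finds each locked-to-unlocked transition that lacks recent user interaction, and reports it when enough independent indicator types fall inside `TimeWindow`. The event kinds, attribute names, package names, destination, and the two sample device timelines are all constructed for this example; the tunable fields map one-to-one onto the parameter tables above (`SupervisedOnly` only applies when `platform="ios"`).

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Event:
    ts: float                      # seconds on a constructed sample clock
    device: str
    kind: str                      # lock_state | user_interaction | special_access | protected_config | app_state | sensor_use | net_uplink
    attrs: Dict = field(default_factory=dict)


@dataclass
class Params:
    time_window: float = 30.0                                   # TimeWindow
    recent_user_interaction_window: float = 5.0                 # RecentUserInteractionWindow
    allowed_app_list: FrozenSet[str] = frozenset()              # AllowedAppList
    sensor_use_allow_list: FrozenSet[str] = frozenset()         # SensorUseAllowList
    trusted_destination_allow_list: FrozenSet[str] = frozenset()  # TrustedDestinationAllowList
    uplink_bytes_threshold: int = 100_000                       # UplinkBytesThreshold
    expected_unlock_population: FrozenSet[str] = frozenset()    # ExpectedUnlockPopulation (device groups)
    supervised_only: bool = False                               # SupervisedOnly (iOS)
    min_indicator_types: int = 2                                # how many distinct indicator kinds to alert on


@dataclass
class Finding:
    device: str
    unlock_ts: float
    indicators: Dict[str, List[str]]   # indicator type -> human-readable reasons


def _assess_unlock(device: str, t_unlock: float, evs: List[Event], p: Params) -> Optional[Finding]:
    """Score one locked->unlocked transition against the surrounding telemetry."""
    lo, hi = t_unlock - p.time_window, t_unlock + p.time_window
    window = [e for e in evs if lo <= e.ts <= hi]
    # Touch/motion just before the unlock is strong user-interaction context: nothing to report.
    if any(e.kind == "user_interaction"
           and t_unlock - p.recent_user_interaction_window <= e.ts <= t_unlock for e in window):
        return None
    ind: Dict[str, List[str]] = {}

    def add(kind: str, why: str) -> None:
        ind.setdefault(kind, []).append(why)

    for e in window:
        app = e.attrs.get("app", "")
        if e.kind == "special_access" and app not in p.allowed_app_list:
            add("special_access", f"{app} gained {e.attrs.get('capability')}")
        elif e.kind == "protected_config":
            add("protected_config", f"{e.attrs.get('setting')} changed to {e.attrs.get('value')}")
        elif e.kind == "app_state" and app not in p.allowed_app_list:
            add("app_state", f"{app} {e.attrs.get('state')} near the lock boundary")
        elif e.kind == "sensor_use" and app not in p.sensor_use_allow_list:
            add("sensor_use", f"{app} used {e.attrs.get('sensor')}")
        elif e.kind == "net_uplink" and e.ts >= t_unlock:
            dest, nbytes = e.attrs.get("dest", ""), e.attrs.get("bytes", 0)
            if dest not in p.trusted_destination_allow_list and nbytes >= p.uplink_bytes_threshold:
                add("net_uplink", f"{app} sent {nbytes} bytes to {dest} right after unlock")
    return Finding(device, t_unlock, ind) if len(ind) >= p.min_indicator_types else None


def correlate_unlocks(events: List[Event], params: Params, platform: str = "android",
                      device_info: Optional[Dict[str, Dict]] = None) -> List[Finding]:
    """Walk each device's timeline and assess every locked->unlocked transition."""
    device_info = device_info or {}
    by_device: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_device.setdefault(ev.device, []).append(ev)
    findings: List[Finding] = []
    for device, evs in by_device.items():
        info = device_info.get(device, {})
        if info.get("group") in params.expected_unlock_population:
            continue                      # population with known atypical lockscreen workflows
        if platform == "ios" and params.supervised_only and not info.get("supervised", False):
            continue                      # unsupervised iOS device: MDM posture telemetry is low confidence
        last_state = None
        for ev in evs:
            if ev.kind != "lock_state":
                continue
            state = ev.attrs.get("state")
            if state == "unlocked" and last_state == "locked":
                f = _assess_unlock(device, ev.ts, evs, params)
                if f:
                    findings.append(f)
            last_state = state
    return findings


# Constructed sample telemetry. pixel-01 is a normal touch-driven unlock; pixel-02 shows a
# special-access grant and overlay while locked, an unlock with no interaction, then a large upload.
ANDROID_EVENTS = [
    Event(1000.0, "pixel-01", "lock_state", {"state": "locked"}),
    Event(1058.0, "pixel-01", "user_interaction", {"source": "touch"}),
    Event(1060.0, "pixel-01", "lock_state", {"state": "unlocked"}),
    Event(1061.0, "pixel-01", "app_state", {"app": "com.android.launcher3", "state": "foreground"}),
    Event(2000.0, "pixel-02", "lock_state", {"state": "locked"}),
    Event(2005.0, "pixel-02", "special_access", {"app": "com.example.sideloaded", "capability": "accessibility"}),
    Event(2008.0, "pixel-02", "app_state", {"app": "com.example.sideloaded", "state": "overlay"}),
    Event(2010.0, "pixel-02", "lock_state", {"state": "unlocked"}),
    Event(2013.0, "pixel-02", "net_uplink", {"app": "com.example.sideloaded", "dest": "203.0.113.9:443", "bytes": 250_000}),
]
IOS_EVENTS = [   # constructed: lock policy weakened, unexpected app wake, unlock with no interaction
    Event(3000.0, "iphone-03", "lock_state", {"state": "locked"}),
    Event(3004.0, "iphone-03", "protected_config", {"setting": "attention_aware_auth", "value": "off"}),
    Event(3009.0, "iphone-03", "app_state", {"app": "com.example.untrusted", "state": "wake"}),
    Event(3010.0, "iphone-03", "lock_state", {"state": "unlocked"}),
]


def run_android_sample() -> List[Finding]:
    params = Params(allowed_app_list=frozenset({"com.android.launcher3", "com.android.systemui"}),
                    trusted_destination_allow_list=frozenset({"mdm.example.com:443"}))
    return correlate_unlocks(ANDROID_EVENTS, params, platform="android")


def run_ios_sample(supervised_only: bool) -> List[Finding]:
    params = Params(supervised_only=supervised_only)
    return correlate_unlocks(IOS_EVENTS, params, platform="ios",
                             device_info={"iphone-03": {"supervised": False}})


if __name__ == "__main__":
    for f in run_android_sample() + run_ios_sample(False):
        print(f.device, f.unlock_ts, f.indicators)
```

Two design points worth noting: a recent touch or motion event short-circuits the whole assessment, which is what keeps ordinary unlocks out of the alert stream, and the `min_indicator_types` floor means a single unexpected foreground by an unlisted app is not enough on its own; it has to co-occur with a capability grant, a posture change, sensor use, or an untrusted upload inside the same window. With `supervised_only=True` the iOS sample produces nothing because the device is not supervised, reflecting the reduced-confidence stance the iOS description takes.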