Location Tracking: Remote Device Management Services

ID Name
T1430.001 Remote Device Management Services
T1430.002 Impersonate SS7 Nodes

An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.[1]

ID: T1430.001
Sub-technique of:  T1430
Tactic Type: Post-Adversary Device Access
Tactics: Collection, Discovery
Platforms: Android, iOS
Version: 1.0
Created: 05 April 2022
Last Modified: 21 October 2022


ID Mitigation Description
M1012 Enterprise Policy

If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device’s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment.

M1011 User Guidance

Users should protect their account credentials and enable multi-factor authentication options when available.


Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used.