Live Active security incident? Get immediate response
MITRE ATT&CK® Data Component

DC0115: Protected Configuration

Protected Configuration represents security-sensitive device settings, security policies, or operating system configurations that are normally restricted to administrators, system services, or device management platforms. Monitoring these configurations enables detection of adversaries attempting to weaken device security controls or alter trusted device relationships.

Examples Android:

- USB debugging enabled - Unknown app installation allowed - Developer options enabled

iOS:

- Developer mode enabled - Device pairing trust relationships established - Configuration profile restrictions modified

MobileDC0115Data ComponentObject v2.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Protected Configuration is a mobile ATT&CK data component for security-sensitive device settings and trusted relationships that should normally be controlled by administrators, system services, or device management platforms. For leaders, its value is as an evidence source: if settings such as USB debugging, unknown app installation, developer options/mode, device pairing trust, or configuration profile restrictions change unexpectedly, that may indicate weakening of mobile device security controls or trust boundaries.

Executive priority

Treat this as a mobile device governance and assurance issue. The business question is whether the organization can prove that high-risk mobile configuration changes are monitored, reviewed, and recoverable. This matters for incident triage, compliance evidence, mobile device management oversight, and operational resilience where mobile devices are used for privileged access, field operations, executive communications, or regulated workflows.

Technical view

SOC, mobile security, and IR teams should validate whether they can observe protected configuration state and changes from managed mobile devices and device management platforms. ATT&CK does not provide tactic mappings, platforms, relationships, or detection logic for this component, so teams should build local use cases around the supplied examples: Android USB debugging, unknown app installation, and developer options; iOS developer mode, device pairing trust relationships, and configuration profile restriction changes. The key defensive question is whether configuration drift from approved baselines is captured with device identity, user, timestamp, policy source, and prior/current values.

Likely telemetry

  • Mobile device management or enterprise mobility management configuration state and change logs
  • Device security policy compliance records
  • Operating system configuration and restriction status where available
  • Configuration profile modification records
  • Device trust or pairing relationship records

Detection direction

  • Baseline approved protected configuration states for managed mobile device populations and alert on unauthorized or unexpected changes.
  • Correlate configuration changes with device owner, management status, enrollment state, policy assignment, and recent administrative actions to reduce false positives.
  • Prioritize review of changes that weaken installation controls, enable debugging/developer capabilities, alter profile restrictions, or establish new device pairing trust relationships.
  • Account for legitimate administrative maintenance, testing devices, developer devices, and help desk workflows as expected sources of noise.
  • Validate collection gaps: unmanaged devices, partially enrolled devices, privacy-restricted telemetry, and platforms or OS versions that do not expose the relevant setting may limit coverage.

Mitigation priorities

  • Define approved mobile security configuration baselines and ownership for exceptions.
  • Use device management policy to restrict or govern security-sensitive configuration changes where supported.
  • Require review and documentation for exceptions such as developer devices or troubleshooting workflows.
  • Ensure incident response playbooks include containment and validation steps for devices with weakened protected configurations or unexpected trust relationships.
  • Retain configuration evidence long enough to support audit, investigation, and post-incident review.
Analyst notes and limits

This object is a data component, not an adversary technique. Its main value is helping teams identify the evidence needed to detect attempts to weaken mobile device security controls or alter trusted device relationships. Because no ATT&CK relationships or official detection text are supplied, detection engineering should be based on local mobile management capabilities, policy baselines, and business-approved exceptions.

ATT&CK provides no platforms field, tactics, relationships, aliases, or official detection for this object. Android and iOS examples are present in the official description, but coverage depends on the organization’s device management tooling, operating system support, enrollment model, and telemetry retention.

Official MITRE ATT&CK definition

Protected Configuration

Protected Configuration represents security-sensitive device settings, security policies, or operating system configurations that are normally restricted to administrators, system services, or device management platforms. Monitoring these configurations enables detection of adversaries attempting to weaken device security controls or alter trusted device relationships.

Examples Android:

- USB debugging enabled - Unknown app installation allowed - Developer options enabled

iOS:

- Developer mode enabled - Device pairing trust relationships established - Configuration profile restrictions modified

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.1
Created
Modified
Raw hash
4ecdd35f516f6ff9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.1 Current bundle 4ecdd35f516f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DC0115
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use