AN1746: Analytic 1746
On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.
On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.
Analyst context for executives and security teams
This analytic is about validating whether iOS devices have unexpected Configuration Profiles installed. For leaders, the value is governance: profiles can materially change device trust, management, and security posture, so organizations should be able to prove which profiles are present, expected, and managed.
Executive priority
Prioritize this as part of mobile device assurance, MDM governance, and compliance evidence for managed iOS fleets. The key business question is whether the organization can inventory and review installed Configuration Profiles quickly enough to support incident response, audit requests, and policy enforcement decisions.
Technical view
For iOS, validate that MDM APIs or device settings review can enumerate installed Configuration Profiles and support anomaly review against an approved baseline. Because no ATT&CK detection logic, tactics, or relationships are supplied, SOC and IR teams should treat this as a coverage validation requirement rather than a ready-to-deploy detection rule.
Likely telemetry
- MDM inventory of installed iOS Configuration Profiles
- Device management records showing expected profiles per user, device group, or enrollment type
- Administrative change records for approved profile deployment or removal
- User- or helpdesk-reported evidence from iOS settings when MDM telemetry is unavailable
Detection direction
- Confirm whether the MDM can list installed Configuration Profiles across the iOS fleet.
- Compare observed profiles against an approved baseline for the device population.
- Tune review workflows to account for legitimate profiles installed by IT, enrollment processes, or approved business applications.
- Investigate unknown or unexpected profiles using device ownership, enrollment status, and recent administrative change context.
- Document blind spots for unmanaged iOS devices or devices not reporting current MDM inventory.
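The baseline comparison described in this list, as an added example that is not part of the MITRE object or any MDM product's code. It assumes an MDM inventory export shaped like the constructed records below: `PayloadIdentifier` is the standard profile identifier key, while `device_id`, `group`, `last_inventory` and the 7-day freshness limit are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Approved baseline per device group (constructed identifiers).
BASELINE = {
    "corporate": {"com.example.mdm", "com.example.wifi", "com.example.vpn"},
    "byod": {"com.example.mdm"},
}
MAX_AGE = timedelta(days=7)  # assumed freshness limit for MDM inventory

# Constructed MDM export; every key except PayloadIdentifier is hypothetical.
INVENTORY = [
    {"device_id": "ios-001", "group": "corporate",
     "last_inventory": "2025-01-14T09:00:00+00:00",
     "profiles": [{"PayloadIdentifier": i} for i in
                  ("com.example.mdm", "com.example.wifi", "com.example.vpn")]},
    {"device_id": "ios-002", "group": "corporate",
     "last_inventory": "2025-01-14T10:30:00+00:00",
     "profiles": [{"PayloadIdentifier": i} for i in
                  ("com.example.mdm", "com.example.wifi", "com.unknown.proxy")]},
    {"device_id": "ios-003", "group": "byod",
     "last_inventory": "2024-12-01T08:00:00+00:00",
     "profiles": [{"PayloadIdentifier": "com.example.mdm"}]},
    {"device_id": "ios-004", "group": "contractor",
     "last_inventory": "2025-01-15T07:00:00+00:00",
     "profiles": [{"PayloadIdentifier": "com.example.mdm"}]},
]

def review_fleet(inventory, baseline, now, max_age=MAX_AGE):
    """Return (findings, blind_spots) for one inventory snapshot."""
    findings, blind_spots = [], []
    for dev in inventory:
        seen = dev.get("last_inventory")
        if seen is None or now - datetime.fromisoformat(seen) > max_age:
            blind_spots.append(dev["device_id"])  # stale data proves nothing
            continue
        approved = baseline.get(dev["group"])
        if approved is None:  # no baseline defined: route to manual review
            findings.append((dev["device_id"], "no-baseline", dev["group"]))
            continue
        installed = {p["PayloadIdentifier"] for p in dev["profiles"]}
        for ident in sorted(installed - approved):
            findings.append((dev["device_id"], "unexpected", ident))
        for ident in sorted(approved - installed):
            findings.append((dev["device_id"], "missing", ident))
    return findings, blind_spots

if __name__ == "__main__":
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    for row in review_fleet(INVENTORY, BASELINE, now)[0]:
        print(row)
```

Devices with stale or missing inventory are reported separately as blind spots rather than as clean, so a device that stopped checking in is never counted as compliant.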
Mitigation priorities
- Maintain an approved inventory of Configuration Profiles by device group and business purpose.
- Use MDM to monitor installed profiles where available.
- Establish review and escalation procedures for unexpected or unknown profiles.
- Include profile inventory evidence in mobile compliance and incident response readiness checks.
- For unmanaged devices, define policy expectations and user guidance for reviewing installed profiles in device settings.
Analyst notes and limits
The official description also references Android certificate and unknown-app installation checks, but the supplied platform field for this object is iOS. This take therefore focuses on iOS Configuration Profiles and treats Android references as contextual text not supported by the platform metadata for this object.
No official detection logic, tactic mapping, technique relationships, or related ATT&CK objects were supplied. Local MDM capability, device enrollment coverage, and approved-profile baselines are required to determine actual defensive coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 13682092b107… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1746
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.