MITRE ATT&CK® Detection Strategy

DET0702: Detection of Remote Device Management Services


Mobile | DET0702 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is about identifying use of mobile remote device management services that can locate managed phones or tablets. For leaders, the business issue is not just mobile administration; it is whether access to consumer cloud location features or enterprise EMM/MDM consoles could expose employee, executive, or operational location data if accounts or admin access are misused.

Executive priority

Prioritize this as an identity, mobile security, and governance control question: who can locate devices, under what approval model, and what audit evidence exists when location services are used. It is especially relevant for executive protection, privacy obligations, incident response scoping, and assurance that MDM/EMM administrative access is monitored rather than treated as routine IT activity.

Technical view

ATT&CK links DET0702 to mobile technique T1430.001, Remote Device Management Services, affecting Android and iOS through services such as Android Device Manager, Apple iCloud Find My iPhone, or enterprise MDM/EMM consoles. Because the ATT&CK object provides no official detection logic, SOC and IR teams should validate whether mobile management and cloud identity logs can show console access, device location actions, account authentication, privilege use, and device-management changes tied to mobile assets.

Likely telemetry

  • EMM/MDM administrative console audit logs
  • Cloud account authentication and session logs for mobile management services
  • Device location request or location lookup records where available
  • Mobile device enrollment, ownership, and management status records
  • Privileged administrator activity logs for MDM/EMM roles

Detection direction

  • Inventory which services can locate Android and iOS devices and confirm whether each produces usable audit logs.
  • Baseline legitimate help desk, security, and device recovery workflows so location lookups can be reviewed without generating excessive false positives.
  • Alert or review location access involving executive devices, sensitive business units, unusual administrators, unusual source locations, or access outside normal support workflows.
  • Correlate MDM/EMM console activity with identity authentication events to distinguish approved administration from suspicious account use.
  • Identify blind spots where consumer cloud accounts, personal Apple/Google accounts, or unmanaged devices fall outside enterprise logging.
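
An added example, not part of the original page or of MITRE ATT&CK: one way to implement the correlation and review steps above over constructed records. The field names, account names, device IDs, ticket IDs and the 30-minute window are assumptions, since ATT&CK specifies no log fields for DET0702.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are a hypothetical normalized schema,
# not any vendor's real MDM/EMM or IdP log format.
MDM_EVENTS = [
    {"ts": "2025-03-04T09:12:00", "admin": "helpdesk1", "action": "locate_device",
     "device": "PHONE-0113", "src_ip": "10.1.4.20", "ticket": "REQ-1001"},
    {"ts": "2025-03-04T23:41:00", "admin": "svc-report", "action": "locate_device",
     "device": "PHONE-0007", "src_ip": "203.0.113.9", "ticket": None},
    {"ts": "2025-03-05T10:02:00", "admin": "helpdesk1", "action": "locate_device",
     "device": "PHONE-0007", "src_ip": "10.1.4.20", "ticket": "REQ-1002"},
]
SIGNINS = [
    {"ts": "2025-03-04T09:05:00", "user": "helpdesk1", "src_ip": "10.1.4.20", "mfa": True},
    {"ts": "2025-03-05T09:58:00", "user": "helpdesk1", "src_ip": "10.1.4.20", "mfa": True},
]
APPROVED_LOCATORS = {"helpdesk1"}   # accounts whose role allows location lookups
SENSITIVE_DEVICES = {"PHONE-0007"}  # e.g. executive devices: always reviewed

def has_matching_signin(event, signins, window):
    """True if the admin signed in with MFA from the same IP shortly before."""
    t = datetime.fromisoformat(event["ts"])
    return any(s["user"] == event["admin"] and s["src_ip"] == event["src_ip"] and s["mfa"]
               and timedelta(0) <= t - datetime.fromisoformat(s["ts"]) <= window
               for s in signins)

def review_location_lookups(mdm_events, signins, window=timedelta(minutes=30)):
    """Return (event, reasons) for each location lookup that needs analyst review."""
    findings = []
    for ev in mdm_events:
        if ev["action"] != "locate_device":
            continue
        reasons = []
        if ev["admin"] not in APPROVED_LOCATORS:
            reasons.append("admin_not_approved")
        if not ev["ticket"]:
            reasons.append("no_ticket")       # outside the documented workflow
        if not has_matching_signin(ev, signins, window):
            reasons.append("no_matching_signin")
        if ev["device"] in SENSITIVE_DEVICES:
            reasons.append("sensitive_device")
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    for ev, reasons in review_location_lookups(MDM_EVENTS, SIGNINS):
        print(ev["ts"], ev["admin"], ev["device"], ",".join(reasons))
```

Lookups on sensitive devices are surfaced even when every other check passes, so they land in a review queue rather than an alert queue; tune the window and the approved set to the baseline of legitimate support workflows.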

Mitigation priorities

  • Restrict MDM/EMM and cloud location capabilities to approved roles with least privilege.
  • Require strong authentication and administrative access governance for accounts able to locate devices.
  • Document approved device-location workflows and retain audit evidence for investigations and compliance review.
  • Review mobile device ownership, enrollment, and management status so defenders know which devices are visible to enterprise controls.
  • Test incident response procedures for suspected misuse of mobile management or cloud location services.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, tactics, platforms, or detection text. The practical guidance above is derived from the relationship to T1430.001 and its description of cloud and enterprise mobile management services used to track mobile device location.

Local validation is required. ATT&CK does not specify exact log fields, analytic logic, vendors, thresholds, or guaranteed telemetry for DET0702. Coverage will depend on the organization’s MDM/EMM platform, Apple/Google account model, identity logging, mobile enrollment practices, and retention settings.

Official MITRE ATT&CK definition

Detection of Remote Device Management Services

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1430.001 | Remote Device Management Services (Sub-technique) | This object detects Remote Device Management Services.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ba2b583daa63bfd5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ba2b583daa63…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.