Hi all,
I’m not a developer, but I’m hoping someone with iOS system or network experience can help me understand some very persistent and unusual behavior on my iPhone. I’ve gathered system logs and app-level diagnostics and would really appreciate insight from anyone familiar with daemons, VPN tunnels, or MDM behavior on Apple platforms.
Summary of Issues Over Time
- March 2025: Most apps begin logging out automatically when closed
- April 2025: Passwords across apps and browsers begin failing
- May–June 2025: Gmail password reset emails stop arriving (even though other email works)
These symptoms suggest something affecting secure sessions, DNS routing, or background data handling. I began running diagnostics and found unexpected system and network behaviors:
Examples:
- com.apple.mobile.lockdown.remote.trusted
- file_relay.shim.remote
- pcapd.shim.remote
- webinspector.shim.remote
- bluetooth.BTPacketLogger.shim.remote
On a normal, non-jailbroken device, I wouldn't expect so many .shim.remote or .diagnostic services to be active. Is this expected on iOS 18.5?
The binary /usr/sbin/scutil appears to be missing.
This breaks commands like:
- scutil --dns
- scutil --proxy
- scutil --nc list
On a standard iOS device, is it even possible for scutil to be removed or disabled?
App Behavior and Config Locking (Cloudflare WARP Log)
From the logs of the Cloudflare WARP app (not enterprise-managed):
- The app repeatedly forces VPN tunnels to reconnect or restart by injecting dummy URLs (force OS to restart the network extension process).
- It tries to load policy configuration from MDM and Teams APIs (even though no MDM appears in Settings).
- Many config items are marked as:
locked: true, visible: true
including:
- DNS logs
- Fallback DNS
- Trusted WiFi settings
- The account is labeled as: WarpAccountRole.child which may explain some restrictions — but I’ve never set this manually.
This seems more advanced than what the standard WARP app does. Could a provisioning profile or side-loaded config be applying these?
Key Questions for the Community
- Are ~50 remote diagnostic services (.shim.remote) normal on iOS 18.5 stock devices?
- Could a VPN app (e.g. WARP) or hidden config enforce flow-switching across interfaces like ipsec, awdl, and pdp_ip, even when not visibly active?
- Can a provisioning profile or managed config enable services like file_relay, pcapd, or webinspector silently — without any visible MDM profile?
- Has anyone seen scutil or other network tools missing on a stock iPhone? What could cause this?
- Does WARP in MASQUE mode normally lock DNS settings and force tunnel restarts — or could this indicate tampering?
If anyone on iOS 18.5 / iPhone17,1 can share their remotectl_dumpstate output, I'd love to compare.
Happy to share sanitized logs or run more tests if helpful. Thank you for any insights — especially from those familiar with internal services, VPN frameworks, or supervised profiles.