What can MDM do with a Mac?

My new employer gave me a MacBook which is enrolled in the Jamf MDM. I wonder what are the limits to which macOS (it’s the latest Mojave) allows a remote admin to control the laptop. In addition to the installed profile, there’s also the admin user account which, I suppose, can be remotely logged into.


I do understand they can lock or erase the machine, or remotely change my account’s password (it uses Active Directory), so I don’t put any personal data on the computer.


But there are certain areas I’m not sure about. Specifically, I’d like to learn whether MDM can turn on (1) camera, (2) microphone, (3) location services, (4) screen recording, or (5) keyboard logging without my knowledge or permission.


Since I bring the computer home, I don’t want my employer (or anyone) to be able to spy on me, or know where I live.


Also, can the Jamf profile be used to intercept and decipher HTTPS traffic?

MacBook Pro

Posted on Sep 3, 2019 10:36 AM


17 replies

Sep 3, 2019 10:43 AM in response to YakovM

Since this is your employer's property, you will need to ask their IT department, what the restrictions are for using it. Typically, they provide this information to you as part of an agreement to use the device. By default, your employer already knows where you live, and other personal data that you provided them as terms of your employment. If you are concerned about them "monitoring" your use of this device, then use it only for work purposes ... or any other use that they permit.


Also, if your employer provides you with VPN access back to the workplace, they will be monitoring any traffic across that VPN interface. Bottom line? You are guaranteed NO PRIVACY using a work-provided device.

Sep 3, 2019 11:00 AM in response to Tesserax

Thanks for your quick reply.


I understand this device is not owned by me, and its owner is rightful to monitor it in certain ways. But there’s a line for how far this monitoring can reasonably go. For example, turning on the camera arbitrarily can be justified under no law or common sense—it’s not monitoring; it’s spying.


So I guess there should be some Apple-set boundaries for how much a remote admin can do with a managed device.


And regarding the traffic question, I was talking about my home Wi-Fi. Is it possible to use a management profile to sniff network traffic locally, decipher it, and send it somewhere else?

Sep 3, 2019 11:18 AM in response to BobTheFisherman

I appreciate your unsolicited advice. However, I doubt any employer will tell you outright they reserve the right to spy on you. So it’s not about what they say in their rules; it’s about what they can do without you knowing.


My question was strictly technical: whether there are limits of remote management, imposed by Apple, and, if they exist, what those limits are.

Sep 3, 2019 11:38 AM in response to Tesserax

I am really grateful for the time members of this forum spend on trying to help others; no kidding here. It’s just that phrase about quitting sounded pretty hostile. Like, I know I can switch jobs, or keep the work laptop at the office, or do something else. But in the end, what I tried to figure out was what the employer can do, and not what I should.

Sep 3, 2019 11:47 AM in response to YakovM

This is what I responded to "...what the employer can do, and not what I should." Again, the employer can do whatever he wants. If he wants to snoop on your network he can. If he wants to use your camera he can. If he wants to store data on your computer he can. If he wants to listen in he can. If he wants to ....

Ask your employer what they can and will do. How would we know?


Sep 3, 2019 1:12 PM in response to YakovM

After re-reading some of my replies, I can see where you might feel that way. I really wasn't trying to be argumentative, just wanted to inform you with what the possibilities were ... as I have worked at a large Aerospace firm. Today's realities tend to "force" employers (& us) to be ever so more vigilant to thwart data loss or becoming victims to "bad actors." This usually shows up as increased security measures that could directly affect an employee ... so I can fully understand.
