I usually avoid end user question and issue situations, but I'll make my 2 cents known on this one.
If this is your personal device, remove it from Jamf. Now. Honestly, you will need to reinstall macOS to be sure anything Jamf did to the device is undone; this sucks, but there is no way around it.
There are different enrollment states. This device is most likely managed, not supervised. This limits what the MDM framework will be able to do. For example, they cannot force OS updates, or see what apps are being used using the MDM framework. Jamf will still have root access and can install literally any applications they want, including security and monitoring tools. As Jamf has root access, it's not limited to monitoring your son's account; it can see any account on the device and install tools and see any files on the device. The Supervised vs Managed limitations are far more important on iOS than they are on macOS, as having root access closes most of the gaps.
As far as options:
- If you use a VM, they will know; or at least they should know. But this is not a bad idea.
- You can partition the drive and have a separate OS installed that your son uses for this purpose and boot to your "personal" OS when you want to use the device.
- The correct path for full device management, they need to furnish your son a device.
- If they don't want to furnish a device, they need to look into proctoring software that lets them record the screen, and you can close it at the end of the day. Managed Chrome Identities and Managing Chrome is another option.
They are trying to be cheap and save a buck by monotiling your device rather than furnishing one. This is one of my pet peeves with BYOD.
Thank you very much for your response. We have made an appointment at the school and we are going to present our doubts.
I really wouldn't be too concerned about this. Check the MDM Profile in the System Preferences to get a better understanding of settings / restrictions set by the school. If you think any of them are unnecessary or malicious, ask the school about it.
That being said, if you don't trust the school enough to manage your device responsibly or if you have reasons to believe that teachers are spying on your child via the MacBook, then change the school.