I'm a developer and my company wants to install JAMF on my Mac

Pankh
New Contributor

I don't do anything nefarious, illegal, or morally questionable on my work macbook. But because it was issued to me to work on at home, and I'm expected to take it everywhere, it feels like it's sort of "mine", even though I don't own it. I have pics of my family on it, I have hobbies I use it to work on, etc.

My company wants to rollout JAMF to all Macs. Some of us have taken a closer look at the binary and seen some things we don't like (possible remote control of the camera, for one?), and then there are the inevitable scuffles with the sysadmins that are looming large (sorry guys, I know devs are assholes). I'm just not a fan of the idea of a process running on this machine that a) gives root access to someone else and b) eats CPU like it was just rescued from a desert island.

28 REPLIES 28

swapple
Contributor III

We have those discussions all the time with users and it all really boils down to some simple stuff.
1) It is a company asset and not yours. Most likely the code you submit is scrutinized way more than your computing habits.
2) Jamf is also compliance reporting so while you do not do anything nefarious, the audit team that is auditing the company does not believe you but a Jamf report can verify that and the auditors will not fine the company $$$ due to an asset they saw in the purchase audit not being reported in the asset audit.
3) Jamf does not hog the CPU and if it does, please report it to the IT department so they can look into it and make it stop.
4) Voice any concerns you have after Jamf has been installed to the IT department and let them address it. The company has to balance out protecting their asset with employees being able to do their job.
5) Don't make this "you vs the company". If you really feel like the company is spying on you, you should probably leave. The company has to protect itself and with more people thinking their computers don't need to be monitored, the more vulnerable they become. Monitored <> spying.
6) Your choice to put personal data/pics/hobby stuff on a company asset is your choice. You making that choice does not make it any more your computer. Review the company handbook to see what is allowed on your computer. If the company is fine with that, they probably are not looking that close at your computer other than it is powered on and has the latest update.

hjcao
Contributor

I feel like this post pops up every once in awhile with the exact same wording and you get the same types of answers every time. It boils down to this:

  1. It's not your machine, no matter how much personal info you put on it.
  2. If you don't like your company's policies, find a new company.

genode
New Contributor

[]

It isn't the attitude that "admins" have.  It is that WE are the ones responsible for security.  You're bypassing the management controls that your employer put in place, potentially due to regulatory requirements.  This will get you fired in my workplace, and quite likely?  Me along with you.  

Don't do this.

Taylor_Armstron
Valued Contributor

It isn't yours.

End of story (sorry)

easyedc
Valued Contributor II

While I respect this statement, at some point, someone will.

I don't do anything nefarious, illegal, or morally questionable on my work macbook.

They're not after you, they're protecting everyone as a whole.

mike_paul
Contributor III
Contributor III

For added clarity, Jamf does not have the ability to control or use your camera. That is not part of the product anywhere. It actually goes against some of our core ideas of personal data protection. Jamf does have the ability for your IT admins to remotely connect to your computer but depending on that users permissions or if you are running macOS 10.14+ (maybe earlier) there is no way to remotely connect to your screen session and see what you are doing unless you click "Share Screen" on the prompt saying a user wants to connect to your computer and this only works if you are on the same network or VPN'd in to the network. There are no built in methods to access your photos or really any of that personal data type things and more and more those things are protected from access from most systems due to new PPPC/TCC security implementations from Apple. Also the fact that you take the computer with you everywhere means that the organization can say based off of inventory reporting that you are encrypted or meet other security requirements and even possibly remotely wipe or lock the computer if needed. All of these are needed things for many organizations from a legal standpoint to help protect intellectual property. Gotta protect that data.

Canniff
New Contributor III

Yeah, not your laptop mate. Put a little piece of postit note over the camera if it makes you feel better. If its any consolation we have Munki installed on our laptops and to my slight horror it apparently logs our location with a python script called pinpoint. So I troll my sys admin and modified the location to always show I'm inside the Tardis in London.
Google maps link to Tardis

Emmert
Valued Contributor

Taking images from the iSight remotely is trivial... and while not built into Jamf, I assume they put an admin account on your MacBook before they gave it to you? Or is your local admin account the only thing there and they're not backing you up or administering you in any way whatsoever? We don't even grant our users local admin access, but that's a rare-ish scenario from what I understand.

If it's the case that they're not really managing the computer in any way then you're long overdue for some kind of organized management whether it be Jamf, some other MDM, or some home-brewed combination of things.

Anyway to address your point, The Company could use ARD or any number of things to install something like imagesnap to your computer, run it silently from the command line, then copy the result back. I suspect this has been possible since the introduction of the original white iMac that had an iSight.

You'd see the green light for it blink of course, but if you were not using the computer you might not notice it.

This really doesn't address the underlying question, but these are theoretically your colleagues and you should trust and work together with them. Ask yourself, "Is This Good for the Company?"

e7f475e33e68469e9b48819ea66b357e

Emmert
Valued Contributor

Offtopic, but why is every capital letter weirdly slightly bold in this forum? ABC Crimson Tide Is My Favorite Movie

djdavetrouble
Contributor III

We have this issue with developers (surprise!). Guess what they download everything under the sun if allowed to (keygens, trial software, hacked software, PUAs). On the machines that we actually can keep enrolled, detections are through the roof for PUAs and the like. Are you working on financial software, educational software, healthcare software on a non compliant machine? Thanks for putting the entire company, product, AND customers at risk. This is exactly how some major intrusions happened.

CGundersen
Contributor III

Speaking generally, I'm always surprised how many folks use their work-issue devices as personal (and the resultant support expectations they have). They seem to feel entitled to it/how it's used. I guess I get the financial/cost saving aspect of it, but I really dig the separation, personally.

jared_f
Valued Contributor

Here is my view: it is company owned and the company gets to install whatever they want on it to manage their asset.

It would be different if it was your personal device, but it isn’t. Have an open discussion with your IT team.

rderewianko
Valued Contributor II

Most IT groups do compliance, can they remote control your computer yes? Do they want to for no reason? no, will they if they're provoked? yes.

End of the day,, you gotta trust your it group todo the right thing.

gregneagle
Valued Contributor

Cannif writes: "If its any consolation we have Munki installed on our laptops and to my slight horror it apparently logs our location with a python script called pinpoint."

Munki doesn't log location.
But your admin is using Munki to install and trigger that "pinpoint" script. Any management tool could be used for that, even Jamf Pro.
In fact, I think with current macOS releases, Location Services can't be used by third-party software without either end-user agreement, or MDM approval (which Munki can't do since it's not an MDM). Jamf Pro can do this, since it contains an MDM...

thebrucecarter
Contributor II

I'm both a developer and one of the local Jamf Administrators, and quite frankly I don't have the time, inclination, or interest to look at anybody's stuff. I have enough to do keeping up with actual work. Additionally, my computers are all enrolled in Jamf for management, just like everybody else's. It's more of a due diligence thing than anything else.

I can't speak to the CPU consumption, my jamfagent is running at 0.0% right now. I guess I would have to catch it when it is doing something, which is pretty infrequent other than checkins.

wmayhone
New Contributor III

Ultimately I'd point to the major thing others have mentioned. It's not your property. It's a device your employer loans you to do your job, and if they allow you to do more with it (use it as a personal device) that's great of them. If you don't like that your employer wants to do something with their property, my advice is to either pull off all of your own data and only keep work data on work devices, or leave for a different employer.

Another point to make is if you were fired on the spot, or the company shut down and said to leave but keep all work equipment at your desk, would you feel obligated to take it because you have stuff on there? Ultimately, if you want a laptop to use as a personal device, buy one.

cwearer
New Contributor

Simply put - that Mac is a company asset, and not a personal asset. No amount of “It feels like mine” changes that. The company has every right to protect their investment in that hardware - and you’re absolutely mistaken if you think your personal data on that asset changes anything.

As far as the CPU strain you’re seeing - alert the IT Team immediately to have them investigate, as that is not an expected behavior.

cwearer
New Contributor

-

cwearer
New Contributor
    -

Alemvik
New Contributor

I prefer having one Mac - I'm lot more productive that way since I only have one to manage and not feeling spied on. My company provided the phones and I wont ever use two (mine and the cie's) phone or one having spywares / tracking. I mostly use open sources stuff and a VPN. I can go without VPN if my cie had/use a global secured git hub - deploying from a dedicated intranet connected computer.

ammonsc
Contributor II

Coming from both a JAMF Admin and a Cybersecurity professional I echo everyone else. It is the companies asset not yours. If you want a non JAMF Mac buy one.

GrahamJ
New Contributor II

Guy made an account almost year ago and post this today. Odd

AdamCraig
Contributor III

Some of us have taken a closer look at the binary and seen some things we don't like (possible remote control of the camera, for one?) this is impossible. You cannot pre-approve camera or microphone access. If I'm wrong please let me know because I have to deploy voip software and getting our users to click the "allow access to microphone" button is surprisingly hard.

GrahamJ
New Contributor II

think you can do it with PPPC tool or something. I also can be wrong.

mm2270
Legendary Contributor III

Nope, for Camera and Microphone specifically, the only options available in the PPPC Utility, and therefore within Apple's MDM framework itself, is Deny. You cannot pre-approve allowing access (just pre-approve denying access) to either of those for any other program or binary.

e3b924708e5a4ccba8873c737fb52e6f

Therefore Jamf cannot give access to these. It may have been able to do so in the past by deploying some 3rd party utility or hack to enable it (it was NEVER something built-in), but with Apple's recent security model changes, even that is now impossible. The user is the only one that can allow it to happen.

mike_paul
Contributor III
Contributor III

With the changes Apple made to user data protections in macOS 10.14+ there is no way to enable camera or microphone for applications remotely, it requires end users allow it via the prompts. The PPPC tool only shows the deny option for Camera and Microphone. Also the Jamf binary never had the ability to enable the camera. There might have been some previous discussion and comments around it but the feature was never added. #rasingthreadsfromthedead

nelsoni
Contributor III

With Catalina, Apple introduced Screen recording in PPPC which also can only be set to deny so now in order to control a Mac remotely the user has to approve the PPPC.