Jamf Nation Community

I feel like this post pops up every once in awhile with the exact same wording and you get the same types of answers every time. It boils down to this:

1. It's not your machine, no matter how much personal info you put on it.
2. If you don't like your company's policies, find a new company.

It isn't yours.

End of story (sorry)

While I respect this statement, at some point, someone will.

I don't do anything nefarious, illegal, or morally questionable on my work macbook.

They're not after you, they're protecting everyone as a whole.

For added clarity, Jamf does not have the ability to control or use your camera. That is not part of the product anywhere. It actually goes against some of our core ideas of personal data protection. Jamf does have the ability for your IT admins to remotely connect to your computer but depending on that users permissions or if you are running macOS 10.14+ (maybe earlier) there is no way to remotely connect to your screen session and see what you are doing unless you click "Share Screen" on the prompt saying a user wants to connect to your computer and this only works if you are on the same network or VPN'd in to the network. There are no built in methods to access your photos or really any of that personal data type things and more and more those things are protected from access from most systems due to new PPPC/TCC security implementations from Apple. Also the fact that you take the computer with you everywhere means that the organization can say based off of inventory reporting that you are encrypted or meet other security requirements and even possibly remotely wipe or lock the computer if needed. All of these are needed things for many organizations from a legal standpoint to help protect intellectual property. Gotta protect that data.

Yeah, not your laptop mate. Put a little piece of postit note over the camera if it makes you feel better. If its any consolation we have Munki installed on our laptops and to my slight horror it apparently logs our location with a python script called pinpoint. So I troll my sys admin and modified the location to always show I'm inside the Tardis in London.
Google maps link to Tardis

Taking images from the iSight remotely is trivial... and while not built into Jamf, I assume they put an admin account on your MacBook before they gave it to you? Or is your local admin account the only thing there and they're not backing you up or administering you in any way whatsoever? We don't even grant our users local admin access, but that's a rare-ish scenario from what I understand.

If it's the case that they're not really managing the computer in any way then you're long overdue for some kind of organized management whether it be Jamf, some other MDM, or some home-brewed combination of things.

Anyway to address your point, The Company could use ARD or any number of things to install something like imagesnap to your computer, run it silently from the command line, then copy the result back. I suspect this has been possible since the introduction of the original white iMac that had an iSight.

You'd see the green light for it blink of course, but if you were not using the computer you might not notice it.

This really doesn't address the underlying question, but these are theoretically your colleagues and you should trust and work together with them. Ask yourself, "Is This Good for the Company?"

Offtopic, but why is every capital letter weirdly slightly bold in this forum? ABC Crimson Tide Is My Favorite Movie

We have this issue with developers (surprise!). Guess what they download everything under the sun if allowed to (keygens, trial software, hacked software, PUAs). On the machines that we actually can keep enrolled, detections are through the roof for PUAs and the like. Are you working on financial software, educational software, healthcare software on a non compliant machine? Thanks for putting the entire company, product, AND customers at risk. This is exactly how some major intrusions happened.

Speaking generally, I'm always surprised how many folks use their work-issue devices as personal (and the resultant support expectations they have). They seem to feel entitled to it/how it's used. I guess I get the financial/cost saving aspect of it, but I really dig the separation, personally.

Here is my view: it is company owned and the company gets to install whatever they want on it to manage their asset.

It would be different if it was your personal device, but it isn’t. Have an open discussion with your IT team.

Most IT groups do compliance, can they remote control your computer yes? Do they want to for no reason? no, will they if they're provoked? yes.

End of the day,, you gotta trust your it group todo the right thing.

Cannif writes: "If its any consolation we have Munki installed on our laptops and to my slight horror it apparently logs our location with a python script called pinpoint."

Munki doesn't log location.
But your admin is using Munki to install and trigger that "pinpoint" script. Any management tool could be used for that, even Jamf Pro.
In fact, I think with current macOS releases, Location Services can't be used by third-party software without either end-user agreement, or MDM approval (which Munki can't do since it's not an MDM). Jamf Pro can do this, since it contains an MDM...

I'm both a developer and one of the local Jamf Administrators, and quite frankly I don't have the time, inclination, or interest to look at anybody's stuff. I have enough to do keeping up with actual work. Additionally, my computers are all enrolled in Jamf for management, just like everybody else's. It's more of a due diligence thing than anything else.

I can't speak to the CPU consumption, my jamfagent is running at 0.0% right now. I guess I would have to catch it when it is doing something, which is pretty infrequent other than checkins.

Ultimately I'd point to the major thing others have mentioned. It's not your property. It's a device your employer loans you to do your job, and if they allow you to do more with it (use it as a personal device) that's great of them. If you don't like that your employer wants to do something with their property, my advice is to either pull off all of your own data and only keep work data on work devices, or leave for a different employer.

Another point to make is if you were fired on the spot, or the company shut down and said to leave but keep all work equipment at your desk, would you feel obligated to take it because you have stuff on there? Ultimately, if you want a laptop to use as a personal device, buy one.

Simply put - that Mac is a company asset, and not a personal asset. No amount of “It feels like mine” changes that. The company has every right to protect their investment in that hardware - and you’re absolutely mistaken if you think your personal data on that asset changes anything.

As far as the CPU strain you’re seeing - alert the IT Team immediately to have them investigate, as that is not an expected behavior.

-

-

I prefer having one Mac - I'm lot more productive that way since I only have one to manage and not feeling spied on. My company provided the phones and I wont ever use two (mine and the cie's) phone or one having spywares / tracking. I mostly use open sources stuff and a VPN. I can go without VPN if my cie had/use a global secured git hub - deploying from a dedicated intranet connected computer.

Coming from both a JAMF Admin and a Cybersecurity professional I echo everyone else. It is the companies asset not yours. If you want a non JAMF Mac buy one.

Guy made an account almost year ago and post this today. Odd

Some of us have taken a closer look at the binary and seen some things we don't like (possible remote control of the camera, for one?) this is impossible. You cannot pre-approve camera or microphone access. If I'm wrong please let me know because I have to deploy voip software and getting our users to click the "allow access to microphone" button is surprisingly hard.

think you can do it with PPPC tool or something. I also can be wrong.

Nope, for Camera and Microphone specifically, the only options available in the PPPC Utility, and therefore within Apple's MDM framework itself, is Deny. You cannot pre-approve allowing access (just pre-approve denying access) to either of those for any other program or binary.

Therefore Jamf cannot give access to these. It may have been able to do so in the past by deploying some 3rd party utility or hack to enable it (it was NEVER something built-in), but with Apple's recent security model changes, even that is now impossible. The user is the only one that can allow it to happen.

With the changes Apple made to user data protections in macOS 10.14+ there is no way to enable camera or microphone for applications remotely, it requires end users allow it via the prompts. The PPPC tool only shows the deny option for Camera and Microphone. Also the Jamf binary never had the ability to enable the camera. There might have been some previous discussion and comments around it but the feature was never added. #rasingthreadsfromthedead

With Catalina, Apple introduced Screen recording in PPPC which also can only be set to deny so now in order to control a Mac remotely the user has to approve the PPPC.