Can JAMF see my files and log keyboard presses?

mimosa09
New Contributor

The company I work for (as a contractor) is requiring me to install JAMF on my *personal* laptop and iMac because of "compliance requirements". While I would usually refuse on principle (since these are my own devices), I am enjoying my job, so I'm not really planning to challenge it.

As these are my personal devices, I do my banking and have my personal data on them, so I'm wondering what they can actually access through JAMF. IT told me they will not have access to any personal data, and that I can continue using my personal AppleID, but after reading what I could find online, I am starting to doubt that.

Another reason is they are refusing to buy the apps I purchased that speed up my work but that they don't consider essential. So if I create a new AppleID, I would lose access to my music and all the apps that I use daily (both for work and my own use).

I wonder what the actual capability of JAMF is and what they will be able to access. Will they be able to access my photos, browser history, record keypresses, etc.? I don't think they will waste their time spying on me, but considering privacy and security implications, should I just accept it and take their word, or refuse on the basis of privacy and security risks? Thanks.

3 REPLIES

TrentO
Contributor II

On macOS, Jamf runs as the root user and has access to anything the root user would. It can run arbitrary scripts and access mostly any data. There are some restrictions around MDM commands for "non-supervised" devices, but recent macOS considers all user-enrolled devices as supervised by default. In general, BYOD macOS is a bad idea.

On iOS, it's more in line with what the company is telling you. With a BYOD enrollment a "work" partition is created and they only have access to that. 

sdagley
Esteemed Contributor II

@mimosa09 Personally, I'd recommend purchasing a separate Mac to use for any activities related to your contracted work, and telling the company that's the only Mac you'll enroll in Jamf Pro. As @TrentO describes, there's currently no concept of BYOD enrollment for macOS, and I would not want to deal with whatever "security" products this company would want to install once your personal Mac is enrolled with their Jamf Pro environment (and the fact they have that requirement makes me think there are going to be several of those).

AJPinto
Honored Contributor III

JAMF is a management platform. What it can do and what they do with it are different. Though I would assume the worst, as nothing is stopping them. My suggestion is to never mix work and personal. Either your employer needs to provide you a device for them to manage, or you need to get a device just for work. You could also look into creating a macOS virtual machine and having them manage the VM instead of your host OS.

GitHub - insidegui/VirtualBuddy: Virtualize macOS 12 and later on Apple Silicon

This is what JAMF can see. Though keep in mind JAMF can install tools that can see far more. JAMF itself cannot see your keystrokes, but it can install something that can. JAMF can also run scripts to see any files on your device.

Data Collection - Jamf Pro Security Overview 10.44.0 or Later | Jamf