Disable Local Remote Management

bobson
New Contributor

We ran into an issue where one of the higher-ups within our organization was having printer troubles and one of our technicians remotely logged into their Mac with the managed admin credentials. The higher-up took issue with this as the user's account does contain sensitive documents and they're not a fan of the possibility that anyone in our department is able to remotely log in using the Screen Sharing app. Any ideas on how to designate Jamf Remote Assist as the only RD software and possibly disable or remove Screen Sharing capabilities without completely disabling RD? Ideally, the end-user would have to allow the screen sharing session and the Screen Sharing app allows any user to connect if they have the correct admin credentials.


stevewood
Honored Contributor II

If you use the Disable Remote Desktop button under Management Commands on the Management tab of a computer record, that will disable Screen Sharing (and VNC). 

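As an added example (not from any poster in this thread and not Jamf's own code), the following Jamf Pro Extension Attribute-style script lets an admin verify that the "Disable Remote Desktop" command described above actually took effect on a Mac, by reporting whether Apple's built-in Screen Sharing launchd service is enabled and whether the Remote Management agent (ARDAgent) is running. It assumes that `launchctl print-disabled system` lists the `com.apple.screensharing` service as `enabled`/`disabled` (older macOS releases printed `true`/`false`, which is also handled), and that an ARDAgent process is a reasonable heuristic for Remote Management being active; the sample listing embedded in the script is constructed for illustration.

```shell
#!/bin/bash
# Added example: Jamf Extension Attribute-style check for Apple Screen Sharing
# and Remote Management state. Not from the thread or from Jamf.
# Assumption: `launchctl print-disabled system` lists the Screen Sharing
# service label with "=> enabled"/"=> disabled" (older releases: true/false).

SCREEN_SHARING_LABEL="com.apple.screensharing"

# Constructed sample of `launchctl print-disabled system` output, used only
# for the offline demonstration below (not captured from a real Mac).
SAMPLE_LISTING='disabled services = {
	"com.apple.screensharing" => disabled
	"com.apple.ftpd" => true
}'

# screen_sharing_state <print-disabled output>
# Prints "disabled", "enabled" or "unknown" for the Screen Sharing service.
# "unknown" means the label was not listed in the override database at all,
# which is reported as-is rather than assumed to be disabled.
screen_sharing_state() {
    listing="$1"
    line=$(printf '%s\n' "$listing" | grep -F "\"${SCREEN_SHARING_LABEL}\"" | head -n 1)
    case "$line" in
        *"=> disabled"*|*"=> true"*)  echo "disabled" ;;
        *"=> enabled"*|*"=> false"*)  echo "enabled" ;;
        *)                            echo "unknown" ;;
    esac
}

# ard_agent_state: "running" if an ARDAgent process exists (heuristic for
# Remote Management being active), otherwise "not running".
ard_agent_state() {
    if pgrep -x ARDAgent >/dev/null 2>&1; then
        echo "running"
    else
        echo "not running"
    fi
}

# report: on macOS, gather live state and emit the Jamf EA <result> tag;
# elsewhere, classify the constructed sample so the logic can be exercised.
report() {
    if [ "$(uname)" = "Darwin" ]; then
        listing=$(launchctl print-disabled system 2>/dev/null)
        echo "<result>Screen Sharing: $(screen_sharing_state "$listing"); ARDAgent: $(ard_agent_state)</result>"
    else
        echo "<result>Screen Sharing (sample data): $(screen_sharing_state "$SAMPLE_LISTING")</result>"
    fi
}

report
```

Uploaded as an Extension Attribute, this gives Jamf Pro a per-computer value you can build a Smart Group or report on, so a "Disable Remote Desktop" command that failed or was later reverted on a Mac shows up rather than being assumed.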

AJPinto
Honored Contributor III

If you guys need more access control in connecting to remote devices, you likely need a tool like BeyondTrust Remote Support or TeamViewer. I would have larger conversations about this issue before making any decisions.

talkingmoose
Moderator

Anyone with admin privileges will be able to access anything on a user's computer regardless of whether they're using remote control software, command line tools, or even management systems like Jamf Pro. That's the nature of support.

Can that support be abused? Yes. This is why you hire trustworthy professionals and you put mechanisms in place to audit what they can do.

This is probably where you'll need to educate your higher-up and your staff.

  1. Make sure everyone (including those you support) understands Apple's measures to protect privacy.
  2. From this, your end users should know they can themselves turn off Apple's built-in screen sharing and that no one can remotely turn it back on again without them knowing and approving a connection.
  3. If your IT person turned it on beforehand without alerting the end user, they should be instructed to stop this practice. It's insecure and, as you can see, leads to a sense of distrust.
  4. Inform your end user that Jamf Remote Assist sessions are audited. While you can't prevent an administrator from connecting and operating on the computer, you will at least have a record of it when it happens.
  5. If you're using other remote desktop software, I recommend vetting whether it provides auditing. For example, Apple Remote Desktop doesn't provide centralized auditing. I'd recommend ceasing its use for end user support. It's just fine for managing unattended computers.
  6. Create a policy for your end users detailing how you'll use remote access software and publish it. (Consider doing this with your end users to address any concerns they may have.) Then hold yourselves to it. No exceptions. Or you're inviting distrust again.

As you can see, I'm approaching this as a people issue, not a technical issue. You can't be both an administrator and a non-administrator. But you can set expectations and use technology to hold yourselves accountable.

HardCore
New Contributor

If you hide the local admin account, only user-allowed sessions can occur.

AdelaideWard
New Contributor

Thank you so much for the suggestion.