Does JAMF have the ability to access and view my files or log keyboard presses?

kevinmessi
New Contributor

Hello All,

My current company is mandating that I install JAMF on my personal laptop and iMac due to "compliance requirements." While I am inclined to reject this request based on principle (since these are my personal devices), I am enjoying my job and do not plan to challenge it.

However, since my personal devices contain sensitive information such as my banking credentials and personal data, I am concerned about the extent to which JAMF can access them. The IT team has stated that they will not be able to view any personal data and that I can continue to use my personal AppleID. Nevertheless, after researching the topic online, I am starting to have reservations about these assurances.

4 REPLIES

sdagley
Esteemed Contributor II

@kevinmessi Do you use your personal Mac to access corporate systems? If so your employer has a justification, but my opinion is that I would never allow my employer to enroll my personal Mac in their organizational MDM simply because macOS does not offer the same segregation of managed and personal spaces that iOS and iPadOS do. If they won't provide a company computer I'd recommend using another personal Mac dedicated to your work, and if you do have to use a personal computer as a condition of your job you should consult someone familiar with the tax laws for your locale to see if it's a deductible expense.

Tribruin
Valued Contributor II

I will echo all of what @sdagley said about not mixing personal and business on your personal Mac. I would also say, if your company won't provide the tool (a Mac) that you need to do your job, then I would question your management.

But, also, to answer your initial question, Jamf does not alone have the ability to read your keystrokes nor can it read files directly. However, it is a tool for managing your computer, which includes installing software. Some of the software may be able to see what you are doing. For example, it is very common to have network monitoring software that captures your network activity. Also, security software can monitor the files created and wiped on your computer. So, it is possible for your employer to see what you are doing on your computer.

foobarfoo
Contributor

As enrolling a macOS device into JAMF gives the JAMF admin the ability to run ANY code as root on the device, such tools could be easily and silently deployed through JAMF Pro. How likely that is, is another question/discussion. But as a rule of thumb, don't enroll macOS devices with anything unless you want to give the admin potentially full access.

This also applies to iOS and Windows devices (regardless of MDM/tool) because there is no proper hardware/OS-supported zoning to separate data and privileges. The only acceptable and fairly mature solution so far is the Android for work profile, which does sandboxing and separation properly.

Tribruin
Valued Contributor II

You are incorrect about iOS. iOS supports User Enrollment, which segregates work and personal data on a single phone by using a Managed AppleID for enrollment. It does not allow the MDM vendor to see anything on the personal side (except for the basic phone details). Please review this document:

https://support.apple.com/guide/deployment/user-enrollment-and-mdm-dep23db2037d/web