Removing Corporate data from BYOD Macs

adl-gavinator
New Contributor III

Can someone tell me if it's possible to remove company data only from a Mac computer when we want to unmanage a device from Jamf?

 

The use case is if a user who has been working for the company, using their personal Mac, wants to now leave and get their device unmanaged by us. It seems the only options available are a full wipe, which ain't gonna go down well with a user and their personal machine, or running the `sudo jamf removeFramework` command, which seems to only remove the profiles and configs, but not the apps and their data.

 

I am specifically thinking about Outlook for Mac and OneDrive for Mac. We cannot be in a situation where we are relinquishing management of a personally owned Mac but then leaving our corporate IP (Intellectual Property) on the device. Surely if Jamf are offering their service to enterprises this must be an option somewhere?

In today's data security centric world it must be an option. Microsoft does this well with App protection policies...

 

4 REPLIES

scottb
Honored Contributor

Well, it's not that simple, but you can do a lot with MS apps/data using this tool. We've also scripted removal of data, which we use as well.

Office Reset Tool 
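The "scripted removal of data" mentioned above, as an added example that is not scottb's script, Jamf's, or Microsoft's: a POSIX sh offboarding helper that removes the per-user Outlook for Mac and OneDrive data containers (the well-known Office for Mac locations under `~/Library`) and then verifies nothing is left. The `ORG_NAME` value used for the OneDrive sync folder is an assumed placeholder, the function names are my own, and the script takes the home directory as a parameter so it can be dry-run against a constructed test tree before being pointed at a real user.

```shell
#!/bin/sh
# Added example, not from the thread: offboarding cleanup of Microsoft
# Outlook and OneDrive user data on a BYOD Mac before `jamf removeFramework`.
# Container paths are the standard Office for Mac locations; ORG_NAME is an
# assumed placeholder for the tenant name OneDrive puts in the sync folder.

ORG_NAME="${ORG_NAME:-Example Corp}"   # assumption: tenant display name

# List the paths that hold corporate app data under the given home directory.
ms_corp_data_paths() {
  home="$1"
  printf '%s\n' \
    "$home/Library/Group Containers/UBF8T346G9.Office/Outlook" \
    "$home/Library/Containers/com.microsoft.Outlook" \
    "$home/Library/Containers/com.microsoft.OneDrive-mac" \
    "$home/Library/Group Containers/UBF8T346G9.OneDriveStandaloneSuite" \
    "$home/Library/Application Support/OneDrive" \
    "$home/OneDrive - $ORG_NAME"
}

# Remove those paths (or, with second argument "1", only report them).
# Prints the number of paths found to stdout; details go to stderr.
remove_ms_corp_data() {
  home="$1"
  dry="${2:-0}"
  n=0
  list=$(mktemp)
  ms_corp_data_paths "$home" > "$list"
  while IFS= read -r p; do
    [ -e "$p" ] || continue          # skip paths that are not present
    if [ "$dry" = "1" ]; then
      printf 'would remove: %s\n' "$p" >&2
    else
      rm -rf "$p"
      printf 'removed: %s\n' "$p" >&2
    fi
    n=$((n + 1))
  done < "$list"
  rm -f "$list"
  echo "$n"
}

# Succeeds only when none of the corporate data paths remain.
verify_ms_corp_data_removed() {
  [ "$(remove_ms_corp_data "$1" 1)" = "0" ]
}

# Real run: RUN_OFFBOARD=1 ./offboard.sh /Users/jdoe   (DRY_RUN=1 to preview)
if [ "${RUN_OFFBOARD:-0}" = "1" ]; then
  user_home="${1:-$HOME}"
  # The apps must be closed or they will recreate their containers.
  pkill -x "Microsoft Outlook" 2>/dev/null || true
  pkill -x "OneDrive" 2>/dev/null || true
  remove_ms_corp_data "$user_home" "${DRY_RUN:-0}"
  verify_ms_corp_data_removed "$user_home" && echo "corporate app data removed"
fi
```

Run it as a Jamf policy script (root) against the console user's home before `sudo jamf removeFramework`; the dry-run mode shows exactly which folders will go, and the verify step gives the audit record that they did. It does not touch anything outside the listed containers, so files the user copied elsewhere, and keychain entries for the account, still need separate handling.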

AJPinto
Valued Contributor

Yuck. Not a good position to be in. If you are doing things Apple's way you can separate corporate and personal data. This requires the use of a Managed Apple ID if I am not mistaken. We do not allow BYOD with Mac for obvious reasons so I have never had to deep dive these functions. If you are bringing in personal devices and treating them like enterprise-owned devices there is no way to make sure all corporate data has been removed. Users can save emails, and take screenshots and save anything anywhere they want. Tell your employer to stop being cheap and provide corporate-owned Macs lol, problem solved.

Managed Devices and Corporate Data (apple.com)

adl-gavinator
New Contributor III

Thanks for the suggestions @AJPinto and @scottb. I think what I'm going to do is configure some sort of notice when a user enrolls that says something like, if you enrol your personal Mac, be aware that your device may be subject to a wipe if deemed necessary. I did a bit more research on this. From a Microsoft perspective I believe Azure Information Protection (AIP) is what modern enterprises would use. For the macOS platform however, I believe AIP does not exist yet. RMS (Rights Management Service) does and this can be used to honour AIP tags, but you cannot classify documents (apply data tags) from what I have read.

 

It's more of a philosophy thing. Apple views user data, security and privacy as paramount. Apple strongly believes the users are in control of their devices. You cannot manage an Apple product with Microsoft tools or manage macOS with a Windows mentality.

 

Yes, Microsoft uses Azure Information Protection. It is a Microsoft platform after all. macOS is not a Microsoft platform and will likely never support AIP, though submitting a feedback request would not be a bad idea. Maybe using Office online and disabling downloads would be a better solution: make people edit their docs in an Azure controlled space.

 

Apple does things in their own way. Apple handles data segregation between personal and enterprise data with Managed Apple IDs. This is no different than how Microsoft is doing it with AAD. You tie all your corporate data to the Managed Apple ID, the user uses Apple Mail, Pages, etc. When you terminate their access everything corp owned from Mail, Pages, etc. vanishes from the device. Maybe the best option is looking for a different solution?