Jamf outside of school hours

JuanmaRico
New Contributor

Hello

First of all, sorry if this is already solved in some other thread. I have not found it.

It turns out that in my son's school they force me to install on his computer the JAMF application to know what he does during school hours. But it so happens that I don't want them to be able to know what my son (or whoever may use the computer) does outside of school hours. I assume that the hours when the application works can be configured in the application. But since they are the ones who install it, and I don't have administrator permissions on it, I can't know if they set it up correctly or not.

What options do you recommend me so that this does not happen? I had thought of creating a virtual machine and have them install the application on that machine. Another option I had considered was to install a second operating system on an external hard drive, and outside school hours boot the computer from it. But maybe I am making my life too complicated and there is a simpler option, such as creating two users, and that the application is only installed to work with one of the two users. But as they haven't installed it yet I don't know if that's possible.

Best regards and thanks

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

I usually avoid end user question and issue situations, but I'll make my 2 cents known on this one. 

 

If this is your personal device, remove it from Jamf. Now. Honestly, you will need to reinstall macOS to be sure anything Jamf did to the device is undone, this sucks but there is no way around it.

 

There are different enrollment states. This device is most likely managed, not supervised. This limits what of the MDM framework will be able to do. For example, they cannot force OS updates, or see what apps are being used using the MDM framework. Jamf will still have root access and can install literally any applications they want including security and monitoring tools. As Jamf has root access, it's not limited to monitoring your sons account, it can see any account on the device and install tools that and see any files on the device. The Supervised vs Managed limitations are far more important on iOS than they are macOS as having root access closes most of the gaps.

 

As far as options:

  • If you use a VM, they will know; or at least they should know. But this is not a bad idea.
  • You can partition the drive and have a separate OS installed that your son uses for this purpose and boot to your "personal" OS when you want to use the device.
  • The correct path for full device management, they need to furnish your son a device.
  • If they don't want to furnish a device, they need to look in to proctoring software that lets them record the screen, and you can close it at the end of the day. Managed Chrome Identities and Managing Chrome is another option.

 

They are trying to be cheap and save a buck by monotiling your device rather than furnishing one. This is one of my pet peeves with BYOD.

View solution in original post

3 REPLIES 3

AJPinto
Honored Contributor III

I usually avoid end user question and issue situations, but I'll make my 2 cents known on this one. 

 

If this is your personal device, remove it from Jamf. Now. Honestly, you will need to reinstall macOS to be sure anything Jamf did to the device is undone, this sucks but there is no way around it.

 

There are different enrollment states. This device is most likely managed, not supervised. This limits what of the MDM framework will be able to do. For example, they cannot force OS updates, or see what apps are being used using the MDM framework. Jamf will still have root access and can install literally any applications they want including security and monitoring tools. As Jamf has root access, it's not limited to monitoring your sons account, it can see any account on the device and install tools that and see any files on the device. The Supervised vs Managed limitations are far more important on iOS than they are macOS as having root access closes most of the gaps.

 

As far as options:

  • If you use a VM, they will know; or at least they should know. But this is not a bad idea.
  • You can partition the drive and have a separate OS installed that your son uses for this purpose and boot to your "personal" OS when you want to use the device.
  • The correct path for full device management, they need to furnish your son a device.
  • If they don't want to furnish a device, they need to look in to proctoring software that lets them record the screen, and you can close it at the end of the day. Managed Chrome Identities and Managing Chrome is another option.

 

They are trying to be cheap and save a buck by monotiling your device rather than furnishing one. This is one of my pet peeves with BYOD.

Thank you very much for your response. We have made an appointment at the school and we are going to present our doubts.

David5vor12
New Contributor II

I really wouldnt be to concerned about this. Check the MDM Profil in the system preferences to get a better understanding of settings / restrictions set by the school. If you think any of them are unnecessary or malicious, ask the school about it.

That being said, if you don't trust the school enough to manage your device responsible or if you have reasons to believe that teachers are spying on your child via the MacBook.. then change the school.