How can I protect my privacy while web browsing on breaks/personal time on my work MacBook when it's enrolled in Jamf?

I’ve been working on my work-provided MacBook, and now they are telling me they need to enroll it in Jamf since I got it brand new from Apple. I’m a developer and 100% remote, and that means my work and personal life are very blurred currently. I might do 8 hours’ worth of work over 12 hours, while also taking big rests, naps, errands, etc.

My problem is that I love using the same device for those personal things, but I hate the feeling of being watched and maybe triggering some alarm. Like, what happens if I buy tickets to a play that has nudity in it and I trigger something, or if I research how to take care of weed plants and trigger another? The constant looking-over-my-shoulder feeling and not knowing what I can click and what I can not is stressing.

I could keep my personal computer on the side and constantly switch back and forth, but it’s just too cumbersome. What are my options to protect my privacy while keeping the machine enrolled? Everyone I work with that I’ve asked about it says stuff like “Oh yeah, they don’t check anything, it’s just for the VPN”, but the fact that they can if they want to worries me.

  1. Is using a private VPN (like ExpressVPN or Nord or something) a good idea? I’d much rather get a warning along the lines of “Hey, you’re using a VPN, you should stop” rather than “You have read this news article that incites violence, you’re fired”.

  2. I read that Jamf can install many packages that can read/see many different things. How can I see a list of the packages and get information on what each has access to?

  3. Is there a web browser I can use which encrypts/protects cache/web browser history and the like so that a Jamf package could not read the contents of those folders and get everything that was visited that way, even if it was through a VPN? Is using incognito enough to prevent this?

Honestly, I think you need to have a chat with your InfoSec and IT teams.

Jamf Pro is one of the best device management tools out there. It can make installation of applications seen as core to your org easier and make updating these core apps easier.

The focus of a lot of these tools is primarily to keep corporate data safe and secure.
Jamf Pro doesn’t really have web monitoring tools as far as I am aware of.
But even if it did, I’ll tell you what I tell my users: unless you are spending your spare time trying to learn how to break into other services or trying to exfiltrate data, we don’t really care.
As long as it is safe for work, you are free to visit sites. We don’t have time to monitor users, and frankly we don’t want to. We just set up rules to make sure that known threats are blocked and that there are some roadblocks or audits for uploading data to unknown destinations.

I think a nice conversation with the team that will be deploying and managing Jamf Pro will help ease your worries and may even help them to better communicate as the project moves forward.

Based on what you have written, I would really recommend you consider keeping your personal and work computing on separate devices.

As others have mentioned, Jamf, in and of itself, does not do a lot of “spying”. Jamf is primarily a tool to provide basic security settings and install packages. However, the “install packages” part is what can do much more. Any organization that values security is going to install a good (or bad) security stack. At minimum that will be anti-virus/anti-malware software. It may also include tools to monitor your network activity (and yes, it can read network traffic sent over a private VPN and traffic that is encrypted.) Also, there will be software to look for inappropriate software. You mention Handbrake; yeah, that would be found and removed really quickly by a competent InfoSec team. Same with Tor browsers and personal VPNs.

As far as the “We don’t care what you do” goes, that usually only extends to doing SFW-type activities (browsing Facebook, Amazon, etc.). However, if you start visiting less appropriate sites (OnlyFans, Guns & Ammo, etc.), at best you will get a nastygram from IT. At worst, you will get a call from HR.

Just remember, this is a work-issued and paid-for computer. The company you work for expects you to use it in an appropriate manner. Use of this computer in an inappropriate manner can, at best, embarrass your company and, at worst, cause significant liability. Imagine if a salesperson decides to visit OnlyFans on his off time, forgets to close his browser, then has a video conference the next day with a customer? Could be pretty bad for the salesperson and the organization.

Jamf Pro by itself can’t track websites that you go to. It can see which apps you’ve installed, but it’s mostly just helping your IT admin to make your machine compliant.

That being said, there are other tools that can be put in place that can monitor your internet traffic and are more intrusive in terms of privacy. I don’t know how your company manages their devices, but I know mine is very lenient on that stuff unless you’ve given them a reason to look into you specifically.

If your company actually plans to be big brother, then you need to find a new job.
As an IT leader, I don’t give a shit what someone is doing on their laptop as long as they aren’t breaking the law or compromising our data.
If the user is screwing around, watching porn and playing games all day, that’s between them and their manager, not me.

Start (!!!) by asking for and reviewing your company’s AUP (acceptable usage policy).

The device doesn’t belong to you so what YOU want to do with it for personal use, doesn’t matter.
Not sorry.

Agreed: Don’t know & don’t care what you do as long as

A. You remember the device was provided for you to do work for the company. Not any personal use. You should expect zero accommodation for your personal needs on that device that aren’t 100% related to work.
B. You adhere to the AUP.
C. You do nothing to possibly compromise (the safety & privacy of) company data.

I don’t know if you’re trolling or joking, but using it for OnlyFans is a hard no. Unless you work in the porn industry and have explicit permission to use it for side work. Seems unlikely.

As an IT professional who’s overseen thousands of people’s machines over the years: we don’t care one bit. Unless your machine gets flagged for some kind of legal hold, and at that point it’s out of our hands.

Just don’t look up porn or any other fringe content and you’re good.

Why do companies use Jamf?

The main reason is compliance and data security.
If you lose your computer, they send a wipe command to wipe the computer of all data, especially where customer data is stored on it.

Make sure antivirus is installed, turned on and updated.
Make sure software and the OS are patched against vulnerabilities. Make sure FileVault is on.

Empowering end users to self-service and do things without calling IT.

Does IT care what you’re doing on your machine? Short answer is no. If compliance settings and configs are not broken, you will not hear from them.

How you spend your work hours is between you and your manager. Unless your manager goes to IT and HR and asks them to keep you on a short leash, you have nothing to worry about.

Even if your manager goes to IT, they will generally say no unless they get approval from HR, as it’s a privacy thing.

Acceptable use policy is a thing. Burning DVDs and installing Handbrake wouldn’t be an issue in our company. Browsing websites during lunch is a non-issue.

If you go to “Profiles” under Settings you can see what has been pushed. From there you can research what is truly running in the background on your computer. Like everyone has mentioned, Jamf in itself can’t see your web traffic, but it can push something that could.
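An added example, not code from the thread, that does what the reply above and the original question 2 ask for from the command line instead of the Settings pane: list what management pushed to a Mac and pick out the parts that can actually see traffic or processes. On a Mac, `inventory_live` runs the real tools (`profiles`, `pkgutil`, `systemextensionsctl`, `fdesetup`, and the launch daemon/agent folders). The two parsers work anywhere: `jamf_installs` reads the Jamf binary’s log, assumed to be at its default location `/var/log/jamf.log`, and reports which policy installed which package; `sysext_watchlist` reads `systemextensionsctl list` output and keeps only the network_extension and endpoint_security categories, which sit below any personal VPN. The sample log and sample extension listing are constructed and only approximate the real formats; the field layout is an assumption, as are all host, package and vendor names.

```shell
#!/bin/sh
# Added example, not from the thread. Two parts:
#  1. inventory_live: on a Mac, list what MDM pushed (enrollment status,
#     profiles, non-Apple package receipts, launch items, system extensions,
#     FileVault state). Each command is skipped where it does not exist.
#  2. Two parsers that run anywhere: which Jamf policies installed which
#     packages (from /var/log/jamf.log, the Jamf binary's default log) and
#     which system extensions are in the categories that can see network
#     traffic or process activity (from `systemextensionsctl list`).
# The sample log and extension listing below are CONSTRUCTED and only
# approximate the real formats; treat the field layout as an assumption.

inventory_live() {
    if command -v profiles >/dev/null 2>&1; then
        echo "== MDM enrollment =="
        sudo profiles status -type enrollment
        echo "== Configuration profiles =="
        sudo profiles list
    fi
    if command -v pkgutil >/dev/null 2>&1; then
        echo "== Package receipts that are not Apple's =="
        pkgutil --pkgs | grep -v '^com\.apple\.' || true
    fi
    echo "== Launch daemons/agents that are not Apple's =="
    ls /Library/LaunchDaemons /Library/LaunchAgents 2>/dev/null | grep -v '^com\.apple\.' || true
    if command -v systemextensionsctl >/dev/null 2>&1; then
        echo "== System extensions =="
        systemextensionsctl list
    fi
    if command -v fdesetup >/dev/null 2>&1; then
        echo "== FileVault =="
        fdesetup status
    fi
}

# One "policy -> package" line per package a Jamf policy successfully installed.
jamf_installs() {
    awk '
        /Executing Policy/ {
            sub(/.*Executing Policy /, ""); policy = $0; next
        }
        /Successfully installed/ {
            sub(/.*Successfully installed /, ""); sub(/\.$/, "")
            print policy " -> " $0
        }' "$1"
}

# Enabled system extensions in the two categories that see past a personal
# VPN: network_extension (all traffic) and endpoint_security (all processes).
# Output: "category bundleID" per extension. Columns are tab-separated.
sysext_watchlist() {
    awk -F'\t' '
        /^--- com\.apple\.system_extension\./ {
            kind = $0; sub(/^--- com\.apple\.system_extension\./, "", kind); next
        }
        $1 == "*" && (kind == "network_extension" || kind == "endpoint_security") {
            split($4, b, " "); print kind " " b[1]
        }' "$1"
}

# Constructed sample data (no real hosts, packages or vendors).
SAMPLE_JAMF_LOG=$(mktemp)
cat > "$SAMPLE_JAMF_LOG" <<'EOF'
Tue Mar 05 09:12:01 mbp jamf[512]: Checking for policies triggered by "enrollmentComplete"...
Tue Mar 05 09:12:02 mbp jamf[512]: Executing Policy Install Endpoint Security Agent
Tue Mar 05 09:12:05 mbp jamf[512]: Installing endpoint-agent.pkg...
Tue Mar 05 09:12:40 mbp jamf[512]: Successfully installed endpoint-agent.pkg.
Tue Mar 05 09:12:41 mbp jamf[512]: Executing Policy Install Corp VPN
Tue Mar 05 09:12:44 mbp jamf[512]: Installing corp-vpn.pkg...
Tue Mar 05 09:12:59 mbp jamf[512]: Successfully installed corp-vpn.pkg.
Tue Mar 05 09:13:00 mbp jamf[512]: Executing Policy Set Dock
Tue Mar 05 09:13:01 mbp jamf[512]: Running script set_dock.sh...
EOF

SAMPLE_SYSEXT=$(mktemp)
{
    printf '%s\n' '3 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAM123456\tcom.example.corpvpn.tunnel (2.1/2.1)\tCorp VPN Tunnel\t[activated enabled]\n'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAM123456\tcom.example.edr.agent (3.0/3.0)\tEndpoint Security Agent\t[activated enabled]\n'
    printf '%s\n' '--- com.apple.system_extension.driver_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAM654321\tcom.example.dock.driver (1.0/1.0)\tDock Driver\t[activated enabled]\n'
} > "$SAMPLE_SYSEXT"

echo "== Policies and the packages they installed (sample log) =="
jamf_installs "$SAMPLE_JAMF_LOG"
echo "== Extensions that can see traffic or processes (sample listing) =="
sysext_watchlist "$SAMPLE_SYSEXT"

# On a real Mac: sudo sh inventory.sh --live
if [ "${1:-}" = "--live" ]; then
    inventory_live
    [ -r /var/log/jamf.log ] && jamf_installs /var/log/jamf.log
fi
```

On the sample data this prints the two installs (endpoint-agent.pkg and corp-vpn.pkg, with the Set Dock policy correctly absent because it installed nothing) and the two extensions in the watched categories; the driver_extension entry is left out. The point of the watchlist is the one the replies keep making: anything in network_extension or endpoint_security runs on the device itself, so it sees what the browser does regardless of a personal VPN, and the profiles list shows which of those the org pre-approved.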

As a developer, you presumably understand basic security protocols and must have an inkling of an idea of the need to properly supervise a device.

You need to segregate personal from work, like yesterday. If I had one of my users ask me half the things you just did, I would probably just laugh.

Good luck!

You need a firewall between your digital work life and your digital personal life. Especially if you engage in fringe activities like OnlyFans (fringe in the sense that these activities are not universally seen as wholesome or benign), you need hard separation between what you do on corporate resources and what you do elsewhere.

This isn’t a Jamf issue. This is a personal data management issue.

Rule 1. Never mix work and personal.

Get a personal device and be done with it. This device belongs to your employer and it’s theirs to manage. Expect nothing done on any corporate owned device to be private.

Jamf is not a monitoring tool but can install monitoring tools. Once a monitoring tool is installed there is nothing you can do to prevent this monitoring, and you can usually get fired for even attempting to subvert security tools.

Only use your work computer for work. Save yourself the headache. Your office should be set up in a way you should be able to move over to your personal computing device.

Take the guesswork out of the situation. If you only use your work stuff for work, you’re upholding the agreement between you and your company. I’m all for sticking it to the man as much as the next person. However, I don’t surf on company-owned devices. I keep all personal logins and web searches on my personal devices. I have a work phone and a personal one.

And why don’t you have your own test environment??

The safe-for-work part is what worries me. There are slides on information security and personal usage that go something like “you can browse social media in your spare time, it’s ok” but also something along the lines of “Don’t post or access anything that might make the company look bad”.

And that might be very open to interpretation. I gave a few examples in the post, but I’m an “eat the billionaires and/or hang them publicly” kind of leftist, so that might very well be viewed as inciting violence/not appropriate for work. I’m also a bit on the BDSM scene, which is again not appropriate for work.

I don’t currently have an OnlyFans account, but I was about to create one to share some content. What happens if I get an OnlyFans email in my personal account, which is logged in on my work computer, and the image inside the email has the domain onlyfans.com? Even if I don’t click on anything because I can leave it till later, that will still probably be logged in the content filter.

I will definitely ask in detail what exactly they are going to install, and how it will all work. But I’m a bit scared to give examples like I’m giving here because it is itself not appropriate for work. I could only say stuff like “I value my privacy and would like to know what software is installed on my machine, please”, but that’s it. I can’t really ask, “hey, if I watch something that is technically porn on the work computer after work, will I get in trouble?”

> (and yes, it can read network traffic sent over a private VPN and traffic that is encrypted.)

Thank you! This is very useful information. I absolutely hate needing 2 computers on my desk to be able to take a 5-minute browse-the-web-in-peace break, but it is what it is. I got spoiled by working at a few very chill companies that did not do any of this, but switched to a bigger company with a more corporate approach.

So it all depends on the list of packages that Jamf ends up installing. I will try to ask the IT department for that, just to be aware, but I heard there is a tool that tracks which pkgs are installed by Jamf. Do you know anything about that?

This is a misguided response. Organizations have the right and the imperative to protect their intellectual property. Doing so means knowing what is going onto and flowing off of their systems. That can be anything from email and DNS filtering to DLP and your standard EDR/AV solutions coupled with IT policy. I’m a principal client platform engineer who guides orgs in implementing all of this tech as an IT consultant across all platforms, as well as IAM, cloud solutions, and automation.

To OP:

The device belongs to your org. Why are you using it as a personal device? Get a personal device. This reads as a person who is concerned about being found out, whether it’s actual work performed, visiting web content that might be looked down upon, or probably just gaming most of your official working hours.

The “I don’t give a shit” is the sentiment I gathered from most IT people, and in the same position that would be me as well. But content filter blocks can generate notifications, can’t they?

I was thinking of some extreme example that would be obvious, but if I have my personal email logged in and get an OnlyFans account email, even if I don’t open it manually, it might be opened if you archive a previous email or something like that. That means basically I can not have my email/web browser account/etc. on my work PC, which makes browsing uncomfortable and forces me to have a personal computer on the side.

My real problem is this “fringe” content and not being completely sure what it is.