Buying A Computer For An Employee

If you want your employee to use full-disk encryption (which is a good idea if there is customer information and similar that you need to keep confidential), FileVault will give you a 20 digit master key for unlocking the drive, which you should write down and keep in a safe place. So if your employee leaves and refuses to talk to you, you can use that master key to unlock the encrypted disk.

And it's always best to have a backup. For $20 you can install Mavericks Server on your computer, buy an external hard disk attached to _your_ computer, and your Mac will make Time Machine backups for everyone in the office. So worst case, if your employee leaves and first smashes up their computer, you buy a replacement computer, and restore from the Time Machine backup.

 

In general I would not be as generous as you with admin rights, but you can end up being a computer tech if there are a lot of changes needed and this doesn't suit the small business. However I don't want pirated, malicious or distracting software on a work computer, not that this stops the disk getting completely filled with music to the point of not working! An alternative approach would be BYOD, and give them a little more money to cover it – this really suits some people. However it depends a lot what kind of business you are in.

If you use iCloud - put Find My Mac on your admin account so that you can use this should the computer need finding/wiping etc.

We have bought a few MBAs and my other advice would be to buy a nice thick neoprene case and consider a keyboard cover (the Moshi ones are easy to type with) as added protection. This gives a message that you want it looked after. I say this after a cracked screen and a cup of tea on the keyboard in two separate incidents in 3 weeks.

Setting up two admin accounts doesn't not mean that the employee cannot remove your admin rights and change your password. So in the end it comes down to knowing the person and the relationship between you. The disk encryption password concept above is a good one.

 

The other issue is Apple and their digital rights management. Lots of stuff is regulated via an AppleID, from messaging to software licenses for stuff bought at the Mac App Store. If you intent was to allow the employee, as an administrator, to also install software and run things under their AppleID, you could have problems once they left. Stuff in iCloud, for example.

Frankly, I dunno how administrators in companies deal with this, but take it into account.

 

You'd create a work-specific Apple ID for the employee in question (e.g., FlintEmp002 (at) icloud.com or employee002 (at) flintanalyticscorp.com), then use it purchase & download work-specific tools.

You wouldn't purchase/download work-related stuff using the employee's personal Apple ID account.

If the employee leaves, the rights are retained by the company.

 

I work for a small software development company, and I just wanted to weigh in that in some situations, granting each user complete administrative access to their system is an absolute necessity. In a previous job, we were on a Windows domain and I needed to contact university IT to install anything. Especially web browsers -- the most important tool in my job as a web developer. It was a huge hassle, resulted in lots of lost time, and that actually was a small part of why I moved on (didn't feel trusted).

Obviously, this does not apply to all industries, but kudos to the OP for at least trying to make it easy on this new person.

I completely agree with keeping a backup. It's more important than being able to access the drive on that laptop. In my current position, all work is saved in a remote Git repository (aka "in the cloud") or on our NAS. It's part of our workflow, we don't email files, we get them from the NAS, so there's no way for an employee to keep work files on their machine locally without a remote copy. There is literally nothing on any of the employee machines that is not copied anywhere else.

For two people, you could look into using Bittorrent Sync, Dropbox, or buying a network hard drive. This way, if the person changed their FileVault encryption keys (it's fairly easy to do) or deleted your account, you would have a copy of their work somewhere else.