
SDAVE (original poster)
Does anyone know if a company laptop they sent through Apple Business has MDM enabled and how trackable are they (besides remote disable)? Does it have key logging, screen capture, etc. vs. something that doesn't come from Apple directly where apps such as Jamf are installed?
 
> Does anyone know if a company laptop they sent through Apple Business has MDM enabled and how trackable are they (besides remote disable)? Does it have key logging, screen capture, etc. vs. something that doesn't come from Apple directly where apps such as Jamf are installed?
Keylogging is not a feature of MDM, nor is screen capture by default. This doesn't mean that the owner/administrator of the computer hasn't added such features but it's not a standard part of Mac device management.
 
We use Apple School Manager to enroll all our Apple devices into DEP.

Requires that enrollment occur online so if the device never got internet access, it won't activate.

We use Mosyle MDM to manage them.

We don't have the ability to see keystrokes, but can remotely view, locate, and control/lock/remote wipe, etc...
 
> Keylogging is not a feature of MDM, nor is screen capture by default. This doesn't mean that the owner/administrator of the computer hasn't added such features but it's not a standard part of Mac device management.

Do you mean they can remotely add it once the laptop is unwrapped and opened for the first time? Even tho it came from Apple factory?
 
> Do you mean they can remotely add it once the laptop is unwrapped and opened for the first time? Even tho it came from Apple factory?
Apple does not have any APIs built in MDM for keylogging, but the employer can in fact remotely add applications that provide those features.

Remotely pushing apps, configurations and updates is one of the features of MDM. Most enterprises have remote updates for their PCs. MDM is what Apple provides, so that businesses can manage Macs much the same way.
 
> Do you mean they can remotely add it once the laptop is unwrapped and opened for the first time? Even tho it came from Apple factory?
Yes, direct from Apple. If it is enrolled in corporate DEP, then upon connection to the Internet, your device will state that it will enroll in the company's MDM.
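
An added example, not part of any post in this thread: on macOS, `profiles status -type enrollment` reports whether a Mac was enrolled through DEP (Automated Device Enrollment) and which MDM server manages it. The sketch below classifies that output; the sample text and the `mdm.example.com` host are constructed, and the function names are hypothetical. Enrollment status says nothing about whether extra monitoring software was pushed afterwards.

```shell
#!/bin/sh
# Classify the text printed by `profiles status -type enrollment` (macOS).
# Prints one of: automated-enrollment, mdm-enrolled, not-enrolled
classify_enrollment() {
    status_text=$1
    dep=$(printf '%s\n' "$status_text" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p')
    mdm=$(printf '%s\n' "$status_text" | sed -n 's/^MDM enrollment:[[:space:]]*//p')
    case "$mdm" in
        Yes*)
            case "$dep" in
                Yes*) echo "automated-enrollment" ;;  # serial assigned by the organization
                *)    echo "mdm-enrolled" ;;          # enrolled by installing a profile
            esac ;;
        *) echo "not-enrolled" ;;
    esac
}

# Extract the MDM server host name, which usually identifies the vendor or tenant.
mdm_server_host() {
    printf '%s\n' "$1" |
        sed -n 's|^MDM server:[[:space:]]*https\{0,1\}://\([^/:]*\).*|\1|p'
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/checkin'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, classify the live status; elsewhere fall back to the sample.
if command -v profiles >/dev/null 2>&1; then
    live=$(profiles status -type enrollment 2>/dev/null)
    classify_enrollment "$live"
    mdm_server_host "$live"
else
    classify_enrollment "$SAMPLE_DEP"
    mdm_server_host "$SAMPLE_DEP"
fi
```

Installed configuration profiles are also listed in System Settings, which is where pushed restrictions and payloads become visible to the user.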
 
> Does anyone know if a company laptop they sent through Apple Business has MDM enabled and how trackable are they (besides remote disable)? Does it have key logging, screen capture, etc. vs. something that doesn't come from Apple directly where apps such as Jamf are installed?

If the company uses MDM and has already added the serial number of the MacBook to the system, then it would activate once connected to the internet the first time. Any third-party apps like keyloggers would be something the company would have to add themselves.
 
> If the company uses MDM and has already added the serial number of the MacBook to the system, then it would activate once connected to the internet the first time. Any third-party apps like keyloggers would be something the company would have to add themselves.

They can add it without me knowing remotely?
 
> They can add it without me knowing remotely?
I didn't think it was possible, but googling it, does seem to indicate that it's possible.
 
> They can add it without me knowing remotely?
Yes, any: app, restriction, appearance, access, passwords - are all controlled by pushing out the commands from our MDM manager.

Our enterprise deployment of thousands of Apple devices is to safeguard the organization's network, allow access for certain staff and to protect certain classes of people.

I don't look at it as if it's an intrusion as I use it for work.

If I want to use it for personal, I'd pull out my personal devices.
 
If you're worried about what your employer might be putting on a company-owned MacBook without informing you, then get your OWN personal MacBook, and conduct all your personal business on that one.
 
@SDAVE What exactly are you worried about?

Them tracking my time + taking screenshots. It's not about having a separate laptop for personal, I do already.
> If you're worried about what your employer might be putting on a company-owned MacBook without informing you, then get your OWN personal MacBook, and conduct all your personal business on that one.
I have personal machines. It's more about seeing if they are tracking my time and taking screenshots and/or adding a keylogger.
 
> Them tracking my time + taking screenshots. It's not about having a separate laptop for personal, I do already.
If you are the only employee in the company, you have a legit concern for a bored IT person. Otherwise, they are typically far too busy to 'stalk' you or even know to 'stalk' you as your device is just a number on the list.

> I have personal machines. It's more about seeing if they are tracking my time and taking screenshots and/or adding a keylogger.
Company owned devices can and should be monitored for the security / safety of the company.

Cool thing about MDMs and Apple. If purchased through the Apple Business Manager the serial numbers automatically get uploaded, so the device can be shipped directly to the company user and everything will automatically install when the user turns it on and connects it to WiFi for the first time. If stolen and wiped, the MDM will auto reinstall when the device boots back up. The only way to remove the MDM is for the company to release it from DEP.

Side Story:
We had one of our devices 'accidentally' arrive to an unknown user. We removed all apps and placed a wallpaper with our company name and contact number and asked for them to give us a call.
 
960 wrote:
"We had one of our devices 'accidentally' arrive to an unknown user. We removed all apps and placed a wallpaper with our company name and contact number and asked for them to give us a call."

So... why did you leave off the ending?
Did the "unknown user" ever contact you?
What was the resolution?
 
> 960 wrote:
> "We had one of our devices 'accidentally' arrive to an unknown user. We removed all apps and placed a wallpaper with our company name and contact number and asked for them to give us a call."
>
> So... why did you leave off the ending?
> Did the "unknown user" ever contact you?
> What was the resolution?
I do not remember if we recovered that specific device or not; we had just shy of 100,000 devices.

I do vividly remember a device a sheriff went to recover. The sheriff called from the doorway of a very nice house on the water (we sent the sheriff a satellite image of the house and the approximate location of the device within the house). When a gentleman answered the door, he clearly stated he was a lawyer and asked why would they 'steal' something; they had multiple laptops, smart phones, digital pads, etc. I rang the device and could hear it over the sheriff's phone; at that point the lawyer immediately became very apologetic and stated his son was currently out on bond (or something like that) for theft. The call ended and we recovered the device. I do not know if charges were made, but have a feeling they were not.

Most often we just locked down the 'forever borrowed or friend loaned' devices and kept a tracking script on them that updated from time to time. In 15+ years we had less than 100 or so 'borrowed' devices and only recovered about 10-20 of them (most of those recovered through pawn shops). I assume that once we locked them down with the little message that they now own a bricked GPS tracker, they threw it away.
 