Privacy on a corporate managed mac

[funkylaundry]

My employer has given me a very nice MacBook Pro and I am considering using it as my private computer, since it is more practical only having one laptop.

It should not be a problem with my employer as long as I don't install any pirated software and generally don't use it for illegal activities. The only thing that concerns me is my own privacy, since remote management is enabled so IT admins can go check on my system at will. Additionally, the work account is set up with active directory.

So today I got this idea: What if I set up a separate user, disable remote management for that user and enable filevault for the entire system. That way they should only be able to access my work user, but would they be able to override file access permissions by enabling the root user? I know you can do that without filevault enabled, but would filevault stop them from seeing my files? They still have remote access to one account after all.

 

[grahamperrin]

would filevault stop them from seeing my files?

If any administrator has a FileVault 2 pass phrase for the Mac, and I should expect an employer to take that approach: no.

A 2012 Apple technical white paper: Best Practices for Deploying FileVault 2. Also in the Internet Archive Wayback Machine: http://web.archive.org/web/*/http://training.apple.com/pdf/WP_FileVault2.pdf (I expect the original training document to become outdated before 2018).

 

[hallux]

If you've been given a corporate management Mac that doesn't have FV enabled, your company needs to review their security practices.

That aside, there should be zero expectation of privacy on a company-issued computer. I don't know that you can disable remote management on a user-by-user basis, it's the COMPUTER that is remotely managed/monitored.

 

[Weaselboy]

I know you can do that without filevault enabled, but would filevault stop them from seeing my files?

No it won't.

What kind of files are we talking about? Just some personal documents? What you could do is make an encrypted disk image and put all your personal files inside that disk image and nobody would be able to see the files inside. You would just need to double click the image each time you want to see the files inside and enter the password.

https://support.apple.com/en-us/HT201599

 

[maflynn]

It's not your computer and you may save yourself a lot of headaches if you just consider it a work computer and not use it as your own (since its not your own).

When I had a work laptop, I still used my own computer as I didn't want my personal and business life to intertwine that way.

 

[Fishrrman]

Agree with maflynn above.

Keep a work computer (theirs) for work, and a personal computer (yours) for personal business.

Things will just work out easier that way.