I’m about 4 months into a new job and I do everything via laptop. It’s a good-sized company, about 400 employees I think. I got a request from IT for a meeting to transition from JAMF to Desktop Central, which is affecting everything. I had no idea about JAMF though, it was never mentioned in my onboarding. Trying to look up info on these two brought me to basically “they can see absolutely everything you do.” But it’s not too clear to me the extent involved here. Any IT folks with knowledge about this? Researching into it, fucking every company with remote employees is getting into this. Feels like a massive surveillance transition unrolling in real time and it seems real bad.

Edit - are there any ways I can effectively prevent them from doing this? Dummy activity scripts? VPNs?

Double edit — it is indeed a work laptop issued to me

  • CellularArrest [any]
    3 years ago

    I do everything via laptop.

    Yours or theirs?

    If it's yours, I'd ask them to issue a laptop for work and wipe everything on your existing setup.

    If they issued you one, do not use it for anything personal and (I'm paranoid -- maybe this part isn't necessary) turn it off when you're done using and put it inside of something.

    • Mardoniush [she/her]
      3 years ago

      This. Also ffs separate your shitposting and org work systems too.

  • effervescent [they/them]
    3 years ago

    If your IT department is half-competent, you’re talking access to your screen at all times, remote access with admin privileges, and logging of all network activity. You may as well assume it contains a keylogger too. Seconding all other advice to quarantine that shit hard

  • staplegun [none/use name]
    3 years ago

    Honestly, trying to coexist with software whose purpose is to track your activity is more trouble than it's worth. There's a reason why the solution to malware infections is to flatten the entire system and reinstall; there's just so many moving parts to keep track of. Your best options to isolate your home/work environments are (in ascending order of security):

    1. Use a VM
    2. Dual booting
    3. Get those fucks to issue you a work laptop

  • PorkrollPosadist [he/him, they/them]
    3 years ago

    I guess first I'd try the social route. Talk to your manager and see if it is possible to opt out of this shit. If that doesn't work, I'd see if you can get them to issue a laptop for work. Fucking hell if I'm installing some Pinkerton ass software on my personal machine. Failing that, I'd create a work environment quarantined inside of a VM and only use that VM for work.

    Alternately, if it is a work-issued laptop that you want to use for shitposting, experiment with creating a backup image of the hard drive and see if you can boot it inside a VM. If you can get that working, you can probably wipe the thing and keep your work stuff isolated inside the VM. If they need to inspect the machine you might have to pull an all-nighter returning it to a normal state though.

  • CthulhusIntern [he/him]
    3 years ago

    I don't know if my company just poorly implements JAMF (it wouldn't be the only system they've poorly implemented), but in my company, the only thing JAMF can do is see who a company device is registered to, its serial number, turn on "lost mode" (it's deactivated until an employee brings it to us) and wipe it.

    • red_stapler [he/him]
      3 years ago

      JAMF needs to talk to Apple in order to do anything more than you described, so they're probably just using JAMF standalone which is pretty basic.

  • red_stapler [he/him]
    3 years ago

    Any IT folks with knowledge about this?

    I'm relatively new to Apple and JAMF administration; but in my experience it kinda depends on if the device is supervised or not. On a supervised device you can see how long someone has been active in Chrome but not see if what they're posting on Hexbear is cringe or based. If it's user-enrolled for like a BYOD type of policy you can only really see the things you've pushed out and wipe that portion of the device.

    edit MacOS is infinitely more of a pain in the ass to administer with JAMF, so it definitely depends on how experienced your admin is.

    edit edit Also fuck JAMF I'd rather use InTune at least I know what the fuck I'm doing in Microsoft menus.