Apple work-laptop: How do I know to what extent my employer has access?

Discussion in 'privacy technology' started by Amaterasu, Dec 13, 2016.

  1. Amaterasu

    Amaterasu Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    3
    Location:
    NY
    Despite being a new user to Wilders, I have learned so much from this site over the last 10 or so years. Now I am facing a privacy (more so than security) issue that I have never faced before, and it is simply because we are switching over to Apple products in our office. I will describe my hangups and appreciate any advice that you all are willing to give:

    My limited experience has shown me that Apple computers simply gloss over important security/privacy matters in an effort to be more user friendly. That is - users don't need to know or have access to what is going on underneath the hood so long as the car operates well. Unfortunately, this is the opposite of what I want.

    I simply do not know how to determine what is installed and/or running on the computer in and of itself (I can always research what is installed/running if I can find it). On a Windows computer, I know whether my account has admin access; what processes are running in the task manager; and what services are running. I do not know how to determine any of those things on an Apple - things which I think are simple and critical to understanding what is going on.

    Next, I am sure Apple has its own remote access ability, just as Windows does, but I am not sure what it is called, how to determine whether it is on, and how to determine who has access to remote into the laptop.

    Now, for me this information is standard and should be known whether or not someone has anything to hide. But, you may be curious as to the specifics behind my concerns. It's pretty simple: I end up working from home often (we have critical projects that come up at any hour and which require immediate attention). This means I am using my personal network - the same network my family uses. I also travel semi-often for business and of course take the laptop with me. As an anecdote to describe potential concerns of mine, I read a story some years ago of a high school giving out laptops to their students only to access their webcams from home. I highly doubt my company would do something like that, but if they have the ability to do so, I want to at least know about it.

    Thanks in advance!
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    If I say something that goes over your head feel free to come back and ask us for clarification. The LAW is on your employer's side as far as YOU have no expectation of privacy when you are using THEIR computer. The precedent has made its way through the courts in the USA and has been confirmed numerous times. Simple common sense rule: use your work computer for work stuff. Know they can and could see anything they want if their IT dept wants to access work hardware. Let's not beat ourselves up here trying to go all super techie, it's not worth it. Just use a personal machine for personal stuff you don't want your employer to see. No exceptions!

    Now to protect your home network and other devices while the employer's machine is connected is also simple. Many ways to configure that. Super easy is to place the employer machine on a separate LAN on your home network. Do you know what a LAN is? By isolating the work machine on a unique and separate local area network it won't see the other devices, and vice versa. Your home router may offer multiple LANs in the factory software. We would be glad to look if you gave us a model/make, etc.

    Please notice I have avoided my normal tech stuff because I have real fears when a user wants to connect via a work machine AND they want privacy. It's XMAS so ask Santa for a cheap laptop to use personally. my .02
     
  3. Amaterasu

    Amaterasu Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    3
    Location:
    NY
    Thank you for the reply, Palancar.

    The separate LAN comment is much appreciated, that is something I will do.

    I agree that, if I did not like something my employer did via monitoring a work laptop, my chances of winning in court with a claim that they violated my privacy are very low.

    Your recommendations as to usage are also appreciated and I agree that they are correct. But, even if I use the laptop for 100% work related things, I still want to know what is going on that could affect my privacy when I use it.

    I am not disputing the fact that my employer will have the technical ability and legal protection to, for example, use the laptop webcam to take pictures of me if they so choose. Instead, I want to be aware of whether or not they are exercising that ability. I have some rights despite being employed, and one of them would be to move to a different corporation for any reason including if my employer for some reason decided to take pictures of me or record my conversations while using their equipment at home. That is, I made the original post to learn how to determine what is happening on the laptop when I am using it.

    Now, I will learn the system once I receive it (through trial and error, experimentation and research.) But all advice related to this area, specifically with Apple products used by employers, is appreciated.
     
  4. TomeiNingen

    TomeiNingen Registered Member

    Joined:
    Nov 8, 2016
    Posts:
    50
    Location:
    Fort Meade, Maryland
    @Amaterasu - You should operate under the assumption that you have no expectation of privacy there. Are you required to use their device or would you be able to use your own? Your other options are somewhat limited.

    With regard to their ability to legally eavesdrop on you, I'd imagine they'd run up against wiretapping laws if they tried to listen in to your conversations without your knowledge or consent. Carefully check the fine print of any consent forms or agreements they may have had you sign prior to releasing the Macbook to you but that seems a little far-fetched to me. Also check the wiretapping laws in your state as they can vary widely; some may require both or all parties' consent, others only require one person to be aware (i.e. those doing the tapping.)

    Forgive me here, I'm falling asleep and can't help myself: I'd caution you against underestimating the work that's gone into OS X/macOS. Not only is it rigorously developed but it's a Unix-based OS designed with specific hardware in mind - users generally don't need to know what's going on because it's designed to be intuitive and designed to work well out of the box, not because it's simplistic or weak software. Further, bloated and overcomplicated systems like Windows aren't any better due to their complications. Quite the opposite, in fact (K.I.S.S.; marketshare isn't the only reason they're the favorite target of online miscreants.)

    That being said, since Macs aren't nearly as onerous to configure as Windows machines are you should be more than capable of exploring the Macbook in depth. There aren't nearly as many bizarre hiding places and options as you'll find in a Windows machine and there's generally less to be fearful of to begin with (on a factory device, at least.)

    Do you have the ability to install new software on it? I'd be surprised if so, but if you can you might want to try installing something like Little Snitch or Hands Off! to monitor your outbound traffic. If you're comfortable using Terminal you can try the nettop command as well. Of course, this is assuming that whatever software that may (or may not be) installed is using your network connection consistently instead of just logging and locally saving whatever information it's collecting for later retrieval.

    Otherwise, just use the stock Activity Monitor and hit up Google for any processes that spook you. [I knew of a website which would spit out descriptors for processes after you uploaded a printout but it's escaping me at the moment. I'll dig around.]

    You can try checking to see if the Host Protected Area is enabled on the HDD and likewise with the Device Configuration Overlay (both unlikely scenarios for a few reasons but it's worth a check if you're concerned.)


    Anyway, tl;dr: As a rule, if it isn't yours, it's not trustworthy. Throw a piece of electrical tape over the webcam and maybe keep some music playing if you're especially concerned, but honestly I wouldn't worry too much about it. If they're smart they've got some anti-theft or recovery software installed, but the spy stuff is probably (hopefully) not there.
     
    Last edited: Dec 14, 2016
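    The questions in the opening post (am I an admin, what launchd jobs and processes are running, is remote access on) and the Activity Monitor / Terminal suggestions in the post above can be answered from a Terminal with a few standard macOS commands. The script below is an added example and is not code from any poster or from Apple: it defines small parsing helpers that work on the output of `dscl`, `launchctl list` and `ps`, feeds them constructed sample output so the logic can be checked on any system, and only runs the live commands when it detects it is on macOS. The process names used as remote-access indicators (`screensharingd`, `ARDAgent`, `sshd`) and the sample labels such as `com.vendor.endpointmonitor` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added macOS self-audit helpers (example code, not from the thread).
# Each helper parses the text of one standard command so the checks can be
# exercised offline; the live collection at the bottom runs only on Darwin.

# Constructed sample outputs in the shape the real commands produce.
SAMPLE_ADMIN_GROUP='GroupMembership: root itadmin'
SAMPLE_LAUNCHCTL='PID	Status	Label
412	0	com.apple.Finder
-	0	com.apple.cfprefsd.xpc.agent
533	0	com.example.mdmagent
-	1	com.vendor.endpointmonitor'
SAMPLE_PS='launchd
screensharingd
ARDAgent
WindowServer'

# is_admin_member USER "GroupMembership: a b c"
# Returns 0 when USER appears in the admin group's membership line, which is
# what `dscl . -read /Groups/admin GroupMembership` prints on macOS.
is_admin_member() {
    user=$1
    members=${2#GroupMembership:}
    for m in $members; do
        [ "$m" = "$user" ] && return 0
    done
    return 1
}

# third_party_launch_items "OUTPUT OF launchctl list"
# Prints the labels of launchd jobs whose label is not in Apple's com.apple.
# namespace. These are the ones worth researching (MDM agents, monitoring or
# anti-theft tools are typically loaded this way). Column 3 is the label;
# the first line is the header.
third_party_launch_items() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 !~ /^com\.apple\./ { print $3 }'
}

# remote_access_services "OUTPUT OF ps -axo comm= (basenames)"
# Prints which of the assumed remote-access daemons are currently running:
# screensharingd (Screen Sharing / VNC), ARDAgent (Remote Management) and
# sshd (Remote Login).
remote_access_services() {
    printf '%s\n' "$1" | awk '/^(screensharingd|ARDAgent|sshd)$/ { print }'
}

# Live collection, only on macOS. On other systems the helpers above are
# still defined and can be exercised with the constructed samples.
if [ "$(uname -s)" = Darwin ]; then
    me=$(id -un)
    if is_admin_member "$me" "$(dscl . -read /Groups/admin GroupMembership)"; then
        echo "$me is a member of the admin group"
    else
        echo "$me is a standard (non-admin) user"
    fi
    echo "--- non-Apple launchd jobs in this session ---"
    echo "(also inspect the plists in /Library/LaunchDaemons and /Library/LaunchAgents)"
    third_party_launch_items "$(launchctl list)"
    echo "--- remote-access daemons currently running ---"
    remote_access_services "$(ps -axo comm= | sed 's#.*/##')"
fi
```

Run it as your own account; `launchctl list` shows the jobs of the session it is run in, so system-wide daemons are best reviewed by listing the plists under `/Library/LaunchDaemons` and `/Library/LaunchAgents` as the comment says. An empty third list only means nothing is listening right now, not that remote access cannot be enabled later by whoever holds the admin credentials.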
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Linux distro on a jump drive? Or too easy?
     
  6. TomeiNingen

    TomeiNingen Registered Member

    Joined:
    Nov 8, 2016
    Posts:
    50
    Location:
    Fort Meade, Maryland
    I was actually going to suggest the same, but I presumed that they need to use the Macbook for a reason. Unlikely that the company would splurge on new Macbooks unless they were necessary for a particular purpose.
     
    Last edited: Dec 14, 2016
  7. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I can't believe OP isn't talking about personal usage. Even through the denial. That's why I suggested a Linux distro on a jump drive.
     
  8. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Can I add my obligatory plug to be sympathetic to the employers? Of course, that doesn't apply to all, but most employers are between the devil and the deep blue sea with the demanding and incompatible legislation passed by wonderful lawmakers.
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Judging from some of what you said I think you get this, but I'd like to say it anyway. In addition to concerns like these:
    • Rogue employee(s) abusing their power and violating corporate policies
    • Purposefully aggressive device usage/location tracking policies (possibly via anti-theft software)
    • Purposefully aggressive [remote] employee activity monitoring policies
    there would be other more general ones, such as:
    • At least somewhat legitimate differences in opinion regarding what is/isn't appropriate to use or have enabled on such a device
    • Their failure to appreciate some known security/privacy issues, including those caused by third-party software/services they use.
    • Unknown vulnerabilities and/or other issues
    • Genuine mistakes on their part (configuration or whatever)
    • The company's network/devices being compromised
    • Third-party services the company uses being compromised
    IOW, even if you somehow knew for a fact that your employer, school, or other device-controlling party is both knowledgeable and has the purest of intentions, it wouldn't be wise to simply assume you are safe. You definitely can't ignore a "they have admin/root [and I do not]" aspect, but arguably you could remove employer intent from the discussion. Which may make some discussions easier.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    To be prudent, you must treat the work device as a video/sound recorder and network intrusion appliance that's always on, regardless of what it seems. If it's any consolation, your employer must treat any devices that you bring to work similarly ;)

    So yes, as @Palancar suggests, set up a separate LAN for work. And if you're paranoid, always use the work device as if videoconferencing was always on. Only in your home office, perhaps. And certainly not where you're discussing work complaints with a partner, or interviewing for another job, or whatever.
     
  12. guest

    guest Guest

    It is a work computer, the OP doesn't own it, he just borrows it; so he has no rights on it. He has to only work on it; if he goes on the internet with it, it is for his job only, not his leisure.
    So the privacy issue doesn't really matter, since he isn't supposed to do something private on it.

    The only problem I can see is: does this machine have a traffic sniffer or analyzer (like Wireshark or similar) that may log his traffic on his own network? Honestly I don't think so.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Apparently, he will be required to have the work provided device at home ("critical projects that come up at any hour and which require immediate attention"). Therefore there may be potential for it to capture information in between periods of work-related use. From within his private home, and on his private network (unless he arranges for an alt). There may also be potential for it to capture information about others in the home (who have not consented to any monitoring).

    He may have to commute to/from work with the device. In which case there may be potential for the device to capture information during that private time as well.

    He travels for work and, although such travel is for business purposes, there will be times when he arguably does have a reasonable expectation of privacy.

    In this case it is a laptop which hopefully can be fully turned off when not in use, and used as little as possible while keeping risks in mind.

    Note: If wireless interfaces are enabled, potential risks would include capturing info about other wireless devices in the home, car, wherever. Which might occur even when using a private LAN for Internet access. Standard example would be OS and/or browser Geolocation Service phoning home nearby AP info. Which some anti-theft solutions likely can do as well. Ugly examples would include more comprehensive capture of hardware identifiers/info plus wireless traffic (and possibly 802.11 level decryption if pre-shared password is known).
     
  14. guest

    guest Guest

    On his home network, his personal devices shouldn't be in the same network group as his working device; from there it shouldn't have any connections between them. The only connection I can see is that the employer's admin gets shady and installs network forensic/penetration tools and other packet sniffers.

    If the working device is allowed to be used for leisure (out of working time), then I would do a dual-boot machine.
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    It seems to me that this is an instance of why it's valuable to segregate your internal local network. And it's not just work equipment, it's visitors with their smart/spyphones, or compromised IoT, IP webcams, Voip adapters..... None of those should get to see your real network.
     
  16. Amaterasu

    Amaterasu Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    3
    Location:
    NY
    I have been quite busy over the last couple days but wanted to at least thank everyone for their comments and suggestions. They have been excellent and have sparked other ideas that I would have otherwise been unaware of and thus unable to research.

    I will try to follow up more specifically later, but I am impressed and humbled by the interest taken in this post and the help offered.
     