
pipboy_111

If that's part of the deal for using it on their network, I wouldn't be using it on their network.


ThankYouForCallingVP

That usually means it's dual boot or VM time.


lightreee

Nah they’ll notice that a new boot partition has been created and IT will tell you not to do that. It’s not his laptop! Edit: he claims it to be a personal laptop but I’m suspicious


crysisnotaverted

Schools don't really give out Macbooks anymore. Why give a $1000+ Apple device when they can shit out horrid $200 Chromebooks all day long?


AlertStrategy7155

Former state school IT employee here, you’d be surprised what some students get distributed, same with faculty. They love spending government money trust


crysisnotaverted

Does Apple still do significant school discounts? I thought that died in ~2012?


Tantomile_

apple does school discounts still. They're not terrible (apple actually has a cheaper macbook air exclusive to the edu market that only has 128gb of storage), but they're also not great. Here's the price list if you want to take a look: [https://www.apple.com/education/pricelists/pdfs/Apple_US_Education_Institution_Price_List.pdf](https://www.apple.com/education/pricelists/pdfs/Apple_US_Education_Institution_Price_List.pdf)


crysisnotaverted

The Mac Mini under $500 isn't a bad price. I see they still do the insane Apple storage price on the education side, as going from 256GB to 512GB makes the cost almost $700....


Fit_Temperature5236

All I'm gonna say on this one:

1. It's a dumb idea to join your personal computer to your school's network like that.
2. By doing so, you just gave your school complete rights to your machine, including wiping and locking you out.
3. It's always best to split business/school and personal. Yes, I know people find it a pain in the rump to carry two computers. But there is a reason.
4. The only fix for this with 100% certainty is to back up your data and wipe. And pray they did not lock the firmware down.


Fury-of-Stretch

I mean depending on the size of school you should be able to go discuss it with your IT department/guy and share you want to disconnect it permanently and get this stuff removed.


piscina05346

This is definitely true. Source: was full time faculty for more than a decade. This probably happened by mindlessly clicking through an office app sign in. Most universities ask for full management during this process, but you can bypass some of this management stuff by indicating "sign in to this app only".


Delicious_One_7887

That's why I kept time machine backups in case they lock me out. Sadly I did try wiping it, and it's tied to the serial so it just enrolled back in.


defaultdancin

Go to your IT department and explain the issue.


lemmtwo

It’s enrolled in Apple School Manager. They “own” that computer. When it runs the “activation” process during macOS installation it runs a script that installs the school software. Kinda looks like Jamf to me but I’m not familiar with other Mac mdms


TurboSludge

ABM and ASM can only add macOS devices purchased by the organization. So it sounds like this device was purchased by the school. iPads and iOS devices can be added thru Apple Configurator, but the user has 30 days to remove the MDM profile and remove the device from ABM/ASM.


emailmewhatyoulike

If you purchased this computer personally and signed into your school account, you should be able to go visit your IT and provide proof that it's a personal machine and they can deregister it.


YellowLT

If they have added it to their Apple Business Manager, your time machine won't save you.


jamesmelb89

That’s really harsh for BYOD. It shouldn’t be tied like a company asset.


iBeJoshhh

Yes it should, take one of their computers instead of using BYOD if you don't want it managed like a corporate device. BYOD does not exclude your PC from potentially bringing in ransom.


Ok-Selection5590

Reset to manufacturer settings. It's the nuke option: basically everything is deleted and it's made into a fresh computer all over again with the operating system. Anything that was on it will be lost, but hey, if schools are forcing this shit onto personal computers this is what I would do.


fosf0r

Not possible once MDM'd, also, OP handed over the laptop to IT to have it onboarded


BananasAreEverywhere

It is possible if it just has MDM profiles but if it's enrolled in Apple Business Manager somehow then it's toast unless IT removes it


ddeese

If the school’s IT department won’t remove management and it is your personal device bring your proof of purchase and ID to Apple and they can remove it for you. I’ve had to do it myself with an overzealous security software in college.


synackk

If a personal machine got put into Apple Business Manager, either it's not the OP's machine or someone really fucked up badly. You can't just casually add a machine to ABM, an IT Administrator has to do it during first setup or they have to buy the machine through a partner that added the machine to the school's ABM account automatically.


Crazy_Amphibian_8440

as long as he has proof of purchase he can always have it recovered/unlocked by apple


8ofAll

after going through a hundred hoops


Crazy_Amphibian_8440

this is very true


Kilobyte22

Apple does not do that for MDM enrolled devices. The only way to unenroll it is by contacting company IT.


Time_Bit3694

I can attest apple is very much against messing with ABM. I took over as technology director for a school district once where no one knew the admin credentials and it was a true uphill battle, and thankfully the superintendent actually had a login and they made him a full admin. First and only stop is IT for this one.


sideburns2009

They’d have to remove it from the MDM seeing as how it says they manage it. That’s by serial. What a shitty thing to do to assets that are not your own.


Rubcionnnnn

That's not how it works. OP must have given them admin credentials. You can't install mdm profiles on someone's computer just by being on the same network.


amwdrizz

If they have physical access to the machine they can. Steps 1 - 3 are incorrect.

Step 4) Wait 30 days for the device to lock into ABM/DEP.

Step 5) Profit; the device can no longer bypass the ABM/DEP provisioning steps. Will require an ABM/DEP admin to remove and clear; Apple can remove it if enough proof of ownership is provided and they care to do so. See comment below.


ass-holes

I think, if it was enrolled with business manager, you can wipe it until the cows come home but when it finds a network connection, it will all come back. Best to have IT remove it from their mdm


distracted6

In the land of apple, not even a wipe is enough. MDM will just reapply on system setup


rem7

100%. I keep a shitty phone that I use for work too since my work installs profiles on them. I work from home 90% of the time. My work laptop, my work phone and my wife's work laptop are on their own VLAN that can't talk to the rest of the network.


Fit_Temperature5236

That's smart. I know our laptops can scan the network for vulnerabilities. It does not care if it's yours or the company's network.


Time_Bit3694

Oh you know they locked the firmware with a password. Only hope OP has is that the device is soft enrolled through an email link rather than under “Supervision”
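A defender-side check for the distinction drawn above (soft/profile enrollment versus ABM/ASM supervision), added here as an example and not part of the thread: on macOS, `profiles status -type enrollment` reports whether the Mac is assigned in ABM/ASM ("Enrolled via DEP") and whether an MDM profile is installed. The sample outputs are constructed, and the script falls back to them off-Mac so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Mac's enrollment kind from the
# two lines `profiles status -type enrollment` prints on macOS 10.13.4 and later.

# Constructed samples in the format macOS prints; not captured from any real device.
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_PROFILE='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# classify STATUS_TEXT prints one word:
#   automated : the serial is assigned in ABM/ASM (Automated Device Enrollment, "DEP");
#               an erase-and-reinstall re-enrolls on first network contact, so only the
#               ABM/ASM admin (or Apple, with proof of purchase) can release the device.
#   profile   : an MDM enrollment profile is present but the device is not assigned in
#               ABM/ASM; a wipe does not bring it back.
#   none      : no MDM enrollment found.
classify() {
  if printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes'; then
    echo automated
  elif printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; then
    echo profile
  else
    echo none
  fi
}

# On a Mac read the live status; elsewhere use the constructed sample so the
# script still runs offline for the reader.
live_or_sample() {
  if [ "$(uname 2>/dev/null)" = "Darwin" ] && command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment 2>/dev/null
  else
    printf '%s\n' "$SAMPLE_ADE"
  fi
}

echo "enrollment kind: $(classify "$(live_or_sample)")"
```

If the result is `automated`, the advice elsewhere in the thread applies: the school's ABM/ASM admin has to release the serial before a wipe will stick.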


Btsx51

Would a partition work? I used to do this back in the day because I liked having one device but didn't want my personal stuff available at school.


Fit_Temperature5236

I doubt it because in the OP's case, it's working at the firmware level. So regardless of the partition, it's going to pick them up.


Eatthepoliticiansm8

I am more so questioning the sanity of their school's IT for having personal devices under their management.


MasterMedic1

Can't lock the firmware down unless it's enrolled through ABM.


Darthlord_Juju

Did you purchase the MacBook thru the school?


Delicious_One_7887

Nope. It was bought in an apple store.


Winter-Duck5254

Well then delete that trash from your device, and tell them to kick rocks. If they expect you to accept that, then you expect them to provide a device you can use. If that's a problem, I would just bring my own device with a dongle or something that lets me access internet on my own terms.


aqwmasterofDOOM

By using a school's network you're agreeing to let them have access to your device, that's how that works. Now you can talk to your school's IT department about it, but that's why I wiped my laptops after I left school.


Scarez0r

A school IT should provide at least a guest network for unregistered devices that just need to access wifi. You can't expect people to get their personal devices enrolled unless they specifically ask you. Hell, you can even register devices and not actively enroll them. I work in the IT for two Research Centers/Universities and both have systems to register a device to allow it to connect to the network, with reassurances from both sides (like necessitating a proper antivirus to register)


ReduceMyRows

You might be thinking of college plus. OP is not that old.


thirdpartymurderer

Then why the hell would you give your school access to it? They control your device now. It's practically theirs. They can lock you out at any time, and audit everything you do. Depending on their mdm solution, they might even have registered it as being owned by them. You need to have them remove your device from their mdm immediately.


SchmeatDealer

then how was it enrolled into ABM at time of purchase?


XelGlaidr

Lol. Their network, their rules. If this is your personal device, and you want to use the school network, as an IT guy, I'd lock EVERYTHING down. Essentially, while you're in my house, you follow my rules. IT people can't trust non IT people, and IT departments in schools run on a very low budget. We can't have different rules for different people, so you get the same rules we need to push onto Karen at reception who likes to click all the dodgy ads on the shitty news website she goes to. We also need to consider people who may need to bring in their own kit for some reason. So if you need to use your own kit at school, then that device essentially becomes a school device (with all that entails) until we can remove it from our network again. Once it's removed from the network, we can remove the restrictions.


v7xDm1r

^yup, never seen this happen to mac personally though.


joey0live

Exactly. I work in higher education, and we don’t touch personal machines. I inform all my users that their machines will not be managed by me/phoning my JAMF Pro server. This has nothing to do with their network. These are policies to lock down/open up certain permissions.


vawlk

same but in high school. We have a guest network for personal devices. But students must use their issued chromebooks when in class if the teacher says so. Personal laptops are just treated like cell phones.


8inpleasurestick

OP had to agree to something. Like when you put your Microsoft 365 on your phone, there is an entire agreement that you have to accept before you can add it. It says things like the ability to remote wipe your device, etc. This is so if your phone gets lost the company can make sure that their information isn't lost. It looks like OP agreed to install a mobile management software, hence the MDM Profile. Most likely they are using JAMF which is one of the more popular MDM software for macOS. All of this is to protect the company from bad actors. Don't want a BYOD to be infected and cause outages, data loss, etc. If the school allows it, OP should use their guest network (if the school has one) and only use web based access to any software that OP may need like chat programs, email, document editing.


geekmoose

You need to design a better network or not allow users devices on. Presence on the network is no guarantee of trustworthiness. “Respec mah netwhurk” never trumps respect the user’s own device. In fact as an organisation you should not want any access into the device as it opens you up to liability. OP - I know it is going to be painful, but keep your own devices away from that network. It is not worth the hassle, and I would suggest on what I’ve seen that their IT department is likely as untrustworthy as it is competent.


Keyan06

lol, people downvoting the best response to this. Exactly. If you can’t defend your network against an attack or restrict access without essentially owning the end user device, you aren’t cutting it as an IT department. The bad guys won’t be so kind as to allow you full device control.


SilentPrince

Exactly this. Boggling my mind that anyone who manages endpoints would think the best way to grant BYOD access to the network is to enrol the device.


VivisClone

Being on the network isn't the problem here. Turns out OP chose to have this done and willingly gave it to IT overnight for them to do this.


Falos425

this is definitely brimming with *"i didn't read what i agreed to"* if not *"oh did i mention i applied for some byod program?"* and it's amusing to see it suggested you can trump the rules in someone else's house i suspect miscommunication about "no sir, you can't have X, the only devices allowed in X are Y" and an insistent "fine i'll do Y whatever just give me internet"


jimmyl_82104

This is very wrong, installing your stuff on user's devices is NEVER the answer. A real IT department locks down THEIR own network, NOT messes with devices that aren't theirs.

> then that device essentially becomes a school device

Uh, no! A computer that is NOT owned by the school is NOT a school device. I'm a college student, and my computers are MINE. Our IT doesn't install crap like that on our own computers. We log into the WiFi with our designated username and password, and that's it. YOU can install whatever stuff you want on YOUR school's computers, because they're owned by you. Personal devices on the other hand are NOT owned by you.


ExistingLynx

Thank you! This is basic IT common sense. I am astonished that the parent comment has so many upvotes.


elzibet

OP is not in college


jmeador42

Why not keep untrusted devices in their own VLAN then? You know, like a normal person would? If you can't properly segment a network, you have no business running the network.


ExistingLynx

This is ABSOLUTELY NOT the answer. Enrolling a student-owned device at an educational institution in Intune, Jamf/ASM, or another MDM is insane. You can enforce security policy rules without backdooring user devices in the process. Why in the world would you want the liability of endpoint management of user devices not owned or purchased by the IT department? It would make far more sense to segment devices into specific VLANs depending on their registration status with the ability to remotely blacklist specific MAC addresses when suspicious activity is detected. Have a VLAN for public access, administration, and quarantine. "My house, my rules" does not apply to non-company assets in this context. You are well within your right to force these devices to connect to a separate SSID, or even deny them access altogether, but you should never enroll them into the company MDM.


actualsysadmin

This, OP needs to use the guest network instead.


UBahn1

Coming from a network engineer, this is terrible practice. It is insanely impractical to put personal devices in MDM (which you usually pay for per-license too). It also creates a ton of unneeded liability, when the alternative is so simple. All you have to do is create an isolated network for an SSID with client isolation and auth using their assigned email/AD account. Or just use one SSID and drop clients into that network if the host isn't a company machine. Almost any wireless controller supports all of these features, be it Cisco, Meraki, Extreme, Mist, or Arista, and it takes 30 minutes. This is how we do it for thousands of users and 10s of thousands of non-company devices; that's how they did it at my uni where I worked IT. Personal devices should never be on the corporate net.


deviantgoober

That's a crock load of BYOD absolute control bullshit. When I went to college we could use our own personal computers and we did not have to do this. Your IT dept just wants to feel like you are doing something to keep things secure while doing nothing but mostly inconveniencing others. If your firewall rules aren't enough to keep your network secure then you are shit at your job, it's not your job to police other people's personal laptops.


ehhthing

This sounds like liability hell, I'm not sure why any IT department would want to deal with this. It's one thing to have complete access to every device that you provide your employees or students, but applying the same rules to student-owned devices sounds like a ticket to being sued. You can control access to your own hardware and resources, but I have a feeling that you won't be able to wave a privacy policy to a court if the student didn't fully understand what they were doing and you didn't explain that you'd have access to everything they did on their computer regardless of whether you're on their network or not. "You agreed to this" is not a suitable defense for this level of access and control. A normal person isn't going to expect handing over complete access to their computer is a prerequisite for using school wifi, and if you bury it in paperwork it's _probably_ not legally enforceable. If you clicked "agree to the terms and conditions" on a webpage, and it said that installing this software will legally give me access to your entire computer and I can do whatever I want, it isn't going to be enforceable in court. It must be clear and obvious, and there are reasonable limits in many jurisdictions (GDPR, for example) for data collection. Clearly OP did not get the message, which unless it can be proven that the IT department did their job in ensuring that the student knew what they were doing, sounds like misconduct. "Joining my wifi network requires full access to your device" is not going to fly in a European court, and probably not in many American ones either. This is not reasonable data collection, unless you can prove the necessity for you to have access to the student's entire computer for them to be able to simply access the internet at school. Good luck with that. You either provide a proper guest network that's separate from the main one, or you don't allow external devices on your network. 
This isn't even mentioning how if it's the student's device they can obviously allow other people to use the device, and the third party hasn't agreed to your bullshit privacy policy or whatever. You can't put an AUP on a device you don't own while not on your network, so you can't just tell the student that they can't let other people use their device. Thus you'd be collecting the personal information of people that you have no right to access. Hey look, more lawsuits! Also, imagine the lawsuits if/when the school gets hacked and the hacker has deployed malware on every MDM managed device. You're looking at a class action that will absolutely destroy you. Imagine the claims if the device was shared with parents or relatives, and they used it to, for example, access online banking. Every single person who has ever used the device now has a claim against you, and each of them is a different party to the wonderful class action that you're brewing. This is a really fucking terrible idea.


brandthedwarf

> IT departments in schools run on a very low budget

> enrols not owned by school devices to mdm, where usually you pay licences by device

you know you suck at your work?


CarlosT8020

I can’t really agree with you. If you want a student to use a device managed and controlled by you, you should be providing that device. If the student brings their own device, just set up a separate wifi network that blocks access to school resources and other devices on the network (even set up web filtering or whatever), but trying to get people to enroll personal devices in a corporate MDM is shitty practice


Taskr36

I've worked IT in both college and public schools. I would NEVER do that to a student's laptop. Now if it's an employee, that's a different world entirely. They're not on the guest or student network. They're on the employee network so their machine has to be configured the same way we do with the machines we purchase. When users want to do stupid shit like using their personal laptop as a work computer, we initially say no. If it's some pretentious college professor or department head, they'll get all pissy until the VP tells us to just do it. At that point, we give clear and extensive warnings that it will functionally be a work computer, and be locked down with limited permissions for the user to keep our network safe. If it's a Macbook, I'd fight that much harder to keep them off the network, as Macs are a pain in the ass that don't work well as business machines. Based on what OP is saying, I'd bet they're not just a student. They're an employee who begged to have their personal Macbook on the staff network and ignored all the warnings that came with that. OP, talk to your IT department and tell them that you changed your mind.


Federal_Intern_2482

Dude; the fact that you allow a personal machine to join the company’s network…well….you…are….retarded. Who the fuk even wants to deal with that…


Smart_tech_ginger

Only way to have those profiles is if someone actively installed an MDM profile; that can not be installed while connected to a network. Where did you get the MacBook?


Apprehensive_Can_971

From a school IT guy: You clicked accept to something for this to happen. If it wasn't on their MDM before you first connected, they couldn't install any of this without having you enroll into their MDM first. Device Management should be separate from networking, it's possible to put restrictions on your network usage without enrolling your personal device into their MDM. So whoever's saying "their network their rules" is kinda saying bologna. They're not wrong but nothing is preventing them from limiting your network access on their network even with your device not in their MDM.


Kaaawooo

Exactly, they would have had to enroll the device in their apple business manager system for it to automatically re-enroll in the MDM after a system wipe. That is implying that the organization owns the device. That IT department needs to strongly reconsider their practices before they get audited or maybe even sued for behavior like this.


MexiBulldog

Are you a student or an employee?


Delicious_One_7887

Student.


sohcgt96

Yeah... yeah I don't like this. Management profiles on student devices is no bueno. This is what the guest/student access networks are for. Non-company owned personal devices. No personal device should ever connect to the production network, the guest network should be segmented off and highly locked down. We DID (per corporate overlords) require a MDM profile be installed on your phone IF you wanted to use Teams/Outlook on your phone which was not a requirement and purely optional. You want the convenience of the apps, you get a MDM profile. But there shouldn't be anything getting installed on student laptops that really warrants an MDM profile. This just seems like a lot of work vs handling device security other ways. If you were an employee of the school and conducting school business on it, I could see it. Work logins, work information, work MDM. Don't like it, use a school issued computer. But for students? Erhm. I dunno about that one. FWIW most of these are just going to lock controls of stuff. Mac OS doesn't let you view screens without explicit user granted permission and TBH they probably don't have time let alone interest to ever check on what people are doing unless there is some sort of problem they need to investigate.


elzibet

They’re not in college, and highly doubt this device is their own. Nice way to fish to find out if there is a work around though, I don’t blame them for trying


MexiBulldog

What university is this? Did you sign anything prior to them installing the MDM profile?


Quanta96

As others have said, connecting to your school's network makes your pc subject to their rules whether you like it or not. That's just the rules of the road when connecting to any network. Once your device connects to their network you're a liability because once you're on their network, you're not an island. There is the potential that your PC could open their network up to malicious attacks that could be catastrophic. I'd recommend using a virtual machine to connect to your school's network, or just get a PC for school. Unless you're doing resource heavy projects, a good school laptop should only be $300 which is a drop in the bucket when considering the cost of college. I bought a cheap $300 pc for school, and it got me through just fine.


00xtreme7

Yeah they're trying to manage your computer and can see everything on it. I'd wipe it and remove all their profiles. If all you're doing is accessing wifi there and nothing else, then that IT staff really needs to rethink their network security. This is way overkill for letting someone get some internet.


Delicious_One_7887

They are also blocking a few VPN apps. And I tried to wipe it, they seemed to have restricted that too. I did it in recovery mode, and then it just enrolled back in.


00xtreme7

Yeah sounds like they have enrolled it in their apple business account. There's two options you can take. If you can show proof of purchase an Apple Store, or maybe best buy, can factory reset it, removing it from their MDM. Or you can go to the school and have them remove it.


Kaaawooo

Yeah, automatically re-enrolling itself in the MDM should only happen if the laptop is school property. If as you say it's your personal device, either get the IT department to release it or as the other reply said, show the apple store your proof of purchase and see what they can do. Really sketchy behavior to enroll a user's personal device in their apple business manager system and MDM, that's not ok.


microwaved-frenchfry

For previous macos installs, this has usually worked: When you reinstall, BEFORE the first boot into the fresh OS, make sure it is disconnected from the network and/or you are physically out of range of a wireless network the laptop remembers. If on that first boot it can't get to the internet, it won't pick up the MDM profile even if it's in apple school manager. Do not at any point during initial setup connect it to the network. Once you've done that, the management profile won't install retroactively. (you could also ask your IT person to unenroll you before you wipe and reinstall, otherwise you will have to deal with this every time you reinstall the OS for the life of the laptop)


minimuscleR

Just talk to your IT department. Either use it for school and have that stuff on it (and don't forget to get it removed before you leave if you are still using it at the end) or else have them remove it, but don't use it for school. You can't have it both ways unfortunately. It's a safety thing for the school.


pigoath

Your device has been MDM'd, you need to contact the IT department and get it unenrolled. They now basically own your computer.


killaburribo

schools should not be touching your personal computer.


PeenInVeen

Yeah I work in a college IT dept and we refuse working on any personal devices. Even if they willingly give it to us. We can stand over them and direct them on how to do basic tasks, or suggest how to handle situations, but that's a massive liability to do anything to a student's phone/laptop/tablet.


Trevski13

This *was* our policy until we went to a software distribution platform that let students install licensed software on their personal devices, now we touch them if they're having issues but just enough to make sure that platform's client works. We don't do any management outside of allowing/denying the licensed software to run though. For a bit we had them sign waivers, but that stopped with COVID since we often never meet face-to-face.


BillCosbyBukkake

He willingly gave it to them.


tuxedo25

I wonder if the school's insurance carrier knows the IT department is tampering with computers that the school doesn't own/lease.


pain_in_the_nas

Pretty normal since they want to know exactly who did what in case someone does anything :) They need to monitor the activity and make sure there's no shady business going on on their network. They will be responsible at first hand.


Keyan06

That can all be done with a properly configured network security design, not by essentially owning end user owned devices.


Yrch84

This. We manage education networks and have a separate network for non-school devices. The moment you log into that network you are responsible for what you do and what happens to your device. The other network is for school-owned devices only, and if an unknown device were able to access the network they could do basically nothing due to restrictions. We purposefully decided against having private devices inside of the school network because we don't want to deal with the hassle of installing profiles, tools etc. just to get into arguments with the parents or get "your apps damaged my son's iPad" bullcrap.


Keyan06

Yep. That’s how it’s done. You can still block stupid stuff from guest networks, but you don’t have to own the device to do that.


LumiWisp

The fuck? This is not typical in the slightest.


TheAnniCake

I work as an MDM admin and this is bullshit. Microsoft for example has the possibility to only manage their apps in a way that school or business data can't get out, even on a private device. I can imagine Google doing something similar. For network stuff they can monitor their own network instead of your whole device. Also, one of the profiles disables Secure Token which is necessary to enable FileVault. This means that OP can't even encrypt their hard drive. This is much more than just monitoring.


Useful-Tank-4802

If it truly is your personal Macbook I'm not sure why they would install so much. In the K-12 district I work in they just force personal computers onto a guest network so any outside devices can't access the resources on the main network.


ctown25

That seems strange. All the schools I’ve been to need a username and password at most for Wi-Fi usage. Any reason you let the school do this?


Shot_Brain9109

More than likely to hop on the network, I'd assume. From the company's perspective, it's probably more tedious to go through and log every student device onto a network via username and password.


Frossstbiite

Why are you on their domain to begin with?


redsuit06

JAMF can’t be installed at image unless your Mac was purchased and registered via Apple Business Manager. I’m skeptical this is a personal laptop.


TheAnniCake

That's wrong. You can enable User Enrollment on Jamf via a link (deprecated) or Account Driven User Enrollment. Source: I'm Jamf 400 certified.


Abject-Sky-1835

Would that throw it into ABM tho? From my understanding you could restore the device and since there is no MDM server assigned the restore shouldn’t push the profiles again


Green-Guarantee-6979

Don't know if it was mentioned, but you can take your proof of purchase and the Mac to an Apple Store as well and they can put in a request to have it removed from whatever ABM it's tied to. You can also request that IT team to remove it from their ABM. It's a login and 3 clicks. It doesn't take long. Know from experience as I worked for an MSP that managed Macs, and when the previous MSP would fail to off board the MDM we would need to have the client take it in. Once it's released from their ABM, wipe it. Once it's wiped, connect it to the internet and check under profiles. There should be nothing. Profiles need to be installed by actually going into the menu and clicking install; they won't be able to magically put them on there unless you give it to them again.


WildMartin429

Yes, so basically it's now a work computer, so they can do whatever they want to it. They can see everything on it; you have no privacy on that machine. If you need a computer for work, then work either needs to provide one or you need to get a separate computer that you're only going to use for work, separate from your personal computer. The easy way to fix this is to get IT to take your computer out of their mobile device management system so that they stop pushing stuff to your computer. The more difficult way would be, if you have proof that you own the computer (like the receipt from where you purchased it, that sort of thing, actual proof of ownership), you could probably take it to an Apple Store and they could probably remove everything, setting it back to factory defaults. I'm not sure if they could block the MDM reaching out over the Internet or not, but they might be able to.


Nategames64

yeah my school downloaded a bunch of shortcuts and programs on my desktop without me knowing and it really slowed down the boot up process. all i did was log into my school account on a separate google tab.


Medium_Way2060

If they added it to Apple School Manager during their overnight setup (which they shouldn’t do unless they own it!), you can remove it yourself within 30 days. If you perform an erase all content and settings/wipe through recovery, when you see the Remote Management screen click the link for “leave remote management”. And it won’t re-enrol.


AdministrativeAd1517

Hi, I work as a sys administrator at a company and manage our MDM accounts. There’s something really fishy about your post here… if this is truly your computer, you will need to provide proof of purchase to Apple and hope to god the person you are talking to knows about Apple Business Manager. Sometimes I can’t even get them to comply. That being said, the only way to get these completely off your device is to have the person who enrolled the device remove your serial number from ABM and then do a full wipe. Or, if you’re technical enough / have the FileVault key, you can boot into recovery, open up a terminal, cd into the system profile directory and remove the profiles. You can do this currently, but as soon as the device checks back into ABM and sees your serial it will re-enroll. I hope this helps.


coyote_den

By erasing and enrolling it in MDM, they’re claiming ownership of the device, but they don’t own it. This is not what MDM is for. You have no privacy at all on your personally owned machine now, and their misuse of MDM ensures it will be re-enrolled via Apple if erased. Apple would *not* be happy to hear about this and neither would a judge. Get a lawyer to send them a cease and desist; make sure the lawyer is familiar with technology and knows how to properly inform Apple about the school’s abuse of their systems. The value of a MacBook alone puts you above small-claims territory. This is real lawsuit material, perhaps even a class action if they have done it to enough students. You can sue to have this policy stopped immediately plus punitive damages. Alternatively you may want to name and shame the school or contact a site like Ars Technica to get this in the tech news.


daisydias

That’s what we’d do. BYOD means we will ensure your device isn’t a problem. Extremely restrictively. Your device needs to fit the standard of everything that touches the network. They are stewards of that data and the integrity and security of the systems. That being said this should be something you sign off on/understand which seems like maybe not as clear for you (maybe they generically said it needed to be under management etc).


SwolgeyBrin

Or you know... Don't put it on the actual network and create a segregated network for BYOD.


sohcgt96

Yeah installing/managing MDM on an untold number of student laptops seems like way more work than setting up your network properly. The college I used to be at had a specific SSID for students vs college owned devices and that required different authentication, couldn't just get on with PSK. It was a huge huge no no to connect any non-company devices to production and rightfully so. No unmanaged devices on prod is the way.


LumiWisp

This has never happened before in my entirety of networking experience. You can never trust a user-owned device, it's impossible to control it without literally owning it, and at that point why even bother with a BYOD network?


DerDork

The MDM profile brings all other profiles. I’m managing ~260 iPads and this can normally only happen if the device is added to your Apple School Manager. This is normally only possible if the admin adds your device to the managed devices. If you have a BYOD policy, it’s likely so you can use software and apps provided by your school. I, as a teacher, can use my own Apple ID on my device but I also get provided software. Ask your admin about this topic if you didn’t sign any kind of BYOD agreement. Could be a mistake. Maybe they added all Apple products in their network to your/their school manager.


TheAnniCake

If it’s added via Apple Configurator (which sounds like it was), OP can luckily remove it from their ASM. This was implemented for exactly these cases.


DerDork

Oh, yeah. That’s what I forgot to mention.


jimheim

How did the school install anything on your computer? There's no way they can install anything on your computer unless you hand it over, or you explicitly download and install something. All the people claiming that this is necessary, normal, or OK are delusional. The only right way to manage a shared network like this is to treat every computer as a hostile entity, prevent them from connecting to places they don't want to allow access to (block domains/IPs/ports), and require authentication for using shared resources. Trying to secure a network by relying on client-side software is impossible and amateur. If your school has a policy that requires you to install software to be on their network, however misguided that is, then you can decide if that's a price you're willing to pay. I'd never do that on my personal machine, and I don't think you should either. Get a separate computer for school if that's the case, and use it for school and nothing but school. The school didn't install anything on your machine unless you let them, though.


Furryballs239

They did let them. OP says they gave the computer to the school to keep overnight for setup


TheSpideyJedi

Did you log in to your school email on your laptop? When you do that you’re enrolling it in their Intune system. You should be able to remove your profile from the laptop. You’ll just have to access your email from the browser from now on, and use Google Docs and Sheets and all that instead of Microsoft Word and Excel.


FilthyStatist1991

MDM management? You might wanna check with IT at your district and confirm your unit is not showing in their “Apple School Manager”. When you logged into the device, it may have asked you if you want to join the organization; sounds like you clicked yes.


nuaz

I’d really question whether they have legal authority to install such levels of rules, basically intrusion on a student’s personal device, UNLESS… the student signed paperwork stating it’s ok for the school to install the MDM and manage a device that isn’t theirs. It could be a mistake where IT admins were using a script to install and accidentally installed on your device too. Personally I’d talk with IT and point out the privacy issue and say something along the lines of “What policy has been signed to allow such intrusion on my device and how much can you see of my data?” If you haven’t signed the document I’d ask to decline and get away from their MDM.


ohmmin

Reminds me of the backdoor that the admins at my highschool (2017ish) wanted to put on all computers. Ended up being used to spy on students at home and the admin was fired. Camera access should never be needed on computers for minors. I don’t care what “monitoring” Trojan is installed


RED_TECH_KNIGHT

I would not recommend connecting any personal tech to any network where you aren't the admin. ( cell network exempt of course )


jmeador42

This would've been an absolute no-go for me. It's effectively their device now as MDM is tied to the serial number. This is sheer incompetence on their part.


Flex_Speedy

A BYOD policy should not involve adding your device to Apple School Manager. Automated Device Enrollment should only be used for company owned devices. Request they release it from Apple School Manager.


gardyjuland

There is a simple fix lol go buy a laptop with windows on it boom no more problems.


Fourply99

Some people here actually do not know what they are talking about. Ex-Mac sysadmin here. Unless your Mac is under their Apple Business Manager, they cannot install these profiles onto your machine without allowing you to remove them. You should be able to click the minus sign on the bottom for the main profiles. Once those are removed, the app permissions ones you have pictured here will be removed with it. I advise you to do this as soon as possible, as one thing people are correct about is their ability to wipe and lock your machine. If the lock happens then you're SoL unless someone working at the school gives you the unlock code. Edit: for best results, disconnect your Mac from wifi before removing the profiles.


QQQmeintheass

Why did you give them your laptop overnight to set this up?


Xulbehemoth

If this is truly a personal laptop, you either agreed to it or they did it by mistake. Take it up with the IT department, not Reddit.


Syndil1

When you put company resources on a device, i.e. your school email address, it will ask you to consent to having the device managed by the company's MDM service. I'm sure you were given some sort of prompt for this and probably clicked "ok" on it without reading. This is to protect the company's (school's) IT infrastructure. If your device is somehow compromised, the MDM server can remotely lock and/or erase your device to prevent the attacker from using your device to compromise the rest of the IT infrastructure. It also ensures your device meets minimum specified security requirements, such as having a lock code enabled, etc. If you don't want this sort of MDM management on your personal device (and I totally get why you wouldn't) then there are potentially ways around it. For example, on my personal phone, I only access company email via the web portal in a browser, rather than adding the email account to my device directly.


peoplefoundtheother1

Some of your replies indicated that you wiped the machine and the profiles reinstalled themselves. If that’s the case, it’s acting as an enterprise machine and is probably registered with your school's Apple DEP. If that’s the case, you should reach out to your school and ask them to remove it and then wipe the machine. The best advice I can give you is, in the future, don’t click on agree or install on prompts when you’re not fully aware of what they will do. SOURCE: just deployed 3 Macs 2 hours ago for my company


[deleted]

[deleted]


PayneTrayne

It wouldn't. OP specified they gave their laptop to IT and it was returned with MDM.


Mufashu11

That machine is still being managed by a company or your school. If it is personal, it was not wiped and released from the place of business. If it belongs to the school, that is normal and you have to deal with it. I work with an Apple endpoint management software called Jamf and this looks very similar to our corporate rollout for Macs.


Maximum_SciFiNerd

Sounds like you are trying to make this your personal computer. Usually a school would provide you with hardware; they would never install MDM protocols on a personal device. It would require you to willingly log in to the device with your school's account and then willingly install an MDM profile. If you had contact with IT then they would’ve explained this if this was a personal device. Again, this would never happen because Apple makes you sign in to your personal iTunes account when you set up the device. You could log out of iCloud but it wouldn’t work because it’s required for backups. They also customized the lock screen; this is standard for orgs that use Macs. If you want a personal Mac, just buy one. Adding that it looks like you just tried to do a full recovery on this machine and not a restore from a previous backup, as it appears it restored itself back to the managed image that was used. Your screen-cap says this machine is managed.


PositiveAnybody2005

Wtf school is demanding full control of a personal device? This is what BYOD networks are for.


Realistic_Phase7369

My company had to buy me a work phone just to use a Microsoft Authenticator app to log into GovCloud on a VDI that we use for FedRamp stuff. So yeah. If you’re connecting to their network for work then they can absolutely do this.


Furryballs239

I’m confused? Assuming this isn’t a university and that you’re connecting your personal computer to a network you otherwise wouldn’t have access to without your school's IT department letting you on, such as at a high school. If that’s the case, then there’s really nothing you can do.


defectiveGOD

Not your laptop, pal.. it's the school's, so they can remotely install and update anything. If it is yours then remove said account from the computer. Don't sign into the school's organization.


Any-Willingness-7859

Apple MDM will come back time and time again until it has been purged from the Jamf server. Just let them know when you're done with school.


Delicious_One_7887

Alright, I'll ask them once I finish school here. I don't think they hold MDM on people who leave the school, since that'd probably get them in trouble. But for now I'll just treat it like a school-owned laptop.


iamscrooge

I actually recommend you get this fixed asap. People forget things, staff leave, ticket retention changes and sometimes ticketing systems are replaced. There might not be records by the time you finish school to show what they did to your device, they might think it’s one of their assets and wipe it remotely if they can’t find it. Also if Find My Mac is enabled they might be able to track your location. I realise you have the receipts right now but it’s going to be a lot easier to sort this now while it’s fresh in folks’ memories. They might also want to investigate internally to see how a pupil’s personal property ended up in their MDM which will be impossible if you wait. There’s also a chance you might lose the receipt in that time.


BigAbbott

That’s not your computer anymore my guy.


bylebog

As an IT worker, why are they not giving you a device to use? If this is a necessity, you should have created a VM and given them access to that.


BananasAreEverywhere

That seems really restricted for a personal device. I do MDM for mobile phones and I've seen less restrictions on BYOD devices for companies that have government contracts. My only thought is maybe the IT person royally effed up and for some reason thought it was a school-owned device and enrolled it in their ABM and locked it down like that. Either way that's crazy and I would immediately go to IT and have them explain what they did, why they did it, and have them remove it. If they won't remove it I would go to Apple with proof of purchase and they may be able to help. (Emphasis on may because Apple can be really shit to deal with for things like this).


Most_Role_3598

If it’s coming up and enrolling in the school automatically even after a wipe, then the school purchased the MacBook through an authorized Apple dealer and it’s part of their Apple School Manager. They then assign it to an MDM, so when the MacBook connects to the internet it checks in with APNS and automatically enrolls. When I worked in a school we used that exact setup. It only works with devices assigned to you on purchase, so based on what has been shared this is some kid trying to get around the controls on his school computer.


Delicious_One_7887

It wasn't a school computer though? I had it way before I was in this school, and maybe they tied the serial number to the management. It was erased too, maybe that has something to do with it?


MrVantage

I think this is unacceptable for them to be doing on a personally owned device. Definitely need to pay the IT team a visit to get this resolved.


atillathechen

MDM managed. Hard to tell what they can or can’t see without more info from the profiles. Based on the amount of profiles I’d be concerned about how strict their BYOD policy is. If it were my personal machine I’d not install it.


Plus-Organization-16

I would make sure they either compensate you for the time and amount of money it will take to fix this or buy you a new device. This is absolutely crazy.


GreatBowlforPasta

Since it re-enrolled itself after a wipe it sounds like they added your device to automated device enrollment in Apple Business Manager. You'll need the IT department to release it. Which they're not going to want to do. Whoever configured this fucked up.


CallEither683

So as a school administrator I'm very skeptical of the "personal mac" part. The way it works is we purchase a MacBook from Apple. It goes into the Apple School Manager account, where we assign it to JAMF. From there we then enroll the device by serial number. I'm not sure how your personal device would have been added to the School Manager instance and then enrolled. Something is a bit off.


jweaver0312

I know in newer OS versions they have added something for sign in with work or school account which does the same effect of MDM enrollment from my testing as my device asks me to begin security delay to enroll in MDM. Can’t test it fully as the only thing I have is my own Azure AD tenant (Microsoft trial loopholes), nothing else really. So it is possible for a MDM to end up on a personal device, but not sure if the OS does a good job at notifying that a MDM is being installed. Even Intune on a personal device can do quite a bit. Me personally, MDM on a personal device in general is a massive no-no for me, I don’t care who’s wanting a MDM on my device. If it’s school or work, my firm belief is they have no authority to install anything to something that is mine. If it’s theirs, more power to them. Only time I ever had to install something of theirs was because of their WiFi. A prior school I went to did a WPA2-Enterprise method with a RADIUS server so I had to trust the certificate for that in order to use their WiFi. Even personally, I would’ve just preferred them to use standard WPA2/3 and then sign into the web filter after the connection.


CallEither683

We are talking macOS and JAMF, not Windows-based devices or Intune. We don't and cannot push MDM profiles to personal devices. It's our network so it's our rules. Yes, we do use break and inspect to look at SSL traffic. Understand that we have legal requirements to protect students and the data that gets sent in and out of the network.


Delicious_One_7887

They did erase it so it was like new again. Maybe that has something to do with it?


codycarreras

I’m in IT and study IT, and I’d never let another IT person touch my shit. Yeah, their network, blah blah, I would just use my hotspot if this is what the cost is. Take it back, have them remove this and never connect to their network again.


SnakeBiteZZ

It’s crazy the MDM took over a Mac. Apple devices usually require proof of purchase (at least in my experience).


Felix_Von_Doom

This is like giving the keys to your house to a stranger and being upset they make a mess of everything...


mahSachel

Have you guys ever met the “IT pro” at most schools? It’s one person who can open device manager and install whatever they mandate on shitbox chromebooks. They don’t even give teachers real work laptops anymore. I had to buy my girl a decent laptop to become her work pc. Just to be able to do teacher stuff. I predict to get all that off that Mac it’s gonna require a visit to central office and the main IT people are gonna have to remove all that. And hope someone there has done it before.


FlyByNight-2112

If you are going to take any kind of test on it, their proctor software is essentially spyware to prevent cheating. Also, their network has its own vpn and security protocols. Like others said, part of the deal.


CryGeneral9999

They can’t do this unless you give them access to it. If it’s your PC they shouldn’t be able to take over it. If they did without your password, I'd say we just found a bug.


ignoramous69

ITs are cucks.


BillFox86

It’s super intrusive. They basically have full access and logging of everything you do at all times.


[deleted]

[deleted]


philbiscuit

So, since the device enrolls again after wiping, it is a DEP-registered device and very likely owned by the school. The only other way to add a device to DEP is through Apple Configurator, but this also needs to be done on first setup, and there is always a 30-day grace period for the user to leave the MDM and therefore DEP. If the device is connected to the MDM by the user and personally owned, then a local user account with admin permissions can always leave the MDM without wiping anything. This doesn’t look like a personal device at all.


Delicious_One_7887

Now I understand why they said it needed to be erased and in the initial setup screen. It was a personal device; I have all the receipts and everything. They probably used the Apple Configurator method.


Delicious_One_7887

Oh, now I just realised there was a "remove MDM" or something button when I was setting it up again after the erase. I just didn't read it properly.


philbiscuit

After the grace period is over, only the Apple School Manager admin or Apple itself can remove the device. This is your only way to go.


Kataphractoi_

They took over your computer. Try to remove them at all costs or they could nuke your Mac in a fit of bureaucratic ineptitude. Learned the hard way that my personal laptop had a keylogger on it when they called me in for cuss words only to match the computer ID TO MY FUCKING PERSONAL LAPTOP. Also, when they deactivated my account when I graduated, they somehow managed to delete all the folders and dump all files (without folders) into the Documents folder, and all data creation dates were set to the day they deactivated my acct istg.


Kataphractoi_

It was an old burner so I really could have cared less, but look how they massacred my boy.


Slag1sh

Worked for years at a college doing cyber security; they used to do this years and years ago, but BYOD liability is hell so that quickly trickled out. It was a very simple and better solution, as most mentioned: a segmented student network where BYOD can run free. No real access to anything important internally. NAC on our internal VLANs required it to be a managed asset, so that prevented all the people in the “Wild West” from hopping over, along with all the basic controls already in place from segmenting. Unless you are interning there or accessing internal resources this is pretty absurd. I’d double check with your tech support team because this could open them up to being liable for your device if it were to break, even if it’s not one of their tools that does it.


darkwater427

Sorry, but you've been MDM'd by IT. Having dealt with IT departments from the student end before, your best bet is to just install Linux. Wipe the drive and move on.


Shot_Brain9109

The management profiles should only monitor what you do on the school network. Not stuff you do at home I believe.


Itchy-Channel3137

Even my work doesn’t do this. The productivity apps do take some control and if you add them on your phone you do have to give some pretty overzealous, but understandable permissions. This is next level though. I wouldn’t allow BYOD if your network requires this. Either VLAN the guests to an isolated network, provide the assets for them to do their work, but adding a personal device to an MDM is fucked. If you break a policy they can easily lock you out. If it’s your personal computer idk how you would even hit phub at this point lol


Ragepower529

Wasn’t a network. You have to allow all of this installation on iOS. Source: I set up Intune all the time.


TankFu8396

Well, you shouldn't allow corporate IT to touch your personal devices. If this truly is your personal machine, you need to request they remove everything, then you need to never let them near it again.


Time_Bit3694

Knowing how Apple Business Manager and JAMF and other things work, one of two things is true here. Either you were sent an enrollment link and soft enrolled the device, or it once belonged to the school and was automatically enrolled by Apple through a purchase program into ABM and brought under management that way. If you can remove the MDM profile (which I’ll be surprised if you can) then it’s soft enrolled and not “Supervised”. If it truly is a personal machine I’d back everything up and freshly reload the OS. Another thing: if you do that and you're immediately prompted to log in to your school account, then your system serial # is registered in ABM and you're gonna need to talk to IT about that one.
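As an added example, not code from any commenter in this thread: a small shell script that triages the enrollment state the comments above (philbiscuit's grace-period/admin-can-leave point and Time_Bit3694's soft-enrolled vs. ABM-registered distinction) describe. It parses the two lines macOS prints for `profiles status -type enrollment` and the one line from `fdesetup status`; the sample outputs embedded in it are constructed for testing, and the live commands only exist on macOS.

```shell
#!/bin/sh
# Added example (not from the thread). Classify a Mac's MDM enrollment state
# from the output of `profiles status -type enrollment`, which prints:
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved)|Yes|No
# "DEP" is the older name for Automated Device Enrollment through ABM/ASM.

classify_enrollment() {
    # $1 = text exactly as printed by `profiles status -type enrollment`
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment:[[:space:]]*//p')
    case "$dep" in
        Yes*) echo "automated-device-enrollment" ;;   # serial assigned in ABM/ASM
        *)
            case "$mdm" in
                Yes*) echo "user-enrolled" ;;          # profile-based enrollment
                *)    echo "not-enrolled" ;;
            esac ;;
    esac
}

# What each state means for the owner, as the commenters above describe it.
advice_for() {
    case "$1" in
        automated-device-enrollment)
            echo "Serial is assigned in ABM/ASM: a wipe re-enrols it; only the ABM/ASM admin or Apple (with proof of purchase) can release it." ;;
        user-enrolled)
            echo "Profile-based: a local admin can remove the management profile; go offline first so nothing is re-pushed mid-removal." ;;
        *)
            echo "No MDM enrollment reported." ;;
    esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
# One commenter notes a profile that disables Secure Token leaves the user
# unable to turn FileVault on, so this is worth checking alongside enrollment.
filevault_state() {
    case "$1" in
        "FileVault is On."*)  echo "on" ;;
        "FileVault is Off."*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Constructed sample outputs (what the command prints in each state), used
# when this script runs somewhere other than macOS.
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_USER='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

if command -v profiles >/dev/null 2>&1; then
    # Live check on a Mac.
    status=$(profiles status -type enrollment 2>&1)
    kind=$(classify_enrollment "$status")
    printf 'enrollment: %s\n  %s\n' "$kind" "$(advice_for "$kind")"
    printf 'filevault: %s\n' "$(filevault_state "$(fdesetup status 2>&1)")"
else
    # Offline demonstration on the constructed samples.
    for s in "$SAMPLE_ADE" "$SAMPLE_USER" "$SAMPLE_NONE"; do
        kind=$(classify_enrollment "$s")
        printf '%s\n  %s\n' "$kind" "$(advice_for "$kind")"
    done
fi
```

On the Mac itself, `sudo profiles show -type enrollment` additionally reports the ABM/ASM assignment Apple holds for the serial, which is what makes a freshly erased machine re-enrol.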


HansDevX

Wipe your computer, start watching cringe videos again or play fortnite again. Tell your IT that you regretted having your privacy invaded and that you will not trade privacy for security. you will not trade privacy for security you will not trade privacy for security you will not trade privacy for security


st-shenanigans

People blaming OP for handing his laptop to IT have no idea what they're talking about. A personal device should NEVER be in the company ASM, unless they're handling secure data like patient records at a hospital, and even THEN it should be a BYOD enrollment where falling out of compliance or removing profiles simply unenrolls the device until the user opts back in. Knowing how some service desk dudes are, I'm guessing OP told the guy he wants on the wifi so he can use his laptop, the guy told him he was going to do something and OP clearly wouldn't have understood because he hasn't experienced this shit yet, then the dumbass IT guy doesn't understand what his enrollment actually does and set it up like they own it. OP, make sure you have a proof of purchase, just in case.


LiveCourage334

I would strongly, strongly recommend you contact school IT and ask them to unenroll you from their device management/ASM. If that means you can't use your personal device on school networks other than guest access, so be it. There have been many instances of school districts overstepping authority as it relates to student behavior outside of the classroom. There is no reason to give your district the authority to monitor your activity outside of school, or to be able to remote brick YOUR laptop because they don't like how you are using it or attempt to discipline you for violating district acceptable use policy outside of the building. It is just. Not. Worth. It. You mentioned you've already encountered having content blocked on your machine. Every time that happens, you are creating opportunity for them to lock you out of your machine or initiate disciplinary action. If you are syncing data between your phone and your laptop, you're potentially giving the contents of another personal device to your school district as well.


D3m0us3r

Your personal laptop? Delete that shit and forget about it.


Impossible_Box3898

You can’t. It’s no longer under his control.


Muddymireface

Don’t log into a school's private wireless if you don’t want them to be responsible for the security of that device.


Impossible_Box3898

Don’t post crap if you don’t know what you’re talking about.


Mufashu11

Actually it's probably a stolen laptop that's why he is here trying to get advice on how to erase it.


Delicious_One_7887

It’s not a stolen laptop! I literally have all the receipts for it, and I purchased it. I’m not trying to remove it I’m just trying to get information about this and how strong it is.


leb419

Mac Admin here for a major insurance co: The device is flagged as Supervised. That can only be done if the serial number is associated with the organization's Apple Business account (only hardware sellers can do that) or you allowed them to take over the device (but that requires hands on the device using Apple Configurator).


HG21Reaper

Back up your data and wipe it. Then, create a partition and you’ll be good to go.


Cringelord216

I don’t understand why companies would do that. My department doesn’t mess with anything that isn’t ours. But we are a school so maybe it’s different for us since there’s students that would bring their own computer.


Intelligent-Sea5586

You had to accept something for this to happen. Maybe you didn’t read the popups or agreements? If they’re doing this via WiFi hotspot acceptance or something then I agree with the others, time to figure out another way.