Apple really outdid themselves with the iPhone Mirroring icon.

I guess their creative options were limited, it's not like there was an object they could've used, like, oh, I don't know, an iPhone, to make a clever boxed, tile version of the device for an icon.

They apparently hit the same limitations while creating the calculator app icon. Again, how could you possibly take calculator shapes, buttons and aesthetic and make a nice tile app icon out of it? Just impossible. :rolleyes:
 
Uh, why? Apple’s security failure in this instance has literally nothing to do with the EU.

I suppose a company choosing to abuse the flaw might fall afoul of GDPR’s privacy protections, depending on why they’re gathering the data and what they do with it, but that has nothing to do with Apple.

Though I suppose the way you misnamed the EU shows clearly enough that you are only posting in bad faith, without having any actual argument.
This is not a "security failure". These security tools have access to the devices by design - at most you could call this a "reporting failure".
 
Why on earth would you be signed in to your personal iCloud account on a work computer? This would also expose your browsing history and other things that aren’t their business.
 
If your work computer and your personal iPhone are signed into the same Apple ID, that Mac already has access to ALL OF YOUR STUFF -- texts, files, browsing history and even your ****ing iCloud Keychain.

There is no "security failure" here whatsoever, except on the part of any user stupid enough to set up a machine they don't own with access to all their personal information.
Except all that access can be turned off, can't it?
 
This is not a "security failure". These security tools have access to the devices by design - at most you could call this a "reporting failure".
The article states that Apple is reportedly working on a fix. You don’t start fixing things unless there’s something there to fix.
 
Yeah, don’t ever do this. I work in IT and most of the folks on my team don’t even own a personal computer… they use their corporate Macs for everything and have iMessage and photo sync, etc, to their personal Apple IDs, which I think is insane... at any time, Legal could show up and image their disks (we have all FileVault keys escrowed to our MDM).
They don't understand that if there's a legal case against the business and the company computer gets subpoenaed, their personal device information will appear and they may have to surrender their device as part of evidence.
Keep your personal data away from work devices.
 
Correct me if I'm wrong, but don't you need to be signed into your personal Apple Account on the work machine in order to connect to your phone, which is signed into your personal account? I have two accounts on my MacBook and my work account doesn't see or interact with my phone at all.
 
Keeping work and personal devices/data separate is always a wise idea, in my opinion, including and beyond this specific security issue.

I like the concept of iPhone mirroring to my personal Mac, but I don’t use it as much as I thought I would. It’s not hard to just pick up the phone. Where I see iPhone mirroring as beneficial is when one is using Vision Pro.
That part. And every time I've tried to use it because my phone was in another room, it tells me I need to unlock the phone. So what's the point?
 
Except all that access can be turned off, can't it?
No, it cannot. If you link your iCloud account to the computer your employer owns and controls then they can choose to turn on or off syncing as they see fit. All your photos and texts and passwords and everything else can be synced at your employer's discretion. You could temporarily disable syncing if you wanted, but it could also be turned right back on again.
 
People using work machines for personal use, or even worse, asking questions about using personal machines for work use and companies wanting to "install tools" on it comes up all the time in Apple subreddits and it boggles my mind how many people have no concept of security, privacy, or anything like that. It's insane.
 
I won't even allow my corporate computer on my personal network, let alone log into it or connect anything personal.
 
Just create an Admin level user account for yourself; unless your corporate IT people are Jason Bourne level super-nerds, you have nothing to worry about.
 
People using work machines for personal use, or even worse, asking questions about using personal machines for work use and companies wanting to "install tools" on it comes up all the time in Apple subreddits and it boggles my mind how many people have no concept of security, privacy, or anything like that. It's insane.
That's only half the story, the other half don't care about their employer.
 
This was patched for 18.1 and 15.1... If you use JAMF you can patch your fleet with a config profile:

Preference Domain: com.apple.applicationaccess

XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>allowiPhoneMirroring</key>
        <false/>
    </dict>
</plist>
 
Also be careful using the new passwords app on a corporate Mac. It will ping every website you have ever had a password for to get its icon. Including ones your company may be blocking and logging wink wink nudge nudge nudge.
 
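An added example, not part of the original post and not Jamf or Apple tooling: a Python check that reads either a bare preference plist like the one posted above or a full .mobileconfig, and reports whether `allowiPhoneMirroring` is really set to a boolean false. The sample plists are constructed, and treating any false value as blocking when several payloads set the key is an assumption.

```python
import plistlib

KEY = "allowiPhoneMirroring"
DOMAIN = "com.apple.applicationaccess"

def _restriction_dicts(root):
    """Yield every dict in the plist that can carry the restriction key."""
    if not isinstance(root, dict):
        return
    payloads = root.get("PayloadContent")
    if isinstance(payloads, list):
        # Full .mobileconfig: only payloads for the restrictions domain count.
        for p in payloads:
            if isinstance(p, dict) and p.get("PayloadType") == DOMAIN:
                yield p
    else:
        # Bare preference plist, as pasted into a custom-settings payload.
        yield root

def mirroring_state(plist_bytes):
    """Return 'blocked', 'allowed', 'unset' or 'invalid' for one plist."""
    try:
        root = plistlib.loads(plist_bytes)
    except Exception:
        return "invalid"            # not parseable as a plist at all
    values = [d[KEY] for d in _restriction_dicts(root) if KEY in d]
    if not values:
        return "unset"              # key absent: nothing is being enforced
    if any(not isinstance(v, bool) for v in values):
        return "invalid"            # e.g. <string>false</string> is not a boolean
    # Assumption: if several payloads set the key, any false blocks the feature.
    return "allowed" if all(values) else "blocked"

def _plist(body):
    # Helper for the constructed samples below (no real fleet data).
    head = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
    return (head + body + "</plist>").encode()

PAGE_PLIST = _plist("<dict><key>allowiPhoneMirroring</key><false/></dict>")
STRING_TYPO = _plist("<dict><key>allowiPhoneMirroring</key>"
                     "<string>false</string></dict>")
PROFILE_ON = _plist("<dict><key>PayloadContent</key><array><dict>"
                    "<key>PayloadType</key><string>" + DOMAIN + "</string>"
                    "<key>allowiPhoneMirroring</key><true/></dict></array></dict>")
OTHER_KEY = _plist("<dict><key>allowCamera</key><false/></dict>")

if __name__ == "__main__":
    for name in ("PAGE_PLIST", "STRING_TYPO", "PROFILE_ON", "OTHER_KEY"):
        print(name, mirroring_state(globals()[name]))
```
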
Agreed big time with everybody suggesting to never ever do this nor log anything personal on a work computer. True, sometimes for a brief period a specific situation might be “convenient”… take the long friction way anyways. Even ask for time off to go do the personal chore that can only be done from a personal device.

I take a more defensive approach: in this day and age, where companies are even starting to use AI to evaluate employees' gaits and facial expressions from cameras and alert on mood and other emotional states, you can bet they will use absolutely anything they can find to make a decision behind our backs.

For whenever they have to decide to lose some weight company-wide or settle a problematic situation, any information they find about us can be used against us. Maybe there are some text messages mentioning political stances that happen to trigger a higher-up? Maybe hints about retiring early or looking for opportunities? An app that hints of a kid soon on the way?

A company will of course always conveniently say that they don’t, it’s the only legally abiding statement to publish… but trust is problematic nowadays and isn’t a two way street anymore. All the thousands of employees that get laid off every month for the last couple of years have trusted and lost.
 
Don't do it, those people are always watching your screen at work.

Not necessarily. :)
I'm an IT admin at work and while Jamf is installed on every computer we can't do that without a user's consent. Apple has also been pretty serious in later macOS versions making sure the user allows “screen recording”. This isn't something that (to my knowledge) can be worked around by IT.

No, it cannot. If you link your iCloud account to the computer your employer owns and controls then they can choose to turn on or off syncing as they see fit. All your photos and texts and passwords and everything else can be synced at your employer's discretion. You could temporarily disable syncing if you wanted, but it could also be turned right back on again.
No control over a personal iCloud account just because we have control over some aspects of the computer.

I asked ChatGPT if a Jamf admin has any control over personal iCloud data:

“No, as a Jamf admin, you do not have direct control over a personal iCloud account that a user has logged into on their Mac. Jamf primarily manages the device and its settings, apps, and configurations, but it doesn’t grant access to or control over a user’s personal iCloud account.

What Jamf Can Do:

• Device Management: Jamf can manage settings, software, profiles, and configurations on the Mac itself, including enforcing security policies (e.g., password requirements, encryption).
• Application Control: You can control what apps are installed on the Mac or push apps to the device, but you don’t have access to user-specific app data (like files stored in iCloud).
• Restrictions: Depending on your organization’s policies, you can enforce restrictions related to iCloud usage on the device, such as disabling iCloud Drive, iCloud Keychain, or iCloud Backup. However, these are device-level controls, not direct access to iCloud accounts.

What Jamf Cannot Do:

• iCloud Account Access: You do not have access to personal iCloud data (like photos, documents, backups) stored in the user’s iCloud account.
• Personal Data: Jamf does not give you control over or visibility into the user’s personal data in iCloud, such as iCloud Drive files, photos, or personal emails.

If needed, you can restrict certain iCloud functionalities on managed devices, but you can’t view or manipulate a user’s personal iCloud account contents directly.”


Again, just because IT admins have access to and control over some data on a business owned computer (we can in Jamf for example see what apps are installed on a computer) it doesn't mean everything is accessible by the IT admins.
 
Correct me if I'm wrong, but it sounds like you're describing one specific scenario where one management platform (Jamf) has limitations on what it can do. Cold comfort if an employer did anything else with their computer, like taking physical possession of it or using some other tool that gives them more access.
 
Of course the amount of control a company has over their computers varies, but as far as I'm aware there is no tool that can give access to the data stored in a personal Apple ID.

If we are to trust ChatGPT again to save me from some typing. :)

As a Jamf admin, you can reset the password of a macOS user account through Jamf, but resetting the local macOS user account password does not grant you direct access to the user’s iCloud data. Here’s why:

1. Local User Account vs. iCloud Account:

• When you reset the password of a local macOS user account, you gain access to the files stored locally on the Mac, but this does not automatically give you access to their iCloud account.
• iCloud services are tied to the user’s Apple ID, not the local macOS user account. Logging into the local account does not log you into their iCloud account unless you also know the Apple ID password.

2. iCloud Data Access:

• Even if you can log into the macOS user account, accessing iCloud-synced data (like iCloud Drive, Photos, or iMessages) would still require authentication with the user’s Apple ID credentials.
• If you change the local password, macOS may prompt the user (or you) to re-enter their Apple ID password to continue using iCloud services. Without that Apple ID password, the Mac may not sync iCloud data or allow access to certain services.

3. Encryption of iCloud Data:

• Certain iCloud data (such as iCloud Keychain, iCloud Drive, and end-to-end encrypted data) is protected by strong encryption tied to the user’s Apple ID credentials. Even with access to the Mac, you won’t be able to decrypt this information without the Apple ID password.

Conclusion:

While resetting the macOS user account password allows you to access local files on the Mac, it doesn’t grant access to the user’s iCloud account or its data without the Apple ID credentials. To access iCloud data, you would need the user’s Apple ID password or other forms of authorization, which are separate from the local macOS user account.


But you are right that there are other tools and stuff that might allow more access. But without the Apple ID password you are still limited, I'd say.

I can tell you that even if I were to gain access to the personal data on one of my colleagues' computers I would definitely not abuse it and make sure I log out or remove my access from it.

So, I do agree that to be on the safe side it's best that you don't put personal stuff on an employee owned computer, but I just think this idea that the IT department has access to everything and they snoop on you is a conclusion that's lacking in nuance. :)
 
In the US, you have very limited privacy expectation in the workplace and virtually none when connected to company resources.
Any use of company resources for anything other than company business is not allowed in pretty much every company (although the vast majority don't care if you log into your bank or email account at lunch). However, there are limits on what the company can and can't do with employee information that is exposed to them that way. E.g. an employer can't use your login credentials obtained via use of work computers to access your private accounts.

The biggest threat - from my perspective - is not as much the evil corporation logging into my email account (while exposing itself to a massive lawsuit) but a weirdo Joe the IT guy who keeps switching jobs every two years, makes borderline comments about co-workers, and loves bragging about his crypto prowess.
 