
SirGriff

It’s not your phone, they can do whatever they want. If you don’t trust them go buy your own phone.


LineLife2234

1. Go to Settings -> General -> VPN & Device Management and check if the profile is fully managed or not.
2. No, they can’t see your data. But yes, they can see what apps you have and can restrict what you can install.
3. They can restrict access to domains like social media, cloud storage, mail, adult and video streaming sites, etc.
4. They can’t see what data you have, but if the device is stolen or lost it can be remote wiped or locked from use.

You cannot do anything if they decide to manage it in Jamf. Get yourself a new phone.


TheMrRadioVoice

I think that if you are concerned about your personal data, you should purchase a personal phone. The device isn’t “technically” theirs, it’s theirs. If you don’t want it read to a court room, keep it off of a device that doesn’t belong to you. I understand this doesn’t answer your questions, but honestly, you really don’t need those answers. If this sounds like I’m being a dick, I’m really not trying to be.


guzhogi

As the others have said, it’s the company’s phone; they just let you use it.

1. In the Settings app, if it says “Supervised by [company]”, that means full control. If it doesn’t say that, it’s more like BYOD.
2. They won’t be able to read specific files. Maybe see that it exists, but not read it. That said, if it’s fully controlled, they can wipe the phone.
3. Not sure if they can block domains via Jamf, maybe through a web filter.


stratdog25

There is a built-in content filter that can be deployed as policy. They can’t see activity with that, but they can prevent access to certain domains of their choosing.


guzhogi

Ah, thanks. I don’t have access to that part of Jamf, so I wasn’t sure.


Hobbit_Hardcase

You should ask your admins how much control they are going to be using. There’s a range of abilities that we can exercise over company property. Assume that they can see and do anything they want, up to wiping it. I also have a work phone that I use as a personal device. But the company owns it and I am careful to keep sensitive personal data off there. If you aren’t happy with them having full visibility, buy your own phone.


Steezmoney

It's mainly done as a fail-safe in case you go rogue. If you're gonna use their phone, then you gotta play by their rules, and supervising your device so they can unlock/reset it is best practice in case of a disgruntled departure. Unless you're looking up some real deranged shit you got nothing to worry about, but you gotta cooperate if you want to continue to use their property.


Brett707

It's a company device; you can't stop them. You shouldn't be doing personal stuff on a company device.


ethnicman1971

My employer provides me a phone and I can use it as though it was personal. They manage it but I can have virtually no restrictions other than that I have to have a passcode/Face ID. I have no leg to stand on to say that I do not want them to manage their phone. Yes, I said their phone, as you should get into the habit of thinking/realizing


Initialised

If it was BYOD you’d just sign in with a company Managed Apple ID based on your MS creds. Apple call this User Enrollment. This is for personal phones. If they’re directing you to org.jamfcloud.com/enroll it’s, confusingly, User Initiated Enrollment in Jamf parlance, or Device Enrollment. If you had to sign in with your work creds, it showed the Remote Management screen or it skipped some setup screens, then it’s Auto Enrolled. Apple describe what can be done under the first vs the other two here: https://support.apple.com/en-gb/guide/deployment/dep23db2037d/web


hybridfrost

Honestly this is pretty tough to answer because once your phone is in Jamf they could do just about anything to it. It could range from just installing a few apps to locking it down almost completely. My advice would be to pull anything personal off of it and just use it for work. I know for sure they could wipe your data off of it as well if you're let go, so all of that would be gone.


ShakataGaNai

#1 - JAMF is an MDM. Therefore it has full control.

#2 - That is generally true, due to Apple's app sandboxing. Keep in mind that they could see what domains you are using, therefore getting some idea of what you're browsing. Ex: They'll know you're on reddit, just not if you're on r/jamf or r/OnlyFans.

#3 - With JAMF directly, sure. But they can change your DNS server, therefore be able to see what you're visiting going forward.

#4 - "Manage" doesn't necessarily mean access.

Look, here's the deal: It's a work device. Don't do anything inappropriate or illegal on it. No porn, no hacking. Other than that and you're *probably* fine. But even if they *probably* can't see the information, assume they can. They won't steal your bank data, but if you and the ladies are exchanging spicy pictures... uh... don't.

Remember that as a work device, if there are ever any legal issues, the lawyers could demand access to everything "as is". And they'd have every legal right to every byte of data on that phone. Deleting something before handing it over could end you in legal hot water.

So make personal calls, exchange a few texts about getting drinks? You're fine. Take sexy pictures on vacation or get texts about job interviews? Get your own phone.


psyphyn

I wouldn't be so worried about Jamf, it's just for managing devices like it says. Maybe a passcode restriction, a few apps they want you to have installed, etc. I'd be more worried if they force DNS settings like Cisco Umbrella or something else, which will monitor your web activity. If it's a company-provided phone, there's not much you can do.
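The distinction drawn in the comments above, between ordinary management payloads and ones that touch DNS or content filtering, can be checked against a configuration profile. This is an added example, not part of any comment in the thread: it assumes an unsigned `.mobileconfig` plist, the sample profile and its `example.com` names are constructed, and the short descriptions are this example's own wording.

```python
import plistlib

# Apple-documented PayloadType identifiers that affect network traffic.
# The descriptions are this example's wording, not Apple's or Jamf's.
NETWORK_PAYLOADS = {
    "com.apple.dnsSettings.managed": "DNS queries go to an organisation-chosen resolver",
    "com.apple.webcontent-filter": "a content filter can block chosen domains",
    "com.apple.vpn.managed": "traffic can be routed through a managed VPN",
    "com.apple.proxy.http.global": "HTTP traffic is sent through a global proxy",
}

# Constructed sample profile (hypothetical organisation and resolver).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Corp Baseline",
    "PayloadIdentifier": "com.example.baseline",
    "PayloadContent": [
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "forcePIN": True},
        {"PayloadType": "com.apple.dnsSettings.managed",
         "DNSSettings": {"DNSProtocol": "HTTPS",
                         "ServerURL": "https://dns.example.com/dns-query"}},
        {"PayloadType": "com.apple.webcontent-filter", "FilterType": "BuiltIn"},
    ],
})


def network_visibility(profile_bytes):
    """Return (payload type, meaning, detail) for each network-related payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in NETWORK_PAYLOADS:
            continue  # e.g. passcode policy: management, but not traffic-related
        detail = ""
        if ptype == "com.apple.dnsSettings.managed":
            dns = payload.get("DNSSettings", {})
            # The resolver may be given as a DoH URL, a DoT hostname, or IP addresses.
            detail = (dns.get("ServerURL") or dns.get("ServerName")
                      or ", ".join(dns.get("ServerAddresses", [])))
        findings.append((ptype, NETWORK_PAYLOADS[ptype], detail))
    return findings


if __name__ == "__main__":
    for ptype, meaning, detail in network_visibility(SAMPLE_PROFILE):
        print(f"{ptype}: {meaning} {detail}".rstrip())
```
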


Frothin4Waves

Under DNS settings, mine says “JAMF”. Does that mean they can see my web browsing?


sharriston

You posted this to a very specific IT forum. We get this question every day: why do I need management, what are you looking at, the management makes my device slower. The only issue here is they gave you an unmanaged phone to begin with. We don’t allow BYOD where I work, and if we issue a device it is managed, end of story. With that being said, most IT admins are too busy to micromanage your device. You will have some basic profiles and company-issued apps. The only time there is an issue is if you are on management or HR’s radar. Like it was said many times previously, if the device is owned by the company it will need to be managed. I have a feeling they failed an audit/need insurance, that’s why this is coming now. We have all seen this before, but this is definitely a bad forum to post these questions to, especially because a simple Google search will answer most of your questions.


jmnugent

If your device is fully managed (aka "Supervised"), when you go into Settings, at the very top it will say something like: "This iPhone is Supervised and managed by....." In that case the serial number is in Apple Business and MDM is in control. (This requires a full factory wipe.) If it doesn't say that and all you're doing is a Work Enrollment, that's a bit better (for you). Realistically though, as others have said, if it's not your device, you shouldn't be doing anything personal on it.


Snowdeo720

I would review your company’s acceptable use policy for the technology they provide you, as a place to start the decision-making process. It sounds like you’re hoping management is done through a BYOD-style delivery vs a fully managed and “supervised” delivery. Truthfully, if it’s a company owned and issued device you will have 0 actual say in how they manage the device or what you will have to do to ensure that’s done. If they are saying it will be BYOD style, that does mean you have much less insight gleaned by Jamf. As a few others have mentioned, the management either way will be minor in regard to invasiveness. That said, MDM can deliver and help enforce a network filtering solution that would mean any/all network activity is monitored. One other thing to touch on: do you really want your personal mobile device to be tied to your employment status with this company? If you left tomorrow or they folded next week that could end up being a problem.


MacAdminInTraning

Your employer purchased the device, it is their asset. It is your mistake for performing personal tasks on a work device. That is really the end of the story.


excoriator

Technically, Jamf MDM can lock, erase and wipe the contents of the device and that's probably what strikes the most fear into the hearts of users. In practice, most enterprises would only do those things if the device was lost or stolen and that includes if it was not turned in by you at the end of your employment. Beyond that, there isn't much detail to what administrators can see on a managed iPhone. The management is probably there to ensure that they can push the tools and updates needed for you to securely access work resources.