MDM on a personal device

Hey.


I'm working as a contractor. My company wants me to install MDM software (Rippling) on my personal macbook for security compliance. But I'm worried about what they can do with MDM permissions because I'm not familiar with it.


  1. Is it possible for them to somehow make my device completely unusable for me, like locking in a way that only they can unlock? Since it's my own personal device, I want to be sure that I can get rid of their access when my job is done.
  2. The profile (.mobileconfig) says they have the following rights:
  • Erase all data on this computer
  • Add or remove configuration profiles
  • Add or remove provisioning profiles
  • Lock screen
  • Change settings
  • Application and media management


Are these OS level rights? Let's say I installed two macOS instances and used one of them exclusively for work. If they decide to wipe, does it affect only the work OS or whole disk? Is there a way to keep a personal, safe OS in the same computer? Can they change the rights later without my consent?

MacBook Pro 16″, macOS 15.7

Posted on Nov 26, 2025 12:56 PM

Question marked as Top-ranking reply

Posted on Nov 26, 2025 1:21 PM

1. Is it possible for them to somehow make my device completely unusable for me, like locking in a way that only they can unlock? Since it's my own personal device, I want to be sure that I can get rid of their access when my job is done.

Yes. The MDM can lock the device, and can make it so you cannot restore it, or, if restored, it can't be set up without going through the MDM. You will need to make absolutely sure they remove the MDM configuration from the device once you are done.


2. The profile (.mobileconfig) says they have the following rights:
* Erase all data on this computer
* Add or remove configuration profiles
* Add or remove provisioning profiles
* Lock screen
* Change settings
* Application and media management

Are these OS level rights? Let's say I installed two macOS instances and used one of them exclusively for work. If they decide to wipe, does it affect only the work OS or whole disk?

They can wipe the whole disk.


Is there a way to keep a personal, safe OS in the same computer?

Only if you boot externally to the managed OS. If you are booting to the managed version from within the internal drive, they have access to the entire internal drive. If you boot from an external one, they only have access to the drive they boot from and not any other volumes directly, as they would need to target the other drive specifically by volume name, which an MDM with no knowledge of it would likely not do.


Can they change the rights later without my consent?

Yes. They can change any access rights and profile restrictions without explicit consent once the MDM is enabled on the device.


7 replies
Nov 26, 2025 1:41 PM in response to Phil0124

> If you boot from an external one, they only have access to the drive they boot from and not any other volumes directly as they would need to target the other drive specifically by volume name, which an MDM with no knowledge of it, would likely not do.


That's not entirely correct.


Even if booted from an external drive, the MDM console has the ability to run scripts on the target system. That script could easily find the path of additional connected drives:

`ls /Volumes/`

and the rest is history.


Ultimately, if you allow the company to install an MDM on your device, you are completely and unequivocally giving them access to the system. There are some pluses to this on their side (e.g. protection against loss or theft of the device or data on it), but there is no distinction between what's personal/private and what is corporate data.

To my mind, if the company wants you to use an MDM-managed system, they need to provide the hardware as well as the software.


Additional thought/Edit:


If you're a contractor, consider the fact that the client installing an MDM on your device would give them access to any data associated with other customers of yours. That alone should be reasonable grounds for refusal (or for them to provide you with a system to use) on the grounds that you're protecting your other clients, just like you would protect this one by not giving other clients access to this client's data.

Nov 26, 2025 2:34 PM in response to Camelot

Camelot wrote:

> > If you boot from an external one, they only have access to the drive they boot from and not any other volumes directly as they would need to target the other drive specifically by volume name, which an MDM with no knowledge of it, would likely not do.
>
> That's not entirely correct.
>
> Even if booted from an external drive, the MDM console has the ability to run scripts on the target system. That script could easily find the path of additional connected drives:
>
> `ls /Volumes/`

True, but unless the person configuring the MDM knows what additional volumes to target, they probably won't go to that trouble. Yes, the script could list all the volumes and just delete every volume it finds, but that seems awfully nasty, and I doubt any regular script would go out of its way to delete every other volume beyond the one they'd want to wipe by default.

> Ultimately, if you allow the company to install an MDM on your device, you are completely and unequivocally giving them access to the system. There are some pluses to this on their side (e.g. protection against loss or theft of the device or data on it), but there is no distinction between what's personal/private and what is corporate data.
>
> To my mind, if the company wants you to use an MDM-managed system, they need to provide the hardware as well as the software.
>
> Additional thought/Edit:
>
> If you're a contractor, consider the fact that the client installing an MDM on your device would give them access to any data associated with other customers of yours. That alone should be reasonable grounds for refusal (or for them to provide you with a system to use) on the grounds that you're protecting your other clients, just like you would protect this one by not giving other clients access to this client's data.

Correct, and I completely agree with the points made.

Nov 26, 2025 1:53 PM in response to narvasi

How much do you need this job?


You’re giving their company (theirs, not yours) full access to your gear.


And if they acquire supervisory control, they own the Mac.


As somebody who has done contract work, a non-negotiable MDM requirement means them providing you with their gear, or you using a spare or scratch and potentially brickable Mac (which gets billed), or preferably a negotiation and written agreement about how this works and how it all untangles.


Them managing and them particularly supervising your gear is a financial contribution by you to them.

Nov 27, 2025 6:27 AM in response to narvasi

I would structure this loan of your equipment to your employer such that the optional return of your gear to you at the end of the contract is not a monetary loss if it gets bricked or its data collected, that returning your gear is not an expectation, and that it would start with no data on the Mac.


Put differently, you are renting your gear here, and should expect it might not be returned in the same condition, and will want to factor that into the rental fee.


BYOD can be a way for a company to avoid paying for its own business activities, shifting those costs onto staff and contractors.

Nov 27, 2025 3:17 AM in response to narvasi

Hey everyone. Thank you all for your detailed answers.


I installed the `.mobileconfig` profile into a VM instance running on UTM, and had a long discussion with an AI bot. The AI claims they cannot lock me out of my own device because it's not registered to Apple Business Manager and there is no DEP process. Is it true?


In the installed VM, under "General" -> "Device Management" settings, I can see an "Unenroll" button. I actually tried it and was able to get rid of it. Here are the "Rights" of that profile:

I tried to boot into the recovery, it also seemed fine. You guys said MDM can change recovery settings after the installation, this is terrifying. Apple shouldn't allow this on personal devices. Basically, they can change the MDM rights without my explicit approval, right?


I guess safe solutions are using a separate device for work or using a VM, which sucks because of missing trackpad gestures and lack of multi display support.
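The distinction the OP is asking about (a profile-based, user-approved enrollment that shows an "Unenroll" button versus an Automated Device Enrollment via Apple Business Manager/DEP that re-asserts itself through Setup Assistant after an erase) can be read from the `profiles` command on macOS. The following is an added example written for this thread, not code posted by any participant or shipped by Apple or Rippling. It parses the output of `profiles status -type enrollment`, whose lines look like `Enrolled via DEP: No` and `MDM enrollment: Yes (User Approved)`; the three sample outputs embedded below are constructed so the script runs on a non-Mac, and the `https://mdm.example.com/mdm` server URL is a placeholder.

```shell
#!/bin/sh
# Classify macOS MDM enrollment from the output of
#   profiles status -type enrollment
# which prints lines such as:
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)
#   MDM server: https://...
#
# classify_enrollment reads that text on stdin and prints one word:
#   dep            Automated Device Enrollment (ABM/DEP). Survives an erase;
#                  Setup Assistant re-enrolls the Mac with the MDM server.
#   user-approved  Enrolled by installing a profile and approving it; removable
#                  via System Settings > General > Device Management > Unenroll.
#   user           Enrolled but not user-approved (MDM gets fewer payloads).
#   none           No MDM enrollment.
classify_enrollment() {
    dep=no
    mdm=none
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*)               dep=yes ;;
            "MDM enrollment: Yes (User Approved)"*) mdm=user-approved ;;
            "MDM enrollment: Yes"*)                 mdm=user ;;
        esac
    done
    # DEP takes precedence: even a user-approved enrollment on a DEP-assigned
    # Mac will come back after an erase, so that is the property that matters.
    if [ "$dep" = yes ]; then
        echo dep
    else
        echo "$mdm"
    fi
}

# Constructed sample outputs (not captured from a real Mac); the server URL
# is a placeholder.
SAMPLE_USER_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm'

SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm'

SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, run the real command; anywhere else, fall back to a sample so
# the script still demonstrates the classification offline.
if [ "$(uname)" = Darwin ] && command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment | classify_enrollment
else
    printf '%s\n' "$SAMPLE_USER_APPROVED" | classify_enrollment
fi
```

A result of `user-approved` matches what the OP saw in the UTM VM: the enrollment exists only as an installed profile, and the "Unenroll" button removes it. A result of `dep` is the case the top-ranking reply warns about, where erasing the Mac does not get rid of the management because the serial number is assigned to the organization in Apple Business Manager and Setup Assistant enrolls it again; in that situation the device has to be released from the organization's ABM account, which only they can do.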
