School forcing me to install MDM software on privately owned laptop

HammerheadH

Hi Guys,

Over the past few years, my school has continued to strengthen its IT policies for devices at the school, and I understand the need to protect the school from security risks. However, it has gotten to a point where you are practically forced into installing ludicrous amounts of software on 100% privately owned devices that we bought with our own money and that a lot of students, including myself, use for private applications. Failure to sign up your laptop for the school's Mobile Device Management (MDM) system, specifically Jamf, results in being blocked from the school's network, which means no more internet or printing for you. The MDM installation includes software like CrowdStrike Falcon, which cannot be disabled. This has caused multiple issues for me while attempting private application development. You are also unable to uninstall Falcon even with root access via the terminal, even if you've removed your device from the MDM; I really had to pry at the terminal and delete program files for a few hours to remove Falcon from my old laptop.

If you take a look at what configuration profiles they've installed on my laptop (screenshots attached), not only do you notice the number of profiles, but at the very top it says 'This Mac is Supervised and Managed by: ... School'. Not only this: if you inspect the main MDM profile, you'll notice it has permissions to do whatever the damn well it pleases. I understand why the school is doing what they're doing, but to do so in such an intrusive way on privately owned/purchased laptops also used for non-school purposes seems like they're taking it a bit too far. While I'm no expert when it comes to MDM, I suspect that if the school wanted to, they could look at what we're doing on the laptop out of school hours. Would they ever do such a thing? I doubt it. But the privacy risk remains whether they abuse the access to our laptops or not.

On top of all this, about a year ago they started requiring you to create a separate local account to access the school's network. While you may think this is a good idea, the MDM profile is system-wide, including all the software it installs. The most painful part is that so many applications I use frequently have data that isn't easily accessible; while I may be able to copy over a directory or two, it's near impossible to transfer everything I need across to the new account, and my laptop's storage constraints make this even harder. Last but not least, it's just a hassle alternating between users every day.

I'm wondering if anyone has any suggestions of what I could do in my situation. What IT is forcing us to do just doesn't sit right with me; it feels way too extreme for a secondary school. If they were school-owned laptops, sure, I wouldn't have a problem at all, but the problem is they are not. We didn't buy these laptops with the sole intention of being used for school, and that is where the issue lies. Any comments would be greatly appreciated :D

 

(Sorry for the essay but there was a lot to mention)

Image01.png

Image02.png


Just ask them to provide you with a device. Many people do not have privately owned devices that they could install MDM on, and they should have a solution for this. You don't have to provide more detail other than that the original device you had MDM on is no longer available (sold, damaged, et al.).

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


12 minutes ago, rcmaehl said:

Just ask them to provide you with a device. Many people do not have privately owned devices that they could install MDM on, and they should have a solution for this. You don't have to provide more detail other than that the original device you had MDM on is no longer available (sold, damaged, et al.).

Unfortunately (or fortunately, I suppose) I go to a private school. They only temporarily give you a Chromebook if your laptop is in for repair; otherwise you're directed to the school's laptop portal, where you can buy a laptop through the school at a discounted price. The school also allows you to bring a device that was purchased completely separately from the school; I'd say only 25% of students actually purchase their laptop through the school. I also bought my Mac completely privately, and even if the school did give handouts, I'm willing to bet it wouldn't match my 14" MacBook Pro, which I need for my computing classes.


Perhaps you could create a second user account on the computer, solely for use for school? You could also dual boot Windows on it and only install the software on Windows... both of those would limit what the school could do with your computer. Typically I'd advise buying a cheap used laptop on eBay and using just that one for school but it looks like you can't do that unfortunately. Pretty scummy of the school to do that.


8 hours ago, da na said:

Perhaps you could create a second user account on the computer, solely for use for school? You could also dual boot Windows on it and only install the software on Windows... both of those would limit what the school could do with your computer. Typically I'd advise buying a cheap used laptop on eBay and using just that one for school but it looks like you can't do that unfortunately. Pretty scummy of the school to do that.

Unfortunately, I've tried VMs and Boot Camp. VMs still get blocked by the school's network, and Boot Camp is unfortunately unavailable due to my Mac running Apple Silicon. The school requires you to use a second user, but making that requirement years after I joined the school, plus the added hassle of alternating users, means it'd be very difficult for me to use and set up a second user with what I've got on my main now. Plus the MDM software is system-wide, making a second user almost meaningless; it's just not worth the hassle for such little benefit.


Your school is more controlling than some of the IT companies I worked for, lol. I am personally quite anal about keeping work and personal data separate on different devices; this wouldn't fly with me at all. If they want to limit what you can and can't do on a computer, they'd better provide the computer.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18


While I fully understand the frustration, I completely understand the school. Having a bunch of uncontrolled devices from users who have admin privileges on those devices is a big no-go.

I mean think about it, you have:

a) completely dummy users who click on just about anything and care nothing about security

b) you have a bunch of wannabe 'h4ck3r5' that will try to mess with the school

c) you will have a bunch of kids that actually know what they are doing and will seriously mess with the school

That is a complete nightmare for the IT staff, not to mention that they are most likely underfunded and understaffed. Locking down the users' devices as much as you possibly can really is the only way they have even a chance of keeping the infrastructure running.

If it were a public school I'd say they need to provide a device, but seeing as it's a private school? I am sure they laid out the rules before you signed up. At this point I would suggest biting the bullet and simply getting a cheap device that you use for school, and keeping your own device away from it.

Does that suck? Sure, but if I were responsible for the IT department of the school and I needed to allow the students to bring their own devices, I would do the same, if not more, to lock them down.


Just thinking out loud: would sending either the school or IT a strongly worded anonymous email be worthwhile? Just presenting my privacy concerns, along with the fact that these are our laptops and they should respect that, etc.


7 hours ago, XWAUForceflow said:

While I fully understand the frustration, I completely understand the school. Having a bunch of uncontrolled devices from users who have admin privileges on those devices is a big no-go.

I mean think about it, you have:

a) completely dummy users who click on just about anything and care nothing about security

b) you have a bunch of wannabe 'h4ck3r5' that will try to mess with the school

c) you will have a bunch of kids that actually know what they are doing and will seriously mess with the school

That is a complete nightmare for the IT staff, not to mention that they are most likely underfunded and understaffed. Locking down the users' devices as much as you possibly can really is the only way they have even a chance of keeping the infrastructure running.

If it were a public school I'd say they need to provide a device, but seeing as it's a private school? I am sure they laid out the rules before you signed up. At this point I would suggest biting the bullet and simply getting a cheap device that you use for school, and keeping your own device away from it.

Does that suck? Sure, but if I were responsible for the IT department of the school and I needed to allow the students to bring their own devices, I would do the same, if not more, to lock them down.

I totally understand the need to put software on the devices. However, to do so to the extent that it currently is seems like they're taking it a bit too far. Do you think it would be possible to make their MDM stuff a bit more lightweight?


Just get a $50 refurb Chromebook off of Amazon for school use (or a refurb $80 ThinkPad T410 off of eBay--better) and nuke the living shit off of that stuff on your personal.

Aerocool DS are the best fans you've never tried.


Look, you, or a parent, or a group of students could cause a stink about this and it might effect change. But, unfortunately, you're probably going to have to live with the decision to BYO your MacBook and all of the nonsense that your school forces on you, and then do a full wipe when you're done. In a perfect world, I'd have a school device and a personal device, but that's not how it goes in life.


You should be able to dual boot; it's what I did back in the day (back when I managed to get my MAC address booted from the uni network... turns out running test server code sort of sends up red flags). Dual booting worked perfectly, and should in your case as well. Install the software on a school boot OS, and that way you maintain your privacy while still meeting all the school's requirements.

3735928559 - Beware of the dead beef


I personally think that sounds like way too much from the school's side.

At my uni they don't have any software on my PC at all.

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


4 minutes ago, Mihle said:

I personally think that sounds like way too much from the school's side.

At my uni they don't have any software on my PC at all.

Depends on what their reasoning for it is. If they have in-class but online learning, I can understand it... even then, if they allow laptops in class I could understand it, as you know there will be students who try accessing things they should be; and while you can detect it to an extent with network equipment, the simpler solution is being able to monitor for that on the computer side. With that said, I do suspect they might be required to take tests or similar on the laptop, in which case I could see the software being used.


7 hours ago, RollyShed said:

Your device so install Linux and ask for MDM. They can't so then demand they do... or else.

Linux is not a protected class, they can just deny your request to join the network if your laptop can't run their software.

I sold my soul for ProSupport.


2 hours ago, wanderingfool2 said:

Depends on what their reasoning for it is. If they have in-class but online learning, I can understand it... even then, if they allow laptops in class I could understand it, as you know there will be students who try accessing things they should be; and while you can detect it to an extent with network equipment, the simpler solution is being able to monitor for that on the computer side. With that said, I do suspect they might be required to take tests or similar on the laptop, in which case I could see the software being used.

Dual booting is probably the best option around their software, although it's quite awkward managing files and having to reboot every day. We do not take tests on our laptops, and I don't believe they ever actively monitor our activity; well, they certainly don't have any good reason to.

I think from here I'll go down the route seanondemand suggested and see how much of a stink I can kick up with a few friends who echo my thoughts, even if they just allow/make it possible to disable Falcon while at home or as required. Still happy to hear any other ideas though.


3 hours ago, HammerheadH said:

Dual booting is probably the best option around their software, although it's quite awkward managing files and having to reboot every day. We do not take tests on our laptops, and I don't believe they ever actively monitor our activity; well, they certainly don't have any good reason to.

I think from here I'll go down the route seanondemand suggested and see how much of a stink I can kick up with a few friends who echo my thoughts, even if they just allow/make it possible to disable Falcon while at home or as required. Still happy to hear any other ideas though.

Some MDM solutions won't let you dual boot on Macs (you also can't dual boot when there is a local admin account that you don't control). Good luck.

I'll be honest, that sounds entirely fair. Can you not use your own internet, or what? Mobile phones not allowed?

Also, the title is misleading as hell; they do not force you *at all*.

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer


It's a private school, they can totally have their own policies. If you don't agree with them, go to a different school. If enough people do that, they will change their policies.

 

Or just buy an entirely separate laptop for school that has all their required software, and use your existing one at home without any of the MDM stuff.


If it's a personal device I'm not enrolling it in MDM. If they require devices on the network to be managed by their IT department then they'll need to provide the device. Does your school offer devices for students to use? 

 

I've done some work in a school before, and we didn't require anything like this. School owned and managed devices were on an entirely separate and secured network. Non-district devices (so personal devices brought by students and staff) were only permitted to use a separate Wi-Fi network that had zero access to anything on the main network. It had a few other limitations as well, but these were all network limitations, and they didn't require any sort of management configuration on the device itself. 

Phobos: AMD Ryzen 7 2700, 16GB 3000MHz DDR4, ASRock B450 Steel Legend, 8GB Nvidia GeForce RTX 2070, 2GB Nvidia GeForce GT 1030, 1TB Samsung SSD 980, 450W Corsair CXM, Corsair Carbide 175R, Windows 10 Pro

 

Polaris: Intel Xeon E5-2697 v2, 32GB 1600MHz DDR3, ASRock X79 Extreme6, 12GB Nvidia GeForce RTX 3080, 6GB Nvidia GeForce GTX 1660 Ti, 1TB Crucial MX500, 750W Corsair RM750, Antec SX635, Windows 10 Pro

 

Pluto: Intel Core i7-2600, 32GB 1600MHz DDR3, ASUS P8Z68-V, 4GB XFX AMD Radeon RX 570, 8GB ASUS AMD Radeon RX 570, 1TB Samsung 860 EVO, 3TB Seagate BarraCuda, 750W EVGA BQ, Fractal Design Focus G, Windows 10 Pro for Workstations

 

York (NAS): Intel Core i5-2400, 16GB 1600MHz DDR3, HP Compaq OEM, 240GB Kingston V300 (boot), 3x2TB Seagate BarraCuda, 320W HP PSU, HP Compaq 6200 Pro, TrueNAS CORE (12.0)
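The separation BondiBlue describes (managed devices on their own network, personal devices on a Wi-Fi that can only reach the internet) is enforced at the network edge rather than on the device. The ruleset below is an added example, not the poster's or any school's configuration; the interface names (wan0, school0, byod0) and the addressing are constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: edge firewall that isolates a BYOD Wi-Fi from the school LAN.
# Assumed (constructed) layout:
#   wan0     uplink to the internet
#   school0  10.10.0.0/16  school-owned, MDM-managed devices and servers
#   byod0    10.20.0.0/16  personal, unmanaged student/staff devices
#   10.10.0.53  school DNS resolver, the only internal host BYOD may reach

flush ruleset

table inet school_edge {
    # Private address space: nothing in here is reachable from byod0
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies belonging to connections the firewall already allowed
        ct state established,related accept
        ct state invalid drop

        # BYOD may use the school resolver (UDP and TCP 53) and nothing else internal
        iifname "byod0" ip daddr 10.10.0.53 udp dport 53 accept
        iifname "byod0" ip daddr 10.10.0.53 tcp dport 53 accept

        # Any other BYOD attempt to reach internal space is logged and dropped;
        # the log line is what IT watches instead of an agent on the laptop
        iifname "byod0" ip daddr @internal_nets counter log prefix "byod-lateral " drop

        # Everything else from BYOD may only leave through the uplink
        iifname "byod0" oifname "wan0" accept

        # Managed devices keep full internal and internet access
        iifname "school0" accept
    }
}
```

The trade-off the thread is arguing about is visible here: this policy protects the school network from unmanaged laptops, but it says nothing about the state of the laptop itself, which is what an MDM agent provides.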


8 hours ago, wanderingfool2 said:

Depends on what their reasoning for it is. If they have in-class but online learning, I can understand it... even then, if they allow laptops in class I could understand it, as you know there will be students who try accessing things they should be; and while you can detect it to an extent with network equipment, the simpler solution is being able to monitor for that on the computer side. With that said, I do suspect they might be required to take tests or similar on the laptop, in which case I could see the software being used.

Eh, I dunno... Especially since it's privately owned. I get the school wanting MDM, but it doesn't make sense if it's not school property. Personally I'd say hell no. The only good reason I could see for the school doing this is that they can purchase applications in bulk and restrict applications. They don't own the hardware; they shouldn't be able to lock it down.

They can block this stuff with hardware, but the school sounds too cheap to do that, seeing as they won't provide laptops. Any half-decent firewall or a dedicated web filter appliance should be able to do this.

@HammerheadH I would tell them to remove it and, worst case, use a school laptop or something. IANAL, but they have no right to do that to your hardware. If the school was a business and you were accessing sensitive content from your own device, then sure. But it's not a business, it's a school.

Just my opinion

 

Breaking things 1 day at a time


7 minutes ago, BondiBlue said:

If it's a personal device I'm not enrolling it in MDM. If they require devices on the network to be managed by their IT department then they'll need to provide the device. Does your school offer devices for students to use? 

 

I've done some work in a school before, and we didn't require anything like this. School owned and managed devices were on an entirely separate and secured network. Non-district devices (so personal devices brought by students and staff) were only permitted to use a separate Wi-Fi network that had zero access to anything on the main network. It had a few other limitations as well, but these were all network limitations, and they didn't require any sort of management configuration on the device itself. 

Seconding this. I also have done work for a school. They can provide a guest network and their own devices.
