by caladin 987 days ago
Does anyone know if on company-provided macOS/macbook, can these kinds of tracking programs turn the microphone or webcam on without it being indicated in the system?

Obviously, it is a device that's not yours and the company can do all kinds of things such as installing rootkits and other things to do whatever, but putting that aside, short of that level of commitment, is anyone familiar with these kinds of programs and whether or not they indicate in some way (e.g. macOS-level indicators that some app is using the microphone/webcam).

I'm just curious if I have my work laptop in clamshell mode and it goes to sleep, to what extent is it not a 24/7 active bug? Maybe I should be shutting it down every single moment that I don't want to risk being spied on?

Is "sleeping" the macbook and closing it shut, enough? Is it low-level enough of a block, or can apps circumvent even that?

I'm specifically putting aside Pegasus-level circumventions here, since then all bets are off. I'm just thinking about 'off-the-shelf' level apps that companies can license and use.

4 comments

MDM software only allows you to do so much. We use it at my company. We can remotely wipe a Mac or reboot it, but that's pretty much it. I'm not aware of any 3rd party software that can turn on the camera (remember the green light) or capture the screen without the user knowing it's happening. Check out Jamf; it's a pretty standard 3rd party tool, and whatever they say they can do is what's possible from a corporate "non-hostile" perspective.
Unless Apple specifically prevents it - and maybe they do - it's not hard to do. I remember an old story of a school district in the US that gave the high school kids laptops, though I don't recall the brand, and used the camera to watch and take remote photos 24/7 without notifying anyone or getting permission; I think it might have taken photos automatically on a schedule too, but I'm not sure. I think the excuse was to prevent illicit use of the laptop.

IT pros, stop and think for a moment about the risks. How long did that take you? Apparently the school administration and IT personnel completely overlooked them.

They were watching and photographing underage kids in their bedrooms, not that spying on anyone anywhere is ok. They thought they caught one with drugs (it was candy) in their bedroom and showed the images to the parents. The parents sued the school district and it was in national news (maybe on HN). Somehow I never saw child pornography charges, even though I don't know that they could have prevented it - just turn on the camera at the wrong time.

I blame the IT personnel too, especially the CIO / IT director who failed to point out the risk and stop it, and even the low-level people should have stopped when they first saw the inside of a teenager's bedroom.

This article doesn't specify what the offending devices were, but iirc they were using Chromebooks: https://www.computerworld.com/article/2521075/pennsylvania-s...

>Michael and Holly Robbins of Penn Valley, Pa., said they first found out about the alleged spying last November after their son Blake was accused by a Harriton High School official of "improper behavior in his home" and shown a photograph taken by his laptop.

Apple specifically prevents it.
Unless they use MDM to push a profile that authorizes a specific application/developer to access system resources without prompting the user. This is a common practice for deploying security applications - e.g. CrowdStrike requires full-disk access and there's a policy that's deployable via MDM to enable it automatically during the next beacon from a host.

Edit: as an example https://pickorchard.com/deploy-crowdstrike-with-jamf/
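The profile mechanism in the comment above can be audited from the defender's side. As an added example (not code from the page, from Jamf, CrowdStrike or Apple), the Python below parses a constructed PPPC (Privacy Preferences Policy Control) configuration profile, the `com.apple.TCC.configuration-profile-policy` payload that MDMs push to pre-approve TCC-protected resources such as Full Disk Access, and reports each grant. It also flags Camera and Microphone entries marked as allowed: Apple's PPPC payload only lets a profile deny those two services, so an MDM profile cannot silently pre-approve camera or microphone access, which is the point the parent comment makes. The bundle identifiers and code requirements in the sample are placeholders I made up.

```python
import plistlib

# Constructed sample profile (not from the page or any vendor): an MDM-style
# PPPC payload that grants a hypothetical EDR agent Full Disk Access, tries to
# pre-approve Microphone access for a meeting tool, and denies Camera access to
# a legacy app. All identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.pppc.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadIdentifier</key><string>example.pppc.payload</string>
      <key>Services</key>
      <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
          <dict>
            <key>Identifier</key><string>com.example.edr-agent</string>
            <key>IdentifierType</key><string>bundleID</string>
            <key>CodeRequirement</key><string>identifier "com.example.edr-agent" and anchor apple generic</string>
            <key>Allowed</key><true/>
          </dict>
        </array>
        <key>Microphone</key>
        <array>
          <dict>
            <key>Identifier</key><string>com.example.meeting-tool</string>
            <key>IdentifierType</key><string>bundleID</string>
            <key>CodeRequirement</key><string>identifier "com.example.meeting-tool" and anchor apple generic</string>
            <key>Authorization</key><string>Allow</string>
          </dict>
        </array>
        <key>Camera</key>
        <array>
          <dict>
            <key>Identifier</key><string>com.example.legacy-app</string>
            <key>IdentifierType</key><string>bundleID</string>
            <key>CodeRequirement</key><string>identifier "com.example.legacy-app" and anchor apple generic</string>
            <key>Allowed</key><false/>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
# Services a profile may only deny; the user prompt cannot be bypassed for these.
DENY_ONLY_SERVICES = {"Camera", "Microphone"}


def entry_allows(entry):
    """True if the PPPC entry grants access. Older payloads use the boolean
    'Allowed' key; newer ones use 'Authorization' with 'Allow' or 'Deny'."""
    if "Authorization" in entry:
        return entry["Authorization"] == "Allow"
    return bool(entry.get("Allowed", False))


def audit_pppc(profile_bytes):
    """Return (service, identifier, allowed, note) for every PPPC entry in the profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_PAYLOAD_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                allowed = entry_allows(entry)
                if service in DENY_ONLY_SERVICES and allowed:
                    note = "ineffective: profiles can only deny this service"
                elif allowed:
                    note = "silent grant, no user prompt"
                else:
                    note = "deny"
                findings.append((service, entry.get("Identifier"), allowed, note))
    return findings


if __name__ == "__main__":
    for service, ident, allowed, note in audit_pppc(SAMPLE_PROFILE):
        print(f"{service:22} {ident:30} allowed={allowed!s:5} {note}")
```

Running it against a real profile exported from an MDM (`profiles show` on the Mac, or the `.mobileconfig` file itself) lists every application the organization has pre-approved without a prompt; anything other than a deny under Camera or Microphone is a misconfiguration rather than a working grant.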

> Is "sleeping" the macbook and closing it shut, enough?

For Apple silicon-based (and newer Intel-based), yes: https://support.apple.com/guide/security/hardware-microphone...

...which is pointless, because in the last two major MacOS releases (well, now three) an Apple Silicon system will not only remain connected to any bluetooth audio devices and wifi (even if "wake for network access" is set to "never"), it will actively seek connections with bluetooth audio devices that are turned on or come into range.

Not only is this a huge potential privacy issue, it's extremely annoying, because on many bluetooth headphones, it makes it impossible to, say, connect your phone to the headphones.

The issue with remaining on wifi is also extremely annoying if you're connected to a hotspot device. I discovered well into a vacation that my macbook was remaining connected to a hotspot and using up data - despite both "low data mode" (which has a penchant for magically turning itself off) and "wake for network access" set to never.

There was an option to disable allowing a bluetooth device to "wake" the system, which stops the mac from keeping bluetooth connections active during sleep, but that was removed in Catalina.

There's no excuse for removal of such an option, nor is there any excuse for not setting some logic such that only keyboards and mice retain active bluetooth connections.

The dumbification of MacOS marches on, as some anonymous mid-tier executive at Apple continues his or her mission to turn MacOS into iOS. We also lost wifi network priority a couple releases ago as well - a move that is so unfathomably stupid it defies belief. You used to be able to set a hotspot as high priority and then, say, a cafe's free (and far less secure) wifi network as a lower priority, and when you wanted to do something on the hotspot, you could just turn it on, and your mac would prefer that network. Now it's a roll of the dice at best.

Companies doing this have to be extremely careful. California is a two-party consent state. If an employer is found recording a personal conversation in the employee's home, they could find themselves in court with an unsympathetic jury.
Almost every state is one- or two-party consent. That means you have to be a party to the conversation at the very least. I don't know any state that allows passive recording of conversations in private.
Many employers during the pandemic engaged in all sorts of electronic monitoring on employees with seemingly no legal repercussions. The lawyers at America's corporate law firms have almost certainly devoted much time to dreaming up extensive legal arguments and language to slip into employee contracts, agreements, and 'handbooks'.

When you're fired for saying something derogatory about your employer that is picked up by your company-issued computer sitting in your home office, do you have the resources to fight them in court, especially given your employer's law firm almost certainly has a cozy relationship with the judiciary in your area?

> Many employers during the pandemic engaged in all sorts of electronic monitoring on employees with seemingly no legal repercussions.

But there's a key difference. If employers want to track what time you're on the company laptop or if it's connecting from an IP address in the location you claim to be working from, that's legal. Monitoring nominally mic-off personal conversations isn't.

If you don't have root, and sometimes even if you do, then you cannot be entirely sure. That's why hardware shutters and physical disconnects are a thing.
If you have root you still cannot turn on the camera without the physical light turning on, and I believe you’d need at least a kernel exploit to disable the screen indicator for the microphone.