My company is implementing device management and I'm unsure of how to proceed

Hey all,

For the first time in my career, a company I am working for is implementing MDM. I’ve been very fortunate to avoid this so far, and curious if anyone has any insights or experiences to share to ease my stress. I would say that fundamentally my stress comes from the fact that my workflow has always been “One Mac To Rule Them All”, and MDM (maybe?) means moving to a Two Mac system.

The MDM we’re implementing is Microsoft Intune; reading their docs, it seems fairly light-handed in its approach; they claim to not be able to see our files, our photos, our iMessages, etc. – and I do trust my company generally. We will be able to install any apps we want, etc. We have company permission to use our company computers for “lightweight” personal things, which frankly is all I use my personal Mac for anyway.

Should I just stick to “One Mac”? Should I try to move to a two mac lifestyle? One of the considerations here is that my personal Mac is hugely overpowered (16 inch M1 Max, 64gb ram, 4 TB hard drive), and the laptop I will be provided with by work is a 14 inch M2 Pro, 16 GB ram, 512gb hard drive. A downgrade, but certainly good enough for my modest needs (although could certainly use my disk).

I could adapt to a Two Mac lifestyle, or sell my personal mac for thousands of dollars? I could also sell my personal mac and still do a Two Mac lifestyle, buying a more modest personal machine like an M2 Air.

In the case where I do use a Two Mac lifestyle, I feel like I probably would still need to sign in to my iCloud account on the MDM laptop to access the apps I’ve purchased, although I guess I could turn iCloud, Photos, iCloud Drive, etc. off?

What would you guys do? I am not particularly privacy conscious, but it does give me a slight unease at the idea of using my MDM’d company laptop for light personal use, even if they are limited by both policy and technology on what they can see and do.

1 Like

Is your company implementing device management on computers that belong to their employees or only on company issued devices?

The Two Mac approach may prove itself non-viable if they block access to iCloud Drive (and, to be honest, if I was in charge I would probably block it and leave only OneDrive or whatever).

I am in the same situation as you, a lightweight MDM system that allows me to use iCloud Drive, and use my own Apple account on iCloud etc.

About a year ago, we had a similar discussion. The only difference was that this was not about having one or two Macs but about one or two iPhones (work and personal - or using the work phone for personal stuff):

I - and others - shared our view on that matter there. I think a lot of those thoughts may also be worth considering in your situation.

My point of view: I would never put personal data or personal apps on a work device, especially if it is managed with a MDM system (this is me in my job and in my situation). Not only to protect my data but also to protect the company I am working for.

4 Likes

A big question would be in being able to back up your device. Is that allowed, can you choose your own backup solution and location? That would be my first area of interest, simply because if your device is ever remotely wiped, you don’t want to lose your personal data.

In the ‘good ole days’ I tested betas in a virtual OSX machine running on a 16gb ram Intel iMac.

If you “will be able to install any apps we want, etc” that might be a way to just have the company Mac and still have a “second” Mac for “lightweight personal things”.

Two Mac lifestyle. I lean strongly on separating work and personal.

8 Likes

I’m in the same boat and have been having the same internal debate for months. My company implements MDM with Microsoft Intune, but only on our work devices (M2 MBP for me). My personal device is an M1 iMac, which is beautiful and I love it, and honestly prefer to do all of my computing on it, even though it is less powerful, because of the bigger screen.

I wind up switching back and forth, which is less than ideal. I prefer the single Mac lifestyle, but reading through some of the recommendations here has me second-guessing if I should have work and personal data mixed. It’s amazing how much you get used to being signed into iCloud all the time. Like having Messages, Calendar, Notes, etc… There’s a lot that I’d miss if I weren’t signed into iCloud.

If I had room for a second screen I’d probably buy an Apple Studio Display and use my MBP more, but I honestly have no idea what I’d do with my iMac then.

Enough about me though. For the OP’s question, I think it comes down to your personal tolerance, and your company’s tolerance, for risk. If being signed into your personal accounts is not (yet) against company policy, and you don’t have any problems mixing the two, then a one-Mac lifestyle would probably work well for you. However, if you have any qualms at all from either standpoint, splitting your work and personal between two machines is probably for the best.

I want to bring a different flavour here. Because I work in compliance, I naturally see risks from both sides (Employer and Employee) and have seen a few scenarios which have caused problems for the employee.

If you operate solely on a corporate device, even if they allow you to use it for personal reasons, the device belongs to the company. This means that they can remove access to it (physically, at least) at any time, temporarily or permanently.

Please don’t think about the best case scenario of the above, also consider what happens if the company removes your access with no warning. I appreciate that you trust your company, but those in charge may not always be in charge (look at Twitter with Musk) and if they have to make a call that they believe is best for the company over multiple or a single employee, they’ll choose the company because it’s their job to do that.

I would always keep my personal life on personal devices which I have full control of. It’s more expensive, but you always know where you stand.

17 Likes

The only way this might remotely work is if you are a partner/principal in the company and thus can establish rules to protect/segregate your personal data.

If you are an employee without such management privileges, then there is no question that you need to have your own separate Mac for all the reasons others have said so far.

Moreover you mentioned potentially signing into your iCloud account on this Mac; I doubt you will want to do that. Let your employer buy all the software you need for this new Mac; keep it totally separate from your personal computer. Or perhaps look into ways you can do a remote session to login to your personal computer remotely rather than installing personal software/data on the new company computer.

1 Like

Ever since I’ve had both a work and home computer, since the late 1970s, I’ve always maintained the two computer lifestyle. I never put personal data on a work computer. It’s more than just fear of snooping IT and HR departments but also that the work computer could go away at any time. Note also that my work computers were never under much in the way of central management, basically a perk of being in Engineering and IT not really wanting to get involved with our non-traditional usage patterns!

4 Likes

Total separation of personal and work. NEVER put ANY personal data or sign in to any personal apps on any machine that is owned by or controlled by your work company. Just Don’t Do It! The risks are far and away not worth any perceived efficiencies. It protects you AND your company.

7 Likes

I’ve done it both ways. On most jobs, I used one machine for both work and personal. Sometimes it was the company issued machine. Sometimes, if I couldn’t stand the company issued machine, I’d use my own. And I put the company-mandated MDM software on my iPhone and iPad.

Nothing bad happened in those cases but I worried about it a lot. Because I knew that very bad things could happen. I was taking a big risk.

On my last job, I kept a separation between work and home machine. It wasn’t quite 100%, but it was close. That job lasted only four months, a bad fit all around. When it was done I boxed up my work computer, shipped it back to HQ, and that was that. Simple and easy. I’m glad I did that.

1 Like

I … ehm … routinely use a work machine for accessing personal data.

It may make a difference what industry you work in, and where in the world you are located. My employer is a British university. They issue me a MBP which has its software stack centrally managed, but it comes with additional ‘admin rights’ so I effectively run my own machine alongside them; manage my own backups; and so on. iCloud was switched off by default, but I could request for it to be switched on (for some app syncing primarily – data storage there is seriously discouraged in favour of Microsoft OneDrive). The one time my IT team required direct access to troubleshoot something, this happened through an app called TeamViewer, and only worked when I ok’d access temporarily at my end. Ultimately they own the MBP, and may have access to more than I’d care to know.

But for me the line between ‘company’ and ‘private’ data is also very nebulous. As a Humanities scholar, I would always, always, expect to ‘own’ my research data and take this to any next job. Once more my discipline matters here: in the Humanities no one cares; had I worked in engineering with major industry partners filing patents, it would be a different situation I am sure.

I guess that the careful advice above is the sensible one. I’ve never much worried about this – and you’ve given me food for thought. @ibuys is right, this all comes down to your appetite for risk. I consider mine relatively low at the moment – famous last words?

3 Likes

Responding to @geoffaire but really to everyone – thank you for all the points of view here!

I am not sure if I’ve achieved any clarity, but certainly more to think about. I understand the stance of “church-and-state absolutism” but I worry about how it actually works in practice.

Things like “you don’t need to worry about signing in to the App Store to download your apps because your company should pay for all the software you use for work” doesn’t really reflect reality, in my experience. Taking a look at a handful of apps (some App Store, some not): Obsidian, Raycast, Pixelmator Pro, Overcast, iA Writer, CleanShot, Things … any of these my employer might not pay for because they’re not directly work required, but all are key to my own personal workflows, etc. Especially utilities like Raycast – having this on one Mac and not on another would be like using two fundamentally different systems.

I think for me the best outcome will probably be a blend; two Macs, but with 90% of my usage concentrated to the work machine.

1 Like

I buy services which I’m lucky my work allows me to have installed, like 1Password and TextExpander, so I understand. My advice was more around your personal data.

Don’t lose access to it if the worst happens. And ensure you can remove access to it from the work machine.

1 Like

I have a work machine, and I only access personal data through web apps, but mass storage is completely blocked, as is webmail. I’ll, for example, sign into a website I use for personal use (e.g., this forum) but I wouldn’t save anything there. I have installed personally paid-for apps - you just need to check the terms that they are fine to use in a work environment (e.g., Obsidian).

I would never do personal non-work things on my work laptop. As others have said it’s just too risky for all involved.

2 Likes

The company I work for allows the use of personal devices, but requires MDM for anything that connects to corporate resources. They also provide needed hardware if you’re not BYODing things.

I use the corporate-issued laptop for “regular” computing, and an old iPhone for the limited number of things I need a mobile device for. It has only corporate-required apps and configs.

I set up a separate Apple ID for my corporate devices. I added that Apple ID as a managed account to my iCloud “family”, so that I can use some apps from the Mac App Store without needing to get corporate approval for buying them. But in all other ways my corporate devices and personal devices are separate.

Personal opinion: you’re absolutely NUTS to put personal anything on a corporate-managed device.

  • I don’t want the risk
  • Corporate doesn’t want the risk
  • I don’t want the distraction

The number of things that can go wrong, even when everyone has the best of intentions, is way too large for any post here to cover.

Yes, having two devices is a PITA. Especially if you’re trying to share one display. Especially if it’s an Apple display that has only one input. My Studio Display is constantly on the “wrong” computer.

So be it. I’m more likely to buy a second display (or, better yet, replace the current one with something with two inputs) than I am to combine personal and company computer use.

Because I’m nuts, but I’m not that nuts.

3 Likes

I share your frustration as my org uses MS Intune. It’s not been horrible and I have been able to lock out my photos and other programs. Downside is that you have to select media as you need to share it.

Our IT henchmen require reauthenticating every other day or so which is also a pain. Upside though is I can continue my M1 MBA life and flow.

I had a similar situation before I retired 11 years ago. Got to use my Lenovo laptop for personal stuff since I needed to have it with me when on call. Not a big deal since it was lightly managed and not locked down. Didn’t switch to Apple for personal until just before retiring when I moved all my personal stuff off the company machine and went with the 2 machine lifestyle. With the changes that have been implemented since I left I would definitely go with a separate personal machine now.

I don’t understand those people, and the ones that require a password change every three months or so. It disturbs the workflow and if you have to change the password you write them on small stickers next to your computer. Dumbass ideas.

It’s like the Apple forum, you need to log in every effing time you visit. I hate it (and therefore don’t use it as much as I can)!

2 Likes