MDM software only allows you to do so much. We use it at my company. We can remotely wipe a Mac or reboot it, but that's pretty much it. I’m not aware of any 3rd party software that can turn on the camera (remember the green light) or capture the screen without the user knowing it’s happening. Check out Jamf; it’s a pretty standard 3rd party tool, and whatever they say they can do is what’s possible from a corporate “non-hostile” perspective.
Unless Apple specifically prevents it - and maybe they do - it's not hard to do. I remember an old story of a school district in the US that gave the high school kids laptops, though I don't recall the brand, and used the camera to watch and take remote photos 24/7 without notifying anyone or getting permission; I think it might have taken photos automatically on a schedule too, but I'm not sure. I think the excuse was to prevent illicit use of the laptop.
IT pros, stop and think for a moment about the risks. How long did that take you? Apparently the school administration and IT personnel completely overlooked them.
They were watching and photographing underage kids in their bedrooms, not that spying on anyone anywhere is ok. They thought they caught one with drugs (it was candy) in their bedroom and showed the images to the parents. The parents sued the school district and it was in national news (maybe on HN). Somehow I never saw child pornography charges, even though I don't know that they could have prevented it - just turn on the camera at the wrong time.
I blame the IT personnel too, especially the CIO / IT director who failed to point out the risk and stop it, and even the low-level people should have stopped when they first saw the inside of a teenager's bedroom.
>Michael and Holly Robbins of Penn Valley, Pa., said they first found out about the alleged spying last November after their son Blake was accused by a Harriton High School official of "improper behavior in his home" and shown a photograph taken by his laptop.
Unless they use MDM to push a profile that authorizes a specific application/developer to access system resources without prompting the user. This is a common practice for deploying security applications - e.g. CrowdStrike requires full-disk access and there’s a policy that's deployable via MDM to enable it automatically during the next beacon from a host.
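The profile described in the comment above is a Privacy Preferences Policy Control (TCC) payload. The following is an added example, not part of the thread, of how a user or auditor could list what such a profile grants without a prompt; the sample profile is constructed and `com.example.edr-agent` is a hypothetical bundle ID.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed sample .mobileconfig (not from a real deployment).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
  <key>Services</key><dict>
    <key>SystemPolicyAllFiles</key><array><dict>
      <key>Identifier</key><string>com.example.edr-agent</string>
      <key>IdentifierType</key><string>bundleID</string>
      <key>Allowed</key><true/>
    </dict></array>
    <key>Camera</key><array><dict>
      <key>Identifier</key><string>com.example.edr-agent</string>
      <key>Authorization</key><string>Deny</string>
    </dict></array>
    <key>ScreenCapture</key><array><dict>
      <key>Identifier</key><string>com.example.edr-agent</string>
      <key>Authorization</key><string>AllowStandardUserToSetSystemService</string>
    </dict></array>
  </dict>
</dict></array>
</dict></plist>"""

def silent_grants(profile_bytes):
    """Return sorted (service, app identifier, authorization) for every non-Deny rule."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue  # not a privacy-policy payload
        for service, rules in payload.get("Services", {}).items():
            for rule in rules:
                # "Authorization" is the newer string key; "Allowed" is the legacy boolean.
                auth = rule.get("Authorization")
                if auth is None:
                    auth = "Allow" if rule.get("Allowed") else "Deny"
                if auth != "Deny":
                    findings.append((service, rule.get("Identifier", "?"), auth))
    return sorted(findings)

if __name__ == "__main__":
    for service, app, auth in silent_grants(SAMPLE_PROFILE):
        print(f"{app}: {service} -> {auth}")
```

On a managed Mac, installed profiles appear under the Profiles section of System Settings, and an exported `.mobileconfig` can be passed to `silent_grants` as bytes.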