Question

My father asked me to sort out some things on his MacBook. He's recently left his company where he used his laptop on the company servers/IT system whilst he was there. At some point in the past he got some tech support from the company IT department and they might have set up some software on his laptop.

Whilst in the App Store application I tried to install some updates but it failed to connect with a message something like "could not contact the app store server at apple.<company-domain>.com".

I thought it was strange that the App Store thought the update server was one at the company domain, so I had a look around the Mac settings.

In settings I found a "profiles" section and inside there were some items which appeared to be some sort of trusted root certificate issued by <company name> and something that said it enabled remote management of the laptop by .

It also may have had a configuration profile with something like "Mobile Device Management", although I can't recall exactly.

I promptly deleted them all and the App Store then worked as normal.

Can anyone explain what these items were and what security implications there could have been? Could <company name> have performed man-in-the-middle attacks on my father's web traffic? Would deleting these items such that the "Profile" section of Settings is no longer visible protect from any access or control from the company's IT department?

This may be more appropriate for security.stackexchange.com but I'd just like to understand if any privacy may have been breached.

Edit

This is the kind of item present, although this is not the actual one but a screenshot I found:



Solution

MDM (Mobile Device Management) profiles can change many settings within the system. As you suspected, in this case the software update mechanism was redirected to a company server. There were likely other settings as well. If the profile forced all network traffic through a VPN, then the company could view it in transit. You can check by looking in the network preferences for interfaces labeled "VPN" in the interface list.

Since you deleted the profile, you should be OK. Check the network settings, and also look for applications that may have been installed by the profile in /Applications. One other thing to look for would be CA certificates installed into either the System Roots or the System Keychain. Use Keychain Access and search in the System Roots for anything including the name of the company. Do the same for the System Keychain.
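The checks listed in this answer can also be run from Terminal. The script below is an added example, not part of the original answer: it lists remaining profiles and MDM enrollment, VPN services, and certificates in the System and System Roots keychains whose label contains a given name. The function names, the sample dump and the name `Example Corp` are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for leftovers after removing a management profile.
# Usage on macOS: sudo sh audit.sh "Company Name"   (the name is a placeholder)

# Read `security find-certificate -a` output on stdin and print the label of
# every certificate whose label contains $1 (case-insensitive, literal match).
cert_labels_matching() {
    sed -n 's/^ *"labl"<blob>="\(.*\)"$/\1/p' | grep -i -F -- "$1"
}

# Constructed sample of `security find-certificate -a` output (not real data).
sample_keychain_dump() {
    cat <<'EOF'
keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="Example Corp Root CA"
    "labl"<blob>="Example Corp Root CA"
keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="com.apple.systemdefault"
EOF
}

audit_mac() {
    company=$1
    echo "== Configuration profiles and MDM enrollment =="
    profiles list                      # as root, includes device-level profiles
    profiles status -type enrollment
    echo "== VPN services =="
    scutil --nc list
    echo "== Certificates whose label contains: $company =="
    for kc in /Library/Keychains/System.keychain \
              /System/Library/Keychains/SystemRootCertificates.keychain; do
        security find-certificate -a "$kc" | cert_labels_matching "$company" \
            || echo "none in $kc"
    done
}

# Only query the system when run on macOS with a name supplied.
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    audit_mac "$1"
fi
```

A certificate reported from the System keychain can then be inspected and removed in Keychain Access, as described above.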

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange