What can other administrators access on my machine? The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Protect files from other administrator accountsHow secure are iCloud backups?Unwanted saving of proxy credentialsnsurlsessiond is using all my bandwidthOnly root login remains (all other users gone) and even root hangs, so can't access!How can you switch users at the login screen, without administrator access, with only one local account (the administrator) and many network accounts?Protect files from other administrator accountsCan a thief know my Apple ID without my PIN code?I have a company MacBook Pro and I no longer can see my username on the login screenFileVault and other user accounts; repairEffects of logging in to same Apple ID on multiple macOS accounts (single computer)

How did passengers keep warm on sail ships?

Does Parliament hold absolute power in the UK?

Can the DM override racial traits?

How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time

How many people can fit inside Mordenkainen's Magnificent Mansion?

Do warforged have souls?

Arduino Pro Micro - switch off LEDs

Why did all the guest students take carriages to the Yule Ball?

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?

Can a 1st-level character have an ability score above 18?

How to delete random line from file using Unix command?

Single author papers against my advisor's will?

He got a vote 80% that of Emmanuel Macron’s

Typeface like Times New Roman but with "tied" percent sign

Semisimplicity of the category of coherent sheaves?

Can the prologue be the backstory of your main character?

Are my PIs rude or am I just being too sensitive?

Does Parliament need to approve the new Brexit delay to 31 October 2019?

Create an outline of font

Why can't wing-mounted spoilers be used to steepen approaches?

Python - Fishing Simulator

What was the last x86 CPU that did not have the x87 floating-point unit built in?

How can I protect witches in combat who wear limited clothing?



What can other administrators access on my machine?



The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Protect files from other administrator accountsHow secure are iCloud backups?Unwanted saving of proxy credentialsnsurlsessiond is using all my bandwidthOnly root login remains (all other users gone) and even root hangs, so can't access!How can you switch users at the login screen, without administrator access, with only one local account (the administrator) and many network accounts?Protect files from other administrator accountsCan a thief know my Apple ID without my PIN code?I have a company MacBook Pro and I no longer can see my username on the login screenFileVault and other user accounts; repairEffects of logging in to same Apple ID on multiple macOS accounts (single computer)



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








6















I've been given a new MacBook Pro at work, and it has an administrator account which I assume the IT department has the credentials to. I have been created a local account which is also an administrator.



I'm just wondering, as another administrator, what of my data can they access and read? I have iCloud Drive and other services turned on, and I don't particularly like the idea that someone can go in and grab that stuff.










share|improve this question






























    6















    I've been given a new MacBook Pro at work, and it has an administrator account which I assume the IT department has the credentials to. I have been created a local account which is also an administrator.



    I'm just wondering, as another administrator, what of my data can they access and read? I have iCloud Drive and other services turned on, and I don't particularly like the idea that someone can go in and grab that stuff.










    share|improve this question


























      6












      6








      6


      1






      I've been given a new MacBook Pro at work, and it has an administrator account which I assume the IT department has the credentials to. I have been created a local account which is also an administrator.



      I'm just wondering, as another administrator, what of my data can they access and read? I have iCloud Drive and other services turned on, and I don't particularly like the idea that someone can go in and grab that stuff.










      share|improve this question
















      I've been given a new MacBook Pro at work, and it has an administrator account which I assume the IT department has the credentials to. I have been created a local account which is also an administrator.



      I'm just wondering, as another administrator, what of my data can they access and read? I have iCloud Drive and other services turned on, and I don't particularly like the idea that someone can go in and grab that stuff.







      macos security user-account






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Apr 10 at 3:38









      bmike

      162k46291630




      162k46291630










      asked Apr 9 at 23:28









      RickyRicky

      23018




      23018




















          3 Answers
          3






          active

          oldest

          votes


















          8














          Short answer: Generally an administrator account can access and read any file on the computer. To protect files, either remove all untrusted admin accounts except for yours or encrypt the specific files you need protected with your admin password. Another admin can reset your password, but not see it to unlock things like your keychain. Of course a new password for encryption is ideal if you don’t trust another admin.



          There are certain files within your account that are encrypted and can not be read without your password.



          The main file I'm thinking of is the "Keychain" which may contain your iCloud password and any other passwords you've allowed Safari (or other apps) to remember.




          As an IT system administrator myself I would recommend not to store personal data on your work computer that you don't want anyone else to see.



          The computer may have backup software that's backing up all files on the computer - including your iCloud Drive.



          Also remember that if you're fired, the computer may be taken away before you have a chance to remove your personal files.






          share|improve this answer




















          • 4





            Even in jurisdictions that are typically very worker- and privacy-friendly, it is generally accepted that all files you store on a company device "belong to" the company, at least in the sense that they can arbitrarily delete them. While in the more privacy-conscious jurisdictions, it may be illegal for an IT admin to continue reading when he accidentally discovers private files on your device, there is a) no guarantee that he will actually do that, and b) he is allowed anyway to read anything on your device until he discovers obviously private data.

            – Jörg W Mittag
            Apr 10 at 7:08






          • 1





            Plus, not all jurisdictions are that privacy-conscious.

            – Jörg W Mittag
            Apr 10 at 7:09






          • 1





            This answer doesn't address FileVault (nor encrypted backups). Can encrypted files inside FileVault be read by other admins? I thought the answer was no.

            – Konrad Rudolph
            Apr 10 at 8:21







          • 1





            @KonradRudolph The original version of FileVault (which encrypted individual home directories) could not be read be others unless a specific user was logged in. The current version with full disk encryption does not provide that level of privacy, any user allowed to unlock will unlock the whole disk.

            – nohillside
            Apr 10 at 21:55


















          6














          This document provided by Apple titled: Set up users, guests and groups on Mac covers the types of privileges each user type is allowed.




          Administrator: An administrator can add and manage other users, install apps and change settings. The new user you create when you first set up your Mac is an administrator. Your Mac can have multiple administrators. You can create new ones, and convert standard users to administrators. Don’t set up automatic login for an administrator. If you do, someone could simply restart your Mac and gain access with administrator privileges. To keep your Mac secure, don’t share administrator names and passwords.




          Expanding on this, basically an Administrator can access any of your files and pretty much do anything on the system.



          References



          • Protect files from other administrator accounts





          share|improve this answer






























            2














            An Administrator account should be able to install software to log keystrokes, a keylogger. With your keyboard input captured, any passwords input would be captured and could be used to open otherwise secure applications and files. I cannot say whether Apple prevents their use on macOS, but anyone sufficiently determined would be able to circumvent such restrictions.



            Also, screen capture software can often be used to determine what keystrokes have been made, especially on mobile devices where the on-screen keyboard keys pop-up as typed.



            It is not your computer. Treat it as such.






            share|improve this answer








            New contributor




            newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.



























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              8














              Short answer: Generally an administrator account can access and read any file on the computer. To protect files, either remove all untrusted admin accounts except for yours or encrypt the specific files you need protected with your admin password. Another admin can reset your password, but not see it to unlock things like your keychain. Of course a new password for encryption is ideal if you don’t trust another admin.



              There are certain files within your account that are encrypted and can not be read without your password.



              The main file I'm thinking of is the "Keychain" which may contain your iCloud password and any other passwords you've allowed Safari (or other apps) to remember.




              As an IT system administrator myself I would recommend not to store personal data on your work computer that you don't want anyone else to see.



              The computer may have backup software that's backing up all files on the computer - including your iCloud Drive.



              Also remember that if you're fired, the computer may be taken away before you have a chance to remove your personal files.






              share|improve this answer




















              • 4





                Even in jurisdictions that are typically very worker- and privacy-friendly, it is generally accepted that all files you store on a company device "belong to" the company, at least in the sense that they can arbitrarily delete them. While in the more privacy-conscious jurisdictions, it may be illegal for an IT admin to continue reading when he accidentally discovers private files on your device, there is a) no guarantee that he will actually do that, and b) he is allowed anyway to read anything on your device until he discovers obviously private data.

                – Jörg W Mittag
                Apr 10 at 7:08






              • 1





                Plus, not all jurisdictions are that privacy-conscious.

                – Jörg W Mittag
                Apr 10 at 7:09






              • 1





                This answer doesn't address FileVault (nor encrypted backups). Can encrypted files inside FileVault be read by other admins? I thought the answer was no.

                – Konrad Rudolph
                Apr 10 at 8:21







              • 1





                @KonradRudolph The original version of FileVault (which encrypted individual home directories) could not be read be others unless a specific user was logged in. The current version with full disk encryption does not provide that level of privacy, any user allowed to unlock will unlock the whole disk.

                – nohillside
                Apr 10 at 21:55















              8














              Short answer: Generally an administrator account can access and read any file on the computer. To protect files, either remove all untrusted admin accounts except for yours or encrypt the specific files you need protected with your admin password. Another admin can reset your password, but not see it to unlock things like your keychain. Of course a new password for encryption is ideal if you don’t trust another admin.



              There are certain files within your account that are encrypted and can not be read without your password.



              The main file I'm thinking of is the "Keychain" which may contain your iCloud password and any other passwords you've allowed Safari (or other apps) to remember.




              As an IT system administrator myself I would recommend not to store personal data on your work computer that you don't want anyone else to see.



              The computer may have backup software that's backing up all files on the computer - including your iCloud Drive.



              Also remember that if you're fired, the computer may be taken away before you have a chance to remove your personal files.






              share|improve this answer




















              • 4





                Even in jurisdictions that are typically very worker- and privacy-friendly, it is generally accepted that all files you store on a company device "belong to" the company, at least in the sense that they can arbitrarily delete them. While in the more privacy-conscious jurisdictions, it may be illegal for an IT admin to continue reading when he accidentally discovers private files on your device, there is a) no guarantee that he will actually do that, and b) he is allowed anyway to read anything on your device until he discovers obviously private data.

                – Jörg W Mittag
                Apr 10 at 7:08






              • 1





                Plus, not all jurisdictions are that privacy-conscious.

                – Jörg W Mittag
                Apr 10 at 7:09






              • 1





                This answer doesn't address FileVault (nor encrypted backups). Can encrypted files inside FileVault be read by other admins? I thought the answer was no.

                – Konrad Rudolph
                Apr 10 at 8:21







              • 1





                @KonradRudolph The original version of FileVault (which encrypted individual home directories) could not be read be others unless a specific user was logged in. The current version with full disk encryption does not provide that level of privacy, any user allowed to unlock will unlock the whole disk.

                – nohillside
                Apr 10 at 21:55













              8












              8








              8







              Short answer: Generally an administrator account can access and read any file on the computer. To protect files, either remove all untrusted admin accounts except for yours or encrypt the specific files you need protected with your admin password. Another admin can reset your password, but not see it to unlock things like your keychain. Of course a new password for encryption is ideal if you don’t trust another admin.



              There are certain files within your account that are encrypted and can not be read without your password.



              The main file I'm thinking of is the "Keychain" which may contain your iCloud password and any other passwords you've allowed Safari (or other apps) to remember.




              As an IT system administrator myself I would recommend not to store personal data on your work computer that you don't want anyone else to see.



              The computer may have backup software that's backing up all files on the computer - including your iCloud Drive.



              Also remember that if you're fired, the computer may be taken away before you have a chance to remove your personal files.






              share|improve this answer















              Short answer: Generally an administrator account can access and read any file on the computer. To protect files, either remove all untrusted admin accounts except for yours or encrypt the specific files you need protected with your admin password. Another admin can reset your password, but not see it to unlock things like your keychain. Of course a new password for encryption is ideal if you don’t trust another admin.



              There are certain files within your account that are encrypted and can not be read without your password.



              The main file I'm thinking of is the "Keychain" which may contain your iCloud password and any other passwords you've allowed Safari (or other apps) to remember.




              As an IT system administrator myself I would recommend not to store personal data on your work computer that you don't want anyone else to see.



              The computer may have backup software that's backing up all files on the computer - including your iCloud Drive.



              Also remember that if you're fired, the computer may be taken away before you have a chance to remove your personal files.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Apr 10 at 3:26









              bmike

              162k46291630




              162k46291630










              answered Apr 10 at 2:39









              BenBen

              1963




              1963







              • 4





                Even in jurisdictions that are typically very worker- and privacy-friendly, it is generally accepted that all files you store on a company device "belong to" the company, at least in the sense that they can arbitrarily delete them. While in the more privacy-conscious jurisdictions, it may be illegal for an IT admin to continue reading when he accidentally discovers private files on your device, there is a) no guarantee that he will actually do that, and b) he is allowed anyway to read anything on your device until he discovers obviously private data.

                – Jörg W Mittag
                Apr 10 at 7:08






              • 1





                Plus, not all jurisdictions are that privacy-conscious.

                – Jörg W Mittag
                Apr 10 at 7:09






              • 1





                This answer doesn't address FileVault (nor encrypted backups). Can encrypted files inside FileVault be read by other admins? I thought the answer was no.

                – Konrad Rudolph
                Apr 10 at 8:21







              • 1





                @KonradRudolph The original version of FileVault (which encrypted individual home directories) could not be read be others unless a specific user was logged in. The current version with full disk encryption does not provide that level of privacy, any user allowed to unlock will unlock the whole disk.

                – nohillside
                Apr 10 at 21:55












              • 4





                Even in jurisdictions that are typically very worker- and privacy-friendly, it is generally accepted that all files you store on a company device "belong to" the company, at least in the sense that they can arbitrarily delete them. While in the more privacy-conscious jurisdictions, it may be illegal for an IT admin to continue reading when he accidentally discovers private files on your device, there is a) no guarantee that he will actually do that, and b) he is allowed anyway to read anything on your device until he discovers obviously private data.

                – Jörg W Mittag
                Apr 10 at 7:08






              • 1





                Plus, not all jurisdictions are that privacy-conscious.

                – Jörg W Mittag
                Apr 10 at 7:09






              • 1





                This answer doesn't address FileVault (nor encrypted backups). Can encrypted files inside FileVault be read by other admins? I thought the answer was no.

                – Konrad Rudolph
                Apr 10 at 8:21







              • 1





                @KonradRudolph The original version of FileVault (which encrypted individual home directories) could not be read be others unless a specific user was logged in. The current version with full disk encryption does not provide that level of privacy, any user allowed to unlock will unlock the whole disk.

                – nohillside
                Apr 10 at 21:55







              4




              4





              Even in jurisdictions that are typically very worker- and privacy-friendly, it is generally accepted that all files you store on a company device "belong to" the company, at least in the sense that they can arbitrarily delete them. While in the more privacy-conscious jurisdictions, it may be illegal for an IT admin to continue reading when he accidentally discovers private files on your device, there is a) no guarantee that he will actually do that, and b) he is allowed anyway to read anything on your device until he discovers obviously private data.

              – Jörg W Mittag
              Apr 10 at 7:08





              Even in jurisdictions that are typically very worker- and privacy-friendly, it is generally accepted that all files you store on a company device "belong to" the company, at least in the sense that they can arbitrarily delete them. While in the more privacy-conscious jurisdictions, it may be illegal for an IT admin to continue reading when he accidentally discovers private files on your device, there is a) no guarantee that he will actually do that, and b) he is allowed anyway to read anything on your device until he discovers obviously private data.

              – Jörg W Mittag
              Apr 10 at 7:08




              1




              1





              Plus, not all jurisdictions are that privacy-conscious.

              – Jörg W Mittag
              Apr 10 at 7:09





              Plus, not all jurisdictions are that privacy-conscious.

              – Jörg W Mittag
              Apr 10 at 7:09




              1




              1





              This answer doesn't address FileVault (nor encrypted backups). Can encrypted files inside FileVault be read by other admins? I thought the answer was no.

              – Konrad Rudolph
              Apr 10 at 8:21






              This answer doesn't address FileVault (nor encrypted backups). Can encrypted files inside FileVault be read by other admins? I thought the answer was no.

              – Konrad Rudolph
              Apr 10 at 8:21





              1




              1





              @KonradRudolph The original version of FileVault (which encrypted individual home directories) could not be read be others unless a specific user was logged in. The current version with full disk encryption does not provide that level of privacy, any user allowed to unlock will unlock the whole disk.

              – nohillside
              Apr 10 at 21:55





              @KonradRudolph The original version of FileVault (which encrypted individual home directories) could not be read be others unless a specific user was logged in. The current version with full disk encryption does not provide that level of privacy, any user allowed to unlock will unlock the whole disk.

              – nohillside
              Apr 10 at 21:55













              6














              This document provided by Apple titled: Set up users, guests and groups on Mac covers the types of privileges each user type is allowed.




              Administrator: An administrator can add and manage other users, install apps and change settings. The new user you create when you first set up your Mac is an administrator. Your Mac can have multiple administrators. You can create new ones, and convert standard users to administrators. Don’t set up automatic login for an administrator. If you do, someone could simply restart your Mac and gain access with administrator privileges. To keep your Mac secure, don’t share administrator names and passwords.




              Expanding on this, basically an Administrator can access any of your files and pretty much do anything on the system.



              References



              • Protect files from other administrator accounts





              share|improve this answer



























                6














                This document provided by Apple titled: Set up users, guests and groups on Mac covers the types of privileges each user type is allowed.




                Administrator: An administrator can add and manage other users, install apps and change settings. The new user you create when you first set up your Mac is an administrator. Your Mac can have multiple administrators. You can create new ones, and convert standard users to administrators. Don’t set up automatic login for an administrator. If you do, someone could simply restart your Mac and gain access with administrator privileges. To keep your Mac secure, don’t share administrator names and passwords.




                Expanding on this, basically an Administrator can access any of your files and pretty much do anything on the system.



                References



                • Protect files from other administrator accounts





                share|improve this answer

























                  6












                  6








                  6







                  This document provided by Apple titled: Set up users, guests and groups on Mac covers the types of privileges each user type is allowed.




                  Administrator: An administrator can add and manage other users, install apps and change settings. The new user you create when you first set up your Mac is an administrator. Your Mac can have multiple administrators. You can create new ones, and convert standard users to administrators. Don’t set up automatic login for an administrator. If you do, someone could simply restart your Mac and gain access with administrator privileges. To keep your Mac secure, don’t share administrator names and passwords.




                  Expanding on this, basically an Administrator can access any of your files and pretty much do anything on the system.



                  References



                  • Protect files from other administrator accounts





                  share|improve this answer













                  This document provided by Apple titled: Set up users, guests and groups on Mac covers the types of privileges each user type is allowed.




                  Administrator: An administrator can add and manage other users, install apps and change settings. The new user you create when you first set up your Mac is an administrator. Your Mac can have multiple administrators. You can create new ones, and convert standard users to administrators. Don’t set up automatic login for an administrator. If you do, someone could simply restart your Mac and gain access with administrator privileges. To keep your Mac secure, don’t share administrator names and passwords.




                  Expanding on this, basically an Administrator can access any of your files and pretty much do anything on the system.



                  References



                  • Protect files from other administrator accounts






                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Apr 9 at 23:36









                  slmslm

                  679514




                  679514





















                      2














                      An Administrator account should be able to install software to log keystrokes, a keylogger. With your keyboard input captured, any passwords input would be captured and could be used to open otherwise secure applications and files. I cannot say whether Apple prevents their use on macOS, but anyone sufficiently determined would be able to circumvent such restrictions.



                      Also, screen capture software can often be used to determine what keystrokes have been made, especially on mobile devices where the on-screen keyboard keys pop-up as typed.



                      It is not your computer. Treat it as such.






                      share|improve this answer








                      New contributor




                      newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.
























                        2














                        An Administrator account should be able to install software to log keystrokes, a keylogger. With your keyboard input captured, any passwords input would be captured and could be used to open otherwise secure applications and files. I cannot say whether Apple prevents their use on macOS, but anyone sufficiently determined would be able to circumvent such restrictions.



                        Also, screen capture software can often be used to determine what keystrokes have been made, especially on mobile devices where the on-screen keyboard keys pop-up as typed.



                        It is not your computer. Treat it as such.






                        share|improve this answer








                        New contributor




                        newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.






















                          2












                          2








                          2







                          An Administrator account should be able to install software to log keystrokes, a keylogger. With your keyboard input captured, any passwords input would be captured and could be used to open otherwise secure applications and files. I cannot say whether Apple prevents their use on macOS, but anyone sufficiently determined would be able to circumvent such restrictions.



                          Also, screen capture software can often be used to determine what keystrokes have been made, especially on mobile devices where the on-screen keyboard keys pop-up as typed.



                          It is not your computer. Treat it as such.






                          share|improve this answer








                          New contributor




                          newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.










                          An Administrator account should be able to install software to log keystrokes, a keylogger. With your keyboard input captured, any passwords input would be captured and could be used to open otherwise secure applications and files. I cannot say whether Apple prevents their use on macOS, but anyone sufficiently determined would be able to circumvent such restrictions.



                          Also, screen capture software can often be used to determine what keystrokes have been made, especially on mobile devices where the on-screen keyboard keys pop-up as typed.



                          It is not your computer. Treat it as such.







                          share|improve this answer








                          New contributor




                          newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          share|improve this answer



                          share|improve this answer






                          New contributor




                          newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          answered 2 days ago









                          newyork10023newyork10023

                          211




                          211




                          New contributor




                          newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.





                          New contributor





                          newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






                          newyork10023 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.













                              Popular posts from this blog

                              Sum ergo cogito? 1 nng

                              三茅街道4182Guuntc Dn precexpngmageondP