What can other administrators access on my machine?

I've been given a new MacBook Pro at work, and it has an administrator account which I assume the IT department has the credentials to. I have been created a local account which is also an administrator.

I'm just wondering, as another administrator, what of my data can they access and read? I have iCloud Drive and other services turned on, and I don't particularly like the idea that someone can go in and grab that stuff.


Solution 1:

Short answer: Generally an administrator account can access and read any file on the computer. To protect files, either remove all untrusted admin accounts except for yours or encrypt the specific files you need protected with your admin password. Another admin can reset your password, but not see it to unlock things like your keychain. Of course a new password for encryption is ideal if you don’t trust another admin.

There are certain files within your account that are encrypted and can not be read without your password.

The main file I'm thinking of is the "Keychain" which may contain your iCloud password and any other passwords you've allowed Safari (or other apps) to remember.


As an IT system administrator myself I would recommend not to store personal data on your work computer that you don't want anyone else to see.

The computer may have backup software that's backing up all files on the computer - including your iCloud Drive.

Also remember that if you're fired, the computer may be taken away before you have a chance to remove your personal files.

Solution 2:

This document provided by Apple titled: Set up users, guests and groups on Mac covers the types of privileges each user type is allowed.

Administrator: An administrator can add and manage other users, install apps and change settings. The new user you create when you first set up your Mac is an administrator. Your Mac can have multiple administrators. You can create new ones, and convert standard users to administrators. Don’t set up automatic login for an administrator. If you do, someone could simply restart your Mac and gain access with administrator privileges. To keep your Mac secure, don’t share administrator names and passwords.

Expanding on this, basically an Administrator can access any of your files and pretty much do anything on the system.

References

  • Protect files from other administrator accounts

Solution 3:

An Administrator account should be able to install software to log keystrokes, a keylogger. With your keyboard input captured, any passwords input would be captured and could be used to open otherwise secure applications and files. I cannot say whether Apple prevents their use on macOS, but anyone sufficiently determined would be able to circumvent such restrictions.

Also, screen capture software can often be used to determine what keystrokes have been made, especially on mobile devices where the on-screen keyboard keys pop-up as typed.

It is not your computer. Treat it as such.