Using work OSX machine while travelling
I will shortly be travelling for work. I do not have the capacity to bring anything other than my work machine. In addition to working every day I would like to: legally stream movies in the evening, work on writing, email friends etc. At home of course I use a separate laptop for this but in this case I won't have that option. Any thoughts on how best to achieve a separation of concerns while travelling? How do people on Tildes manage this case?
P.S. I know in a best case scenario it's not ideal, hence my behaviour at home, I just need a working method for this particular case.
Ideally you would just not use your work machine to access any personal information or sites but it seems like you don’t really have a choice.
I’m not sure how locked down your work laptop is, but you can do all of those things via a web browser. Just make sure you log out everything when you’re done with your trip. All of the major browsers will let you open a separate profile so you can keep your personal and work stuff separated.
Thanks @JXM, unfortunately that won't be enough. I need a few personal applications, Joplin etc. My machine is not locked down at all. It was shipped to me new and I have full admin privileges.
I'm likely overthinking it, I just want to maintain some kind of split. I was thinking of a live persistent distro of some kind but that might be overkill.
I mean, if you have full admin rights and trust your employer not to monitor your computer, then you can just install what you want and uninstall it when you get back. You can also use an app like AppCleaner to completely remove the apps once your trip is done.
That's not a choice I'd make, but it's an option.
As for using a live image, it's a whole lot harder on newer M-series based Macs. You could use something like UTM to install your own virtualized copy of MacOS.
Your employer could still hypothetically monitor your network traffic or screen, but at least the apps are in a separate environment.
Maybe keep everything in an encrypted image file?
Or, in case that is feasible, dual boot or add a separate user?
I don't suppose you have experience dual booting linux on an m3 mac? AFAIUI, Apple's switch to their own silicon chips means no more boot camp :/
Why not dual boot macOS? You can create a new APFS volume and reinstall macOS on it. macOS security is pretty good. A device provisioning profile (if one exists) can reinstall itself to a new macOS image, but macOS will tell you about it. Most likely there isn’t one, and you are good to go. Also you can easily delete that volume once you get back from the trip if you want.
Hmmmm. That's an interesting idea, thanks for sharing. Do you know of a guide anyplace I can follow to achieve that?
I don’t know about a guide, but it’s pretty straightforward. Boot the Mac into recovery mode (I think you hold the power button, Google should tell you for sure). Then open disk utility and create a new apfs volume called whatever you want. Then recovery mode has an option to reinstall macOS. Select that and have it install onto your new volume. You can pick what OS you want to boot into at startup (I think you hold down the power button again, if you have issues search Google for “change macOS startup disk” or similar).
As a side note, apfs volumes are like partitions but only take up whatever storage they are actually using. You don’t have to choose how much space to allocate to each disk.
True. I forgot.
Well, there is this repo, which looks like it might work: https://github.com/leifliddy/asahi-fedora-builder
Since it’s your work machine, maybe use an external drive to install this and change the startup disk.
Appreciate the link, sadly I think m3 users will still have to wait a while :(
Since you mentioned “work on writing” and not just watching Netflix, you should read your employment agreement very carefully to look for any implications around using company resources (e.g. granting ownership rights to the company for any IP produced).
Awhile back I was in a similar situation. I was too lazy to read the employee handbook/agreement, so I just made sure to do any creative personal projects on my computer at home. I figured it was just safer that way.
Personally, I almost never mix personas on devices. I suck it up and lug two laptops around the airports if I have to.
Consider using your phone for your personal activities, or perhaps bring a tablet, with maybe a small portable keyboard.
re: streaming movies: consider a streaming device, like a Roku. They're very small and portable, and, with an HDMI cable, can hook up to most hotel room TVs.
Not sure if I'm reading the situation correctly, so please ignore if my advice is not appropriate.
Unless you're somehow 100% sure that IT is not tracking your computer activity, I would assume that they are. And since it sounds like there is no way to liveboot from a USB drive or similar with your type of Mac, any of these other options will leave some sort of trace. Even if IT can't see exactly what you're doing in a virtual machine or an SSH session, they can still see the fact that you're doing it. And they could investigate further based on that.
Personally I wouldn't want to face that risk. Even if you're doing nothing wrong, it's about the appearance of wrongdoing. And doing any of these weird work-arounds looks a lot shadier than if you simply got caught streaming Netflix on a browser.
Is there a way you can ask your manager or an IT person about this? If you're traveling enough for this to be an issue, I think it would seem reasonable to ask about doing the things you're interested in doing. I would just try to keep it low-key. Maybe there is an official policy saying you can't use the laptop for any personal uses. But if you have a personal conversation with the IT person, they might say "Oh yeah as long as you're not doing anything illegal or downloading viruses from shady gaming sites, we don't really care."
And to be clear, that situation would still be a risk for you if anything went wrong, but if I were you, I'd feel a lot more comfortable knowing that.
This is an excellent idea. I asked today about fair use and it seems I'll be well within the boundaries of that. Thanks @felixworks! Sometimes the best solution is just having a chat with someone. I'll still be exercising caution (separate OS on APFS volume) but it's good to get confirmation that personal use is no issue in such cases. Thanks again.
I’m in a similar situation; I use separate browsers to make the separation easier in my mind; Chrome for work, Firefox for personal stuff. Other than VMs or dual booting (both of which have their downsides), I’d say you just download whatever you need and accept that it’s mixed in with other work applications. You could create a separate user on your machine I guess to really separate things, but I haven’t felt the need to do that. Even then, that approach isn’t really perfect separation as some things are installed globally.
Thanks for the reply. Given I'm using an m3 I think the best option I have is a separate user profile running VirtualBox and Linux there. It ought to be separate enough for my use case.
You might look at Jump Desktop or something similar. Set your personal laptop at home to always be on and awake, then remote into it while traveling. That way, none of your personal data is on your work laptop.
How about setting up a new OS level user account? It should be easy to erase everything afterwards (just delete the whole account). This would mean having a strict separation between work and personal though, which is not easy.
Everyone else is overcomplicating this. This is the answer here. Create a new user account for personal stuff and delete the account when you’re done and back home.
I would argue that the OP is overcomplicating this. The real solution is to just tough it out for a few days, or just bring the personal laptop if it's a longer trip. Not sure if OP will address why they can only bring a work laptop.
Is that relevant? They said they can’t do it so any suggestions should factor that in as a requirement. The reasons why are their business. I’m not sure they need to address why they can only bring their work laptop.
There’s a name for it that escapes me now, but essentially someone specifically asks for X, but only because they think it will solve problem Y, when really Z is a more appropriate solution. So, it can be helpful to probe and find out the true problem/situation to offer the best advice.
You pretty much remember the name, it's called the XY Problem. :)
They flatly stated that they do not have the capacity to bring their work machine. That is the problem. Everything else would be open to probing but this is literally the first thing they said.
Do they think they can only fly with one laptop in carry-on? Misunderstanding, problem solved. Are they so tight on luggage space that an extra laptop physically won’t fit? Maybe even suggestions like an iPad won’t fit either. There could be any number of factors that change the nature of the advice or even eliminate the problem entirely.
An iPad isn’t an answer to their problem either. They asked how to separate work and personal use on one machine. It’s pretty presumptuous to assume that they didn’t attempt or consider multiple devices. They’re specifically asking for something with this restriction. The reason for the restriction is irrelevant.
Sometimes knowing the nature of the boundaries lets you craft much better solutions, even ones that might appear to straddle or overshoot the line with only a 30,000 foot view of the border. Maybe it's presumptuous, but it's something that comes up very often when giving advice, at least in my experience. Assuming the boundaries aren't personal or secret, more information only means better problem solving.
It seems we’re already going in circles, so I’ll just refer you back to my original reply with the XY Problem and end it here.
Is my question relevant? I think so. There's lots of solutions to their problem (separating work and personal computing needs), but they're arbitrarily limiting the solution because they haven't explained why there's a restriction. Is it purely due to size/weight? In which case a portable Bluetooth keyboard and their phone would be a decent solution as well.
If someone is asking for help, then in order to fully help them I would want to know all the details. If you go to the doctor and just say "I just need to make my stomach stop hurting", then you are skipping all possible diagnosis if you don't give them more details. You're treating the symptom and not the cause.
Is it their business? Yes, but they also posted the question on a public forum so it's not that private.
Maybe they thought of those solutions but would ideally like to limit themselves to one laptop so are trying to get ideas on how to do it. I mean they specifically said they don’t want to bring another laptop and they want solutions for if you are only bringing one.
...or maybe they misunderstood the limitations? Without clarification, we can't really know for sure.
What is my point? OP could save all the time and hassle of setting up a more elaborate solution that still ultimately compromises their separation of work and personal. I just don't want them to waste their time. I promise that I only have good intentions, and not merely trying to be argumentative.
I never said it was private. I’m saying that the stated problem is not “separation of work and personal computing needs”. It’s “separation of work and personal needs on one computer”. Why does the reason for the restriction matter if that restriction exists regardless of the reason?
What do you mean by "The reasons why are their business."? My understanding of the phrase "their business" is that it means private.
I read “separation of work and personal needs on one computer” is their solution to the problem, but that's okay that we have different interpretations of it.
The reason for the restriction matters because it might not be real. Like DrStone mentioned, it could be a misunderstanding. It's also presumptuous to assume that they did attempt or consider multiple devices. This is a random internet person that most of us don't personally know. We can't make any assumptions either way. That's why we're asking for clarity.
I meant “it’s their business” as in “we don’t need to know how they got here, they’re clear about the situation they’re in”.
This is the kind of presumptuous thing I’m complaining about. It’s not at all presumptuous to assume they attempted or considered multiple devices considering they’ve explicitly stated they’re in a situation where they cannot take multiple devices.
This is like someone asking “I can only watch one movie, which movie should I watch?” and someone responding with “Why are you only watching one movie? You might be able to watch two so tell me why you’re only watching one?”
It’s neither helpful nor respectful of the person asking the question.
Using your example of being only able to watch one movie, I would absolutely want to know why they can only watch one LOL. Is it a time constraint? Media constraint? Data constraint? Like someone else said a few posts above, knowing the situation better will yield better solutions. I don't think it's being unhelpful or disrespectful. But that's okay, we can agree to disagree on this.
Knowing the situation better might yield better solutions. There’s not a guarantee that it will. It might also waste everyone’s time since the question is relatively simple and adding more info may unintentionally overcomplicate the responses (as it clearly has from all the speculation) and not be helpful at all.
I agree! There is no guarantee, but we won't know for sure unless we do have this information.
And I disagree that adding more info may unintentionally overcomplicate the responses. The reason why there's so much speculation is because we don't have more info LOL.
Fellow Tildes user (Tildean?), it's okay to not agree on things. You are free to do as you wish, but I'm going to leave it at that as I don't think I'm adding anything else to this thread.
Could you elaborate on this statement?
Is it possible for you to bring a tablet (e.g., an iPad, possibly with a keyboard attachment)? This might be a relatively pricey investment (upwards of $400, possibly less if you buy used/older models), but if you're traveling often and seriously concerned about co-mingling your personal and professional life, I don't think anything less than separate hardware would suffice.
This particular statement puzzles me too.
If it's just a short trip, just use your phone for streaming and emailing friends. Skip writing for the duration of the trip...or maybe just write on paper? If it's a longer trip, then the clear solution is to just bring the personal laptop too.
I'm not sure why there's this limitation of not being able to bring 2 laptops.
I would be really careful about using work systems to directly access personal stuff. If it was me, I'd either self host a little system with dynamic DNS at home, or run a little VPS or an EC2 instance in AWS. Install the personal apps you need there, and all you need to do on the work system is have an SSH client with X11 forwarding, or whatever works for remote access.
Barring that, yeah, it sounds like folks have got you going down the VM path, which is about the next best option.
Is there a reason why you'd be so careful about doing things like emailing or streaming after work hours? I get that there's no expectation of privacy, but I'm not sure why the average person should care.
It depends on the employer, and this one is obviously fairly loose as these things go, but it can be used as a pretext to fire you. I'm used to larger organizations where they spell that out in user agreements with the computers, but I've seen someone fired in a smaller org where that was used as a for cause justification.
Huh, that would have never crossed my mind so long as I was using the computer outside of work hours to do normal, legal things. Thanks.
Just know you have no expectation of privacy on your work machine. If you’re doing it try to silo your personal stuff off from the work stuff. If they have any agents on your laptop they’ll be able to see your activity, primarily where you’re connecting and what applications you’re running. But in most cases it’s probably not a big deal.
I have a separate browser on my work machine that I use for personal stuff. Safari is private browsing and chrome is work browsing. I also use separate applications or accounts within those applications where there’s overlap.
The other thing you can do is try to Remote Desktop into your home computer from the work machine if that’s practical. If you have your own VPN that should be pretty well screened off (though they’ll know you’re accessing a VPN). The only way they’d see anything is if they’re running a keylogger, but most corporate snoopware doesn’t get that granular because nobody has the audit capacity to sift through THAT many logs.
Use a hosted virtual machine. Then all your personal stuff is in the virtual machine and you are only using the work laptop to make a connection to it.
Create a remote virtual desktop on AWS (or other VDI service) and login to it every day?
I didn't expect this to generate the amount of discussion it has. Lots of great ideas here. Thanks all for your time! Not bringing two laptops is only born of a desire to travel light. I could bring two if I so wished. I was only curious of others in a similar boat. Whatever the case, I hope we all learnt something.
Here's another idea. What kind of phone do you have? Some devices (I believe mainly Samsung) have a desktop-like mode where you can plug it into an external monitor/keyboard and use it for web browsing, word processing, etc. You could plug it into the TV in your hotel as a monitor. Or if you're planning on bringing a tablet, you could bring a Bluetooth keyboard and use it almost like a laptop. Both will have limitations obviously, but I'd guess they would work fine for the basics.
Thanks for the clarification of the phrase "I do not have the capacity to bring anything other than my work machine".
It's already been suggested but if your real reason is to travel light, then a Bluetooth keyboard + phone/tablet is probably the best compromise while still keeping your work and personal fully separated. But that's me. I never want to mingle work with personal. While the risk is low (I've read your post above and it seems like you're good to go), it's never zero.
I hope it works out for you, as those much smarter than me have given fantastic suggestions!
I would recommend against installing personal software or dual booting the work machine. One of the most important reasons companies provide a dedicated work machine is to have a separate security context. When you introduce your own software you take on the risk and responsibility for any confidential work data compromised by your personal use.
I used to run a single laptop with both work and personal stuff running in VMs. That was my daily driver when I worked at reddit in the early 2010s. Using VMs or doing everything personal in a browser are pretty low risk, because both function as a sandbox.
However, these days, it's not worth the complexity imo. It's nice to close up the work laptop and have it stay closed at the end of the day.
Since you have admin privilege on your computer, what I would do is install a separate browser for your personal stuff, then uninstall it when you get back and remove all its other files. If you need your own software, you could download virtualbox and have a virtual machine volume, encrypted which you use for all your personal stuff. Then you can easily remove the virtual volume and virtualbox. I don’t know if this would be disallowed or not, or seen as a way of circumventing certain security features of your device.
A thing I haven't seen mentioned here is booting another (mac)OS from an external drive. If the Mac's main drive is encrypted, and yours is too, there's no way to mix or track what you're doing on the other OS. Windows is quite bitchy but macOS should be installing and booting just fine from an external drive.