Your University IT Sees More on Your Mac Than Respondus Does (Personal vs Managed Mac)
The two device classes
| Aspect | Personal Mac | University-Managed Mac (MDM) |
|---|---|---|
| Admin password | You | University IT (you may have user-level only) |
| Software install policy | Your decision | Pre-approved list, IT can push/remove apps remotely |
| EDR agent | None (typical) | CrowdStrike, SentinelOne, Microsoft Defender, Jamf Protect |
| Network monitoring | Your home router only | VPN with deep-packet inspection |
| Disk encryption | FileVault opt-in | FileVault enforced + IT recovery key |
| TCC permission control | You | IT can pre-grant or deny permissions via PPPC profiles |
What Respondus sees in either case
Same in both: the camera, microphone, screen recording, and TCC-permitted file access during the exam. Respondus's scope is identical regardless of who owns the Mac.
What your university IT can see - only on managed Macs
- Process memory + behavior: EDR agents have read access to process memory. Theoretically they could observe LDB's in-memory state - including pre-encryption camera frames and pre-upload recordings.
- File system events: Every file LDB writes (including the on-disk buffer) is logged by EDR. Your IT has visibility into the existence and size of recordings before they upload.
- Network connections: Even with TLS, EDR sees connection metadata - destination, timing, byte counts. Your university's VPN may also do TLS inspection on non-pinned connections.
- App launch history: Detailed log of every app you launched, including LDB session start/end times, installation history, and version.
None of this is captured on a personal Mac. The university's observability ends at the network gateway.
The privacy decision tree
| Scenario | Recommendation |
|---|---|
| You own a personal Mac | Use it for exams. Privacy stops at Respondus. |
| Personal Mac unavailable, managed Mac required | Accept the broader exposure. Document for yourself which IT systems can see what. |
| Hybrid: personal Mac, but university VPN required | VPN sees connection metadata only. Disconnect after exam. |
| Roommate's/family Mac (your name not on it) | Same as personal. But do full cleanup after. |
Configurations that matter on a managed Mac
- PPPC profile pre-grants: if your IT has pre-granted Camera/Mic/Screen Recording to LDB via configuration profiles, you don't see TCC prompts at all. Convenient but means no opportunity to deny.
- EDR exclusions: some IT departments configure EDR to exclude LDB process from inspection. Worth asking your helpdesk: "Does EDR inspect LDB process memory?"
- VPN split-tunnel: if your university's VPN is split-tunnel and routes only campus traffic, your home traffic isn't visible. Full-tunnel routes everything.
- FileVault recovery key escrow: on managed Macs, IT typically holds the recovery key. They can decrypt the disk if confiscated for investigation.
Practical hygiene
- On managed Macs: assume full IT visibility. Don't use the device for personal browsing during the exam window.
- On personal Macs: still run post-exam cleanup to clear the on-disk buffer.
- On either: exclude the Group Container directory from Time Machine if you don't want backed-up recording chunks.
- If you're given a choice, the personal Mac is the privacy-cleaner option by a substantial margin.
Frequently asked questions
Can my university IT actually access my Mac's screen during an exam?
On managed Macs with remote-management enabled (Apple Remote Desktop, Jamf Remote, etc.), yes - they have technical capability. Most universities do not exercise this during exams as policy, but capability ≠ policy. Ask your IT explicitly what their exam-time monitoring policy is.
Does FileVault encryption protect me on a managed Mac?
It protects against physical theft, not against IT. On managed Macs, IT holds the recovery key (escrowed during enrollment) - they can decrypt the disk if needed. FileVault is between you and external attackers, not you and IT.
Should I bring up privacy concerns with my professor or DPO?
DPO is the right channel. Universities are required (under GDPR / FERPA) to inform students about data processing. A polite query to the DPO yields written documentation of what's collected and how - useful for your records.