Is My Employer Monitoring My Mac? How to Actually Check

Quick answer: If your employer owns the Mac, they likely can monitor it through an MDM profile (System Settings > General > Device Management) and may install agents that log activity. Check Privacy & Security permissions, Login Items, and Activity Monitor for unfamiliar tools. A personal Mac you bought yourself is far harder for them to monitor without you installing something.

A reader asked me this last month, and it's a fair question. They'd just started a remote job, the company shipped them a MacBook, and they wanted to know whether someone on the other end could see their screen. The honest answer depends almost entirely on one thing: who owns the machine.

So before we get into the technical checks, let's separate the two situations, because they're completely different.

> Prefer not to dig through menus? Run a free CoreLock Security Score to see every app with screen, mic, camera, or full-disk access in about 60 seconds.

Who Owns the Mac Changes Everything

If your employer bought the Mac and handed it to you, they have a legal and technical right to manage it. Most companies enroll these machines in an MDM (Mobile Device Management) system before you ever open the box. That's normal, and in many places it's disclosed in your employee handbook or acceptable-use policy.

If it's *your* personal Mac that you bought with your own money, your employer generally can't monitor it unless you installed their software yourself — a VPN client, a "secure browser," a time-tracking app, or a meeting tool with broad permissions. No company can magically reach into a laptop they don't manage.

Most of the worry I hear comes from people who genuinely aren't sure which situation they're in. So let's make it checkable.

Check for a Device Management Profile

This is the single most important check, and it takes ten seconds.

Go to System Settings > General > Device Management (on older macOS it lived under Profiles). If you see a profile here — something like "Company MDM" or a named configuration profile — your Mac is being managed by an organization. That organization can typically push apps, enforce settings, require a passcode, and in some cases wipe the device remotely.

If this section is empty or says "No profiles installed," your Mac is not under MDM control. That rules out the most common form of corporate oversight right away.

What MDM does *not* automatically mean: it does not mean someone is watching your screen in real time. MDM is mostly about configuration and security policy. Live monitoring requires additional software, which we'll look for next.

Look at What Can See Your Screen, Mic, and Camera

macOS makes you grant explicit permission for the invasive stuff, and it lists every app that has it. This is where actual monitoring tools show up, because they need these permissions to do their job.

Open System Settings > Privacy & Security and check each of these one at a time:

• Screen & System Audio Recording — anything here can capture what's on your display. Look for tools you didn't install. Legitimate apps like Zoom, Loom, or your screen-sharing software will appear here too, which is expected.
• Accessibility — a powerful permission that lets an app control and read other apps. Monitoring software often lives here.
• Input Monitoring — apps that can watch your keyboard and mouse. This is the permission a keylogger-style tool needs. My guide to checking your Mac for a keylogger goes deeper on this one.
• Camera and Microphone — see which apps can switch these on.
• Full Disk Access — the broadest of all. An app here can read essentially every file in your account, including Mail, Messages, and Safari data.

Go through each list and ask yourself the same two questions: do I recognize this app, and do I remember granting it this access? If something looks like a corporate agent — names like "endpoint," "agent," "monitor," "DLP," "InTune," "Jamf," or a vendor you've never heard of — that's worth noting. Walking through every recording permission methodically is exactly what my post on how to check which apps are recording you covers.

Understand the Green and Orange Dots

macOS gives you live, hard-to-fake signals when your camera or mic turns on, and they're genuinely useful.

A green dot next to the menu bar (the Control Center area, top-right) means your camera is active right now. An orange dot means your microphone is active. If either appears when you're not on a call or recording, click the Control Center icon — macOS will tell you exactly which app is using it.

These indicators are built into the system at a low level, so even well-behaved monitoring tools can't hide the dot while using your camera or mic. If you never see an unexpected dot during normal work, nothing is secretly recording your audio or video in that moment.

Check Login Items and Background Agents

Monitoring software usually needs to start automatically and stay running. So it tends to install itself as a login item or a background agent.

Go to System Settings > General > Login Items & Extensions. Look at both lists: "Open at Login" and "Allow in the Background." The background section often hides the more interesting stuff — services that run quietly without a visible window. Unfamiliar entries from companies you don't recognize deserve a closer look.

You can also check the classic locations from Terminal:

ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/

Each .plist file here represents a background process. Anything in /Library/LaunchDaemons/ runs with elevated privileges, which is exactly where a managed endpoint agent likes to live. To see what one actually launches:

cat /Library/LaunchDaemons/suspicious.name.plist

Look at the ProgramArguments section to find the real executable being run. A vendor name there often tells you immediately whether it's a corporate tool. If you want a broader walkthrough of spotting things running quietly, see my post on hidden processes running on your Mac.

Watch Running Processes and Network Connections

Open Activity Monitor (in /Applications/Utilities/) and click the CPU tab. Sort by process name and skim for anything unfamiliar — especially names referencing monitoring, endpoint protection, or a vendor brand. Double-click a process to see its full file path and which account it's running under.

From Terminal, you can see what's running and, importantly, what's phoning home:

ps aux | grep -v grep | sort
lsof -i | grep ESTABLISHED

The first command lists every running process. The second shows active network connections. Monitoring agents typically maintain a connection back to a management server, so an unfamiliar process holding a steady outbound connection is a reasonable thing to investigate. Note the name, then search for it — most corporate agents (Jamf, Kandji, CrowdStrike, Microsoft Defender for Endpoint, and similar) are easy to identify once you have the exact name.

Be fair to yourself here, though: a lot of legitimate software keeps network connections open. The goal isn't to panic at every result, it's to recognize what's yours and flag what isn't.

What's Realistic vs. What's Paranoid

Let me be straight about the boundaries, because the internet tends to exaggerate this topic.

On a company-owned, MDM-managed Mac, it's reasonable to assume your employer *could* see installed apps, enforce security settings, know the device's location in some setups, and — if they've installed the right agent — log application usage or capture screenshots. Whether they actually do any of this varies enormously by company. Many enroll devices purely for security compliance and never look at individual activity.

On a personal Mac, the realistic risk is much smaller. Without you installing their software, an employer can typically only see what you do *inside* their systems — your work email, their VPN traffic while connected, activity in their SaaS tools. They can't see your personal browsing or local files on a machine they don't manage.

What macOS genuinely protects against: silent camera/mic access (the dots), and undisclosed access to your screen, keystrokes, or files (the permission lists). Those are the checks that actually matter, and you've now run all of them.

How to Revoke Access on a Personal Mac

If this is your own machine and you found something you don't want, you're in control. In System Settings > Privacy & Security, open the relevant category (Screen Recording, Accessibility, Input Monitoring, Full Disk Access, etc.) and toggle the app off. The app may stop working or complain — that's expected.

To stop a background agent, disable it in Login Items & Extensions, then quit the process in Activity Monitor. If it was installed as a LaunchDaemon, removing the .plist and the underlying app fully is the cleaner fix. Then check for signs your Mac is still compromised over the following days, since some tools try to reinstall.

One important caveat: don't do this to a company-owned Mac. Removing a required management agent can violate your acceptable-use policy and may flag IT. If it's a work device and you're uncomfortable, the right move is to ask your employer directly what's installed and why — a reasonable employer will tell you.

The Calm Version of the Answer

If you bought the Mac, you almost certainly aren't being monitored unless you installed something that does it — and now you know how to find and remove it.

If your employer owns the Mac, they may have management and possibly monitoring in place, which is common and often disclosed. The Device Management profile, the Privacy & Security permission lists, the green and orange dots, and your login items together give you a clear, honest picture of what's actually possible on your specific machine.

You don't need to assume the worst. You just need to look in the right places — and you can do that in a few minutes whenever the question comes up again.