This is a very very long rant against a decision that seems entirely sensible to me. I specifically would not want any corporate-issued hardware happily chatting away with my personally-owned hardware, and I would encourage others to similarly keep their home and work life separate. If having an iPad (or a Vision Pro) would be useful for work, then their employer should issue one.
Employers could be free to restrict use of such devices via MDM policy if they wanted.
Also, how many of us have purchased keyboards, mice, displays, headphones, etc with our own money that we happily use with employer owned computers because it’s safe to do so?
Some employers are just straight up control freaks.
Sometimes it's misguided thoughts about security and third party keyboards from "unapproved vendors" (which is not entirely invalid to be concerned about, but unlikely to be an attack vector)......
But other times, they really do want you to use exactly what they provide you and nothing else. Things like "looking uniform and professional" or not wanting employees bringing their personal belongings to the workplace or whatever nonsense they come up with.
> Some employers are just straight up control freaks.
Sometimes it makes sense, infuriating as it may be. My partner works for a bank and says that daily someone brings up an annoyance due to central IT's restrictions, but nobody wants to be a vector for exfiltration of customer data.
> Things like "looking uniform and professional"
Yeah OK, anybody like that is a control freak!
In extreme freaky control: Tom Siebel was like that at Siebel Systems: you can wear anything you want to work unless customers might see you, in which case you have to wear suit and tie (men) or equivalent. Doesn't sound so bad -- just salespeople, right? -- except that they would tour prospective customers through the development areas so...everybody had to wear suit and a tie.
> nobody wants to be a vector for exfiltration of customer data
I have a hunch that the companies that are most obsessed with this are also those who routinely outsource to third-world boiler rooms and are clients of very competent & secure companies such as Okta.
The banks are under pretty tight regulation in this regard. I have no illusion that bank management cares about the customers’ concerns but they sure do care about the regulators!
My partner has no exposure to live bank data (not even her own — her team all get bank accounts so they can see what it looks like to be a customer) and she has said to me that she and her colleagues are glad they don’t have to worry about accidentally leaking anything. I guess there must be other teams that have to deal with that.
To my surprise nothing she is exposed to is outsourced overseas.
iPad is not in the list of "standard" hardware for my company (with thousands of developers and a good balance sheet). Good luck getting that approved as an exception.
there are plenty of companies where the thought of an exception, let alone such a restriction, is entirely alien. in part because it would take many of these companies, combined, to match the furniture/head count of full corpo.
you also are ignoring the non-technical leadership class. there are plenty of exceptions in full corpo. clearly you weren’t special enough to get one on a whim. no judgement there, never was myself.
To elaborate, personally I draw the line at peripherals. I do try to use different devices for work and not-work, but I use the same monitor+keyboard+mouse+headphones (and desk, and chair...) for both.
The Vision Pro is a weird middle ground of device and peripheral. When it's operating as a virtual display it's more of a peripheral, and it'd be nice if it acted more like one.
On an iOS device that potentially means erasing GBs of content (photos, iCloud Drive and app files, Safari bookmarks etc) and re-syncing GBs of content from the new account. Over and over.
Not to mention potential crisscrossing of accounts that happens. Heck, my work phone still rings when my personal FaceTime gets a call even if I completely logged out of my personal iCloud on the work phone (was a bad idea, should never have experimented). No obvious way to fix that.
At some point all my personal iCloud photos showed up on my work phone due to a similar problem. That’s fixed now but I’m always worried it’ll happen again.
I’ll never log in with a personal iCloud on a work device ever again.
I'd go further and say that employers are also motivated to keep corporate hardware and personal hardware separate for security reasons. Allowing personal devices direct access to corporate ones is yet another attack surface. Separation of work and personal devices is a good policy for both employees and employer.
> Allowing personal devices direct access to corporate ones is yet another attack surface. Separation of work and personal devices is a good policy for both employees and employer.
True. Nobody would log into their work through their own, non-corporate-issued WiFi router, after all.
Well, yes and no. Most of my past employers only allowed VPN access for remote work, so the networks are in fact different. And I have had an employer that actually issued employees "SOHO" routers (routers always logged into the organization's VPN) to use with the company equipment at home. I never got one but they would issue you one if you asked. My point is that generally both employees and employers have good reasons to want separation here.
> I specifically would not want any corporate-issued hardware happily chatting away with my personally-owned hardware
Yeah, what kind of fool would plug their own monitor into a corporate-owned laptop?
Who knows what kinds of things they'll talk about! /s
Seriously though, you do you. What you specifically want is fine for what you have.
However, describing The Apple Way™ decision to only allow connections between devices that you own as sensible requires further justification (given a pretty exposition in the article as to why it is not, in fact, sensible).
This annoyance also extends to other features like using an iPhone as webcam, unlocking with Apple Watch, using Apple Music (you can’t login to a different account, only the system one)…
MDM is so common in every tech company - I bet Apple’s own employee issued Macs are managed, it is inexplicable how this is still a problem.
I think this is the 'https' flavor of the AirPlay handshake and it doesn't play well with the federated setup I use with work. Sidecar won't work with the federated flavor of my org's Apple ID. It could be policy, but I'm pretty sure it should work.
> I bet Apple’s own employee issued macs are managed
I thought so too. The Apple retail employee that gave me the demo of the Vision Pro confirmed this. He said the manager at his store had a Vision Pro and wanted to use it with his Apple-issued Mac, which was managed via MDM.
Apple’s MDM is a bit different. It runs through a SSO service called Apple Connect and Apple encourages employees to use their personal Apple ID to link to it instead of creating a separate Apple ID.
It essentially adds a special entitlement to someone’s Apple ID, similar to how a dev gets App Store Connect access added to their Apple ID when they enroll into the developer program.
This makes it so that every MDM device is logged into the personal Apple ID.
Oh interesting. Might explain why Apple employees aren’t feeling this same pressure. Do you know if Apple’s MDM is the same for their retail and corporate employees?
Also - I’m not super well versed in MDMs, but they seem to come in two general flavors/deployment strategies: bring-your-own-device (BYOD) and manage a fleet of employer-owned hardware.
In my experience, I’ve only ever seen BYOD policies for employee-owned _smartphones_ (e.g. for access to an intranet mail server). I’ve never worked anywhere that permitted employees to use their own _workstations_.
> Do you know if Apple’s MDM is the same for their retail and corporate employees?
Apple Connect, SSO authentication service, is used by all Apple employees, both corporate and retail.
The actual MDM itself (what is allowed, how much is controlled, what can be accessed, etc. etc.) does vary from corporate to retail and between employee roles and departments and from device to device (BYOD v. Apple owned devices).
To facilitate this they use a bit of a patchwork of mainly in-house developed solutions and Jamf MDM services.
A lot of it is pretty well documented in public. The Apple Wiki page[0] on Apple’s internal apps would be a good entry point to go down the rabbit hole, should you be so inclined.
Just keep in mind that a lot of the information on the inner workings of Apple will be perpetually outdated, due to the nature of that information and its reliance on employees leaking information. You’ll find that most publicly available information is about stuff on the retail side, because corporate employees usually are more risk averse when it comes to jeopardizing their job.
Do you want your laptop screen to be as thick as an iPhone?
It’s just basic physics: you cannot have 1-inch sensor with a lens right on top of it in 3-5mm of total thickness. Just the same way your eye is not flat but 2cm long.
The camera protrudes on iPhones, making them not sit flat. Why can't they add a little bump to the outer shell of the top of the MacBook to fit better cameras?
The options are 3rd party things to mount your phone that take up way more space.
An iPhone is not 1cm thick and I absolutely would not mind a bulge on the top of the screen, it doesn't change how the laptop would sit. And I think the iPhones with their protruding camera, so that they wobble when placed screen up, are more of a design crime. Like some chair or table outside a cafe that wobbles. Steve is dead clearly in design.
Folded optics and metalenses would like to have a chat. They just started using it on the iPhone, I imagine either tech will make it to laptops in the next couple years.
Face tracking. Even for myself, sounds crazy but a handful of my terminal aliases attempt to capture my mood by scanning my face so I can make a fun chart of my emotion while committing code.
The fact companies sell products to stick mounting gear on a MacBook to mount your iPhone to capture better video will tell you there's a market.
The MacBook camera ships with the same chip as the iPhone 5S (2013). It has sufficient pixels for what it is meant for with most of the processing done in software. That last bit is key.
Why thin? The WxH of their phones is crazy, bend gate.... I'd take a thicker phone, can't believe they dropped the 13 mini size, it was my last refuge since they killed the SE.
Surely there’s an app for that: “Duet display” exists more than a decade (sidecar basically sherlocked it). Also something called Astra or Luna (don’t remember exactly).
Huh? That must've been a recent change. I used to log into Apple Music via iTunes with my personal account while macOS itself was using my work account.. yep, two separate Apple IDs.
Who are these companies that either require a non-personal Apple Id or forbid a personal Apple Id? I’ve worked for startups and multinationals and never had an issue with my work machine allowing a personal Apple Id.
Obviously I have to be personally ok with allowing work possible access to my Apple Id, but for me it’s an acceptable trade off given that they have access to everything I say on Slack, and if we’re being honest, that’s where the “HR needs a word” is gonna come from.
My employer requires you to use a work Apple ID if you use an Apple ID (optional for just MacBook, required if you have a work iPhone). I think it's perfectly reasonable - I don't want my personal Apple ID intermingled with my work computer.
> Obviously I have to be personally ok with allowing work possible access to my Apple Id, but for me it’s an acceptable trade off given that they have access to everything I say on Slack, and if we’re being honest, that’s where the “HR needs a word” is gonna come from.
Strange sentiment to me...I can modulate what I communicate in company channels, but in absolutely no way would I ever consider it acceptable that a random person from my employer could access a huge amount of my personal information... iCloud contents might include phone backups, messages, emails, passwords, personal photo library, web history, bookmarks, notes, etc, synced in from all of your other personal devices.
I've learned firsthand the hard way that a small percentage of people are deeply unethical and completely untrustworthy. I can't optimize my entire life around avoiding them, but I certainly can make sure that if they happen to be an {IT employee, HR employee, higher-up} in my company, they won't have access to my personal things.
I log in with my personal Apple ID and get the stuff from App Store I bought on my company machine too.
All companies have used MDM to disable iCloud Drive though, which was a pain with a few apps that used it to sync stuff between computers, but perfectly reasonable. It's so transparent that it'd be too easy to accidentally get corporate stuff on my own Cloud Drive.
I moved that stuff to sync via a Dropbox account I don't use for anything else and everything has been fine for years.
Most of the time it's fine. But it can become a very major problem, and the risk is easily avoided. If you need some equipment for work, work should pay for it. If you can BYOD and want to do that, don't use it for anything else.
> Who are these companies that either require a non-personal Apple Id or forbid a personal Apple Id?
They exist, but they're mostly the companies that are the kind you'd never see on HN: relatively high-employee-turnover medium-sized businesses entirely uninvolved in technology - that aren't large enough to have an adequately funded IT dept - or where their IT is outsourced to a nepotistic MSP.
...the kind where IT policies are set by the same-kinds-of-people that banks hire that tell them to actively try to stop users pasting passwords into their online-banking logon screens.
I don’t understand the downvotes to this comment. Obviously you can disagree, but it’s the obvious question in response to lots of commenters implying this isn’t possible.
I'm also annoyed that using an Apple Watch requires signing into an iCloud account. I stopped using iCloud a long time ago (currently self-hosting everything). Garmin smartwatches don't need a persistent login, which is why I purchased it. I think I will stick to Garmin watches going into the future.
Apple had to lock down iOS in 17.4 because enough people were being tricked into entering their passcode by a thief who in turn would steal the device, access their passwords and drain their bank accounts.
So not sure that allowing pairing between different accounts and relying on a passcode for security is going to be that secure.
Consider the setup process for the Apple TV. The TV shows a unique one-time-use QR code-like pattern that you can scan with the camera of an iOS device. Surely something like this would be sufficient for pairing a Vision Pro with a Mac.
Also the security implications of encouraging people to add their personal Apple ID to devices they don’t own are, IMO, worse.
I'm being more cynical and assuming it's probably to do with AirPlay screen-mirroring encryption and how tying everything to the same Apple ID account placates Hollywood's technophobic licensing execs.
I think it’s a lot simpler than that. If they require both devices are logged in to the same account, they don’t need to deal with authorization. You would not believe how much development time this saves.
Honestly the real problem with security is the whole passcode -> Face ID -> passcode flow.
It is relatively easy for someone to see the passcode that unlocks my phone, in one way or another.
All of my banking apps are locked behind Face ID. But if you lock an app with Face ID, you can just override with the phone's passcode. This is dumb.
The app Face ID backup passcode should be separate from the device unlock passcode, or that should at least be an option. Maybe I'm at a party and I want someone to be able to unlock my phone to use Spotify, but I don't want to also give them access to all my banking apps.
The idea of Face ID is to minimize the use of a passcode so that it wouldn’t be stolen in the first place.
If you worry about that, then probably disable Face ID for banking apps :-)
Apple also recently implemented optional stolen device protection in Face ID settings just for this case: a delay is introduced before you are allowed to change the password and other related things.
The fact that you cannot connect this to an HDMI device will be the death for this.
Now they are hostages of Netflix, YouTube or any content owner. Had they had HDMI in, we would be able to just use a Roku stick to project 4k hdr Netflix content, or straight up project an 8k resolution Mac desktop.
> They employ a distinct brand of gaslighting and blaming-the-user that I have come to associate solely with them.
> Curiously this limitation wasn’t enough to make me return the device, despite it being part of my justification for it.
Why write such a long-winded post after considering the above quotes? In the end none of the considerations around work/personal Apple ID, MDM, etc. matter when decisions are made purely on some brand persuasion. That's why Apple doesn't care.
For the record, I did not return my (4x cheaper) iPad. I didn’t ever buy a Vision Pro. Because of the Apple ID issue. I’m trying to convince Apple that they should care because they lost a sale.
I do not recall any example of Apple overtly listening to customers unless pressed by class action. That's the irony of this feedback post. Apple is just not an org that takes direct customer feedback (like you've noticed from their "you're holding it wrong" debacle).
Also, they've probably done the maths, and knowing their "loyal" customer base, people would be more than happy to pay for multiple redundant devices just to have them seamlessly work together. They are in the business of selling premium devices to people who have low sensitivity to price and cost.
Apple uses AppleID to authenticate globally. If the experience degrades without one OR there is too much effort to support this, I’d be happy with Apple making this call.
I feel it’s very validation seeking to rail on a company for not supporting the most “privacy focused” use cases. If you want an uncommon use case to be supported, don’t expect a profit-motivated company to do this. It’s just not in their interest. Furthermore, I use these capabilities to improve my life. So, I personally don’t want Apple to be compelled to invest in an experience that breaks from the Apple-y way.
(Not a fan boy. Maybe I need to accept that I may be becoming one.)
Multi-user support would be very welcome on a device selling for 3500 USD. I find it rather user-hostile that iPads don’t have this option either, but even their flagship device? Come on.