At my company we’ve just outsourced our IT and MDM, and have had to rethink allowing personal Apple accounts on MacBooks. Our devs (all on Mac) have had their local admin revoked, and the MSP now has admin access to all machines.
It is not clear whether a separate local admin account (that can presumably access root) can access the Apple ID accounts, keychains, or locally synced iCloud directories of users. Common sense says yes, because root is root; but I know there are additional levels of access control above root on macOS. Does anyone have a definitive answer?
(I’d rather not discuss the merits of personal/company Apple IDs on company machines or whether devs should have local admin; these topics have been done to death.)