He said he did it from home though. I always wondered if he was making it up or not, but this was the Bush era (not that that much has changed).

I'm assuming he landed somewhere after the search that his bosses had logs for, like maybe a bio page on some .mil domain. Back in the 2000's, you still got a referrer header that included not just "google.com", but also the search query parameters.

So if you followed https://www.google.com/search?q=my+asshole+boss+joe+schmoe to get to the .mil hosted bio page, they got to see that.

That seems plausible, but as this story was related to me over a decade ago, I can't remember if he said he clicked on anything in particular.

It's not made up. They monitor key sites including social media and those peddling in sensitive information. EO12333 makes warrantless searches legal for anyone with a clearance. It's also a convenient cover for why they need this extra-judicial domestic surveillance apparatus.

VPN or company managed device? Seems like something a vaguely savvy user would keep in mind though.

I think it was a home device, I don't think this guy was super savvy though.