Don’t Put Your Work Email on Your Personal Phone (onezero.medium.com)
350 points by 3x3matrix on July 24, 2019 | 266 comments


Funny story (well OK, not so funny), I worked at a company where the FBI decided to pay a visit and investigate some potential naughtiness performed by members of the senior staff. They asked questions such as "Do you use your cell phone and personal email for company matters?" Guess what a lot of them said, "Yep, have to." That immediately made their personal equipment, etc. in scope for the investigation and they confiscated it. Interestingly enough, any crime discovered while in pursuit of another crime can also be prosecuted. (Guess how they leverage people to flip.)

After hearing about that, I never attach anything work related to my personal equipment. There is too much liability. Anytime that anyone even whispers about me using anything I own for company use, the answer is a resounding "No." You honestly don't know who you are really working with/for and what they are actually like.


Recently my employer has pushed for Okta Identity management. And somewhere in that plan they somehow thought appropriating employee personal phones was a good idea. Now we can't log in to certain internal apps without a mobile device because Okta needs a one-time password/accepting a push notification. And the OTP/push notification necessarily has to happen on a mobile device. Given that the company hasn't provided any mobile devices to employees, everyone is forced to use their personal phones.

Any ideas on what happens in such cases?


We use Okta where I work but we are allowed to install Okta Verify without installing the MDM profile.

If we want to do work email on our phone, we do have to submit to MDM. 99% of the employees I know refused to allow MDM on their personal phone, and the company was OK with that. They made a few managers carry work issued 2nd phones.

We also use Slack and are allowed to use that without MDM so that works for a lot of us.

My wife has to carry a 2nd phone for work, she's got 2 iPhones and it's very annoying, but preserves the separation.


Any company that wants to put an MDM on my phone will have to buy me a second phone.

See, I'm the computer geek in the family, and that means that I'm the family MDM manager. Which means I already have an MDM on my phone, and since you can only ever have one MDM on a mobile device like that, well the conclusion is inevitable.

If they don't want to buy me a second phone, then they're going to have to decide which of those two policies they actually want to enforce.


I worked for a company that was forcing an MDM on employees a few years back. I went ahead and wiped it and installed Cyanogenmod instead of the stock Android ROM. My phone was then incompatible with the MDM so I was no longer required to install it. I don't think it would have been able to do all that much even if it managed to install.


I ask for a phone if my duty requires it. If they won't provide it then they don't want the job done very badly and if they fire you then unemployment should cover it. Each granted claim increases their unemployment insurance premium if I understand correctly, so there is some disincentive to just fire you--it's probably cheaper to get the phone. (This is in California, SF Bay Area).


For this specific case, you can actually use other OTP apps such as Google Authenticator with Okta. See https://help.okta.com/en/prod/Content/Topics/Security/MFA.ht... You'll also have to unselect push notifications somewhere, don't remember exactly where, but it was apparent in the UI.


My company recently required the use of a specific 2FA app that I didn't use in order to validate credentials on our laptops when accessing our VPN. I don't personally like having to put an app on my phone; however, using an app to validate identity and using an app to conduct business are two very different things. I'm still considering requesting a physical token though...


Can't you ask for a key fob OTP code generator device? Employees who work at sensitive client sites in many cases wouldn't be allowed to connect their phones to the Internet and may have restrictions placed on the usage of it. A separate hardware key generator (which is really a second factor) could possibly help (depending on the situation and need).


You can ask, sure.

That doesn't mean that the company will provide any such thing, much like they're clearly not providing company cell phones to the GP.


Respond that you have no mobile phone to use for this notification.


Will not work here in Turkey.


Why?


Maybe they don’t have great labor laws. Would your boss really believe you if you said you don’t have a cell phone? If you didn’t have legal protection (or a shit ton of other employment options) would you just tell him to fuck off?


No, we have great labour laws (employment protection, anti-discrimination, limits of the business relationship well defined) but it is illegal to conceal identity in government and business matters (here in Turkey, you cannot avoid identifying yourself even while invoking the right against self-incrimination). Not like the UK or the US. The employer would think you are trying to conceal your essential contact info and will be able to refuse your contract.

In addition, all IMSIs and IMEIs are registered in a whitelist and tied to identity.


Or get a $20-$40 mobile phone just for that. No SIM card needed.


Authy as a Chrome extension?


"...don't know who you are really working with..." this resonates with me. I recently left a company after finding out that the recently hired VP was the President's favorite bartender, and he was also trying to coax her into a relationship. The VP had also backdated her resume and was claiming to have been at the company about 4 years prior to her actual arrival.


The backdating no doubt matched a backdated stock option grant that would allow her to claim that she was fully vested.

That is just fraud and the board of directors should be all over it (they would have visibility into the hiring of executive staff). Now if the company has no board, or the board is composed entirely of founders, this sort of stuff slides by. Best to avoid working in the future with anyone associated with the senior staff in future companies.


The company was owned by a single founder, the board was an advisory board with no real teeth, advisory board made up of good ole boys. The company folded early last year due directly to her management decisions, preceded by 3 other execs leaving, they all cited her decisions in their resignations. Sad because the product was coming along nicely, product market fit, positive feedback from customers, etc. I think the owner was just old and burnt out combined with a bit of "control all of a little rather than a little of a lot" syndrome.


Such a sad story. Not unique but sad nonetheless.


Nothing focuses the mind on sensible email retention policies like working at a company where all the email got subpoenaed.


And since discovery processes are often leaky, part of the onboarding at my company is the lesson that you shouldn't write anything in an email that you wouldn't be happy to have splashed all over the Wall Street Journal.

So, for example, we try to choose names for applications that aren't going to give people the wrong idea, e.g. don't call your market manipulation tool TurboMarketManipulator, call it EnhancedOrderManager.


> don't call your market manipulation tool TurboMarketManipulator, call it EnhancedOrderManager

Good advice. I am somewhat surprised at times by what the media doesn't uncover and try to spin as a conspiracy theory. For example, we had this open source project publicly available https://gfiber.googlesource.com/kernel/prism/ around at the same time as the Snowden leaks about "prism" and nobody wrote any articles about it. Of course, it's completely unrelated... but I feel that that normally doesn't stop people.

I found the whole thing very interesting.


I realize you are being somewhat facetious, but calling your (presumably unlawful) market manipulation tool EnhancedOrderManager isn't really the answer. Not building the unlawful tool is.


"Dance like no one is watching; Email like it may one day be read aloud in a deposition" -- Olivia Nuzzi


If you use your home computer to RDP into your work computer, what would be the correct answer to the question? The "work" occurs on the company-owned computer, but you are typing on the keyboard of your personally-owned computer.


I am not a lawyer, but from what I understand from a forensics class I took, personal devices can be in scope in the US if:

* A warning banner is displayed when you connect to the VPN / network / asset that states that use of the resource voids your expectation of privacy, you consent to monitoring, and you acknowledge they can inspect personal devices, etc.

* You signed a policy document acknowledging that they can monitor you and that connecting to a company resource brings your personal device in scope of monitoring and seizure

* You committed a crime, the police become involved, and a search warrant is issued.

If you do not sign such a policy document, they do not have evidence of a criminal (i.e. not civil) infraction, and they do not display a warning banner, then you can claim reasonable expectation of privacy (meaning you were ignorant of their policy), refuse a search, and there isn't much they can do to my knowledge. In this specific case you would have to talk to a lawyer, but I would just be safe and use only work assets for work.


The correct answer is whatever your lawyer says.


Whatever the judge says. Lawyers say no, yes, or maybe, with maybe being the big fun part.


"I plead the fifth" or "I'd like a lawyer" or silence.


That's a good question. But as long as you don't save any files on your personal computer, it is just a transport device like a car that gets you to work.

I'm guessing the law isn't that forward thinking though. Maybe I should keep a <$200 mini-PC, just to RDP into work so I have no problem giving up that machine.


> Maybe I should keep a <$200 mini-PC, just to RDP into work so I have no problem giving up that machine.

Doesn't help you. Either your personal devices are in scope or not. If they are, then they all disappear and you're unlikely to get them back.

Investigators don't trust the subjects of the investigation to tell them what devices are in scope or not. If your devices are in scope, they'll take everything that has any chance of having data on it.

(Source: many many reports from subjects of such investigations.)


Could I just have "work" buy me the $200 mini-PC for RDP sessions from home so that it is not a personal device?


In the FBI's defense, they did return all the equipment after they were done with it (if I remember correctly within like a day too). Funny enough though, one guy thought it was strange that after they gave his phone back, all of his text messages from then on were suddenly emailed to his work email also. Wouldn't happen to be that all email in the company was saved indefinitely due to the archiving server?


> All email in the company was saved indefinitely due to the archiving server

Not at all. Many companies actually do the opposite. A previous company I worked for had a 30 day email deletion policy, though we could set up special folders for 13 month retention on emails.

At another company, we were in the backup space and some enterprises had very restrictive backup and archive policies. One was to the point that our backup software was pretty much useless.

To limit liability, files that are not involved in any ongoing legal issue such as a lawsuit are deleted as soon as possible without interrupting the business. Once there is a lawsuit, any relevant documents or emails can be deleted. This is all from the point of view of civil lawsuits. I assume gov't investigations are similar.


Sorry, that was sarcasm. It turns out that after the investigation started, they saved all emails indefinitely. I'm pretty sure that it was due to something going on with the investigation, but I can't say for sure. It just seemed a little too coincidental that both occurred so close to each other and one right after the other. It might be too that the FBI requested this, because they said they were trying to "catch the other party involved" (not part of the company).


Oh yeah, at the backup company, we worked on a Legal Hold feature where if an employee was tagged as being involved in a company lawsuit, all their backup files would be held indefinitely. You can delete shit after learning of a lawsuit, only before.


Clever. A modern-day "dumb terminal".


If you think that's clever, you'll be blown away when you see actual thin client and zero client hardware. PCoIP zero client tech is pretty seamless with the right backend & network configuration.


Logically, to me, it doesn't count. But lawyers and courts have a real twisted sense of logic and will indict their way around this to get your data off of your personal device.


The details of what you claim to do are irrelevant -- you can produce work product on the personal computer (i.e. writing down a note in TextEdit, etc.)


And that's why you don't talk to police; they could have just said no or refused to answer to make it harder for the investigators.


If the FBI comes into your office with a warrant and you refuse to speak, I'm guessing they'll be taking your phone anyway and/or arresting you. Making things harder for investigators often means making things harder for yourself too. Winning an argument about your personal device's admissibility in court six months later isn't really winning, is it?


> you refuse to speak I'm guessing they'll be taking your phone anyway and/or arresting you

If you refuse to speak without a lawyer there, they'll either a) move on because they're out fishing and you're not biting, or b) arrest you because they already have evidence but were looking for an easy confession to make it a slam dunk case for the prosecution. Once arrested, you can hire/be assigned a criminal defense attorney who will figure out if you have a good chance of being found innocent or can minimize prison time through a plea deal.

> Winning an argument about your personal device's admissibility in court six months later isn't really winning is it?

Not taking their bait and running your mouth will minimize the chances of the FBI being able to get a warrant for your device to begin with. It's not just about the phone, it's about your freedom, financial stability (you will lose your job and you can't pay your bills from prison, so say goodbye to your credit score), and employment opportunities (federal convictions don't bode well for job hunting).

Look up "don't talk to the police" on YouTube if you want more reasons why letting the FBI look at your phone is a bad idea.


the whole point of the above anecdote was that by answering the questions, you've expanded their scope.

if they're going to arrest you, there's nothing you're going to say to talk them out of it. all you can do by talking is convince them to arrest you.

you can't talk them out of anything they were already going to do; they're just talking to you because so many folks think the way you do, that they're somehow clever enough to say the thing that prevents the arrest.

> Winning an argument about your personal device's admissibility in court six months later isn't really winning is it?

it is if that means you don't go to jail.

your advice is wildly dangerous, please stop.


This is terrible advice. Never talk to the police without a lawyer present. https://www.youtube.com/watch?v=d-7o9xYp7eE


Hmmm, I don't think, if the allegations/accusations were "serious enough" that if (actually having never used the personal devices for work) someone had replied "No, never" they would have taken your word as good, i.e. they would have probably said "OK, now let's check if that is true" and confiscated the devices as well.

Please also understand that when you say "No, never" to an FBI agent, you must be pretty sure that it is accurate, as if they (still hypothetically) find even a single interaction they could accuse you of lying to a government officer.

Anyway, yours is the right approach: never, and I mean never, mix personal with work related activities.


Is this only true for using some company provided app or even a dedicated email app? What about just going to webmail on a browser on a phone? Does that have the same implication?


This is true for any work interaction on your personal device. You aren't going to win arguing technicalities with someone executing a search warrant.

The only safe and sane thing to do is refuse to have any work touch devices you own, and likewise don't let any of your personal affairs touch work systems.


> After hearing about that, I never attach anything work related to my personal equipment. There is too much liability.

Wait, didn't you just softly admit to some (any?) wrongdoing?


The simple truth is, everyone breaks the law. I don't mean willingly; there are tons of laws that exist that even well versed attorneys are not aware of. You accidentally downloaded a song you didn't pay for? Well, that's a criminal wrongdoing. You did it over the internet? Somehow we'll tack on a wire fraud charge while we're at it, because we're sure we can convince a grand jury to at least allow us to try you. Now you're looking at a massive fine, and say 5-10 years. Sure you don't want to help us? By the way, if you've never been on the other end of an FBI agent interrogation, it's scary. Like really scary. I had a friend once show me briefly what it's like, and I never want to come near that again.

Here's the thing about lawsuits, even if you're innocent, you're still probably ruined. It's not like on T.V., lawsuits take years, even criminal ones. If you encounter a law enforcement agent (say a prosecutor), that wants to make a career off of something you're involved in, you're screwed. At best, you'll probably be bankrupt and emotionally destroyed. Imagine this, they bring charges against you, and if you get a public intoxication, or heaven forbid a DUI, you go to jail for the next 3 years while awaiting trial and for something that you might not have even committed. Don't believe me, read a case document on conditions of release. They list off a ton of things that can send you back to jail while awaiting trial.


> Here's the thing about lawsuits, even if you're innocent, you're still probably ruined.

I call that "you can beat the rap, but you can't beat the ride."

Strong anti-SLAPP legislation can help with some of that, but it's far from 100% and it's far from universal.


I don't know what country you reside in, but in the USA you are innocent until you are proven guilty. Proof of guilt is on the prosecution's side; I don't have to prove I'm innocent. This and the 5th Amendment work magic against being wrongly accused; it also is indeed a deterrent to "career prosecutors" from trying to obtain a prosecution via good old Soviet-style investigations: "give me a man, I give you a paragraph"

Edit: don't break the laws when you being prosecuted; and BTW: I don't drink alcohol at all. Period.


> I don't know what country you reside, but in USA you are innocent until you are proven guilty.

Yep. And you can sit in jail for a year or so while they figure that out at your trial. Of course you’ll have lost your job by then. And paid your lawyer a fortune so you’re broke. And your family is kind of screwed up over the whole thing and the hardship it caused.

But you were innocent. And that’s all that mattered.


Yep. It happens. And these are extreme cases in which the system has failed. Usually you end up suing the system and the state/county/whomever wronged you has to pony up millions in settlement. That's also probably the only reason the scenario you describe is very rare and not the norm.


It’s not rare, though it may not be for a year. And you can’t sue because the government did nothing wrong. You were found innocent at trial, that’s how things work. People found innocent don’t get to sue the government for wasting their time. If you can’t bail out you’re stuck waiting in jail.


Again, it happens but very rarely. There will always be prosecutorial misconduct unfortunately. And yes, absolutely you can sue anyone for anything. If you believe you were detained for too long you can sue the government. People do that all the time - sue for governmental neglect. You just have to have a strong enough case. If you were held a day too long, that's nothing. A year, that's plain abuse.


Umm, kemiller2002 perfectly described the justice system of the good ole US of A. Once a prosecutor wants to get you, they stack all kinds of charges together to take your 1 year crime and make it a total of 10 years in prison, so you'll take a deal that gets you back to the original. At the Federal level, the conviction rate is 93%. Even if you are innocent, you can still be convicted.

> Edit: don't break the laws when you [sic] being prosecuted;

What? The whole point is you can't help but break a law.


OP described a situation in which you are bailed and then had a DUI. That's my point. Don't break the laws when you are on bail.


Let me clear this up. The problem isn't breaking the law with the DUI. It's violating the court order. A judge can impose any set of rules (read that right, ANY), and you get tossed back in jail for doing that. Not drinking just happens to be a common one. But you say, "I'm over 21, it's legal." Now it's not, because the judge told you not to. What about accessing a computer? He can put that in there. Using a cell phone. "But that's an undue burden." Do you honestly think that matters?


Not even remotely. It’s good legal sensibility to avoid opening yourself up to unnecessary liability and investigation.


This is certainly a very good reason to not put your work account on your personal phone, but my primary reason not to is that it's my device and I pay for the service. If my company needs me to be available beyond my 9-5 workday, they can pay for it.

If there's an emergency, they can always call, but I don't like being "always on".


I recently got a new job where the email is completely locked down (only accessible on a networked computer or via the awful Outlook web interface). It's been awesome not getting work emails on my phone.


I used to have work email and slack on my phone. While it made some things easier (heading out in the work day and not blocking people who might need my input, for example), it also made me feel tethered. Slack in particular was very addictive to me (to be fair, not just work slack, but other slacks which I was on).

When I got a new phone, I simply didn't install the email or slack clients. It's led to occasional text messages, when I really needed to communicate with a team member, but all in all has been a fantastic experience. Highly recommended.


Same here. If I have to VPN in I’m less inclined to look at email outside of work.


I'm trying to see the drawback, but failing.


One of the things I miss most about my previous BigCo job was only being able to access work tools via my work phone. I could go on vacation and tell my team that I wasn't taking my work phone or computer (I needed a corporate VPN installed on my work computer to access anything internal) and everyone knew I was completely unreachable.


Why can you only access from a networked computer or OWA? Is the desktop outlook client more privileged than OWA? (I've never used either extensively)


Presumably the IMAP or Exchange server is only exposed to the LAN. (It's non-trivial to configure these properly to be exposed to the internet...)


Exactly- if work doesn't pay, they don't get to play on my phone. I'd be willing to check work email sporadically, and it's unfortunate that doing so in any capacity means allowing an unknown admin "wipe my phone" privileges. Companies don't handle that stuff with any sort of finesse and mistakes happen. Ultimately email on a phone may be a moot point for software developers: We use more independent chat apps like Slack, no one worries about texting you, and it's hard to do anything really more involved than messaging without opening your laptop (which probably is provided by work).


Slack, on my phone? Are you nuts?

If you want me after hours you call. That's the only option you have.


Exactly. Your employer is not going to enforce boundaries to ensure healthy work/life balance for you, you must do it yourself (until labor regulations catch up; see France [1] and NYC [2] labor law regarding checking email outside of work hours for examples).

[1] https://newatlas.com/right-to-disconnect-after-hours-work-em...

[2] https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=3...


Are you, with a straight face, saying that you'd rather receive a PHONE CALL than a notification from an app that you can set time-sensitive notification methods for (i.e. DND overnight, etc.)? I'm not a fan of getting any kind of work message outside of working hours, but I'd FAR rather let my co-workers send me a Slack message that I can ignore and/or deal with when I feel like it than call me on the phone. No one at my office except my direct manager and HR has my phone number, and in the 5+ years I've worked here, no one has called me on it.


You're not wrong, but there's also the filter of "is this a real emergency or could this be an email he'll see tomorrow morning?" that goes through the coworker's head when his options are call vs. email. And, at least in my position, if it is a real emergency I'd like to know.

That said, other than a handful of coworkers who I'm friends with outside of work, only my manager & HR have my personal number. This adds an extra step where the coworker should determine if getting in touch with me immediately is actually worth the effort.

So far, I've received one such phone call in 3 years. It was an actual emergency, and easily resolved by me at that time because they called me. If they had waited until the next working day, the issue would have blown up and taken much more effort for me to resolve.

This might alternatively be an argument for working with people who respect your time.


Pretty much this, it's an instant bullshit filter.

If I were to ever receive so many phone calls it becomes a problem I'll solve that problem. Right now I've had all of zero calls this year so I think I'll be right for the moment.


Yes I do. Why? It raises the bar. It's all too easy to whisper to someone via electronic communication. If you need to speak to the person, and they hear my kid yelling in the background, perhaps they'll wonder if I have other things to do in my leisure time.

Furthermore, I don't find it particularly bright to host sensitive data by such a vague company. Bonus negative points for the infosec community using such.


At least on iOS, Do Not Disturb covers phone calls, too. With the ability to set overrides for calls from Very Important Numbers. Voice mail exists as well.


Android as well, it can allow starred contacts through.


Voicemail? How tedious. A Slack message is far preferable. Nothing stopping you from setting do not disturb in Slack.


> Are you, with a straight face, saying that you'd rather receive a PHONE CALL than a notification

Yes, a thousand times. People often write on company instant messaging just to ask things that they can figure out on their own.


Yes, if for no other reason than that calling someone adds friction.

People don't phone you for stuff that could have easily waited till tomorrow morning.


Slack has work hours. After that nothing notifies me. FWIW I use Slack to keep in touch with other groups of people too. It’s actually quite good.


No joke, we recently went to a BYOD model with no "assistance". I'm expected to be available 24/7 in most cases. So I'm refusing to be available until I get some compensation.


It's a very competitive labor market. For employers.

If you are highly skilled, you are highly in demand. Therefore, demand good treatment.

Tech industry compensation has never been higher: http://levels.fyi/comp.html

Google pays for on-call hours. You are credited with 33.3% time for each hour on call if you have a 30 minute response requirement, and 66.6% time for each hour on call if you have a 5 minute response requirement. These can be taken as extra holiday, or cashed out. [0]

[0] Among other public sources: https://www.reddit.com/r/cscareerquestions/comments/41v0ol/i...


The really dumb thing is paying for overtime works great. Some younger employees want to do it for the extra cash or vacation for a longer holiday. I know there were times I wanted to work on a holiday day/bank holiday to save up time in lieu.

The problem is companies where default on-call becomes part of the culture. They also have little incentive to fix terrible ops. I hear AWS can be like this, depending on the service.


I'd leave. Unless you're a contractor who gets paid a lot and equipment costs are expected in that contract (similar to plumbers, carpenters, etc.), there is no reason for a full-time/salaried employee to purchase their own IT equipment. That's just insane.


Expect to be fired. That’s, unfortunately, the labor market reality.


Labor market reality's also that everyone's falling over themselves to hire developers. Won't last, but that's what's up right now.


Depends highly on the employee's value to the company.

Also, if the employee has very marketable skills, they may be happy to leave a job whose hourly rate has suddenly dropped.


I'm still waiting, 5+ years later...


we're pretty close to full employment. lots of industries are job-seekers' markets right now. which doesn't mean that management recognizes this and wouldn't do something stupid like fire a good worker, but that doesn't have a lot to do with the labor market.


> If there's an emergency, they can always call, but I don't like being "always on".

Personally, I choose the opposite: you need to email me to tell me you want to call me (so that I’ll turn on my softphone app), otherwise you’ll just automatically go to voicemail (which will also go to my email.)

I notice that with Gmail’s inbox categories, you only get push-notified when something lands in Primary or Updates; so as long as you’ve trained the system to push the irrelevant/lifecycle stuff into the other categories, your phone won’t ding all that often. (Mine doesn’t, and I get a good amount of raw email.)


I can't believe anyone can handle having push notifications on email. I only read my email when I go to check it. For both work and personal.

I have hundreds of rules for email filtering. With most mailing lists never hitting my inbox. But it's still way too much for individual email push notifications.


The other thing I do is to separate my personal and work email accounts. I’m signed into both on my phone, but I only get push-notified about personal mail. I want to know if a family member is in trouble; servers burning down can wait until tomorrow.


Yeah, my last job wanted me to install their rootkit/spyware on my personal phone for the privilege of being able to check my work email at night. I resolved this by letting my manager know how to contact me after hours in the event of an absolute emergency, and that otherwise I'll check my messages at the office when I get in to work.


The counter to this is that oftentimes I'm at work and not at my computer, so I need access to my email/calendar on a mobile device. This doesn't happen often enough for me to warrant a work phone but happens often enough to where it would be a pain to always go back to my computer to pull that up.

My solution so far has been to just use the Outlook web app. Sure, it's not as nice as the app, but it lets me get to the info I need while also preventing me from having to install any sort of profiles on my device. As an added bonus, I do not allow the site to send me notifications, so I do not have to worry about being bothered off-hours.


I learned that lesson after losing too many days off to some emergency or other that I spotted on my emails.

Personally I need to be able to put everything to the side when I'm out of office.


>losing too many days off to some emergency

How do you even lose days off to some work emergency? If I was scheduled to be on vacation but I have to come in for some emergency, I don't lose those days, and you shouldn't either, since you never actually took those days off.


I meant that less literally. While I might still be technically out of the office, if I'm spending time worrying about an on-going problem it's not nearly as restful as if I'm blissfully ignorant.


So it would be ok if your employer paid 60 bucks a month to foot your phone bill? Be careful what you wish for.


This is precisely why I make it clear that I do not want a work phone. My mobile number is published in the global address book for emergencies, but otherwise if I'm not at work then I'm not working, and I do my best to not think about work when I'm not working. Having a block of metal and plastic specifically to intrude into my free time for the benefit of my employer is not something that I am interested in.


> If my company needs me to be available beyond my 9-5 workday, they can pay for it.

If you're salaried then they are paying you for it based on the job requirements, it's part of the job and one of the things that separates hourly employees from salaried ones.

Unless you're talking about the cost of your cell plan or device? But even then, a lot of companies will pay for your plan and subsidize part/all of your device if they have a legitimate work reason to need to contact you and expect a fairly quick response outside the office.

EDIT: To be clear I'm referring to US law/practices. The entire point of salaried as opposed to hourly work is that it is based on performance rather than hours, and it's up to you and your employer to come to agreement on what performance means. At some companies salary might be for 40 hours, at others it's for 60 or 80 regularly. It's your own responsibility to find out before taking the job, and decide for yourself what you're willing to provide or not.


No they are _not_. Salary is for 40 hours a week, +/- 5 hours depending on temporary circumstances.

Salary is not 40 hours working + 128 hours on call per week.


This of course depends on your particular employment contract. In some cases, someone may agree to be on call whenever they're not working and AFAIK (IANAL) such contracts are legal in some circumstances.


That depends on whether or not the employee is FLSA exempt or non-exempt.


Meanwhile, in Europe, they have employee protection laws that outright prevent these practices. If you need someone to be available outside of work hours, you need to pay them extra for it, similar to how overtime is mandated in the US for hourly workers.

Wish we had those laws here. Fortunately I work at a company where I am compensated extra for my oncall shifts that take place outside of normal work hours -- it ends up being a few extra tens of thousands of dollars per year. That should be the mandated standard though, not just for those who are lucky.


no.

Salary is a payment schedule, that's it. Anything else requires contractual agreement.

The fact that you think it gives companies the right to demand irregular hours is more about your mindset than reality.


Depends on the jurisdiction. I think there's a clear separation of work time and free time in most of Europe. Here in Finland an employee can never be forced to work over their daily working time (usually 7.5h between 8-5); doing so is always voluntary, though of course pressuring exists. For force majeure circumstances there's the legal concept of emergency work, but that's very rarely invoked.


I worked for a university that paid cell phone plan stipends back in 2012. In Illinois, it is now required by law for employers to pay cell expenses if they're required for work.


My company pays for my service but not my phone, so I'm in a gray area here.


Heads up, if your company is paying for your service, they can see who you're calling and texting.

I'm not saying that's unreasonable, but I've heard of employees getting caught leaking by communicating through cell plans paid for by the employer.


What if you're being reimbursed for your phone? I assume they can only see activity on my logged in GSuite account. Can't imagine that they have access to anything beyond that.


If they are the ones paying for your phone's subscription, they get a very detailed report on all the calls/texts/data access requests done.


All they do is hand me a certain amount of money every month. The plan is my own, and they didn't install any software on my phone. All I do is run Gmail through the built-in mail and calendar apps on my iPhone. I also have Slack on my iPhone.


My company pays a $75/month BYOD stipend. It's more than enough to cover the phone bill.


Basically I have my Gmail work account on my phone but I'm syncing it manually, only when I want/need to consult it.


Mine syncs automatically, but there is no notification sound, only the visual indicator in the status bar. That works for me.


Yes, I do the same for the same reason. Fetch Manually instead of default Push or Fetch.


If your employer subscribes to an ethical model which permits them to abuse MDM, viewing your web history and tracking your location, you need to do more than remove your personal device from their control.

You must find a new employer—preferably while you make public this repulsive behavior.


My employer and I are bound by a working agreement negotiated through my union. The contract has privacy protections for many different types of personal information and data that could potentially be accessed or collected by the company. Think location data, data at rest on both personal and company devices, and network traffic.

Here’s the big issue I still have even with all of these ‘legal’ protections. The definitions are not highly technical and thus open to interpretation. Also, to my knowledge none of the clauses have been tested in the real world. How in the world am I supposed to feel secure that a legal agreement stops them from doing what is still technically possible? Even if they can’t use the data collected against me as admissible evidence in a disciplinary action what’s to stop them from collecting data anyway and then if they find something they don’t like they harass me in other ways?

The issue is in MDM systems. Until we design them in a way preventing access to certain classes of information through technical means then no type of agreement or ethical code is safe. The device must be treated as hostile. We can’t simply rely on ‘ethics’ because, as we’ve seen play out time after time in America, corporations lose no sleep over saying one thing and doing another.


I declined corporate MDM on my personal phone. I’m confident that abuse of my data would be against policy, but I don’t feel like taking the risk that our technical controls can or will guarantee adherence to policy. At the end of the day, whatever agreements are in place, someone has access.

I’ll take that kind of risk with i.e. Google employees and my Google searches, because it’s fundamentally necessary to provide me good search. There is just no reason to do it with my corporate security team and personal SMS.


How does one know if an employer is abusing MDM? Honest question... I have no idea. I just point my iPhone's mail app at our Outlook 365 server and that's it - I assume that installs a profile that allows them some remote access (I believe they can remote wipe the phone, but maybe not), but no idea how to tell if they're doing anything else.

Edit - looking at Settings->General->Profiles, there is one entry, which is for connecting to my Olympus camera. Nothing for the office.


Generally MDM software swallows up everything. It's been a while since I managed an MDM instance, but we could track everywhere the employee went by default, and when I suggested we turn it off there wasn't an option, nor did management want to. We could see every app, pretty much everything on the device. I will never install MDM on my phone after managing it. I've also seen phones accidentally wiped. Back up your phones.


I learned my lesson when in the early days of MDM, an employer I quit decided to erase my personal device that had work email on it. Live and learn :S


Apple MDM is changing quite a bit come iOS 13 and macOS Catalina 10.15. A new enrollment methodology called User Enrollment is aimed at protecting the privacy of employees using their own personal devices. User Enrollment greatly limits what the company can see about the device. As an example, the MDM can only see the apps that it has installed on its own, it can't get any PII (Personally Identifiable Information) such as a phone number or serial number from the device, etc. The MDM data and visibility into the device is essentially sandboxed.

This article provides a summary of MDM User Enrollment, including details about how Apple separates personal and business data on separate APFS volumes.

https://simplemdm.com/apple-user-enrollment/

Before User Enrollment there wasn't a great Apple MDM enrollment option that struck this privacy balance for employee-owned devices. App data couldn't be viewed per se, though a list of apps is certainly available (as mentioned by cannonedhamster). Some companies would skip MDM and essentially "wrap" individual apps in order to have the ability to encrypt the app data and have some control over the binary, but that's about it.

I'm not sure of the story with Android, though I'm under the impression that there is a similar "sandbox" option for MDM, albeit the implementation and user experience is rather messy and obtuse.

Full disclosure: I work for an MDM software producer.


Does turning off location on your phone mitigate their tracking of where employees go? I realize the other problems are still there, but I'm wondering if that would help. I turn on location on my phone once in a blue moon when an app gets too damn annoying that I actually need to use right then.


Depends on the MDM and phone really, but no. Triangulating a cellphone on the network via cell towers is a tried and true feature of wireless infrastructure. Even your phone's GPS capabilities are most likely "A-GPS", meaning Cellular Assisted; it'll use cell location data when GPS satellites are slow/unavailable.

The GPS toggle isn't doing much of anything besides application permissions enforcement.


I worked at a security startup where installing Slack/email on our personal phones (BYOD policy) was possible via an MDM (but was optional, we weren't forced). I don't know every detail, but many of our engineers were naturally spooked and did lots of checking to make sure no packets flowed to the VPN from apps not within the MDM's control (just Slack and mail).

I personally was fine with this as I don't want to carry two devices, I like being able to check in via Slack (especially if I was on call), and we had several folks who had our security/IT team under a lot of scrutiny proving this wasn't overly invasive.

It helped that we were a small startup, so our IT and security teams were 20 feet away :)


Anyone with admin access to Outlook 365 can do this stuff. Even in a large company that could mean a surprising group of people able to do this sort of spying with no technical restrictions to enforce policy (assuming there is an explicit policy, which in a smaller company is not a given.)


Ask. Since this often affects larger enterprises, start at the help/service desk. If that doesn't get you an answer, try Information Assurance or Information Security departments. Lastly, most large orgs have a Privacy office.

During all communications, make it clear what your concerns are; perhaps even link to articles like this one.

Corporations that care about customer and employee privacy will take such inquiries seriously.


Sure, but I assume there's something in the device itself that indicates there is a profile or remote access? I don't see a work-related profile on my phone, but maybe there's something else beyond the obvious Profiles entry in General settings?


This is why I frame this as an ethics issue. If you install some sort of MDM profile, unless you spend a lot of time understanding mobile device management implementations, you won't necessarily know what the capabilities are.

If it is your device, typically an employer will disclose in their policies what capabilities they use.

Now, does this prevent a rogue infosec person from deviating from the policy? No. Nor does it prevent the state from compelling the company to abuse their MDM technology. If these examples are part of your threat model, you should not use your personal device with your employer's infrastructure. I don't think this makes your employer's choice to use MDM a bad one, however. They are protecting the corporation, after all.


> Ask.

This is a good recommendation.


If you installed MDM, it’s probably been fairly clear. The iOS warning is kind of scary as I remember.

Also found under Settings -> General -> Device Management.


Android tells you exactly what information MDM collects from your phone and exactly what restrictions have been placed on it. If your employer is collecting your browsing history, you would have known when you enabled their policy, and you can review their policy by opening the Device Policy app. https://lh3.googleusercontent.com/re65G-N_kR2HUCzd4IUjahS_7u...


If you don't have a profile there your device is not managed and they can't do what the article talks about.


This generally is reasonable advice, but companies change policies. Even if the MDM policy today sounds benign (although IT departments make mistakes, too), it can morph into something much more invasive in the near future, "because cyber". MDM on my personal phone is the line I personally would not cross. My 2c.


Agreed. MDM usually gets set up when you're a new hire and may not know what the organization is really like yet. Additional note: it's a shame Glassdoor is so easy for employers to game.


I'm a remote contractor. Usually, if my customer wants me to install some tracking software (recording that you're present in front of the PC, tracking mouse/keyboard activity, etc.), I agree on only one term: they need to send me a machine with this software so I can use it while doing work. I lose customers this way, though most of the time people agree to not have this kind of software involved instead of rejecting the offer altogether.

If I worked in an office environment and the company wanted me to use tracking software, I'd see no problems with it. But it should be installed on a company-provided phone, which in the best case I'd leave at the office when off work, or in other cases carry home and store there.


Tracking software?! I often have remote contracts and have never been suggested to install any presence or keyboard activity trackers. Sounds horrible. You are a professional, not a teenager.

I think that would be such a red flag for me of how everything else is at that client that I would never agree to the contract in the first place.

Since most of my clients allow BYOD I sometimes get asked to ensure I have antivirus etc installed. Which is ok as long as they don't dictate which software. So far that has been fine for all clients.

I have some clients that insist on a locked-down laptop to access some parts of their network, and they happily send me one that I use it for mostly email only. Having tracking software on it would be pointless as it would only show 5 minutes of email checking activity every 2-3 hours.

Unless by tracking you mean webcam and slack status? That seems acceptable to me. And as I mostly encourage(insist) that my teams use webcams when they are remote pairing etc it would be hypocritical of me to say otherwise.


Upwork is a giant freelancer market. They pitch their tracking software as protection for both sides: proof of work.

https://www.upwork.com/hiring/for-freelancers/using-the-upwo...


Doesn't CrossOver do that as well?


> If I worked in an office environment and company wanted me to use tracking software I'd see no problems with it.

* Lack of trust that is uncalled for, especially if you are in a position with responsibility anyway.

* Inappropriate tracking method for creative work.

Those are two points that I see.


That's crazy. What kind of companies are these, or rather; what kind of country is this? North Korea?


I work from home/remotely. For years I've followed a simple policy. I don't use work devices for personal use, and I don't connect my personal devices to any work accounts. I've never had an employer that's had a problem with this, and the most I've ever heard is comments about how I'm just inconveniencing myself because I carry two phones, two laptops. But the reality is, it's been extremely beneficial when I've had to work in compliance sensitive companies for exactly the reasons listed here and then some, and it's a minor inconvenience.

If you're a tech worker you can afford to buy your own personal equipment for personal use. If the company needs you to have equipment to do work, they can purchase it for you. Simple as that.


I love having a work laptop that only has work on it but I've never been able to have a personal laptop that doesn't eventually get all the work stuff onto it at some point.

What do you do if you're lying in bed watching a movie when you remember that you need to schedule a meeting with X for tomorrow at 11am? Do you get out of your warm bed and pull out your work laptop and add the calendar entry and then climb back into bed or do you just pause the movie, log in to your work calendar and make the entry real quick before resuming the movie?

The closest I've ever had to making this a reality was when my work computer was an iMac so I'd just leave it on 24/7 and RDP into it from home (I lived within WiFi distance of the office so all this was done via LAN). Even then, when the work stuff was going to take more than ~5 minutes, I'd still end up doing it natively from my home computer rather than deal with RDP lag.

edit: I also really struggle with what IM programs to keep on my work laptop these days. Medium of communication doesn't map cleanly onto work/personal contacts so I either deal with friends pinging me while at work or missing vital messages from people expecting a business response/having long professional conversations using a phone keyboard.


> What do you do if you're lying in bed watching a movie when you remember that you need to schedule a meeting with X for tomorrow at 11am?

Carry your work phone to bed and use the calendar app.


>What do you do if you're lying in bed watching a movie when you remember that you need to schedule a meeting with X for tomorrow at 11am?

I schedule it when I get in the office at 8 AM.

>I also really struggle with what IM programs to keep on my work laptop these days. Medium of communication doesn't map cleanly onto work/personal contacts so I either deal with friends pinging me while at work or missing vital messages from people expecting a business response/having long professional conversations using a phone keyboard.

My advice is to separate your work and friend accounts. You can have whatever messengers you need for work on your work laptop, but make sure that none of your accounts you share with friends are logged in on that machine. Same for your personal machines - only log in the accounts for friends. Then you don't have that problem.

In most cases, all you need is an email address to make a new account, and you can slowly move all of your friends over to this new account where friends and work do not overlap.


> On Android, there are tools that help prevent IT from reaching into your phone. If it’s allowed by your admin, you can create a separate “work” profile that contains sandboxed versions of your apps to avoid blurring the line between personal and work. The work profile can then be disabled on demand and flipped back on only when you need it, providing a level of control that iOS doesn’t yet allow.

This is changing with iOS 13 and the introduction of User Enrollment, which siloes off work data and adds restrictions to what corporate IT can access.


Exactly. It's surprising that the article doesn't mention iOS 13 and user enrollment which hopefully solves the issue.


I would laugh if appleconnect/switchboard gets around that somehow.


>When you add a work email address to your phone, you’ll likely be asked to install something called a Mobile Device Management (MDM) profile

...what? The Outlook app containerizes your email account specifically so that you don't have to do this. Your company can remotely wipe your work account and only your work account.

Of course MDM gives access to your phone - that's its whole purpose.


MDM gets applied if you want to access your exchange server with the default iOS apps because those apps don't have remote management built in.

If you use the Microsoft apps, you don't need to have an MDM applied because those apps handle the remote management functionality themselves.


No it does not (source: iOS device user and Exchange admin).

Adding an Exchange account to an iOS device optionally allows the Exchange client to enforce password and screen lock requirements, encryption, and allow for remote device wiping.

It does not have any access to device location, data, photos, contacts, or anything else you can think of outside of device passcode, encryption, and remote wiping.

An MDM profile is a completely separate thing from Exchange. Also, unless the iOS device is supervised (which has to be done at time of setup and would require wiping the device if you want to supervise one that's already setup) you're extremely limited in what you can do and see.


This guy MDMs (and is 100% correct).

Source: We provide employees with iOS devices and use VMware Workspace ONE (formerly AirWatch) along with their Secure E-Mail Gateway, and also use Apple's Device Enrollment Program. This provides for as complete control over the device as you can get.


That's kind of my point. MDM has an administrative and capital cost. The Outlook app is free for everyone and doesn't get IT involved in your personal phone.

The use-case for MDM is not to get email on personal phones - that's the right tool for the wrong job. MDM is for simplifying the deployment and management of corporate phones.


> When you add a work email address to your phone, you’ll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you’ll blindly accept it. (What other choice do you have?)

I use the Nine mail/calendar app[1] to keep all that contained. It integrates nicely with the native Android apps but keeps all of the security and control options within Nine itself. It looks like they are also beta testing an iOS app but I have no experience with that version of it.

For example, if the mail account security settings require a screen lock code, Nine will require a code to access the app but this won't affect the actual phone's unlock screen.

Similarly if a data wipe request is sent from the server it will only affect Nine.

[1] https://www.9folders.com/product/


You beat me to it. Nine also allows easy connection to multiple Exchange accounts, has a variety of other nice features and has been around long enough to have a very solid track record.

This kind of sandboxing is one of the things third party apps like this have always been known for, going all the way back to a really old one whose name I'm blanking on, which I believe maintained its own entirely internal calendar, files, etc. (DataViz maybe?)

Edit: this may still be useful for some people, but the work profiles introduced in Android 5+ may make it less relevant at least for anyone at enterprise scale or otherwise using MDM through a service provider.


Looks cool, but it requires ActiveSync to be on. I think a lot of stodgy companies are locking that down and requiring the native Outlook app and its (as mentioned) stealthy MDM stuff.


Do you know if the Android org is cool with this? Like, is there an active arms race to prevent this kind of behavior, or is it condoned?


At least if your org is on Office365 and doesn't have too restrictive policies, you can get your email over standard IMAP. There also exist some nice man-in-the-middle proxies which pretend to Exchange servers that you've implemented the policies they ask for.

I've got multiple "work" (one is a volunteering role) office365 exchange accounts on my personal phone, using [https://sites.google.com/site/bikomobi/exchained](exchained). Seems to work well. I'm sure the respective IT departments would give me a stern talking to, but there is nothing in either job that is of any sensitive nature whatsoever so their blanket "ask for admin permissions on my phone" policies can get fd, frankly.


FYI: markdown hyperlinks are not supported on HN.


True, but at the very least the parser should stop on "]". RFC 3986 doesn't allow square brackets in URIs.


Experiences vary. Some stodgy F500's have IMAP and ActiveSync locked down in various ways that force you to run the Outlook app.


Tons of places outside of F500 are doing that. At work we just disabled IMAP for almost all O365 accounts, and any other method of authentication that doesn't implement our two factor authentication. The rising number of compromised accounts because the user used the same password elsewhere, apparent bruteforce attacks, et al. forced the issue.

Of course MDM is not required for any of this. Worst case is on Android you're forced to use Microsoft's Outlook app.


The Outlook iPhone app doesn't require MDM.


It can, and their MAM blurs some lines.


I've also used exchained but I find that I have to constantly restart it for my emails to work.


I had to deal with this a number of years ago, and my response was "If you want MDM on the device to enable mail, then you buy me a separate device. Otherwise, I will access mail when I am at my corporate laptop or on the web via VPN." Never let them MDM your personal device, because they will possibly auto-wipe your phone if something proprietary or secret leaks out via email and you are on the distro.


Remember 10 years ago when people were predicting/building technology to let our phones run multiple "virtual" phone instances on a hypervisor, solving the work phone/play phone single device dilemma?

I'd still freaking love this feature ten years later. I don't want app level segregation of work and play, I want them in entirely different "instances" of my phone.

> https://arstechnica.com/information-technology/2011/09/samsu...

> https://virtualizationreview.com/articles/2009/01/01/the-nex...

> https://gizmodo.com/vmware-for-mobile-devices-lets-you-run-w...


I wish that there was some movement on that feature as well, but with time new possible implementations have become available on desktop environments that I would like to see extended to mobile.

Application Streaming [1] is getting pretty solid, and I would love to see an integrated mobile solution for that.

It would be a good way to have the easy access to applications, but keep the code, manage the security, and keep the data on the server.

It wouldn't allow access to data when offline, but I think that's actually a benefit when it comes to security. It could also be used by corporations to quickly secure lost devices since there would be no cached data, as well as lock down access at certain places such as when crossing the US border or when employees are on vacation (in other countries, especially).

[1] https://en.wikipedia.org/wiki/Application_streaming


I guess you just need a GNU/Linux phone for that. Librem 5 is the hope.


Android has supported multiple independent user profiles for a few years now, including an ad-hoc Guest one that erases stuff when no longer used.


Sneaky Medium, I used to have a paid account and the page looked like I couldn't read the article until I resumed the paid membership. Signed out and clicked on the link again and was able to read the article. Account deleted!


Not sure how complete this list is, but here's Google's MDM knowledge base articles: https://support.google.com/a/answer/7036693

Mobile Reports: https://support.google.com/a/answer/6072773

Device Audit: https://support.google.com/a/answer/6350074

Mobile Alerts: https://support.google.com/a/answer/3230421

Edit: Furthermore, on iOS, you can go to Settings -> General -> Device Management -> <Select MDM Profile> -> More Details -> MDM Profile. The list of rights is there.


Anything sketchy? I don't have Google Device Management installed.


Thinking ahead to the next time I need it (I haven't tested this), I was looking into current respectful options for people who are on-call in some way.

Considerations included not interrupting personal time or reminding people of work unnecessarily, location privacy, certainly not doing MDM of personal devices, security simplicity, etc.

The most interesting option was the old-school one-way radio alpha/numeric pager. It turns out that the Boston hospitals still use these heavily, as do some EMTs, and they're considered much more reliable than cellular- and WiFi-connected smartphones.

I'm imagining people on-call have their pager on, and it's only used for emergencies. There would be a couple/few numeric codes for the few different appropriate possibilities of importance/urgency/nature/modality, and what you should do. The most usual code might mean get on email/chat ASAP. Another code might mean phone devops ASAP. Code "666" apocalypse might mean call a car service immediately, get on phone/email/chat while you wait, don't delay to groom or anything.

As a matter of culture, all of the codes are worth bothering someone in their personal time. For example, maybe there's no code for "hey, if you have a second, it would save me half an hour if...". (Of course, we have to not raise the importance/urgency bar too much, or people might end up staying on chat or something, because the pager's bar is higher than their own.)


When my company wanted to issue me with a work phone, I looked for the most pager-like thing around. The only reason I would ever use it is to receive alerts when I'm on call, and to do 2FA to connect my laptop to the VPN, so I would like it to have small size, long battery life, and a loud speaker. I couldn't find anything at all like that.


At my current org, it was hinted to us that if we tied (email forwards, etc.) or added any work account to a personal device, that the personal accounts and device could be subject to audits.

Don't mix your work and personal stuff. Keep it separate, keep it safe.


Yes, if it's important to your company for you to be able to receive any of their communications wherever you are, they can pay for a phone plus service to give to you for that purpose. Don't let them use your personal phone for that.


But I still don't want to carry two phones.

Which is why I only redirect my company phone's regular voice calls to the private one when I'm out of office. If it's urgent, call. If it's not, I'll get to it when I'm in the office.


That is totally understandable, and I hope you don't get in trouble when law enforcement comes looking for your personal device that somehow got caught up in their list of devices to look for.


You watch too many movies.


I've been a party to too many situations where this sort of thing happens.

I'm not making this up, y'all; I've sat there with the other side's data collection party when my boss was telling me to let him collect the data.


If it doesn’t require an MDM profile, I have no problem putting my work email on my personal phone. I don’t want to carry around two devices.


That is totally understandable, and I hope you don't get in trouble when law enforcement comes looking for your personal device that somehow got caught up in their list of devices to look for.


Please don't just copy and paste the same (FUD) comment all over the place


I promise I won't pass along FUD


too late


Yeah, I can't downvote people either.




Is this really high on your list of things to worry about? If someone doing something illegal sends me an email that happens to go to my work account that happens to be on my phone, law enforcement will just go to my employer. If someone sends me classified military secrets or something to my work account for some reason that gets sent to my phone, they can track me down, show me a warrant, and go to town. I rank that concern just above "what if I have a doppelganger that happens to be a spy and they get a hit on my face with facial recognition?" on my list of things to worry about.


Why do they need access to my device? The email is on the server.


Yes, and your device read the email, so now your device is in scope. It doesn't matter what else you did with your device and their data, they now have a reason to look through your device.


Would that mean that if I were at a hotel and used their computer in a pinch to access the web client (not that I ever would - keyloggers), it would be in scope?


Probably, but do you care when it isn't your device?


This is not about work email, this is about MDM software. The title is confusing.


There are a lot of companies that require you to enable MDM before you can set up an email account; I've seen it on Android back in the day when I had a smartphone.

FWIW when that happened I just started using the cruddy web interface.


Weird title. It has nothing to do with e-mail. It is the MDM that is the problem.


I actually gave up my smart phone a year ago. I've been with a feature phone (Nokia 3310) for a full year now. My position at work is this: "Given that I'm at my workstation 85% of my day, if I'm important enough to need to check e-mail 'on the go' or outside of work, I'm important enough for the company to get me a second phone - one dedicated to work and work only."


If you have a recent Samsung phone there is a feature called 'Knox' that splits off your personal files from the work-related stuff. Knox is like a secure container that's fully isolated from the rest of the phone -- like a phone within a phone. Knox cannot access your personal files so the assertion that it can 'wipe your data' or spy on you would be incorrect (it only works with the container.)

What the article mentions about tracking is a legit concern though, IMO. Within a container it's still possible to access the GPS sensors. I'm not sure if the user can block this / opt-out? It's possible that an app may have to request permissions to use the GPS. In any case, I would say the situation is still better and more transparent on Samsung devices than this article would imply. I don't know about other devices but I can tell you Apple phones don't yet have an equivalent secure container solution (like Knox or Enclaves) so I'd be more concerned about the security situation on those devices.


This is true of Android work profiles too. The MDM solutions I've seen use Android work profiles underneath, so you're never at risk of your work accessing personal photos or data. The work profile and all work apps are in the separate container.


I feel like most/many articles such as this are targeted at large enterprises/organisations. I've never been asked to install anything like MDM on my phone for any company I've worked for if needing to/wanting to view work email on my phone. But then I've never worked for a company who has more than around 25 members of staff.


Company size and industry definitely play a significant role in the roll-out of managed device policies. Some organizations are required to pass specific ISO/IEC standard certifications with regards to their security policies. Managed-devices with remote-wipe capabilities being one such requirement.


This headline's a little sensationalist. There are a lot of workplaces that don't use MDM.

Don't put your employer's MDM on your own phone. Make them buy you a work phone.


I don't put it in my phone because it gives the company an out to turn your phone into an IT BYOD asset. This makes it subject to a wipe if you ever left the company.


Or... just use the web app to check your mail. If you want notifications, this seems like a great use for PWA.


Depends, some companies have mail accessible only from trusted devices web app or not.


My boss had his phone completely wiped because his kids tried to unlock it a couple of times. Apparently we had that behaviour programmed as a company policy...


What if you have multiple iOS devices and you MDM one of them connected to the same iCloud account, what risk exposure do I have? The same?


This "stop and think" warning is very good, but let's be honest, in many roles you can't say "no" anymore. Most companies require a significant subset of employees to use their personal device for work and have corporate accounts active on it.

It may not be true for you personally, but I bet it is for most people who have on-call rotations.

Features like Android's separate profiles are critical. We need similar sandboxing on all platforms. I don't think we can change the 24/7 availability culture, but we can change things from a software side to make it less onerous.


A company cannot force you to use your hardware to run their business at least not without compensation. Having a phone number that can be paged is significantly different than installing MDM software that can track literally everywhere you go, wipe your phone without your permission, etc. If a company is saying you "must" install something in your personal device without any compensation on top of your regular paycheck this is incorrect. If you use your own car for work you're typically compensated with mileage or you can write it off on your taxes.


I've often thought that if everyone, or even a majority, said "no", then we could have better policies. As it is, I've been the only person at my last two workplaces to object, and there's no way they're going to put in the effort to work with me.

So it is that I've given permission to confiscate my personal cellphone in the case of a breach. Otherwise, I literally couldn't do my job -- not because of anything particular about our field or technology, but because it was easier to set things up the way they are. We could spend a few days changing our alert structures, etc, and no-one would have to have "sensitive" data on their personal phones. But that's not going to happen for one employee.


My friend group works for 3 different F500s and all three hand out locked-down iPhones for work use only. It's clunky, but I like it better.


Don't work anything on your personal anything.


This appears to be why you shouldn't put an MDM on your phone.

I have my work slack and email on my phone, just with notifications turned off on both. There was nothing about installing an MDM.


I've seen the same thing with Chrome. If you log into Gmail it automatically links the browser with the corporate account for all Google services. And if you go to the settings page (chrome://settings/) it shows "Your Browser is Managed by Your Organization". This allows the manager to automatically install extensions, filter websites... I removed the auto-managed browser while being connected and it wasn't an easy task unfortunately.


Interesting that this was just about spying, when the real reason to keep work email off your phone (imo) is to maintain work life balance. If I can access my work email on my phone, I will access my work email on my phone. Constantly. I'm bad enough with my phone and my personal email.

Everywhere I've worked I've told my manager I turn off work when I leave (unless I'm oncall). I've never had this be a concern, across three large companies.


Having work apps on your phone is not mutually exclusive to having work/life balance though.

I have work apps on my personal device primarily for when I'm away from my desk during work hours. I disable notifications etc. outside of work hours.

I wouldn't say I'm really happy with it, but it does permit me some freedom to be away from my desk without the risk of missing something important during the day. It's a trade-off I've decided I'm willing to make.

Work also provides guest wifi which is conveniently configured by the Android for Work profile, so data usage while at the office isn't really a concern.


I just use Android 7+'s work profile feature - basically a walled garden for MDM - and turn off work notifications on nights and weekends. After that it's just a matter of a tiny speck of self-control (unless you're workaholic, it's not that hard _not_ to open a work app) and I don't get annoyed by work stuff despite it being setup on my personal device.


A lot of my workmates have Slack installed on their phones as well, and I won't do it. I have a life, and when I'm not working, I'm busy living it. No thanks.


Something similar could be the case when an office Gmail account is used by a number of employees for viewing and replying to official emails.

Suppose one employee is logged in with the office Gmail account on his/her Android phone. Another employee who knows the password can easily view most of that phone's activity by visiting https://activity.google.com (which includes search history with location).


I only have my work Slack, not email, on my phone because of this.

Something I've wondered: why do they only do this for native email? Why can I use Slack without it? In college even our student email accounts had MDM (which was pretty silly), but I worked around it by just viewing my email in the web browser. Are locally-stored emails somehow more vulnerable than my browser cache and the messages stored in the Slack app, or are those just loopholes?


How many companies provide a company phone and allow the employee to use it for personal stuff? I thought that was the norm. I would question any company that expected me to provide my own phone to perform their tasks. Of course if they paid me enough, this would be negotiable.

Regardless, if I installed their remote monitoring S/W on my phone or used their phone, I would abandon any expectation of privacy on that device.


One option is to use Blackberry Work[1], which gives your IT department control over just an encrypted container, not the whole phone.

[1] https://www.blackberry.com/us/en/forms/campaigns/q2_19/byo


I've had a couple employers offer to transfer my personal number to my work-provided cell phone. I said no thanks, and carried two phones around instead. But it was a surprisingly popular option among my coworkers. They'd rather let their boss own their personal, everyday smartphone than carry around two phones.


When I came in to my current company last year, the only way to get work email was by enrolling your phone in our "company portal", which was based on MS's Intune, part of their 365 offering, which by the way is horrible. There was no IT director, and the lawyer and CFO who drove the plan had draconian rules, so bad that only a few people ever enrolled, and those who did regretted it, as their phones would be wiped several times as unqualified people "poked around" in the system. Exchange and Outlook alone can handle email data safely with remote wipe of company data without total MDM and device 0wnership. I changed to that immediately, and in the past year we've needed to wipe only two people's phones, and it went without a hitch. MDM is a tool that frequently is more than required for the situation.


This should also apply for work slack.

At this point, especially if I’m working at a company that isn’t a startup, I will not work somewhere that expects me to have slack available at “all times”. After hours if I’m not on call I simply do not respond.

For this reason I’ll never do dev ops work haha


And this is why I really want a phone which can run virtualized Android environments.


> When you add a work email address to your phone, you’ll likely be asked to install something called a Mobile Device Management (MDM) profile.

My wife was asked to do this, and (after a discussion with me explaining what that means) she told them they could buy her a phone if they wanted that.

The company I work for does not require it, and I agree to have email and slack on my phone. They don't reach out to me on off hours unless there's a very good reason.


Maybe I have never worked a corporate-enough job to see this, but at all the tech companies I’ve worked at, the idea of requiring an MDM profile on your personal phone to access work email would be more or less unthinkable. I’ve known engineers to balk at installing a simple, no-permissions-required multi-factor authentication client; I can only imagine the revolt that would ensue were they asked to consent to remote management.


TLDR: "do not put work email on personal phone, as the company may ask you to install mobile device management (MDM) to manage your device, which gives them opportunity to spy / control".

This conflates two different things: work email and MDM on personal phone. While I would never install company MDM on my personal phone, many organizations allow you to access work email from personal phone, no MDM strings attached. My 2c.


Our IT policy is pretty broad and obnoxious so i just carry two phones. Couldn’t be arsed to try and keep things separately with policy and software.


Seems like I have Company Portal installed but it's not activated, and the permissions don't mention being able to look at browsing history. Just "Erase all data", "Monitor unlock attempts" and some things like that. Some lesser things on "Outlook Device Policy" which is also not activated. PingID, Outlook, and Amazon Workspaces are on here.


Don't put your work email on your phone, because it becomes a discovery item in court, including all your texts, emails, etc. MDM aside.


Or, you could check to see if any of this applies to you, rather than panicking. Blogpost would have been helpful had it provided more detail:

https://support.apple.com/en-us/HT202837


Why anyone would allow an employer to install MDM software on their personal device is beyond me.


I don't believe I ever actually accepted this on my iPhone.

But trying to search around I can't find anything about how to actually find out. Does anyone know?

I assume Settings >> General >> Profiles, but it is empty so not sure.


If your device is enrolled in MDM, it would be listed there in Profiles. So your device is probably not enrolled in an MDM policy.


I'm surprised it's not more common for phones to support two sims and have an almost dual boot like separation of them (more like desktop computers having multiple user accounts)


While you're at it, leave slack off your personal phone too.


Our company uses G Suite's Advanced MDM on a G Suite Enterprise account. I administer its configuration.

Unless I'm missing something, there's not an obvious way to "spy" on employees, which this article is claiming. Perhaps it's possible, but if it is, it would require a lot of deliberate effort to accomplish. For example, there's not an out of the box way to track employee location. There's not a way to track employee internet browsing history out of the box.

TLDR: using G Suite Advanced MDM, there are not out of the box solutions for tracking or spying on employees in the ways suggested in the article. It might be technically possible, but to accomplish it, your company would need to make a (large) deliberate effort to do this.


Same, we use gsuite MDM for BYOD just to ensure that personnel's devices have basic security configurations (e.g. encryption, lock screen, etc.) Beyond that, this MDM is quite limited to what's possible to accomplish.


>There's not a way to track employee internet browsing history out of the box.

Some large enterprises use MDM to deploy certificates and proxy policies that essentially force you into a MitM situation, with the intention of tracking browser usage.

Location is a bit more tricky. I would say that's less common, but I've seen MDM solutions that offer location tracking as a feature


Yes, there are probably sketchy MDM providers that specialize in employee tracking / spying.

I'm speaking to what's possible to accomplish out of the box with G Suite's Advanced MDM offering, without an extreme amount of additional effort.

(This is relevant because, when prompted to install a MDM profile, the MDM provider such as G Suite is visible to the end user)


I mention this because one of the top use cases for MDMs is deploying said MitM setups. It's common in certain industries, like for banks and for schools. Saying this from experience because I worked for a company that produced both an MDM product and a MitM product.

For an MDM solution on iOS there's a big list of supported profiles you can deploy after the MDM profile is installed ( see https://developer.apple.com/business/documentation/MDM-Proto... under "request types").

If the device belongs to the organization, you might not even know these profiles are installed. If it's a BYOD environment, you know you are installing the MDM profile, and if you open the settings page you can manually inspect which other sub-profiles have been installed by the MDM.

But you're right the MitM itself isn't built into the MDM, because that's a totally different product category ("Secure Web Gateway"). The MitM setup only works if you have an MDM to enforce the certificates and proxy setup upon the user.
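Two questions in this thread (what the "Company Portal" permissions actually grant, and which sub-profiles an MDM pushes after enrollment) can be answered by reading the configuration profile before accepting it. The following is an added example, not code from the article or from any vendor: it parses an iOS .mobileconfig (an XML plist), decodes the AccessRights bitmask of the com.apple.mdm payload using the bit values documented in Apple's MDM protocol reference, and flags the payload types that change what the device trusts or where its traffic goes (root CA, global proxy, content filter, VPN). The embedded SAMPLE_PROFILE is constructed for the example; the server URL, proxy host and certificate bytes in it are placeholders.

```python
import plistlib
from typing import Any

# Bit values of AccessRights in a com.apple.mdm payload (Apple MDM protocol
# reference). Enrolling grants the MDM server every right whose bit is set.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device and remove passcode",
    8: "erase device",
    16: "query device information (capacity, serial number)",
    32: "query network information (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "manipulate settings",
    4096: "manage apps",
}

# Sub-profile payload types worth a second look: a root CA plus a global
# proxy is exactly the TLS interception setup described in the thread.
TRUST_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA (TLS interception possible)",
    "com.apple.security.pkcs1": "installs a certificate (check whether it is a CA)",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.webcontent-filter": "installs a web content filter",
    "com.apple.vpn.managed": "configures a managed VPN",
}

# Constructed sample profile: one MDM enrollment payload asking for every
# right (8191 = all 13 bits), one root CA, one global proxy, one Wi-Fi payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Company Portal</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.mdm</string>
          <key>ServerURL</key><string>https://mdm.example.com/mdm</string>
          <key>AccessRights</key><integer>8191</integer></dict>
    <dict><key>PayloadType</key><string>com.apple.security.root</string>
          <key>PayloadContent</key><data>AAECAwQ=</data></dict>
    <dict><key>PayloadType</key><string>com.apple.proxy.http.global</string>
          <key>ProxyServer</key><string>proxy.example.com</string>
          <key>ProxyServerPort</key><integer>8080</integer></dict>
    <dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
          <key>SSID_STR</key><string>corp-guest</string></dict>
  </array>
</dict></plist>"""


def parse_profile(data: bytes) -> dict[str, Any]:
    """Load a .mobileconfig; plistlib handles both XML and binary plists."""
    return plistlib.loads(data)


def decode_access_rights(bits: int) -> list[str]:
    """Return the human-readable rights whose bit is set, lowest bit first."""
    return [name for bit, name in ACCESS_RIGHTS.items() if bits & bit]


def audit_profile(profile: dict[str, Any]) -> list[str]:
    """One finding per MDM or trust-changing payload; benign payloads are skipped."""
    findings: list[str] = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            rights = decode_access_rights(int(payload.get("AccessRights", 0)))
            findings.append(
                f"MDM enrollment with {payload.get('ServerURL')}: " + "; ".join(rights)
            )
        elif ptype in TRUST_PAYLOADS:
            detail = TRUST_PAYLOADS[ptype]
            if ptype == "com.apple.proxy.http.global":
                detail += f" ({payload.get('ProxyServer')}:{payload.get('ProxyServerPort')})"
            findings.append(f"{ptype}: {detail}")
    return findings


if __name__ == "__main__":
    for line in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print(line)
```

On a real device the profile arrives as a file; run the script over that file instead of SAMPLE_PROFILE before tapping Install. A device-erase bit on a BYOD phone, or a root CA bundled with a global proxy, is the point at which to ask for a work-issued device instead.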


Not even sketchy. Monitoring how long techs take on calls is a requirement in some roles for quality assurance and training purposes. A company I worked for had GPS tracking that they used to make it look like one employee was visiting another employee's wife because our home base was one street over. It was a funny prank until it wasn't.

For G Suite, location is under Mobile management. They list it as a find-my-phone type of feature. There's even a picture of it in their marketing.


If I remember correctly, even the isolated work profile can add certificates on android. Probably the only reason I don't use that either.


Being able to push software installs is a pretty basic feature of MDMs. Is that not the case with G Suite?


> These tools often allow administrators to pry into how the phone is used as well, retrieving call logs, SMS history, and in the most extreme cases, full logs of web browsing.

I doubt any of these (call logs, SMS, web history) are possible on iOS even with an MDM profile installed, unless it's call logs from the company's own VoIP app or web history from its own browser app. SMS? Nope. On Android all these are possible for any app that's given the permissions, even without MDM.

Can anyone who knows more validate or confirm the veracity of this claim in the article?


I have two phones. My work email is installed on my work phone. My personal phone doesn’t get used much. Sometimes I leave it at home.


Anyway, you probably don't have a role in your organization that requires you to check your work emails outside of the office.


> you’ll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you’ll blindly accept it.

Say WHAT? That's the entire premise of the article. Any sane person who has even a vague idea of what an MDM is will answer with a resounding NO.

Are there actually serious companies who ask their employees to install an MDM on their personal phone? The moment you install an MDM on a phone, that phone is no longer your own; it now belongs to the company.


A nontechnical person won’t blink an eye. Those are still sane people, they simply don’t understand the threat like we do.

Same reason that recent issue with all the Chrome extensions happens. A lot of people blindly click OK, just like we’ve been trained to do on privacy policies as well.


> Any sane person who have even a vague idea of what a MDM is will answer with a resounding NO.

Very few people have even a vague idea of what a MDM is.


> Is there actually serious companies who ask their employees to install a MDM on their personal phone?

Every company that does BYOD?


Can confirm; the Fortune 500 company I work for has pretty extensive support for BYOD. Managers can be stodgy about providing work phones, plus carrying two devices is a pain.

I use Android so I'm relying on the Android for Work sandboxing, but truthfully I don't know the exact details of what that does and does not allow my employer to access. It does bother me, but I don't feel like I have a whole lot of choice. Being able to respond to Google Chat messages at any time (when away for lunch, for example), is feeling more and more like a requirement/expectation.

Also, commuting on the train pretty much requires mobile Hangouts support (which Google effectively makes impossible to use via a website if you're on Android), unless you want to always be at your desk in the office prior to the first meeting each day.


Good advice for many reasons, but unless you let your company root your device, they can't track you and your behavior.


While I sympathize with the privacy concerns, carrying two phones around is pretty much a dealbreaker for me.


It can be annoying sometimes, but honestly it can also be pretty cathartic to leave your work phone behind when you go for a bike ride, or out to dinner with friends etc.


Misleading title. Should be "Don't put your work's MDM on your personal phone".


I did the opposite. Put all my personal stuff on my work phone. No way am I going to carry around two of those bulky monsters. The only bad part is that a bunch of my online identities are now directly coupled to work, unless I can convince them to let me keep the phone if I ever leave.


The title is misleading; MDM should not be equated with "work email".


Well, yeah. Was this not obvious? Are people actually doing this?

If an employer wants me to be reachable by phone they can give me a work phone. Why would I voluntarily turn my personal phone into a work phone?

