@notsle@kzoo.to Company I worked for years ago decided to require this for any device that wanted access to Outlook. I put my foot down and said nope, my device: either gimme a phone or I just won’t have access to my work email nights and weekends. They stood firm; and it was nice to delete Outlook (I wasn’t there much longer, the writing was on the wall for what they were becoming and I left).
Privacy
Everything about privacy (the confidentiality pillar of security) -- but not restricted to infosec. Offline privacy is also relevant here.
@NefariousAryq@hoosier.social did the same at a previous job. I won't install Teams on my phone
@notsle@kzoo.to @NefariousAryq@hoosier.social Needed to install Teams for a mandatory job programme. Wiped an old phone, minimum setup, and installed Teams.
They ended up sending out a Chromebook. I refused access to our home network on a device I didn't own, it wouldn't go through setup on an open AP. I bridged an unused router with the open AP, Chromebook saw through it. 3 months later they had it back after a factory reset.
I use a different Raspberry Pi for job searches FFS.
@notsle@kzoo.to My brother regularly says, "Act your wage." And he's an architectural project manager, so he knows project task scope. @NefariousAryq@hoosier.social
@notsle@kzoo.to one thing that surprised me about Intune MDM on a personal device is that your organization can reset/remove your passcode at will. I still can't find anything in the docs nor enrollment process that would clearly explain this capability to the user.
@notsle@kzoo.to In my previous job, I worked with Intune MDM... Yeah we had several instances of someone on my team accidentally disabling or wiping employee-owned phones. I suspect this is more common than many would like to admit. After that experience, I'll never allow an employer to have control over my personal device, even if it means I have to find a new job.
@baralheia@dragonchat.org yeah. People are not infallible. Look at the stories of jealous cops using license plate scanner cameras to track an ex.
Or just a micromanaging boss wanting to know your location.
Sometimes it’s an intern hitting the wrong button.
@notsle@kzoo.to I have to install this on people's devices as part of my job. I'm shocked at the number of people who would rather put this on their personal phone as opposed to carrying a second company-supplied phone. And yes, the option is presented.
@notsle@kzoo.to I'm curious, but how would isolating this within an island suffice if one absolutely had to do it?
@notsle@kzoo.to @CosmicTraveler@mastodon.social If your company requires access to your phone, then they owe you a phone.
@notsle@kzoo.to exactly the reason I don't have Outlook on my phone. Some of my teammates accepted it without even knowing, lol. I just use the Outlook PWA. No notifications, but we primarily use Slack so 🤷
@notsle@kzoo.to @funnelfiasco@hachyderm.io I like that some platforms have a good segmentation barrier in the form of containers like Samsung's Knox, but yea. I work in IT, I've been asked to issue a wipe, I know what happens :/
@notsle@kzoo.to there are settings within Intune to only put in place control over the corporate apps. Essentially containerizing that data and wiping only that data without the ability to remote wipe the rest of the phone.
@notsle@kzoo.to This is highly dependent on the way MDM is implemented. If your company is implementing MDM to fully onboard your personal device, then yes. Everything you said is correct. If however they are using a combination of (for Microsoft environments) App Restriction Policies and Conditional Access policy then the company has no way to issue a wipe on your phone. App restriction policies place managed applications in a separate encrypted partition. The company can see company data, but nothing from your personal partition at all. Nor can they control your device, monitor any of the sensors, or track your location or contacts.
The vast majority of orgs just do the full blown MDM enrollments though because it's far less work to implement and less complicated to manage.
@notsle@kzoo.to
This sounds like the sort of thing that certain staff have the ability to fight and other staff might lack the ability to fight.
#union #unions
@notsle@kzoo.to @graydon@types.pl I actually went through this with the IT at our current company when I enrolled. MDM is quite appropriate for us, we manage people's money. I also have some experience in iOS device management.
As far as I know, these concerns are wildly exaggerated for iOS. It wasn't true in 2018 when this was written (read further down to the comments) and it's far less true now.
IME users are about 1000x more likely to be compromised by some free-to-play game or social network
@notsle@kzoo.to or if they are incompetent like my employer they can accidentally wipe your phone! Happened to like 200 people I think.
@notsle@kzoo.to Huge shout out to instead
@notsle@kzoo.to I don't accept work phones anymore because i don't want to carry an extra phone.
Business emails, calendars and phone calls are very useful in everyday life, but if that requires an MDM or other crap software like Outlook, I'll say: no thanks.
The separation of working time and free time can be ensured technically in a better way (e.g. an eSIM if this is important to the employer and the setting options of Android)
@notsle@kzoo.to This blog post is 7 years old and a lot has changed since then. The mentioned Android administrator profile is deprecated and replaced by a much more user-friendly version. If done right (aka competent IT, segregation profiles, dual SIM) there is nothing speaking against using a personal phone for company stuff. But: as an end user it's very hard to know what the team is to do in the first place. So I'd say be conscious, and if IT can show and prove what they are doing, you're fine on Android.
@notsle@kzoo.to Better to buy a cheap phone exclusively for work if you can.
Apple is probably one of the most extreme examples of personal phones being used for that reason.
They tracked employees' personal data on phones, including passwords.
It's essentially cyberstalking on a mass scale.
@notsle@kzoo.to Good advice. Never had, on any personal device.
When I was at S***, they wanted to do that so I can get work email and basically be available on-call after-hours.
I told them from manager up to SVP "give me a separate phone, or I'm not doing it".
They never gave me a separate phone, and I wasn't held to be available off-hours.
Really helped when I separated from company as nothing I had got arbitrarily remotely wiped.
Also saved things during the Crowdstrike event.
@notsle@kzoo.to my employer recently refreshed phones and the new ones come with MDM installed by default. I carefully read the privacy policy and they explicitly say that in a justified case they're allowed to read your private data and can lock/delete the phone if necessary. Nope, my private data won't be on that device.
Nope, my private data won't be on that device.
That's exactly why we write those policies. To let people know not to put their private shit on the devices.
I never had to open up a phone yet to access any data, and I don't expect I ever will. Even if I did, I'm not going to snoop around, I'm just going to get the data the company needs.
Yet, I still advise any new employee not to put their private shit on the device.
I have had to delete phones remotely though. Tough luck if your family photos are on it, not my problem.
@notsle@kzoo.to @chirpbirb@meow.social I know back a while ago, Outlook on Android had the ability to wipe a device without MDM. Coworker accidentally wiped an ex-employee's personal device trying to deauthorize it.
@notsle@kzoo.to this article is either clickbait or the author has several year old experience. Most of the described things are only available on fully supervised devices. To get one of those you need to wipe the device and get permanent warnings in the lockscreen.
There are dangers but they are clearly communicated by the OS.
@matmair and most companies do not have the time/experience to set it up properly.
Microsoft Intune shows these warnings when going through the steps.
Even if Intune restricts what my work can do in their app, Microsoft is still requesting a lot of permissions.
Even the simple fact that they can wipe my phone is enough to not sign into Outlook with iOS.
@notsle@kzoo.to this is completely controllable by the company. Maybe you just have a shitty IT department and shouldn’t work somewhere that does not educate their IT staff appropriately?
We have Intune at work - we do not request the option to wipe personal devices. Flaming a net-good technology because you have had a bad experience is not a good look.
@matmair so send me a screenshot of what your MDM profile looks like on your device and what the permissions are that it gives.
What net-good is there for individuals to allow any control over their device to their employer?
You even said the best part. "Controllable by the company." I choose to give zero control of my personal device or its contents to "the company".
@notsle@kzoo.to this article is fear-mongering bullshit.
@notsle@kzoo.to if work wants me to have a cellphone then they will provide it. (And they do). This is not negotiable. I will never mix my personal life with my work life on a phone.
@notsle@kzoo.to what about p.1 of this article regarding how this works on Apple devices:
- Work Data Separation and Encryption
@in_sympathy@mastodon.social as that article says, "managed through a leading Apple-specific MDM using the BYOD method".
Is that what your employer is using? can you independently verify it?
Did they configure it properly?
Most businesses are lazy and just buy into the Microsoft ecosystem and use defaults.
My IT infrastructure team, while security minded, care about protecting the business, not the employee. They wiped an employee's phone this week because it said it was in a different country.
@in_sympathy@mastodon.social Of course, there are places that do it right. But most people either are not technical enough to know what to verify, or the company won't share details of their MDM system and just generically say it's required.
@notsle@kzoo.to Speaking only for Microsoft 365 and Endpoint (Intune). Devices are marked as company or personal during enrollment. Administrators can't see your personal apps or data. The only thing we can do is wipe the apps installed by MDM.
@tzudad@mastodon.social I know the permission the Microsoft profile requests gives them (Microsoft) much more access than that. I believe they then reduce its capabilities in Endpoint (Intune) but the permissions are still given. At least in iOS.
Here are screenshots for iOS when setting up Intune. It's about trusting Microsoft and your company.
I believe even connecting to exchange gives the ability to delete your phone from the server. But it’s been years since I checked that.
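Added example, not code from anyone in this thread: a small Python script that decodes the AccessRights bitmask of an iOS MDM enrollment payload, which is the mechanism behind the passcode-removal and device-erase capabilities discussed above. The .mobileconfig it parses is constructed here (placeholder identifiers and URL, no real vendor's profile); the bit meanings are taken from Apple's MDM protocol reference.

```python
import plistlib

# Bit values of the AccessRights key in an Apple MDM payload (com.apple.mdm),
# as documented in Apple's MDM protocol reference.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device and remove passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "manipulate settings",
    4096: "manage applications",
}

def build_profile(access_rights):
    """Constructed sample .mobileconfig (XML plist); identifiers/URL are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.mdm.profile",
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "example.mdm.payload",
            "ServerURL": "https://mdm.example.invalid/mdm",
            "Topic": "com.apple.mgmt.example",
            "AccessRights": access_rights,
        }],
    })

# All 13 rights (full control) versus an inventory-only mask (16 | 256).
FULL_CONTROL_PROFILE = build_profile(8191)
INVENTORY_ONLY_PROFILE = build_profile(16 | 256)

def mdm_access_rights(profile_bytes):
    """Return the names of the rights the com.apple.mdm payload requests, if any."""
    plist = plistlib.loads(profile_bytes)
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            mask = int(payload.get("AccessRights", 0))
            return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]
    return []

def can_wipe_or_clear_passcode(profile_bytes):
    """(can erase device, can lock/remove passcode) for the given enrollment profile."""
    rights = mdm_access_rights(profile_bytes)
    return ("erase device" in rights, "lock device and remove passcode" in rights)
```

Running it over an enrollment profile your IT department hands you (before accepting it) shows whether the erase and passcode-removal bits are set, independent of what the enrollment screens say.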
@notsle@kzoo.to Those settings look closer to a corporate device to me. I'm the original IT guy in my company and created our M365 organization. I don't think some of those abilities were available when I configured our environment for personal devices in 2018.
We can only see and reset M365 apps when they are signed in with a company account. We do not see personal apps or data. I'll never allow that horrible sh*t on the personal devices of our people. Corporate devices are very different.
@tzudad@mastodon.social those are screenshots taken on my personal device when I went through the steps to install Intune like my work wants. I had no intention of finishing it. Just wanted to see if anything has changed from previous employers.
@notsle@kzoo.to Your company's IT has some really invasive settings. Are you handling sensitive data? If I had to do that, I'd buy a garbage phone with a prepaid SIM and not put anything but their stuff on it. 2 phones sucks, but privacy is your right on your device.
@notsle@kzoo.to @tzudad@mastodon.social Connecting to Exchange with the phone manufacturer's pre-installed mail app usually gives the ability to remotely wipe the device; if you use a 3rd party app, only the profile in that app can be deleted.
@notsle@kzoo.to I have to wonder if Samsung might be doing something like this, but with customer phones. Before I dropped Samsung in favour of another brand, I'd noticed what seemed like new apps that I'd never installed, nor wanted, being updated.
@notsle@kzoo.to @dtanzer@social.devteams.at The problem here is that BYOD is not done right by Microsoft (maybe also other MDM vendors). With iOS itself you can enroll devices as company owned and privately owned. On privately owned devices the private data is separated from the company data. On disk an additional encrypted partition is created for the company data, so that the data are separated. Also apps like Notes keep the data separated. (I don't know Android, but I think it's similar.) See also https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf
@notsle@kzoo.to Even the humble old ActiveSync gives them permission to delete everything on your phone. This is still used at some companies, particularly those who are only allowed to use on-prem Exchange.
ActiveSync is the protocol you'd use if you just add "Microsoft Exchange Account" (the way most Android versions call it).
Not the same as Outlook for Android and iOS. That app is comparatively harmless, you can give it fine-grained access to e.g. only your calendar.
@notsle@kzoo.to I'm about to start a contract where this certainly won't be up for discussion. Timely reminder thank you... I guess I'll dig out an old handset and buy a $2 Telstra SIM. Sigh.