74 comments

[ 2.8 ms ] story [ 143 ms ] thread
My employer recently required that any mobile access (or, really, any access through a method other than web browser) to any real-time communications systems for the company, including internal e-mail and instant messaging, must be through a device that has the chosen MDM solution enabled.

It was at that point that I informed my manager that I would no longer be checking work e-mail and instant messages on my mobile device unless the company chose to pay for a company-owned device and require that I carry it. My manager told me that he intended to do the exact same thing. Informal surveys of my group show that about 80% of the group are not following work e-mail or IMs when away from work computers.

I am happy that this is the case but am also disappointed that the remaining 20% are almost entirely the "burn the candle at both ends" segment of our group and they're forever replying to threads and the like even when off work on weekend or vacation.

I have read on multiple places that MDMs on an iPhone have quite restricted access (no SMS/iMessage, pictures, non-MDM e-mail, and the like) unless the device has been wiped and redone under the All Powerful MDM mode but I don't know if those people are correct or if they're all going from the same (possibly inaccurate) source. Therefore, I keep the MDM stuff off of my iPhone because it is mine and I have data from other unrelated projects and companies on it that is none of my employer's business nor theirs to have access to hoover up.

Same here. I was a partially remote employee. When my employer mandated MDM and an unworkable VPN for offsite emails I sent my work colleagues a message informing them I could no longer receive corporate email and asked them to contact me at my personal email address. Problem solved, for me. But of course it effectively lowered the company's overall email security posture.
I bought a Kindle Fire expressly for the purpose of BYOD for my employer's mail client and other productivity apps. It required side loading the play store to make their app store work but keeps any potential MDM from managing or resetting my phone. I feel like that's a reasonable compromise.
fortunately, my employer will pay for a device. We don't have an MDM - soon we will - but to be honest I can't see allowing BYOD without MDM.
I can't see BYOD with MDM. With MDM, it's not YOD. You're just paying for the corporate device out of your pocket, and there's no certainty you'll ever get it back.
we agree. I understand why employers require MDM, but I've always had a device that is a work-only silo of apps and authorizations because control of my device is important to me.
Pretty much exactly the same story here, but sadly most of us reading this are in Tech so we know better than to accept a BYOD policy, and our companies are rich enough to accept that and either issue phones or deal with the fact we're going to be out of communication for some period of time.

Other industries are not going to give people the choice, and will force these policies on their captive users. So, we need to push back and make MDMs better to protect those users.

> I would no longer be checking work e-mail and instant messages on my mobile device unless the company chose to pay for a company-owned device

Interestingly enough, where I work is unthinkable to check your work email in your personal smartphone, both because workers won't accept working in their free time and because it goes against the company security policy (writing your password in a personal, spyware ridden device? _shrugs_). Maybe we should start outright refusing to perform work activities during personal time.

> I am happy that this is the case but am also disappointed that the remaining 20% are almost entirely the "burn the candle at both ends" segment of our group and they're forever replying to threads and the like even when off work on weekend or vacation.

Really? Off work is off work.

The moment I step out the building door, work is done, finished.

Want to talk with me? Wait for the following day I am at work.

There is nothing the employer can do about it unless it specifically states it on the work contract, most European countries have laws about being contacted after work.

Out of curiosity - do you work in the US, and are you am hourly or exempted worker?

Here's my problem: I try to maintain a good work life balance. I devote time outside of work to passions, hobbies and relationships. But I am not dogmatic about hours. My company does not pay me to have my butt in a chair. They pay me to get the job done.

In Europe.

I am very dogmatic about hours, because when the next layoff round comes, HR won't care 1 second about how much overtime people were doing when considering who to fire.

That makes total sense. Here, they absolutely care about who worked (unpaid) overtime when deciding who to fire. The people I've seen who are out the door at 5:01 don't survive those transitions.

I'll admit to more than a little envy!

That's exactly what I meant. The 20% who immediately jumped straight into the MDM rollout are the ones who do not have the concept of "not at work." They have two modes: working on e-mail and sleeping.
Not checking work e-mails or IMs while not on the clock should be the standard practice anyway.
I tried to get outlook for my work on personal device, wanting to use the app for push notifications.

They wanted MDM, I tried to deploy in my "secure folder"(formerly Samsung Knox), but would block my phone as incompatible platform.

They could enable this, but my company doesn't want to and no reason given

I just use the Outlook web portal. No MDM needed.
Yea that's what I am doing now, but don't have the push notifications to make it useful.

I am not required to access my work emails outside of my core hours, but it comes in handy if I could get notified of a new email directly to me (I get 100+ emails a day with maybe 10 requiring me to do something).

I like to be prepared knowing what I need Todo before I come into my office the next morning.

I ripped the MDM off my iPhone. Wasn’t worried about the, tracking my porn habits, just got sick of being forced to update my passcode every few months.

Fortunately (?) I can access schedule and email with iPhone app.

We work primarily with small businesses in mental health, where a large percentage of devices are employee managed. The lack of attention to employee privacy with security needs in these solutions has been an ongoing point of frustration for us.

A carefully designed MDM solution could greatly simplify compliance and improve the security baseline for many of these businesses. As the market stands now, you either get easy to use with no safety rails on one end of the spectrum or all the power and flexibility and complexity in the world on the other.

I think there is definitely some opportunity in this area.

I use Samsung's knox VM thing. The corporate policy is applied only on the virtual phone that checks office email and calendar.
Sad that Samsung EOLed their Knox ecosystem. There seems to be a market for it.
I remember that this was a big deal when they introduced something similar at my previous company. It added something not mentioned in this article-If I recall correctly, it enabled IT to wipe your device at will. I declined.
I hate that as an admin, I have that power instead of just restricting my ability to remove company email/calendar/contacts only. I have a handful of senior execs who do not want a company phone (or rather give up their personal phone), still want to access company email, but do not want to install MDM because it allows me to completely wipe their device or perform other system-level stuff.

All I want as the admin is to (1) authorize if a device can be used to connect to company resources (2) require minimum level of security (pin/pass unlock) to be available to access company data and (3) de-authorize the device, which immediately deletes ONLY company data.

I don't want anything else. I don't want to sync photos, share clipboard, change security settings, send blaring lost-phone alerts. Those are not my problems. Just let me have an isolated VM-like area where I can allow/disallow the user's access to company data.

> I don't want anything else. I don't want to sync photos, share clipboard, change security settings, send blaring lost-phone alerts. Those are not my problems. Just let me have an isolated VM-like area where I can allow/disallow the user's access to company data.

Good for Enterprise (now owned by Blackberry) does this. I do not know if it is really a secure enclave, but their app is its own universe and was the only part of my phone that was controlled by my employer at my last job. The drawback is that its their own universe - you are using their mail program, calendar, browser rather than your personal favorites. But it sure beats the MDM policy.

This is bullshit. I own my device, and this kind of management shouldn't be possible on devices that I own.

Can I run some sort of VM or a sandbox to make the server think they're MDMing my whole phone? I should be able to feed them enough garbage to keep the other end happy, right? If IT wants to be able to remote wipe my phone, they can remote wipe my VM instead. Anything less would be absurd.

Just don't agree to it. Or remove the policy and state your concerns to your employer.
Just get a cheap burner feature phone for work. They’ll get the message. You might be able to use the same number on two phones on some carriers.
Google Voice can ring multiple phones from a single number.
I have Samsung Knox of on my phone and the work profile is completely isolated from the rest of my device. If they wipe the device, it just wipes that container. It's near complete isolation of work and personal apps.
As a counterpoint, I do recommend installing your own Supervised MDM profile onto your iOS device. This will:

- prevent the installation of any other MDM profiles (such as a work profile)

- allow you to pair-lock your device, which will prevent any forensic tools from accessing your device (for instance if it gets taken by police or at a border crossing, even if you're forced to give up your password, they won't be able to image your device or do other scans).

iOS security researcher (now Apple employee) Jonathan Zdziarski has a blog post on it:

"Counter-Forensics: Pair-Lock Your Device with Apple’s Configurator": https://www.zdziarski.com/blog/?p=2589

sweet tip, than you! this is the reason I read HN.

queue the long nested thread of technical objections, policy objections, legal objections, objections on behalf of web publishers just trying to make it in this difficult internet and need your data to monetize, ...

IIRC in iOS 11 (if not earlier?) Apple changed it so forensic tools can't suck data off your phone unless you enter your password while the phone is attached to the computer. Previously if you unlocked your phone, they could then carry it off to their computer, attach it, and start vacuuming up your info. But now unless it's already attached to the computer before you unlock it, you know they can't do that.
You can easily be forced to enter your password while you are in the ‘constitution free zone’ though.
I've done this years ago and am very happy with it. However I don't recommend this to everybody (especially non-techies) since you cannot restore a backup to a different physical device, so changing your phone requires a re-installation from scratch.
Is there any sort of analogue for this with Android devices?
Mostly, many MDM providers support a system known as "Android for Work" or more genericly "Work Profile" which separates your device into two profiles and very little data passes between the two.

I've been doing some testing on my end on how well the separation is using Google's "Android Enterprise" MDM which you can setup yourself (for free), then put your Employer's MDM inside a Work Profile.

(comment deleted)
The article seems to engage in a bifurcation fallacy in suggesting that if you have company data on a personal device, then you must or ought to have MDM.

Trusting me to be able to access my work e-mail from my own equipment without the need to monitor me is perhaps the lowest baseline of trust that I expect an employer to put in me. Afterall, if they can't trust me to be responsible with such data why bother giving me access to their systems at all?*

* The exception of course is in cases where they are required to monitor data use by law, e.g. medical. But prefer working in open environments anyways...

"Sorry boss, I didn't know it was risky to download company data to my Android 4 device and also install Candie Croosh Castle that needs access to Photos, Files and Media"

It's as much about ignorance as it is about malice.

Most people don’t know how to keep their devices secure. I wouldn’t expect that from an employee unless they are a security professional.
So, do you only work at companies where every employee is a computer professional? Or perhaps you expect your employer to give some sort of individual assessment - "John is ok, Jim needs monitoring, Jane is ok...."?
The author is unclear of an issue I'm not 100% sure on -- once MDM is installed is it really "no longer your phone?"

Can't you just factory reset your phone, login to your accounts and download your data again?

Newer Android OSes have the concept of a "Work profile" that you can enable for this. The company's MDM goes onto the work profile, along with the approved work apps. These may be sandboxed copies of existing apps, like in the case of the google suite, where they're tied to company data and accounts.

The work profile apps and data are the only things the MDM can "see" at that point on the device.

You can also switch the profile on and off at will, which is nice for vacations.

Yeah, this article doesn't match my understanding either. When I went through the setup process on Android I clicked through a permissions dialog, similar to what you'd see when installing an app, that laid out what exactly the administrator would be allowed to do. To be sure, some policies effectively grant root on the device, but mine just asked for permission to disallow insecure lockscreen settings and to remotely wipe the device (needless to say, my personal data is all backed up elsewhere). This was on an older Android version; newer ones also allow device policies to be scoped to work profiles.

The article makes it sound like once you accept one of these policies the policy server can subsequently push out an update with more permissions and the user doesn't get a chance to opt out. But surely that must not be right?

Yes, practically not a single point in the article is true if you use a work profile. Even the remote wipe only wipes the work profile, no personal data.

It seems like the article is trying to spread some fear, without checking what users can actually control on newer Android and iOS devices.

While that’s true, how many of the devices in use in the wild by regular people have newer versions of Android available? With that in mind, I think the article makes sense.
Profiles were introduced in 4.2 on Android, if I recall, almost 4 years ago. Most Android devices in developed countries are above this version. My original Nexus 5 had them, and that's some 4 phones ago.

I'm sure you could find a shipping device that lacks them, but not from a major carrier in most of the world. Of Play-enabled devices, Google puts this at less than 5% worldwide

That's fair, also I haven't tried using one outside of the google ecosystem. My personal accounts are tied up inside google and most of my employers have used the gsuite as well.

Maybe someone else can comment if it works the same with office365 or similar?

There is a caveat, some larger organizations, like mine. Still haven't enabled Android for Work on all devices, but are piloting it currently to certain subsets of users.

I have a separate phone (Nextbit Robin) that has my work MDM on it. Thankfully, I've got access to the console, so I can keep an eye on the audit log.

Simply connecting an Exchange mail account allows an administrator (or yourself through the Exchange web app) to remotely wipe the device.

https://technet.microsoft.com/en-us/library/aa998614(v=exchg...

This varies by application, at least on Android. The built in client from the manufacturer or AOSP is far from the only option.

Years ago this was one of the key features of the Nitrodesk software - work data was all kept within that app and could be wiped by the Exchange admin. The Exchange client I'm using now (Nine) has an option in settings for the security model and can either be device or application, with capabilities as you'd expect.

I have the "Google Apps Device Policy" app on my Android phone so that I can use work email/Slack/etc, and it has these permissions: Erase all data, Change the screen lock, Set password rules, Monitor screen unlock attempts, Lock the screen, Set the device global proxy, Set screen lock password expiration, Set storage encryption, Disable cameras, Disable some screen lock features. I explicitly agreed to these permissions when I installed the policy on my phone.

The obvious intention here is to make sure there are reasonable measures in place in case my phone is lost or stolen. I think the main possibly-problematic permission here is "Set the device global proxy", which apparently could be use to intercept SMS messages (according to the article, I think). Other than that one, I'm pretty sure most of the scary capabilities listed in the article (the ones affecting privacy) don't apply here. Maybe other MDMs have those permissions?

My understanding of the Android security model is that permissions changes need to be explicitly approved by the user, so I think an app update or config change wouldn't be able to extend the permissions without my agreement. Also note that the app is written by Google, so my company isn't even running custom code on my phone. Even if the permissions do somehow change, I always have the option to remove the app, which un-applies the policy and disconnects my work Google account.

I suppose this sort of thing depends on the situation and how much you trust your employer, but I think that for many cases this article is a bit alarmist. Note that you run into similar problems if you ever log in with personal Google on your work computer. Since your employer owns the computer, I believe they have legal access your Google cookie and could use it to read your email and anything else associated with your Google account. But I do it anyway because it's convenient and I trust my coworkers, and I am quite certain that nobody is reading my personal email. But I also work at a small company where I know everybody. YMMV.

I was asked by a previous employer to perform the rollout of MDM to our mobile fleet, and I fully agree with everything in the article. Restrictions were implemented at the whim of my boss.

As an example, he found out there was a feature in the MDM service to block access to YouTube. He made sure that was ticked. Why? He didn't want people wasting time on 'his' phones. And the helpdesk would explode every time a new restriction was rolled out, but he didn't seem to notice or care. In his mind they were his phones.

BYOD really means "bring your own device --- and give ownership to us."
My employer at least offered an incentive to BYOD. You supply your own phone and plan, and they cover a portion of your carrier bill (you have to supply your invoices to prove you still pay for the plan).
You didn't explicitly state it, so I am just confirming, your previous employer did not actually purchase or own the phones, but expressed feelings of ownership over them?
It was a mixture of the two. Some of the phones were purchased by the company, some were personal devices.
So, people couldn’t watch youtube on their personal devices in their free time? :D The company must have offered a very generous package to put up with this shit...
This article is far too hyperbolic. Instead of calmly laying out the privacy implications and realizing people can choose where to draw the line for themselves, it draws the line for everyone. It's my decision whether I find it worthwhile to accept an MDM policy, not the author's. Yes, I know the line is drawn by humans and not technology—but I am comfortable with and trust those humans.

I accept that trying to achieve privacy from my employer through technical means is essentially a losing battle. It would mean taking multiple laptops on all (frequent) work trips, never checking anything personal at work, and not being able to effectively check my work from home.

Plus even if I had that full isolation they already can technically access much of my personal data since they host my email and browser.

The second I lose faith in the security and privacy values of my company, I would leave—but trying to technically limit myself seems functionally impossible.

The most important part is that MDM can install VPN settings and root SSL certs on your phone, allowing your employer to intercept all traffic to and from your phone (unless the apps use SSL certificate pinning or end-to-end encryption).

People probably don‘t expect their employer to be able to intercept eg. their Facebook messages or private email.

And it‘s trivial to protect against this: Just use your own device for personal stuff. You probably don‘t need to bring a second laptop on a work trip, just bring your own phone or tablet for stuff that you don‘t want someone at your company to track...

I agree that people should know the implications, but I know them and am essentially comfortable with the tradeoffs. After all, I already share much of my browser history via Chrome anyways.

> And it‘s trivial to protect against this: Just use your own device for personal stuff.

I don't consider that trivial. Switching from work email back to personal email, or checking Facebook while coding is very common for me. More importantly, I don't particularly care if my employer has the ability to track my activity.

If you check Facebook while coding, your productivity might also profit if you started using a separate device for that :)
Thanks for the moralizing point, which is entirely what I objected to in the original article.

How I manage my personal productivity is my prerogative. Personally I find that I fluctuate between periods of intense focus (where hours of coding pass without me even noticing) and times where my brain is tired and I need a thoughtless distraction.

Very important detail regarding iOS: With the BYOD mode of MDM (not "Supervised Mode" used for company-owned devices), as I understand it, there will be a dialog box which appears on the device and asks you to approve the installation of such configuration profiles.
> It's my decision whether I find it worthwhile to accept an MDM policy, not the author's.

Well, yes, of course it's your decision. But I think his point stands: if you exercise your right to accept MDM on a personal device, you've made a wrong decision.

> I accept that trying to achieve privacy from my employer through technical means is essentially a losing battle. It would mean taking multiple laptops on all (frequent) work trips, never checking anything personal at work, and not being able to effectively check my work from home.

That's a bit strong. On work trips I'll sometimes bring my personal laptop, but even more often leave it at home. I don't need a personal laptop during my downtime — there's a whole big world out there! — but it can be nice. On personal trips I'll almost always leave my work laptop behind. Why would I work on a vacation?

Yes, you should never check anything personal at work. If you do, your employer is completely within his power (definitely) & rights (in many jurisdictions) to read your communications, store your passwords &c. Just Don't Do It™.

You can effectively check your work from home with your work laptop.

> Plus even if I had that full isolation they already can technically access much of my personal data since they host my email and browser.

Only if you use your work email & browser for personal purposes. Don't do that! Seriously, don't. Just don't. Sooner or later it will bite you, badly.

Work systems are the property of your employer; personal systems are your property. Work systems are the responsibility of your employer; personal systems are your responsibility. What your work wants, may not align 100% with what you want; what you want, may not align 100% with what your work wants. Don't cross the streams!

> if you exercise your right to accept MDM on a personal device, you've made a wrong decision.

Only if I share your exact same values. You cannot tell me my decision is "wrong" when I know the consequences but decide that I'm comfortable with the risks.

Your response, and the original article, are incredibly patronizing.

> Yes, you should never check anything personal at work.

That's your view. Stop applying your personal views to my own.

Yes I know my employer can store my information and read my communications, but personally I don't care at all that my employer could read my texts with my girlfriend.

> Only if you use your work email & browser for personal purposes.

I work at Google. Of course I don't use my work account or browser profile for personal purposes, but at the end of the day my employer hosts my personal email and makes my personal browser. Given the vast amount of personal data which we have, I think trying to use technical measures to limit my exposure is foolhardy: my faith in privacy lies with the policies and actions of my fellow employees. If that faith ever falters, I have far bigger problems than the occasional Facebook message sent at work.

I have a handy tip for [older] Android. On Android you can setup Users, the users are like completely different phones (from a software perspective), different apps, accounts, passcodes.

If an employer requires MDM to be installed, and verifies that it is installed, you can add a second user account and install MDM in there. The user is so separate that if MDM is used to remote wipe a phone, when MDM is installed in a secondary user, it doesn't actually wipe the phone, it just deletes the secondary user. Yes, I actually tested this remote wipe functionality with an employer's MDM.

On Android 7.0+ the "work profile" is probably a better option (https://support.google.com/work/android/answer/6191949).

You should also be aware that installing an ActiveSync profile (to access company mail and/or calendar) has a similar effect; ActiveSync has features to wipe your phone and set up restrictions.
That's something I encountered with my universities ActiveSync setup. I stopped it on Android with Mailwise.

http://mail-wise.com/faq/#bypass

But it is probably not wise to do that in a company setup, as it clearly undermines their control & security efforts.

No-one mentions performance impact of this. Maybe there is none or it's so small it goes unnoticed? I'm just wondering about that because in quite some companies I've seen the same issues; mostly on Windows, but I wouldn't be surprised the same happens on other OS: you let your device get managed by the company allowing it to push whatever onto it. Couple of months later performance comes to a grinding halt because of way too much unneeded stuff running, over-hungry virus scanners, bugs in managment scripts etc. It's horrifying to see a brand new workstation loosing all it's snappiness while an unmanaged +5year old one still runs smooth.