> When you add a work email address to your phone, you’ll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you’ll blindly accept it. (What other choice do you have?)
I use the Nine mail/calendar app[1] to keep all that contained. It integrates nicely with the native Android apps but keeps all of the security and control options within Nine itself. It looks like they are also beta testing an iOS app but I have no experience with that version of it.
For example, if the mail account security settings require a screen lock code, Nine will require a code to access the app but this won't affect the actual phone's unlock screen.
Similarly if a data wipe request is sent from the server it will only affect Nine.
Looks cool, but requires ActiveSync to be on. I think a lot of stodgy companies are locking that down and requiring the native Outlook app and its (as mentioned) stealthly MDM stuff.
You beat me to it. Nine also allows easy connection to multiple Exchange accounts, has a variety of other nice features and has been around long enough to have a very solid track record.
This kind of sandboxing is one of the things third party apps like this have always been known for, going all the way back to a really old one whose name in blanking on which I believe maintained its own entirely internal calendar, files, etc. (Dataviz maybe?)
Edit: this may still be useful for some people, but the work profiles introduced in Android 5+ may make it less relevant at least for anyone at enterprise scale or otherwise using MDM through a service provider.
At least if your org is on Office365 and doesn't have too restrictive policies, you can get your email over standard IMAP. There also exist some nice man-in-the-middle proxies which pretend to exchange servers that you've implemented the policies they ask for.
I've got multiple "work" (one is a volunteering role) office365 exchange accounts on my personal phone, using [https://sites.google.com/site/bikomobi/exchained](exchained). Seems to work well. I'm sure the respective IT departments would give me a stern talking to, but there is nothing in either job that is of any sensitive nature whatsoever so their blanket "ask for admin permissions on my phone" policies can get fd, frankly.
Tons of places outside of F500 are doing that. At work we just disabled IMAP for almost all O365 accounts and any other method of authentication that doesn't implement our two factor authentication. The rising number of compromised accounts because the user used the same password elsewhere, apparent bruteforce attacks, etal forced the issue.
Of course MDM is not required for any of this. Worst case is on Android you're forced to use Microsoft's Outlook app.
Yes, if it's important to your company for you to be able to receive any of their communications wherever you are, they can pay for a phone plus service to give to you for that purpose. Don't let them use your personal phone for that.
Which is why I only redirect my company phone regular voice calls to the private one when I'm out of office. If it's urgent, call. If it's not, I'll get to it when I'm in the office.
That is totally understandable, and I hope you don't get in trouble when law enforcement comes looking for your personal device that somehow got caught up in their list of devices to look for.
That is totally understandable, and I hope you don't get in trouble when law enforcement comes looking for your personal device that somehow got caught up in their list of devices to look for.
Yes, and your device read the email, so now your device is in scope. It doesn't matter what else you did with your device and their data, they now have a reason to look through your device.
Would that mean if I were at a hotel and used their computer in a pinch to access the web client (not that I ever would - keyloggers) would that be in scope?
Is this really high on your list of things to worry about? If someone doing something illegal sends me an email that happens to go to my work account that happens to be on my phone, law enforcement will just go to my employer. If someone sends me classified military secrets or something to my work account for some reason that gets sent to my phone, they can track me down, show me a warrant, and go to town. I rank that concern just above "what if I have a doppelganger that happens to be a spy and they get a hit on my face with facial recognition?" on my list of things to worry about.
>When you add a work email address to your phone, you’ll likely be asked to install something called a Mobile Device Management (MDM) profile
...what? The Outlook app containerizes your email accout specifically so that you dont have to do this. Your company can remotely wipe your work account and only your work account.
Of course MDM gives access to your phone - thats its whole purpose.
Thats kind of my point. MDM has an administrative and capital cost. The Outlook app is free for everyone and doesnt get IT involved in your personal phone.
The use-case for MDM is not to get email on personal phones - thats the right tool for the wrong job. MDM is for simplifying the deployment and management of corporate phones.
No it does not (source: iOS device user and Exchange admin).
Adding an Exchange account to an iOS device optionally allows the Exchange client to enforce password and screen lock requirements, encryption, and allow for remote device wiping.
It does not have any access to device location, data, photos, contacts, or anything else you can think of outside of device passcode, encryption, and remote wiping.
An MDM profile is a completely separate thing from Exchange. Also, unless the iOS device is supervised (which has to be done at time of setup and would require wiping the device if you want to supervise one that's already setup) you're extremely limited in what you can do and see.
Source: We provide employee's with iOS devices and use VMWare Workspace ONE (formerly AirWatch) along with their Secure E-Mail Gateway and also use Apple's Device Enrollment Program. This provides for as complete control over the device as you can get.
> On Android, there are tools that help prevent IT from reaching into your phone. If it’s allowed by your admin, you can create a separate “work” profile that contains sandboxed versions of your apps to avoid blurring the line between personal and work. The work profile can then be disabled on demand and flipped back on only when you need it, providing a level of control that iOS doesn’t yet allow.
This is changing with iOS 13 and the introduction of User Enrollment, which siloes off work data and adds restrictions to what corporate IT can access.
> you’ll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you’ll blindly accept it.
Say WHAT? That's the entire premise of the article. Any sane person who have even a vague idea of what a MDM is will answer with a resounding NO.
Is there actually serious companies who ask their employees to install a MDM on their personal phone? The moment you install a MDM on a phone, that phone is no longer your own, it now belongs to the company.
A nontechnical person won’t blink an eye. Those are still sane people, they simply don’t understand the threat like we do.
Same reason that recent issue with all the Chrome extensions happens. A lot of people blindly click OK, just like we’ve been trained to do on privacy policies as well.
Can confirm; the Fortune 500 company I work for has pretty extensive support for BYOD. Managers can be stodgy about providing work phones, plus carrying two devices is a pain.
I use Android so I'm relying on the Android for Work sandboxing, but truthfully I don't know the exact details of what that does and does not allow my employer to access. It does bother me, but I don't feel like I have a whole lot of choice. Being able to respond to Google Chat messages at any time (when away for lunch, for example), is feeling more and more like a requirement/expectation.
Also, commuting on the train pretty much requires mobile Hangouts support (which Google effectively makes impossible to use via a website if you're on Android), unless you want to always be at your desk in the office prior to the first meeting each day.
Edit: Furthermore, on iOS, you can go to Settings -> General -> Device Management -> <Select MDM Profile> -> More Details -> MDM Profile. The list of rights are listed there.
I feel like most/many articles such as this are targeted at large enterprises/organisations. I've never been asked to install anything like MDM on my phone for any company I've worked for if needing to/wanting to view work email on my phone. But then I've never worked for a company who has more than around 25 members of staff.
Company size and industry definitely play a significant role in the roll-out of managed device policies. Some organizations are required to pass specific ISO/IEC standard certifications with regards to their security policies. Managed-devices with remote-wipe capabilities being one such requirement.
This is certainly a very good reason to not put your work account on your personal phone, but my primary reason not to is that it's my device and I pay for the service. If my company needs me to be available beyond my 9-5 workday, they can pay for it.
If there's an emergency, they can always call, but I don't like being "always on".
I recently got a new job where the email is completely locked down (only accessible on a networked computer or via the awful outlook web interface). It's been awesome not getting work emails on my phone.
I used to have work email and slack on my phone. While it made some things easier (heading out in the work day and not blocking people who might need my input, for example), it also made me feel tethered. Slack in particular was very addictive to me (to be fair, not just work slack, but other slacks which I was on).
When I got a new phone, I simply didn't install the email or slack clients. It's led to occasional text messages, when I really needed to communicate with a team member, but all in all has been a fantastic experience. Highly recommended.
One of the things I miss most about my previous BigCo job was only being able access work tools via my work phone. I could go on vacation and tell my team that I wasn't taking my work phone or computer (I needed a corporate VPN installed on my work computer to access anything internal) and everyone knew I was completely unreachable.
> If there's an emergency, they can always call, but I don't like being "always on".
Personally, I choose the opposite: you need to email me to tell me you want to call me (so that I’ll turn on my softphone app), otherwise you’ll just automatically go to voicemail (which will also go to my email.)
I notice that with Gmail’s inbox categories, you only get push-notified when something lands in Primary or Updates; so as long as you’ve trained the system to push the irrelevant/lifecycle stuff into the other categories, your phone won’t ding all that often. (Mine doesn’t, and I get a good amount of raw email.)
I can't believe anyone can handle having push notifications on email. I only read my email when I go to check it. For both work and personal.
I have hundreds of rules for email filtering. With most mailing lists never hitting my inbox. But it's still way too much for individual email push notifications.
The other thing I do is to separate my personal and work email accounts. I’m signed into both on my phone, but I only get push-notified about personal mail. I want to know if a family member is in trouble; servers burning down can wait until tomorrow.
How do you even lose days off to some work emergency? If I was scheduled to be on vacation but I have to come in for some emergency, I don't lose those days, and you shouldn't either, since you never actually took those days off.
I meant that less literally. While I might still be technically out of the office, if I'm spending time worrying about an on-going problem it's not nearly as restful as if I'm blissfully ignorant.
Exactly- if work doesn't pay, they don't get to play on my phone. I'd be willing to check work email sporadically, and it's unfortunate that doing so in any capacity means allowing an unknown admin "wipe my phone" privileges. Companies don't handle that stuff with any sort of finesse and mistakes happen. Ultimately email on a phone may be a moot point for software developers: We use more independent chat apps like Slack, no one worries about texting you, and it's hard to do anything really more involved than messaging without opening your laptop (which probably is provided by work).
Exactly. Your employer is not going to enforce boundaries to ensure healthy work/life balance for you, you must do it yourself (until labor regulations catch up; see France [1] and NYC [2] labor law regarding checking email outside of work hours for examples).
Are you, with a straight face, saying that you'd rather receive a PHONE CALL than a notification from an app that you can set time-sensitive notification methods for (i.e. DND overnight, etc.)? I'm not fan of getting any kind of work message outside of working hours, but I'd FAR rather let my co-workers send me a slack message that I can ignore and/or deal with when I feel like it than call me on the phone. No one at my office except my direct manager and HR has my phone number (and in the 5+ years I've worked here), no one has called me on it.
At least on iOS, Do Not Disturb covers phone calls, too. With the ability to set overrides for calls from Very Important Numbers. Voice mail exists as well.
You're not wrong, but there's also the filter of "is this a real emergency or could this be an email he'll see tomorrow morning?" that goes through the coworker's head when his options are call vs. email. And, at least in my position, if it is a real emergency I'd like to know.
That said, other than a handful of coworkers who I'm friends with outside of work, only my manager & HR have my personal number. This adds an extra step where the coworker should determine if getting in touch with me immediately is actually worth the effort.
So far, I've received one such phone call in 3 years. It was an actual emergency, and easily resolved by me at that time because they called me. If they had waited until the next working day, the issue would have blown up and taken much more effort for me to resolve.
This might alternatively be an argument for working with people who respect your time.
Pretty much this, it's an instant bullshit filter.
If I were to ever receive so many phone calls it becomes a problem I'll solve that problem. Right now I've had all of zero calls this year so I think I'll be right for the moment.
Yes I do. Why? It raises the bar. Its all too easy to whisper someone via electronic communication. If you need to get to speak to the person, and they hear my kid yelling at the background, perhaps they'll wonder if I got other things to do in my leisure time.
Furthermore, I don't find it particularly bright to host sensitive data by such a vague company. Bonus negative points for the infosec community using such.
No joke, we recently went to a BYOD model with no "assistance". I'm expected to be available 24/7 in most cases. So I'm refusing to be available until I get some compensation.
we're pretty close to full employment. lots of industries are job-seekers' markets right now. which doesn't mean that management recognizes this and wouldn't do something stupid like fire a good worker, but that doesn't have a lot to do with the labor market.
Google pays for on-call hours. You are credited with 33.3% time for each hour on call if you have a 30 minute response requirement, and 66.6% time for each hour on call if you have a 5 minute response requirement. These can be taken as extra holiday, or cashed out. [0]
The really dumb thing is paying for overtime works great. Some younger employees want to do it for the extra cash or vacation for a longer holiday. I know there were times I wanted to work on a holiday day/bank holiday to save up time in lieu.
The problem is companies where default on-call becomes part of the culture. They also have little incentive to fix terrible ops. I hear AWS can be like this, depending on the service.
I'd leave. Unless you're a contractor who gets paid a lot and equipment costs are expected in that contract (similar to plumbers, carpenters, etc.) there is no reason for a full-time/salaried employ to purchase their own IT equipment. That's just insane.
> If my company needs me to be available beyond my 9-5 workday, they can pay for it.
If you're salaried then they are paying you for it based on the job requirements, it's part of the job and one of the things that separates hourly employees from salaried ones.
Unless you're talking about the cost of your cell plan or device? But even then, a lot of companies will pay for your plan and subsidize part/all of your device if they have a legitimate work reason to need to contact you and expect a fairly quick response outside the office.
EDIT: To be clear I'm referring to US law/practices. The entire point of salaried as opposed to hourly work is that it is based on performance rather than hours, and it's up to you and your employer to come to agreement on what performance means. At some companies salary might be for 40 hours, at others it's for 60 or 80 regularly. It's your own responsibility to find out before taking the job, and decide for yourself what you're willing to provide or not.
I worked for a University that paid cell phone plan steepens back in 2012. In Illinois, it now required by law for employers to pay cell expensive if they're required for work.
This of course depends on your particular employment contract. In some cases, someone may agree to be on call whenever they're not working and AFAIK (IANAL) such contracts are legal in some circumstances.
Depends on the jurisdiction. I think there's a clear separation of work time and free time in most of Europe. Here in Finland an employee can never be forced to work over their daily working time (usually 7.5h between 8-5); doing so is always voluntary, though of course pressuring exists. For force majeure circumstances there's the legal concept of emergency work, but that's very rarely invoked.
Meanwhile, in Europe, they have employee protection laws that outright prevent these practices. If you need someone to be available outside of work hours, you need to pay them extra for it, similar to how overtime is mandated in the US for hourly workers.
Wish we had those laws here. Fortunately I work at a company where I am compensated extra for my oncall shifts that take place outside of normal work hours -- it ends up being a few extra tens of thousands of dollars per year. That should be the mandated standard though, not just for those who are lucky.
What if you're being reimbursed for your phone? I assume they can only see activity on my logged in GSuite account. Can't imagine that they have access to anything beyond that.
All they do is hand me a certain amount of money every month. The plan is my own, and they didn't install any software on my phone. All I do is run Gmail through the built-in mail and calendar apps on my iPhone. I also have Slack on my iPhone.
This is precisely why I make it clear that I do not want a work phone. My mobile number is published in the global address book for emergencies, but otherwise if I'm not at work then I'm not working, and I do my best to not think about work when I'm not working. Having a block of metal and plastic specifically to intrude into my free time for the benefit of my employer is not something that I am interested in.
The counter to this is that oftentimes I'm at work and not at my computer so I need access to my email/calendar on a mobile device. This doesn't happen often enough for me to warrant a work phone but happens often enought to where it would be a pain to always go back to my computer to pull that up.
My solution so far has been to just use the outlook web app. Sure it's not as nice as the app but it lets me get to the info I need while also preventing me from having to install any sort of profiles on my device, as an added bonus I do not allow the site to send me notifications so I do not have to worry about being bothered off-hours.
Yeah, my last job wanted me to install their rootkit/spyware on my personal phone for the privilege of being able to check my work email at night. I resolved this by letting my manager know how to contact me after hours in the event of an absolute emergency, and that otherwise I'll check my messages at the office when I get in to work.
Interesting that this was just about spying, when the real reason to keep work email off your phone (imo) is to maintain work life balance. If I can access my work email on my phone, I will access my work email on my phone. Constantly. I'm bad enough with my phone and my personal email.
Everywhere I've worked I've told my manager I turn off work when I leave (unless I'm oncall). I've never had this be a concern, across three large companies.
I just use Android 7+'s work profile feature - basically a walled garden for MDM - and turn off work notifications on nights and weekends. After that it's just a matter of a tiny speck of self-control (unless you're workaholic, it's not that hard _not_ to open a work app) and I don't get annoyed by work stuff despite it being setup on my personal device.
Having work apps on your phone is not mutually exclusive to having work/life balance though.
I have work apps on my personal device primarily for when I'm away from my desk during work hours. I disable notifications etc. outside of work hours.
I wouldn't say I'm really happy with it, but it does permit me some freedom to be away from my desk without the risk of missing something important during the day. It's a trade-off I've decided I'm willing to make.
Work also provides guest wifi which is conveniently configured by the Android for Work profile, so data usage while at the office isn't really a concern.
A lot of my workmates have Slack installed on their phones as well, and I won't do it. I have a life, and when I'm not working, I'm busy living it. No thanks.
This "stop and think" warning is very good, but let's be honest, in many roles you can't say "no" anymore. Most companies require a significant subset of employees to use their personal device for work and have corporate accounts active on it.
It may not be true for you personally, but I bet it is for most people who have on-call rotations.
Features like Android's separate profiles are critical. We need similar sandboxing on all platforms. I don't think we can change the 24/7 availability culture, but we can change things from a software side to make it less onerous.
A company cannot force you to use your hardware to run their business at least not without compensation. Having a phone number that can be paged is significantly different than installing MDM software that can track literally everywhere you go, wipe your phone without your permission, etc. If a company is saying you "must" install something in your personal device without any compensation on top of your regular paycheck this is incorrect. If you use your own car for work you're typically compensated with mileage or you can write it off on your taxes.
I've often thought that if everyone, or even a majority, said "no", then we could have better policies. As it is, I've been the only person at my last two workplaces to object, and there's no way they're going to put in the effort to work with me.
So it is that I've given permission to confiscate my personal cellphone in the case of a breach. Otherwise, I literally couldn't do my job -- not because of anything particular about our field or technology, but because it was easier to set things up the way they are. We could spend a few days changing our alert structures, etc, and no-one would have to have "sensitive" data on their personal phones. But that's not going to happen for one employee.
If your employer subscribes to an ethical model which permits them to abuse MDM, viewing your web history and tracking your location, you need to do more than remove your personal device from their control.
You must find a new employer—preferably while you make public this repulsive behavior.
How does one know if an employer is abusing MDM? Honest question... I have no idea. I just point my iPhone's mail app at our Outlook 365 server and that's it - I assume that installs a profile that allows them some remote access (I believe they can remote wipe the phone, but maybe not), but no idea how to tell if they're doing anything else.
Edit - looking at Settings->General->Profiles, there is one entry, which is for connecting to my Olympus camera. Nothing for the office.
Ask. Since this often affects larger enterprises, start at the help/service desk. If that doesn't get you an answer, try Information Assurance or Information Security departments. Lastly, most large orgs have a Privacy office.
During all communications, make it clear what your concerns are; perhaps even link to articles like this one.
Corporations that care about customer and employee privacy will take such inquiries seriously.
Sure, but I assume there's something in the device itself that indicates there is a profile or remote access? I don't see a work-related profile on my phone, but maybe there's something else beyond the obvious Profiles entry in General settings?
This is why I frame this as an ethics issue. If you install some sort of MDM profile, unless you spend a lot of time understanding mobile device management implementations, you won't necessarily know what the capabilities are.
If it is your device, typically an employer will disclose in their policies what capabilities they use.
Now, does this prevent a rogue infosec person from deviating from the policy? No. Nor does it prevent the state from compelling the company to abuse their MDM technology. If these examples are part of your threat model, you should not use your personal device with your employer's infrastructure. I don't think this makes your employer's choice to use MDM a bad one, however. They are protecting the corporation, after all.
I worked at a security startup where installing Slack/email on our personal phones (BYOD policy) was possible via an MDM (but was optional, we weren't forced). I don't know every detail, but many of our engineers were naturally spooked and did lots of checking to make sure no packets flowed to the VPN from apps not within the MDMs control (just slack and mail).
I personally was fine with this as I don't want to carry two devices, I like being able to check in via Slack (especially if I was on call), and we had several folks who had our security/IT team under a lot of scrutiny proving this wasn't overly invasive.
It helped that we were a small startup, so our IT and security teams were 20 feet away :)
Generally MDM software swallows up everything. It's been a while since I managed an MDM instance but we could track everywhere the employee went by default and when I suggested we turn it off there wasn't an option nor did management want to. We could see every app pretty much everything on the device. I will never install MDM on my phone after managing it. I've also seen phones accidentally wiped. Back up your phones.
Does turning off location on your phone mitigate their tracking of where employees go? I realize the other problems are still there, but I'm wondering if that would help. I turn on location on my phone once in a blue moon when an app gets too damn annoying that I actually need to use right then.
Depends on the MDM and phone really but, No. Triangulating a cellphone on the network via cell towers is a tried and true feature of wireless infrastructure. Even your phones GPS capabilities are most likely "A-GPS" meaning Cellular Assisted; It'll use cell location data when GPS satilites are slow/unavailable.
GPS toggle isn't doing much of anything besides application permissions enforcement.
Apple MDM is changing quite a bit come iOS 13 and macOS Catalina 10.15. A new enrollment methodology called User Enrollment is aimed at protecting the privacy of employees using their own personal devices. User Enrollment greatly limits what the company can see about the device. As an example, the MDM can only see the apps that it has installed on its own, it can't get any PII (Personally Identifiable Information) such as a phone number or serial number from the device, etc. The MDM data and visibility into the device is essentially sandboxed.
This article provides a summary of MDM User Enrollment, including details about how Apple separates personal and business data on separate APFS volumes.
Before User Enrollment there wasn't a great Apple MDM enrollment option that struck this privacy balance for employee-owned devices. App data couldn't be viewed per-se, though a list of apps is certainly available (as mentioned by cannonedhamster). Some companies would skip MDM and essentially "wrap" individual apps in order to have the ability to encrypt the app data and have some control over the binary, but that's about it.
I'm not sure of the story with Android, though I'm under the impression that there is a similar "sandbox" option for MDM, albeit the implementation and user experience is rather messy and obtuse.
Full disclosure: I work for an MDM software producer.
Anyone with admin access to Outlook 365 can do this stuff. Even in a large company that could mean a surprising group of people able to do this sort of spying with no technical restrictions to enforce policy (assuming there is an explicit policy, which in a smaller company is not a given.)
Android tells you exactly what information MDM collects from your phone and exactly what restrictions have been placed on it. If your employer is collecting your browsing history, you would have known when you enabled their policy, and you can review their policy by opening the Device Policy app. https://lh3.googleusercontent.com/re65G-N_kR2HUCzd4IUjahS_7u...
This generally is a reasonable advice, but companies change policies. Even if MDM policy today sounds benign (although IT departments make mistakes, too) it can morph into something much more invasive in the near future, "because cyber". MDM on my personal phone is the line I personally would not cross. My 2c.
My employer and I are bound by a working agreement negotiated through my union. The contract has privacy protections for many different types of personal information and data that could potentially be accessed or collected by the company. Think location data, data at rest on both personal and company devices, and network traffic.
Here’s the big issue I still have even with all of these ‘legal’ protections. The definitions are not highly technical and thus open to interpretation. Also, to my knowledge none of the clauses have been tested in the real world. How in the world am I supposed to feel secure that a legal agreement stops them from doing what is still technically possible? Even if they can’t use the data collected against me as admissible evidence in a disciplinary action what’s to stop them from collecting data anyway and then if they find something they don’t like they harass me in other ways?
The issue is in MDM systems. Until we design them in a way preventing access to certain classes of information through technical means then no type of agreement or ethical code is safe. The device must be treated as hostile. We can’t simply rely on ‘ethics’ because, as we’ve seen play out time after time in America, corporations lose no sleep over saying one thing and doing another.
I declined corporate MDM on my personal phone. I’m confident that abuse of my data would be against policy, but I don’t feel like taking the risk that our technical controls can or will guarantee adherence to policy. At the end of the day, whatever agreements are in place, someone has access.
I’ll take that kind of risk with i.e. Google employees and my Google searches, because it’s fundamentally necessary to provide me good search. There is just no reason to do it with my corporate security team and personal SMS.
Agreed. MDM usually gets set up when you're a new hire and may not know what the organization is really like yet. Additional note: it's a shame Glassdoor is so easy for employers to game.
Our company uses G Suite's Advanced MDM on a G Suite Enterprise account. I administer its configuration.
Unless I'm missing something, there's not an obvious way to "spy" on employees, which this article is claiming. Perhaps it's possible, but if it is, it would require a lot of deliberate effort to accomplish. For example, there's not an out of the box way to track employee location. There's not a way to track employee internet browsing history out of the box.
TLDR: using G Suite Advanced MDM, there are not out of the box solutions for tracking or spying on employees in the ways suggested in the article. It might be technically possible, but to accomplish it, your company would need to make a (large) deliberate effort to do this.
>There's not a way to track employee internet browsing history out of the box.
Some large enterprises use MDM to deploy certificates and proxy policies that essentially force you into a MitM situation, with the intention of tracking browser usage.
Location is a bit more tricky. I would say that's less common, but I've seen MDM solutions that offer location tracking as a feature
Not even sketchy. Monitoring how long techs take on calls is a requirement in some roles for quality assurance and training purposes. Company I worked for had GPS tracking that they used to make it show that one employee was visiting another employees wife because our home base was over street over. It was a funny prank until it wasn't.
For g suite location is under Mobile management. They list it as a find my phone type of feature. There's even a picture of it on their marketing.
I mention this because one of the top use cases for MDMs is deploying said MitM setups. It's common in certain industries, like for banks and for schools. Saying this from experience because I worked for a company that produced both an MDM product and a MitM product.
If the device belongs to the organization, you might not even know these profiles are installed, if it's a BYOD environment you know you are installing the MDM profile and if you open the settings page you can manually inspect which other sub-profiles have been installed by the MDM.
But you're right the MitM itself isn't built into the MDM, because that's a totally different product category ("Secure Web Gateway"). The MitM setup only works if you have an MDM to enforce the certificates and proxy setup upon the user.
Same, we use gsuite MDM for BYOD just to ensure that personnel's devices have basic security configurations (e.g. encryption, lock screen, etc.) Beyond that, this MDM is quite limited to what's possible to accomplish.
TLDR: "do not put work email on personal phone, as the company may ask you to install mobile device management (MDM) to manage your device, which gives them opportunity to spy / control".
This conflates two different things: work email and MDM on personal phone. While I would never install company MDM on my personal phone, many organizations allow you to access work email from personal phone, no MDM strings attached. My 2c.
There are a lot of companies that require you to enable MDM before you can setup an email account, I've seen it on android back in the day when I had a smartphone.
FWIW when that happened I just started using the cruddy web interface.
It can be annoying sometimes, but honestly it can also be pretty cathartic to leave your work phone behind when you go for a bike ride, or out to dinner with friends etc.
I had to deal with this a number of years ago, and my response was "If you want MDM on the device to enable mail, then you buy me a separate device. Otherwise, I will access mail when I am at my corporate laptop or on the web via VPN." Never let them MDM your personal device, because they will possibly auto-wipe your phone if something proprietary or secret leaks out via email and you are on the distro.
At my current org, it was hinted to us that if we tied (email forwards, etc.) or added any work account to a personal device, that the personal accounts and device could be subject to audits.
Don't mix your work and personal stuff. Keep it separate, keep it safe.
277 comments
[ 2.9 ms ] story [ 310 ms ] threadI use the Nine mail/calendar app[1] to keep all that contained. It integrates nicely with the native Android apps but keeps all of the security and control options within Nine itself. It looks like they are also beta testing an iOS app but I have no experience with that version of it.
For example, if the mail account security settings require a screen lock code, Nine will require a code to access the app but this won't affect the actual phone's unlock screen.
Similarly if a data wipe request is sent from the server it will only affect Nine.
[1] https://www.9folders.com/product/
This kind of sandboxing is one of the things third party apps like this have always been known for, going all the way back to a really old one whose name in blanking on which I believe maintained its own entirely internal calendar, files, etc. (Dataviz maybe?)
Edit: this may still be useful for some people, but the work profiles introduced in Android 5+ may make it less relevant at least for anyone at enterprise scale or otherwise using MDM through a service provider.
I've got multiple "work" (one is a volunteering role) office365 exchange accounts on my personal phone, using [https://sites.google.com/site/bikomobi/exchained](exchained). Seems to work well. I'm sure the respective IT departments would give me a stern talking to, but there is nothing in either job that is of any sensitive nature whatsoever so their blanket "ask for admin permissions on my phone" policies can get fd, frankly.
Of course MDM is not required for any of this. Worst case is on Android you're forced to use Microsoft's Outlook app.
Which is why I only redirect my company phone regular voice calls to the private one when I'm out of office. If it's urgent, call. If it's not, I'll get to it when I'm in the office.
I'm not making this up, y'all; I've sat there with the other side's data collection party when my boss was telling me to let him collect the data.
...what? The Outlook app containerizes your email accout specifically so that you dont have to do this. Your company can remotely wipe your work account and only your work account.
Of course MDM gives access to your phone - thats its whole purpose.
If you use the Microsoft apps, you don't need to have an MDM applied because those apps handle the remote management functionality themselves.
The use-case for MDM is not to get email on personal phones - thats the right tool for the wrong job. MDM is for simplifying the deployment and management of corporate phones.
Adding an Exchange account to an iOS device optionally allows the Exchange client to enforce password and screen lock requirements, encryption, and allow for remote device wiping.
It does not have any access to device location, data, photos, contacts, or anything else you can think of outside of device passcode, encryption, and remote wiping.
An MDM profile is a completely separate thing from Exchange. Also, unless the iOS device is supervised (which has to be done at time of setup and would require wiping the device if you want to supervise one that's already setup) you're extremely limited in what you can do and see.
Source: We provide employee's with iOS devices and use VMWare Workspace ONE (formerly AirWatch) along with their Secure E-Mail Gateway and also use Apple's Device Enrollment Program. This provides for as complete control over the device as you can get.
This is changing with iOS 13 and the introduction of User Enrollment, which siloes off work data and adds restrictions to what corporate IT can access.
But trying to search around I can't find anything about how to actually find out. Does anyone know?
I assume Settings >> General >> Profiles, but it is empty so not sure.
Say WHAT? That's the entire premise of the article. Any sane person who have even a vague idea of what a MDM is will answer with a resounding NO.
Is there actually serious companies who ask their employees to install a MDM on their personal phone? The moment you install a MDM on a phone, that phone is no longer your own, it now belongs to the company.
Same reason that recent issue with all the Chrome extensions happens. A lot of people blindly click OK, just like we’ve been trained to do on privacy policies as well.
Every company that does BYOD?
I use Android so I'm relying on the Android for Work sandboxing, but truthfully I don't know the exact details of what that does and does not allow my employer to access. It does bother me, but I don't feel like I have a whole lot of choice. Being able to respond to Google Chat messages at any time (when away for lunch, for example), is feeling more and more like a requirement/expectation.
Also, commuting on the train pretty much requires mobile Hangouts support (which Google effectively makes impossible to use via a website if you're on Android), unless you want to always be at your desk in the office prior to the first meeting each day.
Very few people have even a vague idea of what a MDM is.
Mobile Reports: https://support.google.com/a/answer/6072773
Device Audit: https://support.google.com/a/answer/6350074
Mobile Alerts: https://support.google.com/a/answer/3230421
Edit: Furthermore, on iOS, you can go to Settings -> General -> Device Management -> <Select MDM Profile> -> More Details -> MDM Profile. The list of rights are listed there.
If there's an emergency, they can always call, but I don't like being "always on".
When I got a new phone, I simply didn't install the email or slack clients. It's led to occasional text messages, when I really needed to communicate with a team member, but all in all has been a fantastic experience. Highly recommended.
Personally, I choose the opposite: you need to email me to tell me you want to call me (so that I’ll turn on my softphone app), otherwise you’ll just automatically go to voicemail (which will also go to my email.)
I notice that with Gmail’s inbox categories, you only get push-notified when something lands in Primary or Updates; so as long as you’ve trained the system to push the irrelevant/lifecycle stuff into the other categories, your phone won’t ding all that often. (Mine doesn’t, and I get a good amount of raw email.)
I have hundreds of rules for email filtering. With most mailing lists never hitting my inbox. But it's still way too much for individual email push notifications.
Personally I need to be able to put everything to the side when I'm out of office.
How do you even lose days off to some work emergency? If I was scheduled to be on vacation but I have to come in for some emergency, I don't lose those days, and you shouldn't either, since you never actually took those days off.
If you want me after hours you call. Thats the only option you have.
[1] https://newatlas.com/right-to-disconnect-after-hours-work-em...
[2] https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=3...
That said, other than a handful of coworkers who I'm friends with outside of work, only my manager & HR have my personal number. This adds an extra step where the coworker should determine if getting in touch with me immediately is actually worth the effort.
So far, I've received one such phone call in 3 years. It was an actual emergency, and easily resolved by me at that time because they called me. If they had waited until the next working day, the issue would have blown up and taken much more effort for me to resolve.
This might alternatively be an argument for working with people who respect your time.
If I were to ever receive so many phone calls it becomes a problem I'll solve that problem. Right now I've had all of zero calls this year so I think I'll be right for the moment.
Furthermore, I don't find it particularly bright to host sensitive data by such a vague company. Bonus negative points for the infosec community using such.
Yes, a thousand times. People often write on company instant messaging just to ask things that can figure on their own.
People don't phone you for stuff that could have easily waited till tomorrow morning.
Also, if the employee has very marketable skills, they may be happy to leave a job whose hourly rate has suddenly dropped.
If you are highly skilled, you are highly in demand. Therefore, demand good treatment.
Tech industry compensation has never been higher: http://levels.fyi/comp.html
Google pays for on-call hours. You are credited with 33.3% time for each hour on call if you have a 30 minute response requirement, and 66.6% time for each hour on call if you have a 5 minute response requirement. These can be taken as extra holiday, or cashed out. [0]
[0] Among other public sources: https://www.reddit.com/r/cscareerquestions/comments/41v0ol/i...
The problem is companies where default on-call becomes part of the culture. They also have little incentive to fix terrible ops. I hear AWS can be like this, depending on the service.
If you're salaried then they are paying you for it based on the job requirements, it's part of the job and one of the things that separates hourly employees from salaried ones.
Unless you're talking about the cost of your cell plan or device? But even then, a lot of companies will pay for your plan and subsidize part/all of your device if they have a legitimate work reason to need to contact you and expect a fairly quick response outside the office.
EDIT: To be clear I'm referring to US law/practices. The entire point of salaried as opposed to hourly work is that it is based on performance rather than hours, and it's up to you and your employer to come to agreement on what performance means. At some companies salary might be for 40 hours, at others it's for 60 or 80 regularly. It's your own responsibility to find out before taking the job, and decide for yourself what you're willing to provide or not.
Salary is not 40 hours working + 128 hours on call per week.
Salary is a payment schedule, that's it. Anything else requires contractual agreement.
The fact that you think it gives companies the right to demand irregular hours is more about your mindset than reality.
Wish we had those laws here. Fortunately I work at a company where I am compensated extra for my oncall shifts that take place outside of normal work hours -- it ends up being a few extra tens of thousands of dollars per year. That should be the mandated standard though, not just for those who are lucky.
I'm not saying that's unreasonable, but I've heard of employees getting caught leaking by communicating through cell plans paid for by the employer.
My solution so far has been to just use the outlook web app. Sure it's not as nice as the app but it lets me get to the info I need while also preventing me from having to install any sort of profiles on my device, as an added bonus I do not allow the site to send me notifications so I do not have to worry about being bothered off-hours.
Everywhere I've worked I've told my manager I turn off work when I leave (unless I'm oncall). I've never had this be a concern, across three large companies.
I have work apps on my personal device primarily for when I'm away from my desk during work hours. I disable notifications etc. outside of work hours.
I wouldn't say I'm really happy with it, but it does permit me some freedom to be away from my desk without the risk of missing something important during the day. It's a trade-off I've decided I'm willing to make.
Work also provides guest wifi which is conveniently configured by the Android for Work profile, so data usage while at the office isn't really a concern.
It may not be true for you personally, but I bet it is for most people who have on-call rotations.
Features like Android's separate profiles are critical. We need similar sandboxing on all platforms. I don't think we can change the 24/7 availability culture, but we can change things from a software side to make it less onerous.
So it is that I've given permission to confiscate my personal cellphone in the case of a breach. Otherwise, I literally couldn't do my job -- not because of anything particular about our field or technology, but because it was easier to set things up the way they are. We could spend a few days changing our alert structures, etc, and no-one would have to have "sensitive" data on their personal phones. But that's not going to happen for one employee.
You must find a new employer—preferably while you make public this repulsive behavior.
Edit - looking at Settings->General->Profiles, there is one entry, which is for connecting to my Olympus camera. Nothing for the office.
During all communications, make it clear what your concerns are; perhaps even link to articles like this one.
Corporations that care about customer and employee privacy will take such inquiries seriously.
If it is your device, typically an employer will disclose in their policies what capabilities they use.
Now, does this prevent a rogue infosec person from deviating from the policy? No. Nor does it prevent the state from compelling the company to abuse their MDM technology. If these examples are part of your threat model, you should not use your personal device with your employer's infrastructure. I don't think this makes your employer's choice to use MDM a bad one, however. They are protecting the corporation, after all.
This is a good recommendation.
I personally was fine with this as I don't want to carry two devices, I like being able to check in via Slack (especially if I was on call), and we had several folks who had our security/IT team under a lot of scrutiny proving this wasn't overly invasive.
It helped that we were a small startup, so our IT and security teams were 20 feet away :)
Also found under Settings -> General -> Device Management.
GPS toggle isn't doing much of anything besides application permissions enforcement.
This article provides a summary of MDM User Enrollment, including details about how Apple separates personal and business data on separate APFS volumes.
https://simplemdm.com/apple-user-enrollment/
Before User Enrollment there wasn't a great Apple MDM enrollment option that struck this privacy balance for employee-owned devices. App data couldn't be viewed per-se, though a list of apps is certainly available (as mentioned by cannonedhamster). Some companies would skip MDM and essentially "wrap" individual apps in order to have the ability to encrypt the app data and have some control over the binary, but that's about it.
I'm not sure of the story with Android, though I'm under the impression that there is a similar "sandbox" option for MDM, albeit the implementation and user experience is rather messy and obtuse.
Full disclosure: I work for an MDM software producer.
Here’s the big issue I still have even with all of these ‘legal’ protections. The definitions are not highly technical and thus open to interpretation. Also, to my knowledge none of the clauses have been tested in the real world. How in the world am I supposed to feel secure that a legal agreement stops them from doing what is still technically possible? Even if they can’t use the data collected against me as admissible evidence in a disciplinary action what’s to stop them from collecting data anyway and then if they find something they don’t like they harass me in other ways?
The issue is in MDM systems. Until we design them in a way preventing access to certain classes of information through technical means then no type of agreement or ethical code is safe. The device must be treated as hostile. We can’t simply rely on ‘ethics’ because, as we’ve seen play out time after time in America, corporations lose no sleep over saying one thing and doing another.
I’ll take that kind of risk with i.e. Google employees and my Google searches, because it’s fundamentally necessary to provide me good search. There is just no reason to do it with my corporate security team and personal SMS.
Unless I'm missing something, there's not an obvious way to "spy" on employees, which this article is claiming. Perhaps it's possible, but if it is, it would require a lot of deliberate effort to accomplish. For example, there's not an out of the box way to track employee location. There's not a way to track employee internet browsing history out of the box.
TLDR: using G Suite Advanced MDM, there are not out of the box solutions for tracking or spying on employees in the ways suggested in the article. It might be technically possible, but to accomplish it, your company would need to make a (large) deliberate effort to do this.
Some large enterprises use MDM to deploy certificates and proxy policies that essentially force you into a MitM situation, with the intention of tracking browser usage.
Location is a bit more tricky. I would say that's less common, but I've seen MDM solutions that offer location tracking as a feature
I'm speaking to what's possible to accomplish out of the box with G Suite's Advanced MDM offering, without an extreme amount of additional effort.
(This is relevant because, when prompted to install a MDM profile, the MDM provider such as G Suite is visible to the end user)
For g suite location is under Mobile management. They list it as a find my phone type of feature. There's even a picture of it on their marketing.
For an MDM solution on iOS there's a big list of supported profiles you can deploy after the MDM profile is installed ( see https://developer.apple.com/business/documentation/MDM-Proto... under "request types").
If the device belongs to the organization, you might not even know these profiles are installed, if it's a BYOD environment you know you are installing the MDM profile and if you open the settings page you can manually inspect which other sub-profiles have been installed by the MDM.
But you're right the MitM itself isn't built into the MDM, because that's a totally different product category ("Secure Web Gateway"). The MitM setup only works if you have an MDM to enforce the certificates and proxy setup upon the user.
This conflates two different things: work email and MDM on personal phone. While I would never install company MDM on my personal phone, many organizations allow you to access work email from personal phone, no MDM strings attached. My 2c.
FWIW when that happened I just started using the cruddy web interface.
Don't mix your work and personal stuff. Keep it separate, keep it safe.