448 comments

[ 2.1 ms ] story [ 272 ms ] thread
This goes double if you have any entrepreneurial ambitions. Do it on your own machines on your own time.

There has been at least one high profile case over the last few years over people who didn’t do that.

This is such critical advice, particularly if you work for a company that does remote hardware management.

You could be fired tomorrow, and your access to your hardware revoked instantly. Apple devices, in particular, allow IT to remote lock your laptop. Whatever you had stored on the drive is lost to you, available to your employer, and you can't do anything about it.

Don't mix business and personal hardware.

If you got the laptop in a sealed Apple box (purchased by employer), and set up macOS yourself, created your own admin user and everything, does this remote access still apply?
(comment deleted)
Yes, it does. The employer has registered in front of Apple the serial number and Apple considers the device theirs. MDM on an employer's laptop allows them full control. If the device is owned by the user, then the MDM is more limited.
It's actually the vendor that registers Macs. Only iOS devices can be registered to Apple DEP manually. Macs can't, only the vendor can do so, whether it's Apple or whoever else.
Are you saying the employer can take control of the device without ever having physical access to it?

That sounds like a massive privacy and security issue. Do you have more information?

I was researching MDM more than an year ago, but keep in mind that we are talking for an employer's machine. Here is the overview:

https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/...

It would still need on-device authorisation to opt into MDM though. I can't just give Apple your serial number and tell them to start pushing updates to your device, can I?
At the time of purchase, the vendor knows which machines the employer buys and assigns them the relevant privileges. When the machine is initially opened, it connects to Apple and is provided with the address of its mothership server. The MDM server then instructs the machine what to download and how to configure it. The user has just to unbox the machine and nothing else. This is convenient because it allows for downloading multiple apps, installation and configuration of certificates, setting password policies and many other actions that users are really prone to mess up, and that are wasting lots of sysadmin time if done manually one by one.

If the user owns the machine, then there must be authorization and the MDM has much more limited, privacy-preserving scope.

I think they are asking if you could social engineer access to someone's laptop by knowing their serial and calling enterprise support. Seems to me like you could.
@R0b0t1

No, you can't. The employer has proof of ownership because they buy the machine.

That's really surprising. I suppose it makes sense if it happens at the time of setting up the machine, and an explicit notice is given to the end user. That should circumvent any privacy and security issues.
In that case you should know whether a management profile[1] has been installed, but you shouldn't assume you can simply create another admin account.

[1] https://support.apple.com/guide/server/intro-to-profile-mana...

If I don't see a Profiles section in my System Preferences, does this mean that my employer has a very high level of trust in me?
It means your employer has a very low level of security and you should be genuinely concerned about any personal or financial information you gave them during your hiring.
Seems like a vast overstatement.
Endpoint management is like bare minimum security basics. At this point luck is the only thing stopping a BEC or ransomware attack.
nonsense. there is no one-size-fits-all solution for security.
That is like arguing "not all cars need seatbelts." You might disagree on how many airbags or crash avoidance widgets a car needs, but the vast majority of the industry agrees that seatbelts are a requirement.
EPS isn't like a seatbelt. Often EPS (like kernel mode AV drivers) is used as an intrusion vector and reduces security.
Every single FAAMG company runs managed endpoints. I'm not sure why you are arguing that companies having no control over their hardware is somehow a security feature?
I manage hundreds of Macs. Just wanted to add that these management profiles don't say much about what you can and can't do and what your company can do. You have to go through each of them to see what they do (the management one is just the master one, there will be tons more which specify exactly what is restricted and/or enforced). Apple is very good at privacy protection, asking the user for permission even on managed machines, which can be bypassed with certain profiles but it's pretty tough to do. I personally take this as a sign to think long and hard about whether I really should.

Co-usage is just a thing these days. A little trust in your employees is also important. Usually these profiles just mandate some basics like password complexity, disk encryption and they set standard settings like WiFi and printers so you don't have to bother figuring all that stuff out. And it will install applications you need and security stuff.

And don't forget, a password complexity profile on a Mac will apply to all accounts created on it. Even ones created by the user. Many things work like this, on a machine level. It's more about establishing a security baseline than tying the users' hands.

This entirely depends on what you do from that point forward. Are you using a VPN provided by your employer? Are you installing any screen sharing or collaboration apps for work? You'll need to understand what each of these are capable of in order to fully understand your exposure.
Many services allow you to log out of either all or a specific session on another computer.
Android has work profiles separate from personal profiles -- I find that a reasonable compromise.

Having work emails/chat/etc on my phone has been a great benefit -- it means I can be untethered from desk but not miss anything important.

Reasonable countries don't allow companies to fire employees immediately, hence access cannot possibly be revoked instantly.
Just because you aren't fired instantly doesn't mean your access can't be revoked.

The company just says "your new job is to stare at the login screen until HR can schedule a meeting with you."

I live in Australia, which generally has decent (but slowly eroding) workplace protections. But I managed to get fired and walked out of the building with zero notice. So I would not count on this even in a country with traditionally strong labour laws.
I would say that not allowing a company to fire someone immediately, say, if they're looking at porn on their work computer during work time in front of the entire work office, is unreasonable.
Every country with employee protections allows for instant termination for gross infringements like you mention.
> access cannot possibly be revoked instantly

Not according to the comment I was replying to.

What country on earth won't allow an employer to lock you out of everything and escort you to the door if they deem it necessary for their security?

Employed or not, your access isn't under your control.

That’s a non sequitur. Access can be revoked on a machine with something like an MDM system the next time it gets network access, whether you’re fired or not.

Certainly if a machine is stolen I’d expect it to be remotely wiped. Same with a phone.

If you have hardware that isn’t under an mdm system though that’s different.

Even if a company can't fire you immediately, they can certainly revoke your access and remove all of your responsibilities while they process your termination.
This is what (public or personal) cloud is for. Nothing lost. Helps too if the laptop breaks or is stolen.

Though I would prefer to see stricter separation like Android Work profile on computers too.

Chromebooks provide separate logins for personal and Workspace/GSuite accounts.

As for what happens if your Chromebook is stolen and you've not selected the option to lock it when the lid is closed, Workspace/GSuite accounts can be remote wiped, personal ones cannot. Perhaps with the upcoming Workspace Individual plan, remote wiping of personal accounts will be possible too.

Yes, agreed. Apple does a good job letting you know what your company has access to, and if you use iCloud / Personal GMail, your stuff stays with you after you leave.
Saying "instantly" is under selling it. It literally happens before you are fired. IT will have disabled you ability to access files before you have been informed it is happening.
(comment deleted)
Couldn't you pop the drive out, wipe and format it, then put it back in?
I get to see the crazy stuff people do on work laptops all the time. After letting one guy go for poor performance, a quick scan of his machine showed he was spending a majority of his time reading and commenting on incel message boards. Nevermind the porn.

Never ever put anything personal on a work laptop. I recommend remote desktoping to your personal machine and doing all your personal stuff on that machine, so you get the best of both worlds.

Man, y’all are weird, reading browser history and shit. I would just remote wipe the computer and leave it be. That’s what my last employer did. They just Fleetsmithed it to zero and left me with the MacBook Pro.

I don’t see why anyone would do anything else.

If they were let go for cause then the laptop history is useful probably in case of lawsuit or unemployment claims.
Is it, though? I genuinely don’t think so. Performance stuff like this is usually documented via your HR stuff, the PIP etc.

“This guy was browsing incel forums from this time to this time”

Which court in what land uses that information?

Sounds kind of mythical, especially since I’m sure there’s an army of other people on idiot forums like that who are nonetheless performing fine.

EDIT: Okay, you guys hit me with sufficient downvotes that I’m rate limited so I know the predominant view is different.

Fine. I’m not a lawyer, but I’ll tell you this. If some rando IT dude is going through folks’ computers after they quit and I find out, I am quitting your company and telling everyone. I have never done that to anyone reporting to me and no company has ever done that to me. I can’t believe you’d accept these work conditions. Wild.

"This guy was stealing company data"

"This guy was conducting illegal business using the company's network"

"This guy was running his own mining rig on company servers"

It's not hard to think of actual cases that happen.

Sure, but fortunately we’re not context-free text generators. We are able to see that we are in a thread where the guy was let go for poor performance. Like that shit is not “poor performance”.

Y’all are playing me if you think that.

(comment deleted)
(comment deleted)
If someone is that bad that they run mining rigs on your servers, I suspect a little personal web use is the least of your worries :)
It makes sense if you think you're likely to have to defend the decision in court. For instance, I've worked on a team where a guy was fired for performance reasons that were obvious to all of us, but he sued and claimed it was discrimination. HR had known of a performance problem and the process was documented, but if the trustworthiness of the manager who gave them all that information is cast in doubt, could they really defend it quickly and decisively in court? We all had to be deposed. Imagine if it became a lengthy court case. I imagine it would be nice for the company to have a paper trail of convincing evidence of a performance problem. A timeline of significant, non-work web browsing during work hours on work machines would do the trick, and protect the rest of the team and the company.

That said, I agree with the commenters that I wouldn't want to work somewhere that did this as a matter of routine. I always have my work laptop encrypted with a key only I know and I have not (yet) been forced to give work root access for management. I'm always confident handing in my laptop that they couldn't find anything even if there was something.

> Is it, though? I genuinely don’t think so.

Are you a lawyer?

> Which court in what land uses that information?

That seems like a question for the legal department, not for the IT department.

You're doing this thing that smart people do (I know because I do it myself if I'm not careful) where you way overstep your area of expertise. It's not a good look, avoid the trap.

EDIT: You've changed your stance from a general stance to a specifically ethical stance here, and I agree: it would be better if employers respected the privacy of their employees more.

However, that's just not the world we live in. From the perspective of an employer, you can make your choice to behave ethically regardless of the legal implications, and that's a choice that I would laud you for. But from the perspective of an employee, you shouldn't assume that your employer will behave ethically: on the contrary, I would always assume that your employer is going to go through your computer when you give it back. You can fight that if you want, but that's not the hill I would choose to die on, as there are much worse privacy violations going on.

If you want to see how bad things have gotten, freeze your credit, sign up for credit monitoring, and then start applying for jobs, and see what happens. About 75% of jobs I've applied for in the last few years have tried to pull credit reports--and you can't really stop them as long as they do a "soft" credit check (freezing credit doesn't block this).

>Fine. I’m not a lawyer, but I’ll tell you this. If some rando IT dude is going through folks’ computers after they quit and I find out, I am quitting your company and telling everyone. I have never done that to anyone reporting to me and no company has ever done that to me. I can’t believe you’d accept these work conditions. Wild.

Every large company I've worked at or heard of it's pretty much assumed that IT may monitor everything you do on their machine. Everyone knew this. Which is why you don't use the company laptop for personal use.

Is it same in EU? If I read the law correctly I understood they need a good reason to monitor and they definitely need to notify you and ask for consent.

I have been using my work laptop quite heavily for personal use and I would prefer not to stop honestly.

I believe my intentions are pure and to provide value, I understand world is not perfect, but I would not want to work for an employer that needed to monitor me.

IANAL, but as far as I read into the situation, employee monitoring is a very dangerous field. There are exceptions, however, such as company-provided http(s) proxies and more concrete monitoring or investigation when suspicion arises (I know of two cases where employees were suspected of consuming child porn and they were both monitored as well as having their hardware seized).

Lastly, the companies or specific malicious admins might simply not care about the legality and still monitor you - either for company reasons or simply to stir through your data. If they have admin access to your computer, it's simply not your computer.

IT may have the legal right and often the technical ability to monitor any activity on work computers.

But it is stupid to allow any old IT staff to do so, and this thread is a good illustration of why: because most IT staff do not have the discipline or smarts to keep what they learn sufficiently confidential. Allowing IT staff to browse the files of other staff at will can lead to other HR problems such as harassment or even blackmail, or loss of corporate reputation if people post embarrassing stuff in, say, a public HN thread.

The ability should be exercised only under the supervision of a lawyer, which limits bad behavior and creates attorney-client privilege for discussions of what might be found.

This can be a double edged sword though.

I worked at a place that did have good 'secrecy' around most monitoring. While I was one of three people outside of Infosec that managed to find out that someone was let go because they were caught exfiltrating client/employee PIFI... I'm pretty sure nobody who was possibly compromised got informed.

This was a place that was so concerned with image that the handbook was about as strict as what my Sister had to deal with when teaching at a Catholic school. Image was everything to them.

We were investigating the employee as part of their offboarding.
Okay, man, I’ll trust that you’re doing this because they were stealing stuff or something like that but if it’s just sucking at their job then damn, dude. That’s like kinda a shitty thing.

Sure it’s company hardware, and you get to do this shit but damn that shit would be like “I gotta get out of here” if I heard IT was scanning people’s browser history for sucking at their jobs.

EDIT: The lawsuit thing makes this even worse. If I even heard that someone was suing their employees for poor performance I am like straight up blackballing that company and all of its damn subsidiaries as places to work. Like my friends would know, my family would know, friends of my family would know. I’m sorry, this is straight up unacceptable to me.

I assume it's for liability reasons in case they start a lawsuit.
Agreed. If he's already been let go, who cares what's on his laptop?
It's important to document and archive the contents for liability reasons, but the takeaway here is that you should remember that the laptop belongs to the company and you have zero rights to privacy on it, so conduct yourself appropriately.
Depends where. Here in Europe it has been said that a Personal folder cannot be looked at by the company. But ofc it can ask you to delete it or fire you if you spend too much time idling but Personal data is Personal.
This is a major cultural difference between US and EU. In the U.S., data is only Personal if it's on a Personal device.
>It's important to document and archive the contents for liability reasons

Unless this guy was sexually harassing people, I'm curious how this is going to protect anyone from any kind of liability.

>you should remember that the laptop belongs to the company and you have zero rights to privacy on it, so conduct yourself appropriately.

Yes, but as others have mentioned, just because the company has the right to do that doesn't mean it's either ethical OR good. No one here was asserting the right to privacy on company owned hardware.

(comment deleted)
I pretty much assume they're watching everything I do on a work computer. I don't do anything that would be too embarrassing to see sitting printed out on my supervisor's desk.
Same here. It's my only Windows machine and the only one that reliably prints some PDFs. If they cared that I'm printing out MLP RPG sheets to play with my daughter I'll have that conversation.

I Never have work email on any other device but works.

> We were investigating the employee as part of their offboarding.

I do not know how it works in your country, but anything that you discover of his personal life becomes a liability for the company. If he had AIDS and now you get that knowledge and it leaks, you may find the company fined for big money. In Europe, again and again, companies are forbidden to use any knowledge gained spying on employees.

What reason would you have to investigate an employee that is leaving the company anyway? Unless it has some contractual impact and your company HR/legal department is aware, there is no reason. "To see what the employee was doing" is not a legal reason.

I strongly agree that IT needs ethical education. That you have access to some information does not mean that you have the right to access it or that it is moral to do so.

Legal reasons for pending litigation. And we're not in Europe.
(I'm in the US and have worked a similar job as the parent poster and have had to do similar things on several occasions.)

>What reason would you have to investigate an employee that is leaving the company anyway? Unless it has some contractual impact and your company HR/legal department is aware, there is no reason. "To see what the employee was doing" is not a legal reason.

In our case, we would and could never investigate someone for any reason besides HR and/or legal explicitly requesting it for a specific reason and telling us what they wanted us to look for and why. "Fishing expeditions" weren't permitted. (There were a few occasions where such fishing expedition requests did come from them, and our managers would push back and basically professionally tell them to fuck off.)

I'm not sure of any specific laws or liabilities, but I'm sure we also would (and should) have likely been sued if we discovered some sensitive personal information about an employee and that information then leaked. If we inadvertently stumbled across personal things like that during the course of a specific investigation, we would always ignore it and not make any record of it. We didn't care about someone's personal life and didn't intentionally ever look at anything related to it.

Due to the nature of the investigations, it was often unavoidable that we'd end up seeing something at least somewhat personal, even if it's just some random website they habitually browsed appearing multiple times in their browsing history.

So, we would never look at an employee's computer or network traffic "just to see what they were doing" or just because we could. That would definitely be extremely unethical and unprofessional, and if management discovered any of us doing that we surely would and should have been fired. However, I'm not sure if there are actually any laws against that in the US if it's disclosed in the employment contract.

> What reason would you have to investigate an employee that is leaving the company anyway?

Well, an obvious one is "did we fire him for cause or will we have to pay more unemployment"...

(comment deleted)
> I don’t see why anyone would do anything else.

Because that is the smart thing to do. I got to purchase my laptop when I left the company, and they still wiped it out before handling it. It protects them and it protects me. I do not want access to any company resource, it can only hurt me. And they are not interested anymore on what was in the laptop either.

It’s pretty common practice to capture system images from returned employee equipment when they’re fired for cause (at least in the US). But it’s also pretty common for technicians to be forbidden from browsing those files without a very good reason.
Agreed, this is creepy, unnecessary, and possibly even damaging to whatever litigation is pending. (Assuming the litigation thing is even true, which I personally doubt.) Even if they do need an image of the drive, the people in IT shouldn’t be the ones pawing through it. That’s a job for a professional investigator or a lawyer. I ran an IT department for four years and if any of my staff did something like this, at the very least they’d be getting a closed door conversation about why this isn’t ok.
I used to work with a security guy who tried to make it a policy that staff would have to hand over their social media logins to make sure that they weren't talking to anyone or having any conversations that were "suspicious".

Fortunately that idea was beaten to a bloody pulp by the HR team before it got off the ground. But you would not believe the mall cop mentality in many companies.

I'm convinced the doorway to personal use on work hardware is the free printing. I still find half printed mapquest directions piling up in the copy room, in this day and age no less.
MapQuest prints? Did we jump back in time? Do people still do this?

Edit: I see the printing part. I guess I was more shocked at the call out to MapQuest.

for long cross country trips, I do this. I have been burned before..
Consider a AAA membership. Their maps are high-quality, frquently-updated, and entirely free. You can walk into any AAA on any day and get as many free maps as you can carry.

Not to mention the roadside assistance and towing coverage. I take long roadtrips too. The couple times that AAA has saved me make all the yearly dues worthwhile. E.g., once they arranged a 300-mile tow from a small coastal town back home; it took less than an hour to setup and didn’t cost me a dime. The alternative would have been paying next-day air freight on a Mercedes alternator and battery, and staying another 2 days to get the work done.

For a non-US dweller: how frequent are AAAs and how easy are they to find?

(Because, in Germany, even if you're an ADAC member, you'd be hard pressed to find an ADAC-affiliated office to pick up a map from...)

There are at least hundreds and probably thousands of locations. AAA is shockingly good. Maybe not shocking if you consider it's a 120-year-old nonprofit member services organization, but still: anyone who drives an auto in America is leaving serious value on the table if they aren't a member.

The bottom line is that if you're having a problem and you're in an automobile (doesn't have to be yours) AAA will do their best to help you solve that problem.

Unlimited, free, high-quality paper maps are just another perk. Walking in to a member branch and walking out with maps is just the beginning: a AAA employee will help you plan out a road trip, and make what's called a TripTik, which is a custom spiral-bound route map, with various sorts of amenities you can choose pointed out for you.

There are campgrounds as well. It's truly remarkable how much AAA offers.

They used to be a staple at pretty much any/all gas stations. Not so much any more though. Edit: the maps were available, not the offices.
AAA will also mail maps/trip planning materials (they call it "TripTik") to members.
They are very common--even tiny cities in the US will have an office somewhere. In fact, they're one of the few places to easily pick up properly formatted and valid international drivers licenses before you go overseas.

However, I would caution you that some of the benefits that used to come from being an AAA member have been severely curtailed. The towing benefit, in particular, now has quite a few restrictions on it.

Rather astonishingly, yes!
It only takes one time arriving in a new city by air at 11pm and your phone becoming non-functional prior to reaching the rental car to make one bring a redundant set of paper directions to get to the hotel.
My redundancy these days is having a cellular-equipped iPad.

It's saved my bacon a few times at this point. Basically a (large and unwieldy) cell phone I can pull out when my main driver falls dead.

Pro tip: install ride share apps on the tablet in advance, because in a serious UX fail, Uber and Lyft both want you to receive an SMS code to activate accounts. I was lucky that time, that getting my iPhone out of airplane mode at 1% battery wasn't enough to trigger forced shutdown.

Lyft doesn't even have a separate app, but Uber actually offers an iPad-native experience, but is unable to activate you without SMS. Which, along with standard voice calls, is the one thing a data plan associated with a phone number won't let you do except from the primary advice.

As part of my firewalling work from personal at my new job, I have been thinking "cellular iPad" for an ultra-portable personal machine that can also poke a personal server if needed.

(Well, that or Pi 400, but I worry how well the Pi 400 would hold up for travel, or about getting a hotel room with no easy HDMI on the TV)

> Pro tip: install ride share apps on the tablet in advance, because in a serious UX fail, Uber and Lyft both want you to receive an SMS code to activate accounts. I was lucky that time, that getting my iPhone out of airplane mode at 1% battery wasn't enough to trigger forced shutdown.

Of course regular taxis are also still a thing ;)

Uh-uh. Because you can just use a payphone to call one, right?

When I lost my phone in Madrid, and realized that I have no way to call a taxi, since I was staying in a residential area where you don't see taxis in the streets.

My Spanish was barely sufficient to explain my predicament, and I lucked out because a random convenience store clerk called me a taxi from his phone.

Which reminds me: in case you didn't notice, there are no more payphones. In 2001, I could walk up to one, and use one of them Yellow Books to do anything you could do one the phone.

Today, you need to have a smartphone to do many basic things.

The comment thread mentions flying into a city by air. There are taxis at airports without fail anywhere I've been
That very much depends on location and time. Smaller airports particularly, in off hours, may only have ten to twelve, which is not enough for that late plane that's coming in.
Fair point although worst case is you wait longer
Try flying into not-even-that-rural Iowa.
I would bring a phone in that case. I would bring a phone in any case.
Really? I live in Barcelona and there are always taxis ready for the hailing :) Uber and Lyft are not common here, though a local alternative, Cabify is. But whenever I use cabify I need to wait for ages for them to get there, and tens of taxis pass me during this time. So I only use them when I want the quiet of a nice car or when I want to know how much I'll pay in advance.

There are still some payphones here too, but most of them have been vandalised, that's true.

True, but I was going to have trouble hailing a taxi from inside a port after dropping off my car for shipping across the ocean.

Which in typical fashion, I dropped off just under the deadline, so the office was closed.

Oh did I mention that no there aren't regular taxis on this island anymore? I should have mentioned that first.

i went back to mapquest because i wanted to avoid google software and Apple Maps is absolute ass where i live.
First 'real' job I had I was a 20 something working in an office of mostly 40+ guys. (dot.com era had taken off and the company needed warm bodies)

As typical I became the guy who could help coworkers fix basic PC stuff quick. I didn't mind this as I got to know my coworkers and really just did simple things for just our small team.

One guy calls me over to help him with why he couldn't open some images on his computer. I fix the file association and ... yeah it's porn.

A little while later a guy brings in an old digital camera (back when they had some weird proprietary formats for images). Yeah his daughters were taking pics of them standing by the highway flashing traffic as it goes by.

Nothing ever came of any of it, but here I was thinking loading a bunch of mp3s on my computer was a bit dicey....

I'm not sure people's attitudes have changed that much in the following decades.

How come this was never brought up during a performance review
I would add that you should avoid connecting your personal devices to corporate networks until you understand their usage policies.
(comment deleted)
I got a new job recently after being at my old place almost 15-years. I've decided I'm doing things differently this time. All my work stuff is on my work equipment, all my personal on my personal, and never the two shall meet. I don't have e-mail or slack on my phone. I don't have personal e-mail on my work computer.

It's remarkable to me how much this has improved my life. It took some getting used to, but when I'm working I focus better on work, and when I'm not I unplug. It seems obvious yet somehow leaving work behind at the end of the day escaped me before.

Also as someone who used to run an IT department, it's shocking the degree that some people fail to realize their work equipment is well works. Personal e-mail on your work laptop, I get it. Your entire collection of photography celebrating the human form in your folder of the company shared drive, why would anyone think that's a good idea?

I do this while freelancing/contracting as well. I have a macbook for client work only.

While I don't have a one for each potential client, I do use a different user for each client, and all data should remain in user space -- which is easy enough to accomplish since I need to maintain matching versions of databases anyway, there is no need to share a single data store.

The user per client on the computer sounds like a nice idea. I haven't done that, but can easily see the appeal. Nice one
Would almost be better with in addition a vm per customer or at least some kind of encrypted partition per user/customer. Not sure how easy it is under Linux.
Just bite the bulllet and move to Qubes
Another advantage of doing this on separate VMs on Qubes is it makes it easy to comply with end-of-contract requirements to destroy all data. Just delete the VMs, and if needed, old backups.
Didn't know Qubes had such a feature (encrypted home partition/container). Will have a look, thanks.
> Not sure how easy it is under Linux.

Not sure how easy it is on other OSes. On Linux, it's easy.

On the face of it, it looks fairly simple on Linux with the encrypted homes feature.

Don't have the need for that, so I've never tested it in practice, though.

It's a great system. The only real pain I've run into with it, on macOS anyway, is that you can't isolate iCloud accounts and still receive texts on your Mac. So unless you have a separate phone for each client, that's not so great. Also, the lack of profiles on iDevices means any client-specific apps (2fa stuff, for instance, or if you like to have Slack on your iDevice, or dev/testing apps, or whatever) ends up in a shared space on there.
I created a new iCloud account with my work email.
Right, the trouble's getting text messages and such through to your laptop (text message 2fa is so nice with a synced phone—auto fill!), if you have multiple clients. One work phone + personal phone (or tablets, or whatever) is fine. It's when you have three clients, and maybe they rotate out sometimes, that it gets to be a little annoying.

... unless you can add multiple iCloud accounts to one phone. I guess I've never tried, because I just assumed you couldn't. Though you'd still have the problem of things like dev builds and all that existing in the same space, and email accounts (on the phone) syncing to the same application without much separation, and all that.

I once worked with a guy in the early 2000s that did 1 laptop per major client project (this was local workflow type app stuff, so windows desktop clients with maybe some kind of data backend) when he was complete he literally took the laptop and put a label on it and put it on a shelf. He'd been burned once to many times on backwards compatibility and library quirks with windows.
KDE has the concept of activities (think like, virtual desktop on steroids, with custom widgets and look) which I used for some time to split between clients' work.

It was a fun gimmicky but I can't say I missed it once I had to start using a Mac.

I've started using that when working from home, putting the work stuff on a separate activity.
I've done this before with one VM per client. Makes archiving etc. simple also, and means that per-client setup stuff never tramples on each other.

Gives an answer for how you firewall sensitive data also, e.g. every document you gave me never existed anywhere except in this (potentially encrypted) VM. Easy to delete cleanly.

That sounds like a clean way to organize multiple clients.

For some types of development, I find working on a remote server using SSH/Mosh/tmux works really well for me. I am retired now but I used to ask clients to rent a reasonably powerful VPS that we both had access to and just worked on that. I think this gave customers good control over their property (i.e., the work I did on their behalf).

I tried to use this approach before, but if I remember correctly Homebrew didn’t like it. I like to manage my software with Homebrew, but multi user simply wasn’t working
You can install Homebrew in a non-default directory like somewhere under your home directory. It requires every package to be rebuilt during install, but it's possible. This means you should even be able to get away without even escalating your privileges to root.
How do you handle brew? It makes all the /usr/local/bin stuff belong to the regular user which installed it. Other users had trouble working with brew-installed stuff, last time I tried a few years ago.
You can install brew in your home directory using the Untar Anywhere approach. I’m particular sceptical of how brew handles permissions, so I always install it to ~/homebrew. One thing to note, if you use this approach Homebrew will not use its precompiled binaries and build everything from source.

https://docs.brew.sh/Installation#untar-anywhere

> While I don't have a one for each potential client...

So 6 clients = 6 computers...pardon me Macbooks is your ideal setup?

I hope that was a joke.

I really hope that was a joke.

I do the same on Linux, I install software that I always use (DBeaver, Intellij, Spotify, 1Password, browsers, postman, docker stuff, etc) with my 'personal' user and when I switch clients I just create a new user and copy over my licenses.

Then I use firefox for everything client related (their outlook, jira, etc) and just login to my gmail on chrome or brave or something.

Which computer are you posting this from?
Everyone knows that HN is work.
Potentially from the ~6x10cm computer
... while sitting on porcelain with his trousers down.
Personal. Took a break, got some food, browsed HN, etc.
Posting from his personal phone while sitting in front of a company computer.
Imo browsing hn every morning is a useful part of my job. I've found out so many useful things before anyone else because of it.
HN in the morning. HN after lunch. HN during meetings that are dragging on. HN makes me SO productive.
I still concider that better alternative than playing Candy Crush
it's useful for you only unless your job wouldn't have found out otherwise anytime soon.
I had a similar experience after switching companies (to remote) last year. Work computer has no personal accounts/services. iPhone (and personal Mac) has no work accounts/services. No Slack, calendars, etc. I made it clear up-front that I am not available before 8AM and after 5PM M-F, but very available during work hours. Best decision I ever made!
I did this exact same thing at my last job, and I agree that it's remarkable how much it made both work and non work life better. Drawing hard lines can oftentimes make compliance much easier. Just the fact that I had decided to not have/do ANY personal stuff on my work computer made it very easy to focus and be extremely productive. I'm in the middle of my career, and it was by far my most productive time as a software engineer.

That being said, I didn't work myself to the bone. Instead of taking breaks with reddit, checking personal email, or spending time on social networks, I allowed myself long lunches, long walks, naps in the park or at the beach, and other forms of relaxation during the working day. This easy pace allowed me to perform some of the highest quality and most creative work of my career.

For me to have work Teams on my phone, have to install this app that can remotely wipe my phone. Understandable but still.
When I have worked for similar companies, I simply didn't install any of their software on my phone. If they wanted the ability to wipe it, they would have to give me a phone for it. Sure enough, it never turned out to be that important to anyone.
Yeah, I wouldn't trust company MDM on a personal device at all. Best case is that someone with an itchy trigger finger wipes your phone. Worst case you've got someone deciding to poke around your personal device for shits and giggles.
Ironically, a week before I left one of these companies, they remotely wiped my work laptop. Someone got the memo wrong, and I spent the better part of my remaining time with them trying to get access to all the various systems so I could complete one bug ticket. I hate to imagine what would have happened if I had given them access to my personal phone.
Is it an Android? How does that work? Is it a special permission or something?

I've allowed Slack on my personal phone. It has no permissions according to the Android OS (beyond permission to use the network, which, of course, can't be denied least Google lose ad revenue). I don't think it can wipe my phone. I hope it can't wipe my phone?

I didn't install it. After 5/6 I'm done with work. I don't use work devices for personal use/vice versa.
MDM is kind of a super admin feature on Android and iOS which allows for all kinds of things normal apps can never access. It's used by companies to manage company owned devices so they can do things like reset the password and remove the apple id lock when an employee leaves.

It's not that slack can wipe your phone, but that (it sounds like) slack can detect the presence of the company MDM setup which can wipe your phone and lock you out of the app if it is not detected.

Calendar is what kills this approach for me. I am not two different people with two different calendars, I am one person with one calendar. Scheduling & making all my appointments is really troublesome with two separate calendars.
It's a pain, but no way are my appointments any of the company's business, and it's not worth putting work stuff on my calendar.

Fortunately my work day ends when I leave work and I can just block off time if I am otherwise out of office for whatever reason.

You can share a calendar as free/busy
If you are not the administrator of the system in question, that isn't quite the right description.
... not the administrator of your personal calendar?
(comment deleted)
This is one place where you can, maybe, shed a tear for management. Imagine your CEO keeping a separate calendar. Don’t you want them inviting investors over for dinner?
This sounds strange, but I assume you must have extremely flexible work hours.

So just share the calendar and isolate the rest? No need to throw the baby out with the bath water, do what works for you

I provide access to my work one from my personal so I can view it on my personal when scheduling events and hide it otherwise. Works pretty well imo.
Yep, that's the way to go. I do the same. Easy to do with Google Calendar.

In your work calendar: Settings -> Settings for My Calendars -> Access Permissions -> Get shareable link.

In your personal calendar: Other Calendars -> Subscribe to Calendar

With this, I've managed to remove all other traces of work from my personal phone.

And it takes like 12+ hours to update....
To me it works instantly between Google calendars, and with a few minutes of delay between Google and Office365 calendars.
> with a few minutes of delay between Google and Office365 calendars

How in the world do you do that? Subscribe to Calendar isn't even possible with Office 365, right? You have to use From URL, to which you give the .ics URL, which Google Calendar normally pulls a couple times a day. Is there a different mechanism you use?

And if you are in a high security organization (DOD, banks) … good luck.
> High Security organization (banks)

Hahahahahahaha. Good one.

Perhaps "high security process organization" is a better term.
That's a good description. The invest a lot in highly secure technology and processes, and then ignore them out of convenience.

I work at a department that's all about data quality and integrity, and we have super bureaucratic processes to regulate access to data, but you don't want to know how much data lives in Excel files; an issue I'm constantly trying to address.

boomers love excel
They usually have extreme security guidelines for employees. All external laptop ports disabled, so no way to plug in periphery nor connecting a tv for a presentation.

No internet access at on laptops or only with a sim card which only allows connections to the VPN bastion host etc. Direct Internet on premise is a no-go as well, obviously. So no checking stack overflow if you've got any issues

They still leave infrastructure with default passwords exposed to the internet and implement questionable password policies for their customers... But they do everything they can in order to sabotage their employees!

Works until IT resets the passwords once a month and you have to renew access on your device, missing a meeting.
We should discourage this stupidity of expiring passwords wherever we can.

Maybe make it a point to put your passwords on a sticky note stuck on the monitor prominently on display if $work requires you to change passwords that frequently?

Nobody actually cares about the security of expiring passwords, it's just a line item on a checklist of official processes. And the people auditing it don't visit in person
Your organization SHOULD follow NIST SP 800-63B Section 5.1.1.2

https://pages.nist.gov/800-63-FAQ/#q-b05

Q-B05: Is password expiration no longer recommended?

A-B05: SP 800-63B Section 5.1.1.2 paragraph 9 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.

Both NIST and NCSC now actively discourage password expiration. And it took them only what, 30 years, to catch up with real-world best practices?

That said, there is a place for 30-day rotation. That's when the so-called "password" is actually a shared secret for extremely high-value systems. Payment gateways, for example.

> That said, there is a place for 30-day rotation. That's when the so-called "password" is actually a shared secret for extremely high-value systems. Payment gateways, for example.

Should we even attempt to let the user define such shared secrets? If 30-day rotation is good, surely 30 second rotation is better? Perhaps we can replace such "passwords" with some kind of one time PIN (OTP) or some generated pass phrase only valid for n minutes?

Well, in this shared-secret case we're talking about "symmetric signing keys" (really: MAC keys). Those types of keys are not defined by the users, they are issued by the party you're connecting to and delivered over a known, reasonably secure out-of-band mechanism.

I am all for having transient secrets, but without an extremely well integrated and robust vault they would be unmanageable. Plus asymmetric handshakes are computationally really expensive, so you don't do them all the time.[ß] The 30-day rotation period for these types of secrets is merely a reasonable compromise between "assume all shared secrets will be compromised" and the human factor.

ß: a friend set up a dedicated payment gateway device for a UK challenger bank. For just one card issuer. That thing can supposedly run at 10Gb line rate, so doing asymmetric crypto frequently would murder performance and latency.

This is so infuriating. NIST has been advising against it for years by now and even Microsoft switched the official stance last year or so, but it still keeps being done out of inertia. It's also still in the AWS best practices (I unsuccessfully tried to argue against introducing it for our accounts).

Though, to be honest, at this point I believe that humanity should just abandon passwords for all but the most unimportant of things (e.g. your account on some hobbyist forum), at this point they just have too many downsides and most people seem to be unable to handle them properly.

Writing your password down in an insecure location will get you written up at most jobs, straight out fired at others.
You do need them on the work calendar if you need to account for travel distance and time to the dentist before accepting that last minute meeting.
The only time this bit me so far is that once I had a weekly recurring for…two years. And one day, for some reason, my phone started RSVPing to it again. Except it was every instance of it that had passed…blew up my bosses inbox and made my phone useless for about an hour. It was the weirdest thing. Funny though.
I believe that was an iOS bug, I remember hearing about that in a few instances where the built-in calendar client was connected to Office 365. In all cases it was solved by updating iOS to some bug-fixing point release.
> Calendar is what kills this approach for me.

If I have a personal thing during work hours I just block it off on the work calendar. No details, just "Not available".

Anything outside work hours doesn't need to be on a calendar.

So if you have a dentist appointment in the evening, after work, you don't put it on any calendar? I find that hard to believe.
I put it on my personal calendar, work has no need to know about it.
You do need them on the same calendar if you need to account for travel distance and time before accepting that last minute meeting.
For those rare cases, it really isn't a problem to look at my work calendar on the work PC and my personal calendar on my phone and do a quick comparison.

In general, if I have a personal appointment, I'm not going to forget about it. Just the act of having added it to my calendar is enough to remember it, without having to look at the calendar. I only ever mix personal events into my work calendar if I there is an overlap with my working hours, everything else is none of my workplace's business, I'll polite decline any meeting that conflicts.

Besides, last-minute meetings are a sign of bad meeting culture.

But you need to check both calendars when making the appointment. I can see how that's cumbersome, and in fact is one thing I deal with as well.

It would be nice if I could sync my work calendar with my personal calendar, but with all details redacted except for begin, end, and perhaps location.

Depending on your software, you can! I know Google Calendar allows you to restrict shared calendars to just time ranges, it'll show up as "not available".

Settings > Calendar Settings > Access Permissions > Make Available to Public > on the dropdown, pick "See only free/busy". Now you can share the link with your work calendar and it'll show up as indistinct blocks of time.

You can do it both ways, and you'll be able to check your availability for both work-related things and personal things in their own calendar, but contextualized.

Even my work calendar doesn't share the details of what I'm doing in a busy slot. Not particularly something anyone needs to know. If someone really needs to meet and my calendar looks blocked they can ping me to see if there's anything I can drop or move. It's not really up to them to make the decision (unless I work for them and it's urgent).
Be default, my work calendar is strictly work and my personal calendar is strictly personal. I only duplicate personal events to my work calendar if they overlap with my work hours. Everything outside of work hours goes in my personal calendar only.

Aside from the odd appointment at the dentist or doctor's office, I don't have very many appointments that need to show up in both calendars. Work hours are work, everything else is personal and none of my workplace's business.

> But you need to check both calendars when making the appointment.

If one covers strictly work hours and the personal one is strictly for outside work hours, then no need to check both. Just check the applicable one.

> Anything outside work hours doesn't need to be on a calendar.

I'm happy that works for you, but for me or anyone else who can be absent minded sometimes, that does. not. work. I need a calendar to remember promises I've made to people about when and where I'll be. Tuesday I'm meeting a friend to catch up in person, Thursday I've got a birthday dinner to go to, there's a show on Friday that I have tickets to. Stack multiple events in a single night if you have a busy social life. That's not a ton of information to remember but human memory is imperfect, and that sort of information is in one ear and out the other for me.

Prior to pocket computers, I'd have a paper datebook to carry around (and lose), but thanks to modern technology, it's stored in the cloud and accessible for me at https://calendar.google.com.

Can you block out the times on the work calendar to correspond with the actual booking in your personal calendar?
> Anything outside work hours doesn't need to be on a calendar.

Can't edit original, but what I meant there is that it doesn't need to be on a calendar that work has access to (if the event is outside working hours).

For things on weekends I put those on my personal calendar. But that's clear-cut separation since no work event will ever be there.

The conflict is only for personal events during work hours. For those I put the blank placeholder in work calendar to block out the time.

With google calendar, you can add your private calendar (via a sharable url) and set it up such that it marks your private events as busy. Very useful.
Establishing the habit of regularly checking your schedule and thus being aware of any upcoming events would mostly solve this.
I wish I could do this. Now the two are perfectly mixed on my work laptop.
I’ve known so many people that wanted to get into crypto over the last decade and didn't even own a laptop of their own and were practically married to their employer as if that was normal (in their corporate world that was normal)

They had no way of managing private keys, privately or properly at all

They did it anyway, in one instance one person turned in their computer for routine IT maintenance and it was wiped! lol! Its pretty obvious that a person like this only had a passing interest in crypto and never made any backup

Things are so much easier now with hardware wallets that connect to iphone apps

But its shocking how people often have no separation

I don't really.

But I use my own computers for most things. If I had to use a work-issued computer for work things, I'd be more careful about commingling. (I do have a work laptop, but I don't use it for very much.) I also generally keep personal and work email separate--to the degree one can really deliniate personal and work.

"I don't have e-mail or slack on my phone."

Thought maybe I was the only one. Text messaging is enough. Not even using any trendy apps, just a few basic things from F-Droid.

That wasn't OP's point. They meant that they don't have work e-mail or work slack on their private phone, to provide separation between work and private time.
What you realize when you do that is how people actually adapt. I dont mind both, I have phases when Ill be fully plugged and answer work email at 1am, which starts to create a super fun action-oriented life where it's a denser and denser tunnel of things to do, fix, answer.

But then when you stop (I got a Huawei phone which cant install most of the corporate things for national security reasons), then wow. When I leave I leave, I do dilletante stuff, eat out with my wife and nobody cares. They just call someome else. I get probably less cookie points at annual reviews but a few rushes at the end of the year can usually compensate.

For me, using Facebook cookies in the same browser as work stuff blows my mind. I specifically write in the onboarding of my employees “Create a separate Chrome or FF profile to use your Facebook and other personal browsing”, and only half respect this rule, interns being specifically bad (experience workers do want work/home isolation). They receive quite a scolding when I catch them, but the damage is done: All websites have immediately registered who they are associated with, who their colleagues are, etc.

Stringent security rules and obnoxious firewalls exist because people don’t respect cool rules.

Firefox containers are good for this type of separation.
I try to do it. One thing that helps is my Logitech MX keys, it switches to my Phone with the push of a button, so I don't feel the need so much to install Signal and Telegram on my work laptop. (I still do of course, it's just too easy... but I try because I understand the problem.) What is nice about my employer is that they ask you to fully wipe your drives (throw away the encryption key) before handing/sending in stuff. It's as much protection for them as it is for me.
Really like this approach but 7KG cabin baggage limits on lots of international flights are what makes it really hard for me. I sometimes struggle to get single laptop + iPad + charger + power bank within the limit, let alone two sets.
I always carry two laptops (personal + work) on all trips, domestic or international. Other than added inconvenience of having to take out and put back stuff during security checks, it has always worked out. Even when I end up exceeding the 7 kg limit, I've never been stopped.
There are many cases where this is good advice--and certainly if you're the director of the CIA. There are of course additional reasons, including company policy and as peer comment says side projects, to keep personal and work devices separate. But I also don't think one-size fits all rules apply. I'm not going to carry two laptops when I travel.
Work laptop + personal iPad seems reasonable if you are in the Apple ecosystem.
That's a reasonable approach assuming you're not doing anything personal off-the-clock that requires a laptop computer.

It's something I'm not worried about in general given our work policies and practices. I just travel with a personal MacBook or Chromebook.

You can set up a server at home with wireguard if a PC is absolutely necessary. But yeah, a MacBook Air is lighter than an iPad in some cases
> personal iPad

Personal Apple devices are closest to the definition of "PC".

Yet my multi-user Linux desktop system is called a "PC".

Yeah, the carrying two laptops part is also my issue. Of course, I am well within my rights to not take my work laptop with me when I go anywhere and if a disaster strikes, I can just tell my manager to sod off - but it's just easier to take the work laptop and do my YouTube watching on it.

(I'm technically not on call but on practice it's messier)

Not the most environmentally friendly and may be against company security policies in certain places, but if you’re going traveling you could leave the work laptop plugged in and remote if disaster strikes (part of the point of this is that it shouldn’t be routine).

As for me, I’ve done the two-laptop thing when traveling since 5y or so. It’s actually worth it for other reasons too - having your only computer have a hardware failure or be stolen in the jungle is no fun. If both are of the same make you could even boot one’s drive off the other in a pinch.

For all the “what about X?” questions in this thread... you will figure it out easier and faster than you think once you force yourself to change habits.

> Not the most environmentally friendly

Solvable with wake-on-lab.

remote desktop for personal?
Hotel WiFi can be pretty awful. To be honest, this isn't a problem for me. I don't separate usage pretty much at all. I'm not sure what I would do if it were a bigger deal.
I carry 3 and I just flew to back home to Europe for the summer.

- 1 MbP for my actual job. I’m not admin. I can’t even trigger a update.

- 1 MBP to access the parent company system. Like … 1 a month. ( it has a vpn client that I can’t install on the first one … that’s all )

- my personal laptop. Because I can’t do shit beside working on the two first.

It’s ridiculous

Did you consider booting off an external drive? Macs work really well in this scenario. Windows is notoriously bad at booting off USB (though I'm not sure if this is still the case). But Macs can do it really well. Linux too.

I used to do this in earlier times when personal use was still a very dark thing (in our company it has since become normal - at least web browser stuff). In the days I carried a ThinkPad T42 I would just slip the HDD caddy out and stick in my own at night in the hotel.

Later on I ran my own macOS on a company mac from a USB 3 HDD. Just hold option when booting. You can even encrypt both to secure them from each other.

Luckily these days I don't have to bother with any of that anymore. But they weren't too bad options as long as you don't need both environments at the same time.

On Windows systems with BitLocker, booting off an external drive (or shoot, even opening the bios to look and see how much RAM was installed, as happened to me once) will often trip the BitLocker recovery prompt which means you have to call IT and ask for the magic 48 character password to get back into your laptop, to which they inevitably ask "why did that come up".
I think OS 11 got rid of booting from external drives, but I'm not sure. I know that CCC can't make bootable backups for 11.
Ha, nifty. The previous job had the bios on lockdown. It would have trip something up. But here I could pull it off and not take my personal laptop.

What’s annoying me is to have to carry 2 work laptop.

Oh well :)

But good tips.

I had 3 macbook pros in my apartment and a spiritual chick I had over found “the energy to be misaligned” because I had excessive consumptive goods

So I’ll keep those others in the closet

(next to the flux capacitor)

I love the shocked Pikachu face when I show up at someone's desk, let them know their laptop is part of an ongoing investigation, and IT will be by soon to give them a new one.
How does that work these days when people no longer work at their desk in the office?

Just one of the many ways that dual-use is becoming more common. And OSes are increasing their abilities for it too. Mobile OSes are already great at separation. Windows is coming along slowly with Windows Information Protection and Azure Information Protection. Mac has user enrolment but it's in its infancy, sadly.

Your companies lawyers or personnel security people call you and say your devices are being placed on a legal hold. Don’t deleted anything or you might have to deal with the courts. The large MegaCorp I work for had some training that included stuff about lawsuits.
Ok yeah we do get that sometimes in our company but it's always triggered by external causes (some supplier being unhappy about a deal or something, they never tell me the full story). So it only affects people dealing with external parties. And always in the US, never seen it anywhere else. Though it seems to be increasingly prevalent there.
They are using company owned assets, or devices that the company has an interest in. For example one of my former employers paid a percentage of your monthly cell phone bill as part of the BYOD program, which also involved you agreeing to turn over and unlock the device on request.

You can also be compelled by the courts to surrender a device that holds information relevant to a civil or criminal matter. For example sending text messages to a coworker on your personal phone about how you are going to coordinate your efforts to block someone's promotion.

Unless you actually have rogue employees I'm guessing you'll be able to do this once or twice before you get told to stop making people lose an afternoon or even entire days of productive work because of bullshit like that.
I mentioned elsewhere, but I run an encrypted linux VM for anything personal and run all its network traffic through a VPN. I think it's a pretty good compromise between mixing work/personal, and carrying two laptops.
I actually believe that certain government officials (including the director of the CIA) are asked not to have personal cellphones because that could reveal their location. IIRC, Obama needed to have some special technical work done so he could use an iPhone.
At all the jobs I've had, any code that I write using company-owned resources, even if done on my time, the company asserts ownership over. I like to work on open source projects on the weekends, and so that absolutely requires a non-work computer.
This was part of the reason I bought a PinePhone. It's not for everyone but it's a bout as powerful as my personal laptop (yes I know, it's 10 years old though.) I've carried work+personal laptops before and that can get heavy enough to start hurting my back so I generally avoid it now.
The one I think is harder for a lot of people is the phone in BYOD environments.

When I started needing specific apps for work, I also got a work phone. I don't think my employer is doing anything creepy, and now I know if I'm wrong about that, it is contained and severed from my everyday phone.

But that's an expensive option.

Get a $30 bottom end prepaid Android phone at Walmart and such. If you're only using it for 9-5 work stuff and expect to be on wifi you don't even need to pay for a cheap SIM card or plan. Yeah it will suck and perform terribly, but who cares it's just for the odd slack/email/etc. notification and that's it.
>But that's an expensive option.

Are you saying you personally purchased a phone for use as a work device? That's completely bonkers to me. I have a personal phone and a work phone, but I definitely don't pay for the work phone out of my own pocket. I even made them order the case and screen protector I put on it.

What about iPhones? I was under the impression even with a company managed MDM profile installed, there’s a limit to how much they can see, like they can’t see messages or browsing history
You’re correct, but I’d guess that’s a level of nuance beyond what the article is geared for.
It depends on the MDM. My works' MDM required full access to my phone. That is the MDM software was fully capable of wiping the full device (not just the MDM data store). IT promised they wouldn't/couldn't do that; yet the app required the permissions. So yeah, noped right out of that.
I would've had to consent to full-device wipes if I wanted my school email back when I was in university. Thanks Microsoft Exchange.
> who in addition to accessing those university resources also visited several "high-risk" porn sites, one of which had placed cookies on the computer.

Get this, Charlie; get this, Charlie! It's cookies... Cookies! Oh, the humanity!

If I use my work laptop at home, I even put it in a separate guest WiFi. Since the introduction of an Endpoint Management system it essentially became an untrusted device.
More than avoiding keeping the personal stuff on the work laptop, avoid keeping work stuff on personal hardware. When you're off work, you're off work. No email, no notifications, no nothing.

The only work thing I have on my personal phone is Slack, and that's with auto-DND outside work hours. If there's an emergency, you can call me.

I had to install an authenticator and timesheet on my phone. Not really that bad.
Sure, if it doesn't generate notifications, that's no problem.
My friend uses one computer for both personal and business but he owns the company. I’ve always wondered if that was prudent, perhaps separate accounts at least?
Do we count posting on HN as personal stuff?
I don't, as a SW guy it's part of on-the-job training!
Yes, messageboards, etc. should be considered read-only at best on work devices.
I think one of the biggest risks to the employee is the CEO or anybody in power simply deciding to letting you go and suddenly taking your machine from you without notice while you're in the office.

Or a ransomware invading your work laptop and encrypting your stuff.

Or your creepy IT guy figuring out the stuff you post on amazon or having access to your nudes or whatever.

Try to be careful in avoiding binding your opinion or comment to your employer.
That applies whether you're posting from a work or personal device, really.

Alas, the stories I can no longer share on the Internet like it was the 90s.

My first ever office job was working for a local government, where one of the first things they told me when giving me a laptop was that the previous person in the position had been FOIAed and had to hand over the laptop to attorneys in the past so to be very careful about anything I did. This attitude has served me well in life.
(comment deleted)
I recently switched jobs. When I put in notice at my previous employer there was some sort of miscommunication with IT about my last day and I was shut out 2 days early, before I had a chance to wipe everything or even log out of my personal stuff (in their own chrome instance). They were not willing to undo it, but assured me everything would be instantly wiped once they received it. Couple days later I decide to check my google accounts for some other purpose and see an active session in the city where I mailed back my machine to. Same with a few other accounts. Was not thrilled with that.
Why didn't you remotely terminate that session?

The activity might just be that the laptop connected to the internet, but I'd still consider changing passwords.

I use an encrypted linux VM with a VPN on my company Mac for anything personal like listening to music or checking email. At least if they were to suddenly lock me out of my Mac, the personal data would be encrypted. If they had a problem with me doing this, I just delete a single disk image file and everything is gone.
Would you mind sharing more details about that "encrypted linux VM with a VPN", I would like to get something similar going on my company macbook.
I'm using VMware and it allows for encrypting the disk image and locking the settings behind a password. Within the VM, I'm using disk encryption so that the filesystem is secure. And then I run my own WireGuard VPN and I've setup network manager to auto connect so my traffic traverses the VPN.

I'm sure there are better ways to setup the VPN but it works for what I wanted it for.

I wish there was a way to do that natively with Firefox, whereby a whole profile is encrypted and password protected. Most personal things I do on work PC are through the browser, so if the profile were protected, it would be problem-solved.
Oh wow. So they aren’t encrypting the devices or they have a master key? We use Apple laptops at my work and when somehow I messed up changing my login credentials, the only recourse was to wipe the device because it couldn’t be decrypted.
Jamf, for instance, lets me configure a policy like “use FileVault to encrypt all laptops, and also escrow an encryption key”. I can decrypt any encrypted work laptops if needed.
Also just for practical reasons. When I shift to a new work laptop or reformat my current one for whatever reason I don't want to sift through docs and pictures I might lose.
This is one of the reasons I'm starting to like thin client stuff for work. They've gotten pretty good even for large-screen GUI desktops, and if your "work laptop" is actually a different machine that's just open inside one app on your personal one, it is very easy to keep your personal stuff outside of that session.
If you use the same computer for work and home, then you may be able to create a user account for your work stuff and a different user account for your home stuff.

If you do consulting for multiple customers, then you may be able to create a different user account per customers, so there's some separation among your customers' information.

If you're able to use thin clients, then you may be able to create separate user accounts on the servers, so any files stay fully on the servers and never download to your local computer.

When you use multiple user accounts, you're having the operating system help separate things per account, such as each account's credentials, profiles, logins, histories, cookies, caches, etc.

I’ve never understood why people do this and I never will. Work equipment for work things, personal equipment for personal things. Don’t login to your bank, pay bills etc on work equipment.

Not because it’s “wrong” or something, but because doesn’t that just strike you as a bad idea? They own that equipment, you don’t know what’s on it, what it’s recording or reporting. If you’re traveling you have your phone.

You should trust your employer on some level because you work for them, but this is a case where you won’t even need to think about trust if you just don’t do it.

Use airdrop etc to move files around.

Also, any company that will not give you a phone (if necessary for your job) and/or a computer (if necessary for your job), run away. Just, run away.
I got a phone so shitty that I gave it back. The phone was only going to sit at the bottom of my bag, where I would never hear it. I couldn't even log into Slack since I didn't want to log into Google Play with a personal Gmail account on it.
When I sat down on day 1 and had 4 glowing rectangles set up at my desk, I knew I ended up at the right place.
Not that simple. My company has BYOD for phone, but my total compensation is crazy good, a lot better than any other opportunity near my location. Why should I run?
It's the other way around: somne work on personal computer.
In my agency, we are allowed to use work laptop for personal purposes, except certain prohibited software and prohibited sites.

I don't store files though: they are only accessed though the browser.

I use a personal AWS Workspace as my personal machine, that I can access from my work laptop. It's handy, although I wish the cost was lower. Does anyone have a better managed VDI suggestion?
I bought a used R710 server for $200 and put it in the basement. I can run a handful of Win10 or Linux VMs on it at the same time and remote desktop into each of them. Just used wired ethernet if you can for speed and keeping the wifi quiet.
It's worth calculating power usage for this kind of thing. It's often a false economy if you don't use the compute.
Fair point. The server draws 185W @ idle and at my power cost it's about $15/month to run. Amortize the server hardware too and it's maybe $25/month

The server has 24 cores, 32GB/1TB, and I can't see what an equivalent AWS instance would cost monthly. But it's easily more than $25. The PowerPro (8vCPU 32/175) is $148 monthly.

These days I do almost all of my work on my personal desktop since it's so much faster and more pleasant than my work issued laptop. Funny enough, the main time I use the work laptop is to play Netflix while doing the dishes or folding laundry. So I'm sure it looks like I'm not doing anything at all. Laptops off for 3 days, I turn it on and go straight to Netflix. Oh well.