• @[email protected]
    18 points · 2 years ago

    Your bosses make you do this? For me I just installed Teams and Outlook, and even that was voluntary.

      • @[email protected]
        5 points · 2 years ago

        Like I said I didn’t have to, it’s just convenient to be able to keep an eye on teams when I am slacking off yknow

        • @[email protected]
          2 points · 2 years ago

          You keep an eye on Teams? Hahaha lol, Teams keeps an eye on you. 60 permissions needed to install Teams, 3 trackers needed to install Teams.

          You have no idea what software you are installing on your “personal” (it’s not personal anymore) device.

          • @[email protected]
            4 points · 2 years ago

            Not really? Checked now and the only permissions it has at the moment are location while using and access to pictures. The latter is on purpose so I can upload stupid memes to the non-serious chats.

            • @[email protected]
              1 point · edited · 2 years ago

              Hahahahaha you are funny. I’m not asking, I’m letting you know. It’s not a matter of opinion.

            • @[email protected]
              1 point · 2 years ago

              I didn’t even give mine location. It just has camera, microphone, and phone. That’s it. I very rarely use the app, so I’ll probably uninstall it eventually (it’s nice to drop an “I’m running late” note when I’m in the restroom or something).

  • @[email protected]
    English · 8 points · 2 years ago

    MDM, when configured properly, only gets a specific section of your phone that’s separate from your personal use section, so they don’t see your apps and personal data.

  • @[email protected]
    1 point · 2 years ago

    I quit my job of over a decade using the same phone and email; I left to go to the competition. I gave them all my passwords.

    I’ve kept my personal phone a lot longer than I had theirs lol

  • Eddie Trax
    English · 82 points · 2 years ago

    These people really don’t know how MDM solutions work.

    • 520
      28 points · 2 years ago

      … actually they aren’t wrong. MDMs are given special permissions including but not limited to reading your SMSes and phone records, restricting and monitoring your installed apps and even wiping your device.

      • n1ckn4m3
        26 points · edited · 2 years ago

        Please cite any one of your sources. I’ve managed MDM for over a decade and you’re spreading misinformation.

        Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc. On the contrary, almost every single one provides an information screen during the enrollment that makes it abundantly clear that they do not (and can not) access that data. Moreover, the “wipe” of data is the removal of company data. It doesn’t wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.

        Quick Sources for Intune and JAMF – do your own googling for others:
        https://learn.microsoft.com/en-us/mem/intune/protect/privacy-data-collect
        https://www.jamf.com/blog/apple-mobile-device-management-faq/

      • @[email protected]
        42 points · edited · 2 years ago

        Can you support your claims? I’ve worked with Intune, Jamf, MaaS360, Citrix, and Workspace ONE and none of them could read texts, emails or browser history.

        I’d be very interested to learn more about how they can access this information through MDM. We always did it through either the mobile carrier or the admin console for whatever the office/mail suite that was deployed.

          • @[email protected]
            6 points · 2 years ago

            I looked through your links. I don’t see anywhere that SMS can be read. The permission kind of makes sense as there is a security component to filter spam/phishing type texts. Sophos themselves claim they don’t store any of that data.

            I hadn’t ever seen the call log one and I’m not sure what that would even be used for. It was interesting though.

            App lists is common across all MDMs. It’s used to ensure apps are being updated and on fully owned corporate devices some apps will be blocked.

            It seems like many don’t really understand how this technology works. That said, it’s better to be overly careful and I agree with others in the comments. If you want me to use a mobile device for work you can provide it, I don’t put MDM on my personal device*.

            *the exception being our own MDM we have set up to manage our personal devices more easily.

            • 520
              1 point · 2 years ago

              I looked through your links. I don’t see anywhere that SMS can be read.

              From the link, emphasis mine. SMC is the MDM in question.

              Read SMS or MMS
              Allows an application to read SMS messages stored on your device or SIM card.
              Malicious applications may read your confidential messages.
              SMC usage:

              1. Read the initial configuration and further server notifications.
              2. Read all SMS for Backup.

              • @[email protected]
                0 points · edited · 2 years ago

                Yep, it’s part of their message filtering that I mentioned.

                This link provides more information and explicitly states the following:

                Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, or emails. Sophos Mobile does not access any data outside of the Sophos container.

                and

                Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, emails, or data on the SD card.

                Sophos has a strong cybersecurity focus which, I’d imagine, is why they have the message filtering option that they do.

                • 520
                  1 point · 2 years ago

                  …why would they need to backup all SMS messages for a filtering option? That just plain does not compute.

      • Eddie Trax
        English · 53 points · edited · 2 years ago

        I’m not sure what MDM you’re subjected to, but I’ve been an MDM engineer for 7 years using Intune and JAMF and no, no SMS or phone records. Even the phone # is blanked out minus the last 4 digits. Yes, we can wipe the devices if it’s lost/compromised, but personal versus corporate owned devices are limited. I can’t see what apps you have that were personally installed. And the only info I can get are the device stats (SN, IMEI, storage, battery, memory, etc).

    • Steve Anonymous
      12 points · 2 years ago

      Can you elaborate? I have SimpleMDM on my work phone and would like to know exactly what they see and can do.

      Not that I am hiding anything. It’s more curiosity at this point

      Posted from my personal phone

      • Osa-Eris-Xero512
        13 points · 2 years ago

        This depends on the configuration of the MDM and the MDM vendor. For example, most MDM deployments to Android conform to Android for Work, which in practice functions like a virtual machine from a user’s perspective and doesn’t have access to non-workspace content. iOS has similar functionality which, while less commonly used, is there specifically for use on personal devices to sandbox off ‘work’ content, where pervasive features like factory resets and access to phone logs and SMS records don’t function, and you can’t access the more advanced features without having purchased the device via a corporate account.

        SimpleMDM has a credit card-less trial which you could set up to see what features exist and how they work from the vendor side. You won’t have access to some of the ‘supervised’ features without being a business, but you can see the buttons offered when you aren’t a corporate-purchased device readily enough.

        For corporate owned devices, the rules are very different though.

      • Eddie Trax
        English · 6 points · 2 years ago

        I can’t read your emails, text messages, I can’t remote into your phone without your permission. The info we have is very limited. You know how we can see that information? If you gave us your phone and password :-)

        • @[email protected]
          English · 3 points · 2 years ago

          So if the info it provides is very limited, why are companies pushing for it? Why should I install it on my personal phone so I can access Teams and Outlook?

          • @[email protected]
            2 points · 2 years ago

            That’s something I never understood: the claim that the default OS is just not secure… well then put all your dev hours into fixing that…

          • Eddie Trax
            English · 4 points · 2 years ago

            Because if you are accessing company data, the company needs to ensure it’s safe. If you don’t want Outlook or Teams access, you don’t have to enroll your device. In some cases companies will purchase a corporate owned device for you. An MDM allows companies to restrict copying data from work to personal and vice versa. If your device gets stolen and is compromised, it allows the company to wipe it. It can also locate the device if it’s lost.

            • @[email protected]
              English · 1 point · 2 years ago

              An MDM allows companies to restrict copying data from work to personal and vice versa.

              So is having MDM useless if you also have corporate webmail? Because not having MDM on my phone means I just go to my webmail site on my phone for email, and I can copy there if I need to.

              If your device gets stolen and is compromised, it allows the company to wipe it. It can also locate the device if it’s lost.

              Google’s “Find Device” allows for finding and wiping a device by default on Android.

              So it’s really just those two features? Doesn’t really seem worth the hassle unless there’s something else they’re getting out of it.

              • @[email protected]
                2 points · 2 years ago

                The data is valuable and it provides some amount of data security. Any MDM worth a shit will wall off your Android with a work profile and that’s the only part that’s actually controlled by the MDM. They can also mandate a minimum level of security before accessing the work profile.

                Webmail can be used as a workaround, but allowing it is more of a convenience issue than a security consideration. Depending on your security team it could be a major hole or not an issue. Authentication requirements can offset the vulnerabilities somewhat, such as short timeouts, MFA, etc.

                In my experience, users like you are what make MDM a requirement in any environment. People that refuse to participate in any security processes because they think they know better than the people whose job is literally cybersecurity are almost always the cause of major incidents. That’s how my current employer got a huge ransomware attack and why I’m not allowed to install anything on my phone or laptop without spending several hours on hold with the help desk.

                • @[email protected]
                  English · 1 point · 2 years ago

                  Gotta love getting down voted for trying to learn more about a topic. Looks like Reddit culture is seeping in here.

                  Anyway, when you say:

                  They can also mandate a minimum level of security before accessing the work profile.

                  What does that mean? I thought MDM was just making it so I couldn’t copy data and that my employer could wipe/locate my phone. But it sounds like you’re saying it’s actually doing something more like creating a separate environment, almost like a VM, on my phone? Or is it different than that? My work MDM said they want to look at applications that you have installed. That was too much of a privacy invasion for me, so I chose not to use work apps on my phone.

                  In my experience, users like you are what make MDM a requirement in any environment. People that refuse to participate in any security processes because they think they know better than the people whose job is literally cybersecurity are almost always the cause of major incidents.

                  Yeah, our IT systems would be exponentially more secure if we didn’t have users too. One can dream, I suppose.

      • @[email protected]
        English · 8 points · 2 years ago

        I have a little experience with Microsoft’s Intune and there are different ways to register devices. Someone feel free to correct me because I don’t feel like logging in to double check. Company owned devices have more control and can restrict apps, lock, full wipe, etc. Personal or “bring your own” devices are much less restricted. I can’t lock, wipe, or restrict apps. For the personal devices, it’s more about giving secure access to the company’s resources and not really controlling the device. I work for a small business and only use this to set up access to non-important documents for employees in the field, so I know just enough to be dangerous.

  • @[email protected]
    165 points · 2 years ago

    If they want to install anything on my phone other than apps I choose to install for my own convenience they better give me a work phone.

    • @[email protected]
      81 points · 2 years ago

      Exactly this. Any employer trying to put private devices into their MDM is totally unprofessional anyway… Most MDMs allow access to the GPS Data and have a remote wiping function, it would be a privacy mess for the employee AND employer.

      • tabris
        52 points · 2 years ago

        Years ago, I worked in the IT department at a university that brought in an MDM for accessing work email on personal devices with a policy of wiping the phone if you got your unlock code wrong 3 times. I refused to use it on my personal device and told the head of the department that it was far too risky as you could accidentally do this with the phone in your pocket. He disagreed, but less than a week later, this exact thing happened to him, got his unlock wrong 3 times, phone wiped, no backup done. He still refused to change the policy even with the inconvenience it caused him. I just laughed.

        • Apathy Tree
          English · 17 points · 2 years ago

          One of my colleges had MDM enabled for staff and students alike. (I realize this is likely a configuration problem, rather than malice or whatever)

          The number of students who, nonetheless, did it… mind boggling.

          Remote wipe? Lawl fuck no. Not worth the risk that some asshole has a bad day and wipes them all for fun.

          I can understand it for certain things but… frankly there should be some sort of like… laws? About what your employer can require of you. Sure, company phone go for it, idgaf. But if they would need to remote wipe a device, maaaaaaaybe they shouldn’t be allowed to let employees use their own. You want full control, company, you get to pay for that with another phone, phone line, etc. (extra bonus, most people won’t carry the work phone when they are off work, so they are less reachable for unpaid labor :) )

      • ares35
        34 points · 2 years ago

        “You’re welcome to try.”

        *hands over my brain-dead flip phone with no ‘app’ capability*

        • @[email protected]
          1 point · 2 years ago

          Virtually all current flip phones run either Android or KaiOS under the hood. The giveaway would be any Google app pre-installed, or any app you already recognize.

          The era of “dumb” flip phones is long over. I would be very surprised if any are still being manufactured.

          • ares35
            1 point · edited · 2 years ago

            my current one actually does have an older, and very stripped-down, android… but no google anything installed, and no google play. i don’t even have a data plan attached to it–although it does have a mobile browser and can function as a hotspot.

        • @[email protected]
          1 point · edited · 2 years ago

          Where do you buy something like that? Everything I’ve ever seen that’s not an iPhone runs Android.

      • @[email protected]
        English · 16 points · 2 years ago

        I used to have Teams and Outlook on my phone, so I was accessible for work at almost any time. I know a lot of people think that’s dumb, but I was an hourly employee so I never minded the occasional work ping after hours, since I didn’t mind getting paid to reply with a few sentences from my couch. It worked out well for both me and my company.

        Then they decided to make MDM mandatory on your phone to access Teams and Outlook. I declined the install and removed both apps from my phone. Now I can easily miss IMs for weeks at a time if I don’t open a 2nd laptop to check them. I’m more disconnected than I’ve ever been, which is probably better for my mental health. I don’t bill as much as I used to, but that’s fine for me.

      • @[email protected]
        6 points · edited · 2 years ago

        I eventually caved and installed stuff on a Pixel 1.

        If they wanted a phone with security updates they would have given me one.

        The solution for their use should have been standard TOTP and/or yubikey. But apparently some vendor came in with a fancy PowerPoint for their proprietary project.

  • @[email protected]
    4 points · edited · 2 years ago

    TL;DR - never use company devices for personal materials. Create a separate, independent email strictly for work or your company email for all company devices, not your personal one.

    I have a mobile device required for work, and my personal device.

    No personal stuff goes on the work device. Photos, apps, logins, messaging, whatever. Zero. However, many of my colleagues use the device like, “Free mobile device, bro!” and load it up with everything they have on their personal device.

    That is a horrible idea. The company device has its own cybersecurity app installed and managed by company servers that sees everything on your device, and should your device be used for something it shouldn’t, they don’t even have to take it from you to know what you did. They know when you did it, too. Watching movies or texting while driving? Reading a book or using social media while monitoring a system? If you crash the company car, or the system goes TU and they see you were fucking around with the company device instead of doing your job, you’re fucked. They see it all, it’s all regularly scanned, uploaded, screened, whatever. They just don’t bother to look unless they need to. Already had a couple people fired for illegal material on their devices.

    • @[email protected]
      1 point · 2 years ago

      When I set up the device management on my work phone, it explicitly said it couldn’t see media files on my phone. And particularly it didn’t touch the non-work profile. Do you have a source that contradicts this?

  • @[email protected]
    57 points · 2 years ago

    While it has not yet been enforced, my employer has an MDM. Because I do not want to violate this policy or install something that gives my employer access to my device, I do not use my personal device for work and I do not have a work device other than my laptop.

    This has given me some interesting perspectives.

    • I do not need to be connected at all times.
    • I can walk away.
    • They pay me for work hours, not for my free time.
    • I can easily disconnect every night and weekend, even emergencies in my area can wait.

    Seems people think things are much more urgent than they should be or actually are.

    • Apathy Tree
      English · 10 points · edited · 2 years ago

      I wish I could get my partner to see it this way… they work in IT and manage the MDM tho, and the other person with access has been partner’s friend and colleague for over 10 years, so partner is confident it’ll all be fine.

      Such a dumb mindset for someone who constantly complains of being burnt out… like no shit you are burned out, you check work emails all day/night, and handle them regardless of time…

  • @[email protected]
    19 points · 2 years ago

    If it was a phone supplied by my employer and I used it only for work, then sure. Otherwise fuck no.

  • @[email protected]
    English · 13 points · 2 years ago

    I wouldn’t do this. Sandbox sounds good, but that kind of access is just too shady to want anywhere near my device.

    I’ve never had to download an app for work. But I wouldn’t deal with an MDM at all without a gun pointed at me.

  • @[email protected]
    2 points · 2 years ago

    But, in all honesty, no one is going to be looking at it unless there’s a very good reason to. IT sure as hell doesn’t have enough resources to monitor it.

    MDM largely exists to remote wipe a lost or stolen phone.

    • @[email protected]
      3 points · 2 years ago

      In reality, yes, there will be snooping. I’ve had a new colleague who had to explain why he had parked several times near the HQ of a competitor outside working hours. Answer: he lived in that village and his favorite bakery was where he had parked. After that he removed the company tracker from his car, a car that he was leasing and paying for himself. He had only installed the tracker as a courtesy to facilitate on-site personnel tracking, and it was abused in the shortest order.

      Anything that can be abused, will be abused.

  • @[email protected]
    28 points · 2 years ago

    You want me to check email outside of work hours …. Better provide me a phone and money for that.

    • @[email protected]
      1 point · 2 years ago

      “So what’s the charge code you want me to use on that last email?” normally gets the point across.

  • m-p{3}
    37 points · edited · 2 years ago

    It depends how the MDM is implemented. If it allows locking and wiping the entire device, no. If it makes a sandbox for the work stuff, and it only grants them access to control, lock and wipe that sandbox, then I don’t mind.

    That’s what we do for personal devices, corporate devices are fully managed/supervised.
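    As an added illustration of the sandbox-versus-whole-device distinction made in this comment and in the earlier Android for Work comment (this is not code from any commenter or MDM vendor): a small Python script that tells a work-profile enrollment apart from full device management by parsing the output of `adb shell dumpsys device_policy`. The two sample dumps are constructed, and the dumpsys layout it expects (an owner block headed "Device Owner:" or "Profile Owner (User N):" containing a "package=" line) is an assumption that varies by Android version.

```python
"""Tell a work-profile enrollment apart from full device management on Android.

Android's device_policy service reports who "owns" the device: a device owner
manages the whole phone, while a profile owner on a secondary user (the work
profile, normally user 10 or higher) only manages that sandboxed profile.
Pipe in the output of `adb shell dumpsys device_policy`.
"""
import re
import sys
from typing import Dict, Optional, Tuple

# Assumed dumpsys layout (varies by Android version): an owner block starts with
# "Device Owner:" or "Profile Owner (User N):" and contains a "package=" line.
DEVICE_OWNER_RE = re.compile(r"^\s*Device Owner:")
PROFILE_OWNER_RE = re.compile(r"^\s*Profile Owner \(User (\d+)\):")
PACKAGE_RE = re.compile(r"^\s*package=(\S+)")

# Constructed sample: a personal phone where the MDM only owns the work profile.
SAMPLE_WORK_PROFILE = """\
Current Device Policy Manager state:
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.mdm/.AdminReceiver}
    name=Example MDM
    package=com.example.mdm
"""

# Constructed sample: a corporate-owned phone where the MDM is the device owner.
SAMPLE_FULLY_MANAGED = """\
Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/.AdminReceiver}
    name=Example MDM
    package=com.example.mdm
    User ID: 0
"""


def parse_owners(dump: str) -> Tuple[Optional[str], Dict[int, str]]:
    """Return (device_owner_package, {user_id: profile_owner_package})."""
    device_owner: Optional[str] = None
    profile_owners: Dict[int, str] = {}
    current: Optional[Tuple[str, int]] = None  # ("device", -1) or ("profile", uid)
    for line in dump.splitlines():
        if DEVICE_OWNER_RE.match(line):
            current = ("device", -1)
            continue
        m = PROFILE_OWNER_RE.match(line)
        if m:
            current = ("profile", int(m.group(1)))
            continue
        m = PACKAGE_RE.match(line)
        if m and current is not None:
            kind, uid = current
            if kind == "device":
                device_owner = m.group(1)
            else:
                profile_owners[uid] = m.group(1)
            current = None  # the first package= line closes the owner block
    return device_owner, profile_owners


def classify(dump: str) -> str:
    """Map the owner layout to what the MDM can reach on the phone."""
    device_owner, profile_owners = parse_owners(dump)
    if device_owner:
        return "fully managed: device owner controls the whole phone"
    if not profile_owners:
        return "unmanaged: no device or profile owner"
    if 0 in profile_owners:
        return "managed primary user: profile owner on user 0 reaches personal data"
    return "work profile only: owner confined to user(s) %s" % sorted(profile_owners)


if __name__ == "__main__":
    print(classify(sys.stdin.read()))
```

Run it as `adb shell dumpsys device_policy | python3 mdm_scope.py` with USB debugging enabled on the phone.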

      • @[email protected]
        English · 5 points · 2 years ago

        Typically, the app needs to ask for permissions like that, though. On Android, they need to ask to become a “Device admin”, and they need to specify what specifically they’ll use that access for. I imagine (though I’m unsure since it’s never happened to me) they need to ask to update those permissions if they want their uses to change.

    • @[email protected]
      16 points · 2 years ago

      Yeah, my work MDM is set up this way with Android Enterprise. Everything work-related is isolated to that area and there is no other access to the full device. I can even have all those apps shut off after hours or when on vacation so I don’t get notifications during personal time. My boss knows to text/call me if there is something urgent that comes up.

    • @[email protected]
      3 points · 2 years ago

      Yeah I don’t care about having a work profile.

      Also, there are cross-the-wall permissions in the special permissions in the settings in Android.