How does one know if an employer is abusing MDM? Honest question... I have no id... (2024)

alistairSH on July 24, 2019 | on: Don’t Put Your Work Email on Your Personal Phone

How does one know if an employer is abusing MDM? Honest question... I have no idea. I just point my iPhone's mail app at our Outlook 365 server and that's it - I assume that installs a profile that allows them some remote access (I believe they can remote wipe the phone, but maybe not), but no idea how to tell if they're doing anything else.

Edit - looking at Settings->General->Profiles, there is one entry, which is for connecting to my Olympus camera. Nothing for the office.

cannonedhamster on July 24, 2019

Generally MDM software swallows up everything. It's been a while since I managed an MDM instance but we could track everywhere the employee went by default and when I suggested we turn it off there wasn't an option nor did management want to. We could see every app pretty much everything on the device. I will never install MDM on my phone after managing it. I've also seen phones accidentally wiped. Back up your phones.

robohoe on July 24, 2019

I learned my lesson when in the early days of MDM, an employer I quit decided to erase my personal device that had work email on it. Live and learn :S

izzydawndrdog on July 24, 2019

Apple MDM is changing quite a bit come iOS 13 and macOS Catalina 10.15. A new enrollment methodology called User Enrollment is aimed at protecting the privacy of employees using their own personal devices. User Enrollment greatly limits what the company can see about the device. As an example, the MDM can only see the apps that it has installed on its own, it can't get any PII (Personally Identifiable Information) such as a phone number or serial number from the device, etc. The MDM data and visibility into the device is essentially sandboxed.

This article provides a summary of MDM User Enrollment, including details about how Apple separates personal and business data on separate APFS volumes.

https://simplemdm.com/apple-user-enrollment/

Before User Enrollment there wasn't a great Apple MDM enrollment option that struck this privacy balance for employee-owned devices. App data couldn't be viewed per-se, though a list of apps is certainly available (as mentioned by cannonedhamster). Some companies would skip MDM and essentially "wrap" individual apps in order to have the ability to encrypt the app data and have some control over the binary, but that's about it.

I'm not sure of the story with Android, though I'm under the impression that there is a similar "sandbox" option for MDM, albeit the implementation and user experience is rather messy and obtuse.

Full disclosure: I work for an MDM software producer.

godshatter on July 24, 2019

Does turning off location on your phone mitigate their tracking of where employees go? I realize the other problems are still there, but I'm wondering if that would help. I turn on location on my phone once in a blue moon when an app gets too damn annoying that I actually need to use right then.

syn0byte on July 24, 2019

Depends on the MDM and phone really, but no. Triangulating a cellphone on the network via cell towers is a tried and true feature of wireless infrastructure. Even your phone's GPS capabilities are most likely "A-GPS", meaning Cellular Assisted; it'll use cell location data when GPS satellites are slow/unavailable.

GPS toggle isn't doing much of anything besides application permissions enforcement.

blaird on July 24, 2019

I worked at a security startup where installing Slack/email on our personal phones (BYOD policy) was possible via an MDM (but was optional, we weren't forced). I don't know every detail, but many of our engineers were naturally spooked and did lots of checking to make sure no packets flowed to the VPN from apps not within the MDM's control (just Slack and mail).

I personally was fine with this as I don't want to carry two devices, I like being able to check in via Slack (especially if I was on call), and we had several folks who had our security/IT team under a lot of scrutiny proving this wasn't overly invasive.

It helped that we were a small startup, so our IT and security teams were 20 feet away :)
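The check blaird's colleagues describe (confirming that only the MDM-managed apps ever talk to the work VPN) can be automated against a per-app connection export. The script below is an added example written for this page, not code from the poster or any MDM product; the log line format, the app names, the `10.40.0.0/16` VPN range and the flows themselves are all constructed for illustration, and a real audit would substitute whatever per-app firewall or VPN client export is available on the device.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attributed to an app on the phone."""
    ts: str
    app: str
    dst: str
    dport: int


# Constructed sample log (hypothetical format, not the output of any real tool):
# one line per outbound connection, as a per-app firewall or VPN client might export.
SAMPLE_LOG = """\
2019-07-24T10:01:02Z app=chat.work dst=10.40.1.5 dport=443
2019-07-24T10:01:09Z app=mail.work dst=10.40.2.10 dport=993
2019-07-24T10:02:11Z app=photos.personal dst=10.40.9.9 dport=443
2019-07-24T10:02:30Z app=photos.personal dst=93.184.216.34 dport=443
2019-07-24T10:03:00Z app=banking.personal dst=not-an-ip dport=443
"""

# Apps the MDM is allowed to manage (constructed names) and the work VPN range (constructed).
MANAGED_APPS = frozenset({"chat.work", "mail.work"})
WORK_VPN_RANGE = "10.40.0.0/16"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into Flow records; lines that do not match the format
    or carry an unparseable destination address are counted as skipped
    rather than silently dropped, so a malformed export is noticed."""
    flows, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            ipaddress.ip_address(m["dst"])
        except ValueError:
            skipped += 1
            continue
        flows.append(Flow(m["ts"], m["app"], m["dst"], int(m["dport"])))
    return flows, skipped


def unmanaged_vpn_flows(flows, managed_apps, vpn_cidr):
    """Return every flow whose destination lies inside the work VPN range but
    whose source app is not one the MDM manages. An empty list means the
    MDM's reach matches what was promised (for the traffic in this export)."""
    net = ipaddress.ip_network(vpn_cidr)
    return [
        f for f in flows
        if ipaddress.ip_address(f.dst) in net and f.app not in managed_apps
    ]


def audit(text=SAMPLE_LOG, managed_apps=MANAGED_APPS, vpn_cidr=WORK_VPN_RANGE):
    """Convenience wrapper: parse, then report (offending flows, skipped line count)."""
    flows, skipped = parse_log(text)
    return unmanaged_vpn_flows(flows, managed_apps, vpn_cidr), skipped


if __name__ == "__main__":
    bad, skipped = audit()
    for f in bad:
        print(f"{f.ts} unmanaged app {f.app} reached VPN host {f.dst}:{f.dport}")
    print(f"{len(bad)} suspicious flow(s), {skipped} unparseable line(s)")
```

On the constructed sample this flags the single `photos.personal` connection into the VPN range and reports one skipped line; the same personal app reaching a public address is not reported, because the question being asked is only whether non-managed apps are being routed through the employer's tunnel.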

lukeschlather on July 24, 2019

Anyone with admin access to Outlook 365 can do this stuff. Even in a large company that could mean a surprising group of people able to do this sort of spying with no technical restrictions to enforce policy (assuming there is an explicit policy, which in a smaller company is not a given.)

souterrain on July 24, 2019

Ask. Since this often affects larger enterprises, start at the help/service desk. If that doesn't get you an answer, try Information Assurance or Information Security departments. Lastly, most large orgs have a Privacy office.

During all communications, make it clear what your concerns are; perhaps even link to articles like this one.

Corporations that care about customer and employee privacy will take such inquiries seriously.

alistairSH on July 24, 2019

Sure, but I assume there's something in the device itself that indicates there is a profile or remote access? I don't see a work-related profile on my phone, but maybe there's something else beyond the obvious Profiles entry in General settings?

souterrain on July 24, 2019

This is why I frame this as an ethics issue. If you install some sort of MDM profile, unless you spend a lot of time understanding mobile device management implementations, you won't necessarily know what the capabilities are.

If it is your device, typically an employer will disclose in their policies what capabilities they use.

Now, does this prevent a rogue infosec person from deviating from the policy? No. Nor does it prevent the state from compelling the company to abuse their MDM technology. If these examples are part of your threat model, you should not use your personal device with your employer's infrastructure. I don't think this makes your employer's choice to use MDM a bad one, however. They are protecting the corporation, after all.

cj on July 24, 2019

> Ask.

This is a good recommendation.

Aeolun on July 24, 2019

If you installed MDM, it’s probably been fairly clear. The iOS warning is kind of scary as I remember.

Also found under Settings -> General -> Device Management.

lern_too_spel on July 24, 2019

Android tells you exactly what information MDM collects from your phone and exactly what restrictions have been placed on it. If your employer is collecting your browsing history, you would have known when you enabled their policy, and you can review their policy by opening the Device Policy app. https://lh3.googleusercontent.com/re65G-N_kR2HUCzd4IUjahS_7u...

discordance on July 24, 2019

If you don't have a profile there your device is not managed and they can't do what the article talks about.
