We have never, and will never, integrate someone’s personal phone into our infrastructure. Everyone gets a company phone. If you want to use the company phone as your personal phone, or the phone you use to cheat on your husband, that’s your call. Just don’t complain to me when video of you pleasuring yourself end up backed up to our cloud storage and discovered by IT when tracking down large files eating up storage. (Yes that happened.)
Yeah the whole thing is kinda dumb on both ends. From the employees perspective it’s ridiculous to allow the company have any level of control over a device they own. From the company’s perspective, why would you want to allow access and/or have information that’s the company’s property on a device the company doesn’t own?
If I have a password for key company infrastructure stored on my personal phone, then the company fires me… well that seems like a problem a company would want to avoid. It could happen in any scenario, but significantly less likely if I have to turn in my company phone when my employment ends.
But hey the company saves a few bucks on buying phones and that helps the quarterly profits I guess.
Wtf how? Was someone cybering over vid chat and checked the record option?
She was recording herself, sending the video file, then deleting the file from the phone. Our phones are configured to immediately back up, so (I am assuming) that while she put together the e-mail or text, our phone was dutifully doing its job.
Oh man how embarassing. I imagine you make it pretty clear that the company phone comes with this capability after that incident lol
You have to sign a document before you get equipment. Part of that document is you acknowledging that you read another document that outlines what you can and cannot do with company equipment and what the capabilities of said equipment are. We even tell people to close the physical camera shutter on the laptop whenever they aren’t on a video call if they want to ensure privacy. There is also a code of conduct document they need to read and sign. Using company property for lewd acts and to conceal adultery broke a number of agreements.
Well you tried
This is a woefully misinformed post…
Setting aside the issue of whether this post is overstating the risk of MDM software on a personal phone, I had a tangentially related experience that might provide a tip for anyone who’s in a similar situation.
I like to have the convenience of checking my work messages and chats on my personal phone, so I have Teams and Outlook installed and using my work account.
When I first went to sign in to my work account on Outlook, I got this message like “Outlook needs to run with administrator privileges in order to provide the necessary security for this account” and shunted me off to some system settings to approve the permissions. Big nope.
So I tried Outlook Lite, and it made no such demands and works perfectly. So for anyone else who’s run into this, try Outlook Lite! I hope this helps somebody.
Or, and I cannot stress this enough, don’t use Outlook. Outlook still is email and as such has IMAP support, use a different email app to check outlook.
Fuck everything about Microsoft
Sadly you won’t always have a choice. My university has disabled any non-Microsoft client support. They do this to “protect the privacy of the teachers”. Currently I’m running a windows VM on my server with Outlook to forward the emails to my personal email. Which in the end is even worse for them GDPR wise
I didn’t even know there is lite version.
I just use the web version… Outlook kept killing my battery.
Thanks for the tip.
If you have work stuff on your personal device, any legal proceedings against the company might mean your personal device is taken as evidence, all of the data in it will get examined and you might only get it back years later.
So even if only for legal reasons, never have company stuff in a personal device, quite independently of there being some fancy tech or other to virtually partition it.
These people really don’t know how MDM solutions work.
Can you elaborate? I have simple mdm on my work phone and would like to know exactly what they see and can do
Not that I am hiding anything. It’s more curiosity at this point
Posted from my personal phone
This depends on the configuration of the MDM and the MDM vendor. For example, most MDM deployments to Android for instance conform to Android For Work, which functions in practice to a virtual machine from a user’s perspective, and doesn’t have access to a non workspace content. iOS has a similar functionality which, while less commonly used, is there specifically for use on personal devices to sandbox off ‘work’ content where pervasive features like factory resets and access to phone logs and sms records don’t function, and you can’t access the more advanced features without having purchased the device via a corporate account.
SimpleMDM has a credit card-less trial which you could set up to see what features exist and how they work from the vendor side. You won’t have access to some of the ‘supervised’ features without being a business,but you can see the buttons offered when you aren’t a corporate-purchased device readily enough.
For corporate owned devices, the rules are very different though.
… actually they aren’t wrong. MDMs are given special permissions including but not limited to reading your SMSes and phone records, restricting and monitoring your installed apps and even wiping your device.
I’m not sure what MDM you’re subjected to but I’ve been an MDM engineer for 7 years using Intune and JAMF and no, no SMS or phone records. Even the phone # is blanked out minus the last 4 digits. Yes we can wipe the devices if it’s lost\compromised but personal versus corporate owned devices are limited. I can’t see what apps you have that were personally installed. And the only info I can get are the device stats (SN, IMEI, storage, battery, memory, etc).
Intune and JAMF are not the only MDMs on the market. There are others that do offer these capabilities, at least on Android.
SMS reading:
https://support.sophos.com/support/s/article/KB-000034436?language=en_US
Call log reading:
And app lists:
https://help.ivanti.com/mi/help/en_us/cld/admin/ivanti/91/all/en-us/App_Inventory.htm
Yeah I have looked at those solutions and one not on your list (MobileIron, not sure if they’re still around). I don’t know why anyone would choose those solutions but good call.
Can you support your claims? I’ve worked with Intune, Jamf, MaaS360, Citrix, and Workspace ONE and none of them could read texts, emails or browser history.
I’d be very interested to learn more about how they can access this information through MDM. We always did it through either the mobile carrier or the admin console for whatever the office/mail suite that was deployed.
SMS reading:
https://support.sophos.com/support/s/article/KB-000034436?language=en_US
Call log reading:
app lists:
https://help.ivanti.com/mi/help/en_us/cld/admin/ivanti/91/all/en-us/App_Inventory.htm
I looked through your links. I don’t see anywhere that SMS can be read. The permission kind of makes sense as there is a security component to filter spam/phishing type texts. Sophos themselves claim they don’t store any of that data.
I hadn’t ever seen the call log one and I’m not sure what that would even be used for. It was interesting though.
App lists is common across all MDMs. It’s used to ensure apps are being updated and on fully owned corporate devices some apps will be blocked.
It seems like many don’t really understand how this technology works. That said, it’s better to be overly careful and I agree with others in the comments. If you want me to use a mobile device for work you can provide it, I don’t put MDM on my personal device*.
*the exception being our own MDM we have setup to manage our personal devices more easily.
I looked through your links. I don’t see anywhere that SMS can be read.
From the link, emphasis mine. SMC is the MDM in question
Read SMS or MMS
Allows an application to read SMS messages stored on your device or SIM card.
Malicious applications may read your confidential messages.
SMC usage:- Read the initial configuration and further server notifications.
2. Read all SMS for Backup.
Yep, it’s part of their message filtering that I mentioned.
This link provides more information and explicitly states the following:
Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, or emails. Sophos Mobile does not access any data outside of the Sophos container.
and
Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, emails, or data on the SD card.
Sophos has a strong cybersecurity focus which, I’d imagine, is why they have the message filtering option that they do.
…why would they need to backup all SMS messages for a filtering option? That just plain does not compute.
- Read the initial configuration and further server notifications.
Please cite any one of your sources. I’ve managed MDM for over a decade and you’re spreading misinformation.
Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc. On the contrary, almost every single one provides an information screen during the enrollment that makes it abundantly clear that they do not (and can not) access that data. Moreover, the “wipe” of data is the removal of company data. It doesn’t wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.
Quick Sources for Intune and JAMF – do your own googling for others:
https://learn.microsoft.com/en-us/mem/intune/protect/privacy-data-collect
https://www.jamf.com/blog/apple-mobile-device-management-faq/Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc.
So you’re not aware of Sophos’s MDM offering? That explicitly states they can make copies of all SMS messages?
https://support.sophos.com/support/s/article/KB-000034436?language=en_US
How about call logs, with SureMDM?
Also I said nothing about personal emails.
Moreover, the “wipe” of data is the removal of company data. It doesn’t wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.
No, the ‘wipe’ can be a full factory reset.
https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe
Edit: typo
If your employer expects you to access corporate resources or be available to respond / on-call out of hours, then they should issue you a corporate device to do so.
My company gives you the option to do either. I don’t want to carry two phones like a drug dealer though. Id take a beeper if that was an option lol.
If they want to install anything on my phone other than apps I choose to install for my own convenience they better give me a work phone.
Exactly this. Any employer trying to put private devices into their MDM is totally unprofessional anyway… Most MDMs allow access to the GPS Data and have a remote wiping function, it would be a privacy mess for the employee AND employer.
Years ago, I worked in the IT department at a university that brought in an MDM for accessing work email on personal devices with a policy of wiping the phone if you got your unlock code wrong 3 times. I refused to use it on my personal device and told the head of the department that it was far too risky as you could accidentally do this with the phone in your pocket. He disagreed, but less than a week later, this exact thing happened to him, got his unlock wrong 3 times, phone wiped, no backup done. He still refused to change the policy even with the inconvenience it caused him. I just laughed.
One of my colleges had MDM enabled for staff and students alike. (I realize this is likely a configuration problem, rather than malice or whatever)
The number of students who, nonetheless, did it… mind boggling.
Remote wipe? Lawl fuck no. Not worth the risk that some asshole has a bad day and wipes them all for fun.
I can understand it for certain things but… frankly there should be some sort of like… laws? About what your employer can require of you. Sure, company phone go for it, idgaf. But if they would need to remote wipe a device, maaaaaaaybe they shouldn’t be allowed to let employees use their own. You want full control, company, you get to pay for that with another phone, phone line, etc. (extra bonus, most people won’t carry the work phone when they are off work, so they are less reachable for unpaid labor :) )
“You need to install this on your phone”
“Oh I don’t have a phone”
“you’re welcome to try”
hands over my brain-dead flip phone with no ‘app’ capability
Virtually all current flip phones run either Android or KaiOS under the hood. The giveaway would be any Google app pre-installed, or any app you already recognize.
The era of “dumb” flip phones is long over. I would be very surprised if any are still being manufactured.
my current one actually does have an older, and very stripped-down, android… but no google anything installed, and no google play. i don’t even have a data plan attached to it–although it does have a mobile browser and can function as a hotspot.
Mine just gave us all phones.
Too much litigation chance
“I don’t have a smartphone”
It depends how the MDM is implemented. If it allows locking and wiping the entire device, no. If it makes a sandbox for the work stuff, and it only grant them access to control, lock and wipe that sandbox then I don’t mind.
That’s what we do for personal devices, corporate devices are fully managed/supervised.
Software is imperfect and you shouldn’t trust that future updates will not add that ability.
Typically, the app needs to ask for permissions like that, though. On Android, they need to ask to become a “Device admin”, and they need to specify what specifically they’ll use that access for. I imagine (though I’m unsure since it’s never happened to me) they need to ask to update those permissions if they want their uses to change.
Agreed, but its not perfect. I recall but couldn’t recover a link to a story about some application bypassing android or iPhone permissions.
Another big recent flaw allowed apps without the permission to draw over other apps.
https://blog.checkpoint.com/research/android-permission-security-flaw/
MDM when configured properly only get a specific section of your phone that’s separate from your personal use section, so they don’t see your apps and personal data.
Correct. Having configured one, this is laughable.
TL;DR - never use company devices for personal materials. Create a separate, independent email strictly for work or your company email for all company devices, not your personal one.
I have a mobile device required for work, and my personal device.
No personal stuff goes on the work device. Photos, apps, logins, messaging, whatever. Zero. However, many of my colleagues use the device like, “Free mobile device, bro!” and load it up with everything they have on their personal device.
That is a horrible idea. The company device has its own cybersecurity app installed and managed by company servers that sees everything on your device, and should your device be used for something it shouldn’t, they don’t even have to take it from you to know what you did. They know when you did it, too. Watching movies or texting while driving? Reading a book or using social media while monitoring a system? If you crash the company car, or the system goes TU and they see you were fucking around with the company device instead of doing your job, you’re fucked. They see it all, it’s all regularly scanned, uploaded, screened, whatever. They just don’t bother to look unless they need to. Already had a couple people fired for illegal material on their devices.
When I set up the device management on my work phone, it explicitly said it couldn’t see media files on my phone. And particularly it didn’t touch the non-work profile. Do you have a source that contradicts this?
There’s a difference between setting up a work profile and just installing mdm on your main profile. I’d still try and stay away from it if you can
Ok makes sense. Thanks
Since when are companies installing MDM on peoples personal devices?
It is usually just for corporate devices, where you shouldn’t leave any personal data on.
SUPER depends on the platform. If you own an iOS device and enroll it in MDM through the settings app, MDM ONLY has access to whatever it puts on the device
Similar on Android. It creates a work profile and only has control over that.
I quit my job of over a decade using the same phone and email, I left to go competition. I gave them all my passwords.
I’ve kept my personal phone a lot longer than I had theirs lol
My previous employer was acquired and the new owner required jumping through these kinds of hoops to use company email or Teams on our phones.
As an end result, everybody stopped using those on their phones. Once the laptop lid was shut, work wouldn’t be bothering you until you open it the next day. Sometimes stupid things can lead to good outcomes.
Yeah this exact scenario happened where I used to work. The only time it’s an inconvenience is if we’re all in person for a tech summit or something, but having the personal contacts of a few co-workers let’s me check in on any plans I might have missed.
Nowadays my phone is too old to even run slack, so I’d require work to buy me a new, separate work phone anyway.
But truth be told, it’s amazing being unreachable. I logged on to the work slack today Monday morning, and found out that the company had an all hands on deck show stopper bug last Friday ~1730 lol not for me it wasn’t. I was walking my dog enjoying the brisk winter air, completely oblivious until I logged back on this morning to read the postmortem. 😌
