Exactly this. Any employer trying to put private devices into their MDM is totally unprofessional anyway… Most MDMs allow access to the GPS Data and have a remote wiping function, it would be a privacy mess for the employee AND employer.
Years ago, I worked in the IT department at a university that brought in an MDM for accessing work email on personal devices with a policy of wiping the phone if you got your unlock code wrong 3 times. I refused to use it on my personal device and told the head of the department that it was far too risky as you could accidentally do this with the phone in your pocket. He disagreed, but less than a week later, this exact thing happened to him, got his unlock wrong 3 times, phone wiped, no backup done. He still refused to change the policy even with the inconvenience it caused him. I just laughed.
One of my colleges had MDM enabled for staff and students alike. (I realize this is likely a configuration problem, rather than malice or whatever)
The number of students who, nonetheless, did it… mind boggling.
Remote wipe? Lawl fuck no. Not worth the risk that some asshole has a bad day and wipes them all for fun.
I can understand it for certain things but… frankly there should be some sort of like… laws? About what your employer can require of you. Sure, company phone go for it, idgaf. But if they would need to remote wipe a device, maaaaaaaybe they shouldn’t be allowed to let employees use their own. You want full control, company, you get to pay for that with another phone, phone line, etc. (extra bonus, most people won’t carry the work phone when they are off work, so they are less reachable for unpaid labor :) )
Virtually all current flip phones run either Android or KaiOS under the hood. The giveaway would be any Google app pre-installed, or any app you already recognize.
The era of “dumb” flip phones is long over. I would be very surprised if any are still being manufactured.
my current one actually does have an older, and very stripped-down, android.. but no google anything installed, and no google play. i don't even have a data plan attached to it--although it does have a mobile browser and can function as a hotspot.
I used to have Teams and Outlook on my phone, so I was accessible for work at almost any time. I know a lot of people think that’s dumb, but I was an hourly employee so I never minded the occasional work ping after hours, since I didn’t mind getting paid to reply with a few sentences from my couch. It worked out well for both me and my company.
Then they decided to make MDM mandatory on your phone to access Teams and Outlook. I declined the install and removed both apps from my phone. Now I can easily miss IMs for weeks at a time if I don’t open a 2nd laptop to check them. I’m more disconnected than I’ve ever been, which is probably better for my mental health. I don’t bill as much as I used to, but that’s fine for me.
I eventually caved and installed stuff on a Pixel 1.
If they wanted a phone with security updates they would have given me one.
The solution for their use should have been standard TOTP and/or yubikey. But apparently some vendor came in with a fancy PowerPoint for their proprietary project.
MDM when configured properly only get a specific section of your phone that’s separate from your personal use section, so they don’t see your apps and personal data.
But, in all honesty, no one is going to be looking at it unless there’s a very good reason too. IT sure as hell doesn’t have enough resources to monitor it.
MDM largely exists to remote wipe a lost or stolen phone.
In reality, yes there will be snooping. I’ve had a new colleague that had to explain why they had parked several times near the HQ of a competitor outside working hours. Answer: he lived in that village and his favorite bakery was were he had parked. After that he removed the company tracker from his car, a car that he was leasing and paying for himself. He had only installed the tracker as a courtesy to facilitate on site personnel tracking and it was abused in the shortest order.
Easy solution, use Linux. No extra permissions, no spying, and everything worked for me so far. Android has a neat feature for a separate work account. It used to be called “work acxount”, but it’s not there anymore and you have to use “secure folder”, or whatever it is called now.
When you sign into your works Google account or intune usually it will set a work profile up. If you want to set one up without this, or just want your own personal space for secondary apps you can install an app called “Island” from the play store.
I wouldn’t recommend shelter as it bricks the functionality of the work profile on newer versions of Android.
Setting aside the issue of whether this post is overstating the risk of MDM software on a personal phone, I had a tangentially related experience that might provide a tip for anyone who’s in a similar situation.
I like to have the convenience of checking my work messages and chats on my personal phone, so I have Teams and Outlook installed and using my work account.
When I first went to sign in to my work account on Outlook, I got this message like “Outlook needs to run with administrator privileges in order to provide the necessary security for this account” and shunted me off to some system settings to approve the permissions. Big nope.
So I tried Outlook Lite, and it made no such demands and works perfectly. So for anyone else who’s run into this, try Outlook Lite! I hope this helps somebody.
Or, and I cannot stress this enough, don’t use Outlook. Outlook still is email and as such has IMAP support, use a different email app to check outlook.
Sadly you won’t always have a choice. My university has disabled any non-Microsoft client support. They do this to “protect the privacy of the teachers”. Currently I’m running a windows VM on my server with Outlook to forward the emails to my personal email. Which in the end is even worse for them GDPR wise
TL;DR - never use company devices for personal materials. Create a separate, independent email strictly for work or your company email for all company devices, not your personal one.
I have a mobile device required for work, and my personal device.
No personal stuff goes on the work device. Photos, apps, logins, messaging, whatever. Zero. However, many of my colleagues use the device like, “Free mobile device, bro!” and load it up with everything they have on their personal device.
That is a horrible idea. The company device has its own cybersecurity app installed and managed by company servers that sees everything on your device, and should your device be used for something it shouldn’t, they don’t even have to take it from you to know what you did. They know when you did it, too. Watching movies or texting while driving? Reading a book or using social media while monitoring a system? If you crash the company car, or the system goes TU and they see you were fucking around with the company device instead of doing your job, you’re fucked. They see it all, it’s all regularly scanned, uploaded, screened, whatever. They just don’t bother to look unless they need to. Already had a couple people fired for illegal material on their devices.
When I set up the device management on my work phone, it explicitly said it couldn’t see media files on my phone. And particularly it didn’t touch the non-work profile. Do you have a source that contradicts this?
If you have work stuff on your personal device, any legal proceedings against the company might mean your personal device is taken as evidence, all of the data in it will get examined and you might only get it back years later.
So even if only for legal reasons, never have company stuff in a personal device, quite independently of there being some fancy tech or other to virtually partition it.
I worked in a place that required this, it was basically a time clock app, but it detected automatically if your phone supported work mode which allowed it to be basically sandboxed in it’s own virtual space., I’ve also run into school apps that do this
No we were contract workers, we traveled to different job sites so our clock in also had to be mobile. I mean you COULD do a clock in sheet if you downloaded it from the depths of their website and then filled it out and mailed it in weekly by snail mail buuuut
Don’t pay attention to this Joelle person, she has no idea what she’s talking about (Or does and is spreading misinformation intentionally)
You literally can’t “just install an MDM” to your phone in the way that allows a company complete access to your device. Both iOS and Android require that either the device is new or the device is factory reset. Then and only then can the device have MDM enabled as a “Company Owned Device” e.g. complete access.
The other way, is through “Work Profiles”, it’s an isolated and sandboxed partition. The “Work side” has no access to anything on the personal side and the personal side has no access to anything on the work side. On Android the work side has its own Play Store, its own Chrome, its own apps. (In fact, if you’re rooted you can hijack work profiles for yourself if you want to install apps you’d rather keep isolated, like TikTok).
If I issue a wipe command to a phone with a work profile, only the work profile gets wiped and the personal side is untouched.
Hell, Android even gives you the ability to restrict the Work Profiles to work hours so all the work apps go dormant after 5
There’s also the option for MAM apps as well which I quite like as light touch management option for ios and android. Essentially limits control to select apps and even then just the company data in those apps.
We’re required to use a MFA app, but it has minimal access to the system. It literally just prompts for an “Is this you?” with a fallback to codes if the network connection goes down.
I also have Teams and Slack installed for team communication, but that’s optional and also has minimal access. Teams has an login helper thing installed as well, and I’m not really sure what it does, but it didn’t require any special permissions.
I suppose I could refuse, but that would just be a pain for everyone since I’d either need to use someone else’s device or they’d need to get one just for me. Seems kinda silly imo.
My last company wanted my phone to be connected to the Google Apps thing, but it allowed my boss to remote wipe, so I refused. It wasn’t required, and most people said no, but it was a thing they recommended fairly strongly.
So curious, did your job listing mention you needed to own a smartphone as a requirement? Feels like they are probably riding a line where this is made to “feel” required, but legally they are careful of their wording or they may have some issues with your local labor board.
No, but I’m in a technical role where pretty much everyone has one anyway. Our company culture is such that they’d find a workaround (e.g. provide a phone if needed).
My last role required a smartphone, and we got ~$50/month on our paycheck to pay for it. My current job doesn’t “require” anything, it’s just strongly recommended.
I think in that scenario, you could separately open an account with a cheap provider that includes a free, cheap phone and dedicate its use to only work. So yes, pain in the ass worth extra steps, but not a requirement to use your own phone.
I think it’s garage regardless, if they need you to have a phone, they should fully provide, but just pointing out that it’s legal fuckery on their part as it’s meant to confuse/scare people into thinking they don’t have a choice.
Not really? Checked now and the only permissions it has at the moment is location while using and access to pictures. The latter is on purpose so I can upload stupid memes to the non-serious chats
I didn’t even give mine location. It just has camera, microphone, and phone. That’s it. I very rarely use the app, so I’ll probably uninstall it eventually (it’s nice to drop an “I’m running late” note when I’m in the restroom or something.
Add comment