686
top 50 comments
sorted by: hot top controversial new old
[-] FMT99@lemmy.world 159 points 11 months ago

If they want to install anything on my phone other than apps I choose to install for my own convenience they better give me a work phone.

[-] CommunicationOk3492@feddit.de 79 points 11 months ago

Exactly this. Any employer trying to put private devices into their MDM is totally unprofessional anyway… Most MDMs allow access to the GPS Data and have a remote wiping function, it would be a privacy mess for the employee AND employer.

[-] tabris@lemmy.world 54 points 11 months ago

Years ago, I worked in the IT department at a university that brought in an MDM for accessing work email on personal devices with a policy of wiping the phone if you got your unlock code wrong 3 times. I refused to use it on my personal device and told the head of the department that it was far too risky as you could accidentally do this with the phone in your pocket. He disagreed, but less than a week later, this exact thing happened to him, got his unlock wrong 3 times, phone wiped, no backup done. He still refused to change the policy even with the inconvenience it caused him. I just laughed.

[-] ApathyTree@lemmy.dbzer0.com 16 points 11 months ago

One of my colleges had MDM enabled for staff and students alike. (I realize this is likely a configuration problem, rather than malice or whatever)

The number of students who, nonetheless, did it… mind boggling.

Remote wipe? Lawl fuck no. Not worth the risk that some asshole has a bad day and wipes them all for fun.

I can understand it for certain things but.. frankly there should be some sort of like.. laws? About what your employer can require of you. Sure, company phone go for it, idgaf. But if they would need to remote wipe a device, maaaaaaaybe they shouldn’t be allowed to let employees use their own. You want full control, company, you get to pay for that with another phone, phone line, etc. (extra bonus, most people won’t carry the work phone when they are off work, so they are less reachable for unpaid labor :) )

[-] smeg@feddit.uk 58 points 11 months ago

"You need to install this on your phone"

"Oh I don't have a phone"

[-] ares35@kbin.social 33 points 11 months ago

"you're welcome to try"

hands over my brain-dead flip phone with no 'app' capability

load more comments (3 replies)
[-] jballs@sh.itjust.works 16 points 11 months ago

I used to have Teams and Outlook on my phone, so I was accessible for work at almost any time. I know a lot of people think that's dumb, but I was an hourly employee so I never minded the occasional work ping after hours, since I didn't mind getting paid to reply with a few sentences from my couch. It worked out well for both me and my company.

Then they decided to make MDM mandatory on your phone to access Teams and Outlook. I declined the install and removed both apps from my phone. Now I can easily miss IMs for weeks at a time if I don't open a 2nd laptop to check them. I'm more disconnected than I've ever been, which is probably better for my mental health. I don't bill as much as I used to, but that's fine for me.

load more comments (1 replies)
[-] NoIWontPickaName@kbin.social 12 points 11 months ago

Mine just gave us all phones.

Too much litigation chance

[-] JoMiran@lemmy.ml 124 points 11 months ago

We have never, and will never, integrate someone's personal phone into our infrastructure. Everyone gets a company phone. If you want to use the company phone as your personal phone, or the phone you use to cheat on your husband, that's your call. Just don't complain to me when video of you pleasuring yourself end up backed up to our cloud storage and discovered by IT when tracking down large files eating up storage. (Yes that happened.)

[-] SpaceCowboy@lemmy.ca 25 points 11 months ago

Yeah the whole thing is kinda dumb on both ends. From the employees perspective it's ridiculous to allow the company have any level of control over a device they own. From the company's perspective, why would you want to allow access and/or have information that's the company's property on a device the company doesn't own?

If I have a password for key company infrastructure stored on my personal phone, then the company fires me... well that seems like a problem a company would want to avoid. It could happen in any scenario, but significantly less likely if I have to turn in my company phone when my employment ends.

But hey the company saves a few bucks on buying phones and that helps the quarterly profits I guess.

[-] cm0002@lemmy.world 13 points 11 months ago

That's the whole point of work profiles and company owned devices. This Joelle just has no idea what she's talking about.

You literally can't "just install an MDM" to your phone in the way that allows a company complete access to your device. Both iOS and Android require that either the device is new or the device is factory reset. Then and only then can the device have MDM enabled as a "Company Owned Device" e.g. complete access.

The other way, is through "Work Profiles", it's an isolated and sandboxed partition. The "Work side" has no access to anything on the personal side and the personal side has no access to anything on the work side. On Android the work side has its own Play Store, its own Chrome, its own apps. (In fact, if you're rooted you can hijack the work profiles feature for yourself if you want to install apps you'd rather keep isolated, like TikTok).

If I issue a wipe command to a phone with a work profile, only the work profile gets wiped and the personal side is untouched. An employer utilizing work profiles only has visibility and control within the work profile, the rest of the phone might as well not exist

Hell, Android even gives you the ability to restrict the Work Profiles to work hours so all the work apps go dormant after 5

load more comments (1 replies)
load more comments (5 replies)
[-] Taalen@lemmy.world 82 points 11 months ago

My previous employer was acquired and the new owner required jumping through these kinds of hoops to use company email or Teams on our phones.

As an end result, everybody stopped using those on their phones. Once the laptop lid was shut, work wouldn't be bothering you until you open it the next day. Sometimes stupid things can lead to good outcomes.

[-] half_fiction@lemmy.dbzer0.com 17 points 11 months ago

Yup, to get email on your phone my employer makes you download something or other that in the fine print says they reserve the right to wipe your phone, if necessary. I saw that and now I don't have email on my phone. It's great.

load more comments (1 replies)
[-] UNWILLING_PARTICIPANT@sh.itjust.works 13 points 11 months ago

Yeah this exact scenario happened where I used to work. The only time it's an inconvenience is if we're all in person for a tech summit or something, but having the personal contacts of a few co-workers let's me check in on any plans I might have missed.

Nowadays my phone is too old to even run slack, so I'd require work to buy me a new, separate work phone anyway.

But truth be told, it's amazing being unreachable. I logged on to the work slack today Monday morning, and found out that the company had an all hands on deck show stopper bug last Friday ~1730 lol not for me it wasn't. I was walking my dog enjoying the brisk winter air, completely oblivious until I logged back on this morning to read the postmortem. 😌

[-] eddietrax@dmv.social 79 points 11 months ago

These people really don’t know how MDM solutions work.

[-] 520@kbin.social 27 points 11 months ago

... actually they aren't wrong. MDMs are given special permissions including but not limited to reading your SMSes and phone records, restricting and monitoring your installed apps and even wiping your device.

[-] eddietrax@dmv.social 51 points 11 months ago* (last edited 11 months ago)

I’m not sure what MDM you’re subjected to but I’ve been an MDM engineer for 7 years using Intune and JAMF and no, no SMS or phone records. Even the phone # is blanked out minus the last 4 digits. Yes we can wipe the devices if it’s lost\compromised but personal versus corporate owned devices are limited. I can’t see what apps you have that were personally installed. And the only info I can get are the device stats (SN, IMEI, storage, battery, memory, etc).

[-] 520@kbin.social 23 points 11 months ago* (last edited 11 months ago)
[-] eddietrax@dmv.social 10 points 11 months ago

Yeah I have looked at those solutions and one not on your list (MobileIron, not sure if they’re still around). I don’t know why anyone would choose those solutions but good call.

load more comments (1 replies)
[-] LilB0kChoy@midwest.social 41 points 11 months ago* (last edited 11 months ago)

Can you support your claims? I’ve worked with Intune, Jamf, MaaS360, Citrix, and Workspace ONE and none of them could read texts, emails or browser history.

I’d be very interested to learn more about how they can access this information through MDM. We always did it through either the mobile carrier or the admin console for whatever the office/mail suite that was deployed.

[-] n1ckn4m3@kbin.social 26 points 11 months ago* (last edited 11 months ago)

Please cite any one of your sources. I've managed MDM for over a decade and you're spreading misinformation.

Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc. On the contrary, almost every single one provides an information screen during the enrollment that makes it abundantly clear that they do not (and can not) access that data. Moreover, the "wipe" of data is the removal of company data. It doesn't wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.

Quick Sources for Intune and JAMF -- do your own googling for others:
https://learn.microsoft.com/en-us/mem/intune/protect/privacy-data-collect
https://www.jamf.com/blog/apple-mobile-device-management-faq/

[-] 520@kbin.social 15 points 11 months ago* (last edited 11 months ago)

Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc.

So you're not aware of Sophos's MDM offering? That explicitly states they can make copies of all SMS messages?

https://support.sophos.com/support/s/article/KB-000034436?language=en_US

How about call logs, with SureMDM?

https://knowledgebase.42gears.com/article/how-to-view-call-logs-on-android-phones-remotely-using-suremdm/

Also I said nothing about personal emails.

Moreover, the "wipe" of data is the removal of company data. It doesn't wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.

No, the 'wipe' can be a full factory reset.

https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe

Edit: typo

[-] Steveanonymous@lemmy.world 12 points 11 months ago

Can you elaborate? I have simple mdm on my work phone and would like to know exactly what they see and can do

Not that I am hiding anything. It’s more curiosity at this point

Posted from my personal phone

[-] Osa-Eris-Xero512@kbin.social 13 points 11 months ago

This depends on the configuration of the MDM and the MDM vendor. For example, most MDM deployments to Android for instance conform to Android For Work, which functions in practice to a virtual machine from a user's perspective, and doesn't have access to a non workspace content. iOS has a similar functionality which, while less commonly used, is there specifically for use on personal devices to sandbox off 'work' content where pervasive features like factory resets and access to phone logs and sms records don't function, and you can't access the more advanced features without having purchased the device via a corporate account.

SimpleMDM has a credit card-less trial which you could set up to see what features exist and how they work from the vendor side. You won't have access to some of the 'supervised' features without being a business,but you can see the buttons offered when you aren't a corporate-purchased device readily enough.

For corporate owned devices, the rules are very different though.

[-] ElusiveClarity@lemmy.world 8 points 11 months ago

I have a little experience with Microsoft’s intune and there are different ways to register devices. Someone feel free to correct me because I don’t feel like logging in to double check. Company owned devices have more control and can restrict apps, lock, full wipe, etc. Personal or “bring your own” devices are much less restricted. I can’t lock, wipe, or restrict apps. For the personal devices, it’s more about giving secure access to the companies resources and not really controlling the device. I work for a small business and only use this to setup access to non important documents for employees in the field so I know just enough to be dangerous.

load more comments (8 replies)
[-] Rookeh@startrek.website 67 points 11 months ago* (last edited 11 months ago)

If your employer expects you to access corporate resources or be available to respond / on-call out of hours, then they should issue you a corporate device to do so.

load more comments (2 replies)
[-] GroundedGator@lemmy.world 57 points 11 months ago

While it has not yet been enforced, my employer has an MDM. Because I do not want to violate this policy or install something that gives my employer access to my device, I do not use my personal device for work and I do not have a work device other than my laptop.

This has given me some interesting perspectives.

  • I do not need to be connected at all times.
  • I can walk away.
  • They pay me for work hours, not for my free time.
  • I can easily disconnect every night and weekend, even emergencies in my area can wait.

Seems people think things are much more urgent than they should be or actually are.

[-] ApathyTree@lemmy.dbzer0.com 10 points 11 months ago* (last edited 11 months ago)

I wish I could get my partner to see it this way.. they work in IT and manage the MDM tho, and the other person with access has been partner’s friend and colleague for over 10 years, so partner is confident it’ll all be fine.

Such a dumb mindset for someone who constantly complains of being burnt out.. like no shit you are burned out, you check work emails all day/night, and handle them regardless of time..

[-] mp3@lemmy.ca 36 points 11 months ago* (last edited 11 months ago)

It depends how the MDM is implemented. If it allows locking and wiping the entire device, no. If it makes a sandbox for the work stuff, and it only grant them access to control, lock and wipe that sandbox then I don't mind.

That's what we do for personal devices, corporate devices are fully managed/supervised.

[-] 0110010001100010@lemmy.world 16 points 11 months ago

Yeah my work MDM is setup this way with Android Enterprise. Everything work-related is isolated to that area and there is no other access to the full device. I can even have all those apps shut off after-hours or when on vacation so I don't get notifications during personal time. My boss knows to text/call me if there is something urgent that comes up.

[-] ParetoOptimalDev@lemmy.today 14 points 11 months ago

Software is imperfect and you shouldn't trust that future updates will not add that ability.

load more comments (2 replies)
[-] Snapz@lemmy.world 36 points 11 months ago

Which companies are requiring that employees install apps on personal devices? Feels like it should be illegal coercion if true.

[-] cm0002@lemmy.world 71 points 11 months ago

Don't pay attention to this Joelle person, she has no idea what she's talking about (Or does and is spreading misinformation intentionally)

You literally can't "just install an MDM" to your phone in the way that allows a company complete access to your device. Both iOS and Android require that either the device is new or the device is factory reset. Then and only then can the device have MDM enabled as a "Company Owned Device" e.g. complete access.

The other way, is through "Work Profiles", it's an isolated and sandboxed partition. The "Work side" has no access to anything on the personal side and the personal side has no access to anything on the work side. On Android the work side has its own Play Store, its own Chrome, its own apps. (In fact, if you're rooted you can hijack work profiles for yourself if you want to install apps you'd rather keep isolated, like TikTok).

If I issue a wipe command to a phone with a work profile, only the work profile gets wiped and the personal side is untouched.

Hell, Android even gives you the ability to restrict the Work Profiles to work hours so all the work apps go dormant after 5

[-] apqnxhfriqhfjxrrcxs@lemmy.world 13 points 11 months ago

In fact, if you're rooted you can hijack work profiles for yourself if you want to install apps you'd rather keep isolated, like TikTok

You can use Shelter to enable this functionality without root.

https://f-droid.org/packages/net.typeblog.shelter/

load more comments (9 replies)
load more comments (7 replies)
[-] Neil@lemmy.ml 35 points 11 months ago

This is a woefully misinformed post..

[-] prettybunnys@sh.itjust.works 28 points 11 months ago

You want me to check email outside of work hours …. Better provide me a phone and money for that.

load more comments (1 replies)
[-] Rolder@reddthat.com 18 points 11 months ago

Your bosses make you do this? For me I just installed Teams and Outlook, and even that was voluntary.

[-] ExpensiveConstant@kbin.social 17 points 11 months ago

SUPER depends on the platform. If you own an iOS device and enroll it in MDM through the settings app, MDM ONLY has access to whatever it puts on the device

load more comments (1 replies)
[-] cardboardchris@lemmings.world 15 points 11 months ago

Setting aside the issue of whether this post is overstating the risk of MDM software on a personal phone, I had a tangentially related experience that might provide a tip for anyone who's in a similar situation.

I like to have the convenience of checking my work messages and chats on my personal phone, so I have Teams and Outlook installed and using my work account.

When I first went to sign in to my work account on Outlook, I got this message like "Outlook needs to run with administrator privileges in order to provide the necessary security for this account" and shunted me off to some system settings to approve the permissions. Big nope.

So I tried Outlook Lite, and it made no such demands and works perfectly. So for anyone else who's run into this, try Outlook Lite! I hope this helps somebody.

load more comments (2 replies)
[-] Aceticon@lemmy.world 15 points 11 months ago* (last edited 11 months ago)

If you have work stuff on your personal device, any legal proceedings against the company might mean your personal device is taken as evidence, all of the data in it will get examined and you might only get it back years later.

So even if only for legal reasons, never have company stuff in a personal device, quite independently of there being some fancy tech or other to virtually partition it.

[-] wheeldawg@sh.itjust.works 13 points 11 months ago

I wouldn't do this. Sandbox sounds good, but that kind of access is just to shady to want anywhere near my device.

I've never had to download an app for work. But I wouldn't deal with an MDM at all without a gun pointed at me.

[-] Thcdenton@lemmy.world 9 points 11 months ago

"I don't have a smartphone"

[-] arin@lemmy.world 8 points 11 months ago

MDM when configured properly only get a specific section of your phone that's separate from your personal use section, so they don't see your apps and personal data.

load more comments (1 replies)
load more comments
view more: next ›
this post was submitted on 22 Jan 2024
686 points (100.0% liked)

People Twitter

5373 readers
591 users here now

People tweeting stuff. We allow tweets from anyone.

RULES:

  1. Mark NSFW content.
  2. No doxxing people.
  3. Must be a tweet or similar
  4. No bullying or international politcs
  5. Be excellent to each other.
  6. Provide an archived link to the tweet (or similar) being shown if it's a major figure or a politician.

founded 2 years ago
MODERATORS