Just a reminder, especially in this wild time we live in. DO NOT INSTALL WORK MDM ON YOUR PERSONAL DEVICE.
If your work requires Microsoft Intune or a similar MDM to get email/Teams/Slack, don’t accept it. It opens your device up for them to access private data and disable/delete your phone (even if they say they won’t, they can).
https://blog.cdemi.io/never-accept-an-mdm-policy-on-your-personal-phone/
#privacy #android #iphone #work #email #outlook #microsoft
Nefarious Aryq (@NefariousAryq@hoosier.social) · 2 months ago
@notsle@kzoo.to Company I worked for years ago decided to require this for any device that wanted access to Outlook. I put my foot down and said nope, my device: either gimme a phone or I just won’t have access to my work email nights and weekends. They stood firm, and it was nice to delete Outlook (I wasn’t there much longer; the writing was on the wall for what they were becoming and I left).
@NefariousAryq@hoosier.social Did the same at a previous job. I won’t install Teams on my phone.
Matthew Merkovich! (@MattMerk@mastodon.social) · 2 months ago
@notsle@kzoo.to My brother regularly says, “Act your wage.” And he’s an architectural project manager, so he knows project task scope. @NefariousAryq@hoosier.social
@FourQ ♿ (@FourQ@mastodon.online) · 2 months ago
@notsle@kzoo.to @NefariousAryq@hoosier.social Needed to install Teams for a mandatory job programme. Wiped an old phone, minimum setup, and installed Teams.
They ended up sending out a Chromebook. I refused access to our home network on a device I didn’t own, it wouldn’t go through setup on an open AP. I bridged an unused router with the open AP, Chromebook saw through it. 3 months later they had it back after a factory reset.
I use a different Raspberry Pi for job searches FFS.
B-rad 🏳️🌈👨💻 (@itsonlybrad@infosec.exchange) · 2 months ago
@notsle@kzoo.to One thing that surprised me about Intune MDM on a personal device is that your organization can reset/remove your passcode at will. I still can’t find anything in the docs nor the enrollment process that would clearly explain this capability to the user.
Nazo (@nazokiyoubinbou@urusai.social) · 2 months ago
@notsle@kzoo.to I’m curious, but how would isolating this within an island suffice if one absolutely had to do it?
j_angliss (@j_angliss@fosstodon.org) · 2 months ago
@notsle@kzoo.to @funnelfiasco@hachyderm.io I like that some platforms have a good segmentation barrier in the form of containers like Samsung’s Knox, but yea. I work in IT, I’ve been asked to issue a wipe, I know what happens :/
distributed (@distributed@mastodon.sdf.org) · 2 months ago
@notsle@kzoo.to Exactly the reason I don’t have Outlook on my phone. Some of my teammates accepted it without even knowing, lol. I just use the Outlook PWA. No notifications, but we primarily use Slack so 🤷
Weird Socks (@ohmu@social.seattle.wa.us) · 2 months ago
@notsle@kzoo.to This sounds like the sort of thing that certain staff have the ability to fight and other staff might lack the ability to fight.
#union #unions

0ddj0bb (@0ddj0bb@infosec.exchange) · 2 months ago
@notsle@kzoo.to There are settings within Intune to only put in place control over the corporate apps. Essentially containerizing that data and wiping only that data, without the ability to remote wipe the rest of the phone.
A wizard did it :donor: (@Mustardfacial@infosec.exchange) · 2 months ago
@notsle@kzoo.to This is highly dependent on the way MDM is implemented. If your company is implementing MDM to fully onboard your personal device, then yes, everything you said is correct. If however they are using a combination of (for Microsoft environments) App Restriction Policies and Conditional Access policy, then the company has no way to issue a wipe on your phone. App restriction policies place managed applications in a separate encrypted partition. The company can see company data, but nothing from your personal partition at all. Nor can they control your device, monitor any of the sensors, or track your location or contacts.
The vast majority of orgs just do the full blown MDM enrollments though because it’s far less work to implement and less complicated to manage.
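The two models the posts above contrast (full device management vs. a contained work partition) also exist on Android, where a "Device Owner" admin controls the whole phone and a "Profile Owner" admin controls only the work profile. The check below is an added example, not code from any post in the thread; it assumes adb access to the phone and the `Device Owner:` / `Profile Owner (User N):` heading format of `adb shell dpm list-owners`, and the sample outputs are constructed.

```shell
#!/bin/sh
# Classify an Android phone's management state from `dpm list-owners` output.
#   Device Owner  -> fully managed: the admin can wipe the entire device
#   Profile Owner -> work profile only: the admin can wipe just that container
#   neither       -> no enterprise admin is set
classify_owners() {
  # $1: text output of `adb shell dpm list-owners` (CRLF tolerated)
  out=$(printf '%s\n' "$1" | tr -d '\r')
  if printf '%s\n' "$out" | grep -q '^Device Owner'; then
    echo "fully-managed"
  elif printf '%s\n' "$out" | grep -q '^Profile Owner'; then
    echo "work-profile"
  else
    echo "unmanaged"
  fi
}

# Report which package holds the admin role (first package= line), if any.
owner_package() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^ *package=//p' | head -n 1
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_WORK_PROFILE='Profile Owner (User 10):
  admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
  name=
  package=com.example.mdm'
SAMPLE_DEVICE_OWNER='Device Owner:
  admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
  name=
  package=com.example.mdm'
SAMPLE_NONE=''

# On a real phone: classify_owners "$(adb shell dpm list-owners)"
printf 'state=%s package=%s\n' \
  "$(classify_owners "$SAMPLE_WORK_PROFILE")" \
  "$(owner_package "$SAMPLE_WORK_PROFILE")"
```

A "work-profile" result matches the contained model described above; "fully-managed" means the admin can wipe or reset the whole phone.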
Baral'heia Stormdancer ΘΔ🐲 (@baralheia@dragonchat.org) · 2 months ago
@notsle@kzoo.to In my previous job, I worked with Intune MDM… Yeah, we had several instances of someone on my team accidentally disabling or wiping employee-owned phones. I suspect this is more common than many would like to admit. After that experience, I’ll never allow an employer to have control over my personal device, even if it means I have to find a new job.
@baralheia@dragonchat.org Yeah. People are not infallible. Look at the stories of jealous cops using license plate scanner cameras to track an ex.
Or just a micromanaging boss wanting to know your location.
Sometimes it’s an intern hitting the wrong button.
Arrow (@Arrow@furries.club) · 2 months ago
@notsle@kzoo.to I have to install this on people’s devices as part of my job. I’m shocked at the number of people who would rather put this on their personal phone as opposed to carrying a second company-supplied phone. And yes, the option is presented.
oheso (@oheso@ieji.de) · 2 months ago
@notsle@kzoo.to @CosmicTraveler@mastodon.social If your company requires access to your phone, then they owe you a phone.
cetan (@cetan@toot.community) · 2 months ago
@notsle@kzoo.to If work wants me to have a cellphone then they will provide it. (And they do.) This is not negotiable. I will never mix my personal life with my work life on a phone.
in_sympathy (@in_sympathy@mastodon.social) · 2 months ago
@notsle@kzoo.to What about p.1 of this article regarding how this works on Apple devices:
- Work Data Separation and Encryption
@in_sympathy@mastodon.social As that article says, “managed through a leading Apple-specific MDM using the BYOD method”.
Is that what your employer is using? Can you independently verify it?
Did they configure it properly?
Most businesses are lazy and just buy into the Microsoft ecosystem and use defaults.
My IT infrastructure team, while security minded, care about protecting the business, not the employee. They wiped an employee’s phone this week because it said it was in a different country.
@in_sympathy@mastodon.social Of course, there are places that do it right. But most people either are not technical enough to know what to verify, or the company won’t share details of their MDM system and just generically say it’s required.
Lee (@tzudad@mastodon.social) · 2 months ago
@notsle@kzoo.to Speaking only for Microsoft 365 and Endpoint (Intune). Devices are marked as company or personal during enrollment. Administrators can’t see your personal apps or data. The only thing we can do is wipe the apps installed by MDM.
@tzudad@mastodon.social I know the permission the Microsoft profile requests gives them (Microsoft) much more access than that. I believe they then reduce its capabilities in Endpoint (Intune), but the permissions are still given. At least in iOS.
Here are screenshots for iOS when setting up Intune. It’s about trusting Microsoft and your company.
I believe even connecting to exchange gives the ability to delete your phone from the server. But it’s been years since I checked that.
Lee (@tzudad@mastodon.social) · 2 months ago
@notsle@kzoo.to Those settings look closer to a corporate device to me. I’m the original IT guy in my company and created our M365 organization. I don’t think some of those abilities were available when I configured our environment for personal devices in 2018.
We can only see and reset M365 apps when they are signed in with a company account. We do not see personal apps or data. I’ll never allow that horrible sh*t on the personal devices of our people. Corporate devices are very different.

@tzudad@mastodon.social Those are screenshots taken on my personal device when I went through the steps to install Intune like my work wants. I had no intention of finishing it. Just wanted to see if anything has changed from previous employers.
Lee (@tzudad@mastodon.social) · 2 months ago
@notsle@kzoo.to Your company’s IT has some really invasive settings. Are you handling sensitive data? If I had to do that, I’d buy a garbage phone with a prepaid SIM and not put anything but their stuff on it. 2 phones sucks, but privacy is your right on your device.
Jernej Simončič (@jernej__s@infosec.exchange) · 2 months ago
@notsle@kzoo.to @tzudad@mastodon.social Connecting to Exchange with the phone manufacturer’s pre-installed mail app usually gives the ability to remotely wipe the device; if you use a 3rd party app, only the profile in that app can be deleted.
🇨🇦️coolpup🇨🇦️ (@coolpup@cupoftea.social) · 2 months ago
@notsle@kzoo.to I have to wonder if Samsung might be doing something like this, but with customer phones. Before I dropped Samsung in favour of another brand, I’d noticed what seemed like new apps that I’d never installed, nor wanted, being updated.