Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT Technology

Don't Put Your Work Email on Your Personal Phone (medium.com) 192

Many of us have given up on the idea of carrying around a dedicated work phone. After all, why bother when you can get everything you need on your personal smartphone? Here's one reason: Your work account might be spying on you in the background. From a column: When you add a work email address to your phone, you'll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you'll blindly accept it. (What other choice do you have?) MDM is set up by your company's IT department to reach inside your phone in the background, allowing them to ensure your device is secure, know where it is, and remotely erase your data if the phone is stolen. From your company's perspective, there are obvious security reasons for installing an MDM on an employee's phone. But for employees, it's difficult to tell what these invisible profiles are collecting behind the scenes, as they provide people at your company with invisible control over your device. That's why when it comes to your phone, no matter how much you trust your IT department, it's a good idea to keep work and pleasure separate.

MDM profiles, paired with device management tools, allow companies to track employee phones in a single dashboard. They can mitigate security breaches or potential harm from a rogue employee; if you work for a law firm, say, and your boss worries you're leaking sensitive emails from your smartphone, they could remotely wipe your data. MDM profiles can also force you to use a long password on your device, rather than a simple PIN, among other policies.

This discussion has been archived. No new comments can be posted.

Don't Put Your Work Email on Your Personal Phone

Comments Filter:
  • by hsmith ( 818216 ) on Wednesday July 24, 2019 @01:09PM (#58979974)
    They should give you a phone. Never accept MDM on a personal device, it is crazy invasive (geo location, etc).
    • by Anonymous Coward

      I just use a retired personal device that is only used for work. It doesn't have a SIM card, so it can pretty much just do wifi. If I need to check email, I set up a hotspot for a bit. Works great - if they want more frequent access or checking, they can feel free to pay for service.

    • by iamgnat ( 1015755 ) on Wednesday July 24, 2019 @01:18PM (#58980054)

      Indeed. Even beyond the potential spying aspect everyone of those agreements I've seen has wording that they can search your device at anytime and destroy any data they choose. Ummm... No!

      My response is always "If you want me to respond off hours, then you need to provide me a phone and laptop.". Honestly I look forward to the company that says "OK, you only need to work during normal business hours", but so far they just hand me the equipment I need to do the job...

      • You should be paid hourly, if you're being asked to work outside of normal business hours.
        • Re:Paid hourly (Score:5, Insightful)

          by iamgnat ( 1015755 ) on Wednesday July 24, 2019 @02:19PM (#58980430)
          Meh. I'm happy with my salary and off hours work is a rare thing anyway. If I wasn't feeling properly compensated, hourly pay is not my answer. Finding a better job is.
        • Re:Paid hourly (Score:4, Insightful)

          by 110010001000 ( 697113 ) on Wednesday July 24, 2019 @02:22PM (#58980444) Homepage Journal

          Some of us actually enjoy what we do, and don't have "normal business hours" and prefer the flexibility of choosing our own hours.

          • by DogDude ( 805747 )
            You can do that, and still get paid hourly. I was a developer for a while, and I always worked hourly. The salary people always got burned badly, in my experience.
        • Sure you will be paid your hourly rate pro rata for the 20seconds you read your email. If you want full time payment then you also need to give up alcohol since we don't allow you to drink on company hours. Oh and no going out to a nightclub since we require employees to have at least 6 hours of uninterrupted sleep.

      • and destroy any data they choose. Ummm... No!

        If this is a problem for you, maybe you shouldn't have a phone. Like really who would be stupid enough to store something important on a device that is easily stolen, easily broken, and frequently so in both cases.

        • by iamgnat ( 1015755 ) on Wednesday July 24, 2019 @02:46PM (#58980652)

          and destroy any data they choose. Ummm... No!

          If this is a problem for you, maybe you shouldn't have a phone. Like really who would be stupid enough to store something important on a device that is easily stolen, easily broken, and frequently so in both cases.

          What the data is is irrelevant. It's mine and they have no business looking at it or touching it.

        • by grub ( 11606 )
          If my personal device is stolen or broken, I have backups of it. I won't give my employer what amounts to backdoor access to it.
      • Pen-testers love MDM, it gives them complete control over the target's phone. Once you've got MDM access you can push out an OTA provisioning profile and then you're done. If you're particularly clever, you phish the target to some desirable site with an untrusted cert, when they click OK on it to get to the site they've also accepted the cert for MDM/OTA provisioning - this works for iOS devices, not sure about Android.

        So I think a better summary would be "disable MDM on your device if at all possible".

    • I get paid 150 a month to have email on my cell phone.

      I have a pretty boring life and Google and Facebook have conditioned me not to care about my privacy.

    • I don't care if my employer knows where I am.

      I do care about carrying around another device.

      • FWIW, my employer DID provide me with a phone. I took the SIM card out and put it in my own, dual-sim phone, for my own convenience.

      • I do care about carrying around another device.

        Which is why I ditched my personal phone years ago and simply carry the work phone full time. I don't get pestered by it, but my job is such that up to date information is helpful. No social media bullshit on it (except Twitter, mostly for public safety communications). Reasonable personal use of company IT assets is permitted.

        • Which is why I ditched my personal phone years ago and simply carry the work phone full time. I don't get pestered by it, but my job is such that up to date information is helpful. No social media bullshit on it (except Twitter, mostly for public safety communications). Reasonable personal use of company IT assets is permitted.

          Certainly one approach. But I don't want my personal shit on a work phone, as that would violate several policies. I also would also risk not being able to put something on the phone that I wanted to put there.

    • Exactly.

      Same goes for pagers.

    • by Anonymous Coward

      My rule is simpler: the company needs to provide me with everything required to do my job. Want me to drive to visit a vendor - rent me a car. Want me to take pictures of something, provide me with a camera. Want me to call someone, provide me with a phone. I'm not even willing to use a weblink to check the company email from my personal laptop. They want me to check email on a weblink, provide me with a computer asset to do so.

    • Well it's not like having a dedicated work phone is going to protect you from geo location. If anything, they'll be less inhibited to track that one.
    • "They should give you a phone. Never accept MDM on a personal device, it is crazy invasive (geo location, etc)."

      Exactly! And more important, leave that phone at work when going home.

    • Why is this even on /. ?

      What's next, a post from BeauHD stating that you need to keep breathing?

    • by reanjr ( 588767 )

      I wonder if this allows private TLS certificate injection.

      • I wonder if this allows private TLS certificate injection.

        It absolutely does.
        Using MDM, you can push your own root CA to the client device, and then decrypt & inspect all TLS traffic to/from the device by forcing all traffic through a VPN.
        I've done it.
        This is also why I insist on a company-provided phone that does nothing but work stuff. I'll never put MDM on my personal phone unless I'm the one running the server for personal use.
        For example, it would be handy for managing family phones, if it wasn't so expensive.

  • This is news? (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 24, 2019 @01:10PM (#58979984)

    Only a millenial would find this to be news. Anyone with a brain and attention span longer than a gnat would have a) read the ubiquitous usage agreement all companies use with MDM and b) thought for maybe a minute about what MDM is.

    Plus this article completely ignores MDM containers and the privacy benefits associated with them.

    This is a stupid click bait article, not news for nerds.

    • Re: (Score:2, Funny)

      Only a millenial would find this to be news. Anyone with a brain and attention span longer than...

      Squirrel!

    • Only a millenial would find this to be news

      Disagree. There are settings for example for the Google Docs suite that can give company administrators some degree of control over a device. However, it's entirely unclear as to what degree of control, what degree of tracking, whether wiping that data wipes the entire phone, can my phone be locked without my consent, etc.?

      Our admin flipped it on accidentally once. All I got on my phone was a prompt that I needed to approve a prompt to continue using that account, with zero context about any of the above.

      If

    • Only a millenial would find this to be news. Anyone with a brain and attention span longer than a gnat would have a) read the ubiquitous usage agreement all companies use with MDM and b) thought for maybe a minute about what MDM is.

      Plus this article completely ignores MDM containers and the privacy benefits associated with them.

      This is a stupid click bait article, not news for nerds.

      Good information to learn though, isn't it? So worth spreading for learning? You seem to be suggesting it shouldn't be said. The baby boomer needs to gatekeep even more things?

    • Honestly I don't think this is a generational thing. It's more stupid managers that thought "hey my employees already have phones, why should I have to pay for one". I don't think boomers, Millenials, Gen-Z or whatever generation you are actually a part of is any better at reading license agreements than any other. Yes MDM's benefits are great... for the company's phone. Though installing it on your own phone is stupid, as it is turning your phone into their phone.
  • Google (Score:1, Informative)

    by Anonymous Coward

    Practically does the same on android. They'd probably sell it to your employer too at the right price.

  • But then I read my corporate terms and conditions for using email on my phone.
    Then I said I am not signing that, it's my phone, not the company's.

    From what I understand, my company is using Good. There is also a per user monthly fee.

    • But it is named "Good", so it must be OK. At least that is how I think.

      • But what happens if something is just "good enough" instead of being fully "good"? It's like it's missing a part, isn't it? And if you remove a part of "good", it becomes "god", i.e. an all-seeing, all-knowing boss.

        But then you flip the table on your boss, and he becomes a "dog".

        It's win-win!

      • But it is named "Good", so it must be OK. At least that is how I think.

        Yes, but it is owned by Blackberry, so it must be black

  • by The-Ixian ( 168184 ) on Wednesday July 24, 2019 @01:17PM (#58980048)

    This is why I don't put work accounts on my personal devices. If I want to check work e-mail, I will use web interfaces.

    This has how it has been since Windows CE / Blackberry days though and probably before then.... Not sure why this is coming up now.

    We do tell all of our users that if they are free to add their work account to their personal device but if they do, we will have the ability to wipe it.

    We currently do not enable any MDM features other than remote wipe.

    • It's the wiping that made me say "nuh-urrr" and not complete the install for my work email.

      The way I saw it was, if the company gets hacked that means the hacker can wipe out the phones of every employee connected. If an employee goes rogue and has a beef with the company, they can wipe out the phones of every employee connected.

    • My work email is handled through Google Apps, er, G Suite - which is designed around using a web interface, so no worries about giving them device management access. Since I'm a state employee, my work email is basically considered public records anyway - so the privacy concerns I have regarding Google don't really come into play.

      On a side note - a big concern I have is the number of people in our department (read: faculty) who just forward their university email to their personal accounts, and do all their

  • Sadly this is no different than people not realizing how much personal information they're giving social media access to. My company requires MDM in order to be able to access email on your phone. It allows them access to everything on your personal device. No thanks. So if I have a need to use email, I just do it through their web portal on my phone instead. Not quite as simple as using the built-in mail app but I don't have to give them all-out access to my personal phone either.
  • by HelpTheNewOverlord ( 4436409 ) on Wednesday July 24, 2019 @01:21PM (#58980076)

    IT department to reach inside your phone in the background

    invisible profiles are collecting behind the scenes

    remotely wipe your data

    Meh...

    MDM profiles can also force you to use a long password on your device, rather than a simple PIN

    HOLY SHIT, I WILL NEVER LET THEM TOUCH MY PHONE!!!111

  • Not everyone works for a large company that has time for this. I'd bet a basic Office 365 or Gmail account isn't going to do much harm if you manage things sensibly. My work is my income, they are good people - I don't want to carry two devices around, nor do I want them to spent extra money for no reason.
    • Re: (Score:2, Funny)

      Exactly. What is the problem? Everyone at my company is good people.

      • Re:Paranoid? (Score:4, Insightful)

        by i.r.id10t ( 595143 ) on Wednesday July 24, 2019 @01:44PM (#58980240)

        Nice people can be incredible screw ups.

        For example, in our IT department we "eat our own dog food" before rolling it out to the masses. Two of my coworkers lost everything on their phones when the server that was used as the "master control" for whatever system was being used for phone management. When server went off line, phone software assumed it had been stolen, etc. and simply self wiped.

        Put me in the camp of "I use a webmail interface if I must" and "if you really want me to use my phone for work stuff you'll need to provide me a phone to keep things separated."

        • No big deal. Restore the phone from the backup. Same thing can happen if the phone gets lost or damaged.

        • by maxrate ( 886773 )
          I am not speaking of you specifically..... Tech people who believe they are competent can be screw ups too (maybe not necessarily in tech, but in other areas). The company has faith in you - have faith in your company. Make a backup - you should be doing that anyway. Personally, I think it's generous companies allow individuals to use their own private smartphones at their place of employment. Too much time is wasted on social media and other stupid stuff. 2-way street, unless the company has a histor
    • by Hall ( 962 )

      We use Google Apps at my work and I have "Super Admin" privileges. With that, I don't know how to access other's emails nor have I looked to see if it's even possible. As for my phone, in my case my work does provide it but I just use the GMail app and no add'l apps at all.

  • I like to use Nine (https://www.9folders.com/) because of this.

    If you use application level inside Nine, as opposed to device level, wiping and other features are not available to your work sys admins. You retain more control over your device. Obviously, every employer is different and your mileage may vary. That being said, Nine is a great outlook client!

    -americamatrix

    • On the iOS side, using the MS Outlook app gives similar benefits. If work decides to purge your device, it just takes out the content of that single app, not your entire phone. When I left one job, I just deleted the Outlook app, and that was that.

      Android side, Touchdown used to be awesome until Symantec bought it and killed it. I'd definitely look into Nine, just because you have E-mail available, but keep the enterprise management stuff isolated to just the app level.

    • Holy Crap! That website has so much Chinglish on it that I wouldn't *DARE* install that app!
  • This MDM shit is an iOS thing! News for nerds my a$$. Yes, there is an equivalent for Android (Device Admin) but even if you accept it (from Outlook and the like) it doesn't mean that the app can go through your stuff. Yes, it can set lock policies (force you to have a PIN, etc), can remotely lock/wipe your device but it can't leak the rest of the info from your device. And -here's the kicker- you can use any number of apps that tell to the remote server they enforce all the policies but they don't (Enhance

    • This MDM shit is an iOS thing! News for nerds my a$$. Yes, there is an equivalent for Android (Device Admin) but even if you accept it (from Outlook and the like) it doesn't mean that the app can go through your stuff. Yes, it can set lock policies (force you to have a PIN, etc), can remotely lock/wipe your device but it can't leak the rest of the info from your device. And -here's the kicker- you can use any number of apps that tell to the remote server they enforce all the policies but they don't (Enhanced Email was one but it's not in the play store anymore, you need to get the apk). I'm sure there are even more ways to neuter this on rooted devices too.

      Last I looked into a few years ago the MDM for iOS is actually very sandboxed at getting to your personal stuff (like messages and other email accounts) or at least have to be very transparent that you're giving permissions to access other areas than the corporate email box. Whereas the MDMs (or whatever they are called) for android are not.

      I could be wrong given it's been a few years so would welcome any new information with reference links for reading.

  • What they don't mention here is that what exactly the MDM can do varies from device to device.

    We used MaaS360 (terrible product-- don't use it) to manage some company-owned, purpose-specific devices, but never quite managed to lock them down entirely. We couldn't even get the same rules to apply across different devices.

    So, if you have an iPhone or a Samsung device.... be very wary of this. Otherwise, yeah, it still sucks, but MDM doesn't always have complete control over everything. (It's fun when it asks

  • All of IT was called in back in November and told we were rolling out IBM MaaS 360 MDM and shutting down the ActiveSync for mobile devices. I immediately told my boss they would need to supply a phone if they wanted me to keep receiving email. He gave me one and I set it up. They had done no testing or configuration because somebody's bonus was tied to making this happen ASAP. It's July and most things still do not work right. Refuse MDM and demand they supply a device.
  • Not me, but my wife's work asked her to set up email access on her personal phone and she initially told them she would do it (but didn't proceed yet). Mentioned it to me and what apps they also needed to install and I told her not to do it. Told her they could wipe her phone remotely if they had any inkling that there was a problem, etc, etc. She went back and told them "no thanks" .... so they issued her a "work" phone. That simple.... Just have to wonder how many other employees gave them the go-ahead fo

  • I want to be able to turn it off when appropriate.
  • Not if you are not a complete idiot.

  • Use an app that sandboxes the MDM requirements. Back in the day Touchdown was the go-to. Symantec ruined that.

    Thankfully, Nine Mail does all of that for us. No need to have your employer spying on you.

    • by DogDude ( 805747 )
      No need to have your employer spying on you.

      Of course not! You don't want the company that's paying your living expenses to spy on you. It's best to let a multinational conglomerate to spy on you, instead!
  • Under some sate laws. The work place needs to pay for the phone + plan if they want to use it.

  • If your company has it, just use their web interface to the mail. If not, then it can wait until I'm in the office.
  • by magarity ( 164372 ) on Wednesday July 24, 2019 @01:53PM (#58980298)

    Working for a health insurance company I don't have the option in the first place. Only company issued and totally controlled phones get company communications. There is no option to use one's personal device.

  • I totally do (Score:5, Informative)

    by Havokmon ( 89874 ) <rick@NospAm.havokmon.com> on Wednesday July 24, 2019 @01:54PM (#58980302) Homepage Journal
    I also run the MDM system - so I know we're not collecting anything. We push down mail and VPN configs to secure the environment. Of course, in reality, it's not any more data that you're probably already giving to the majority of the apps on your phone. Unfortunately the rights you grant are to the MDM application, not the MDM profile, so there's no way you can tell on the device.

    It should be relatively easy to get a copy of your company's MDM profile from IT. As opposed to finding out what Slack is doing with your data.

    It sure seems like all that's left on Slashdot are Chicken Littles.

  • I always use a dedicated open source email client on Android (K9) with imap protocol. Problem solved.
    • by schwit1 ( 797399 )

      That used to be the standard. Most big corps don't permit that kind of connectivity any more.

  • This was news ten years ago. You're really trying to explain to a tech audience what and MDM (or EMM) is - in 2019 ?

    • I am not getting the posted argument.
      Installing this, makes your phone more secure.
      If there is a problem or security leak your employer can wipe your phone... But they should, because you are caring around a security problem.
      In 2019 most of our precious personal data is on the cloud anyways, so the phone gets wiped to factory standards, then you reload your stuff from the cloud, and hopefully whatever caused the problem isn't there.

    • The audience has changed: a lot less tech, a lot more far right wing, libertarian shit who believe that the masters are always right
  • MDM is for management of COMPANY PROPERTY -- That is Company Owned or Operated devices.
    MDM profiles should not under any circumstances be attempted to be installed on a personal phone, as its an
    abuse of MDM ---- this should probably be grounds for Apple revoking the MDM certificate (for iOS).

    Apple's terms of service specifically include language such as
    “Deployment Devices” collectively means iOS Products and/or OS X Products owned or controlled by You. ... ...
    Further, You may only use the MDM S

  • for the top 10% of employees who can tell their employer 'no' or who can afford a second fully featured phone for work. For the rest of us we're gonna install the software so we can keep our jobs.
  • There are a spectrum of MDM tools with different capabilities. I am familiar with a number of them.

    Most of them are just anti-virus protection.

    Office 365 for example (Not MS Intune) requires the ability to remote wipe.

    That is all that the tool offers, in case the employee looses their phone.

    To say that Office365 is MDM, which it technical is, is overstating what the company can do.

    With "MDM" There are a number of shades of grey.
    I would have no problem with installing office 365 if I wanted email on my pers

  • I get the feeling that every so often the "journalists" at Medium discover something that has been common knowledge for everyone for may years. Installing MDM tools literally all list the permissions and purpose of them and request them from you when you do so.

    It reminds me about the day someone at Medium discovered Control+Shift+T and declared he'd found the "undo button for the internet".

  • by Arkham ( 10779 )

    Article written by someone who knows nothing about MDM. Tell me, which MDM profile on iOS lets you read people's email? Oh, none of them. With Google the work and personal are in completely separate containers, and with iOS 13 this will be true for Apple users too.

    This article is just clickbait crap.

  • On Android, there are quite a few apps that constrain the powers you have to give your employer to use their email. Even Outlook used to, a year ago. Not sure if it does now, but it used to allow you to have it encrypt just Outlook and provide the employer the right to zorch that, but not the whole phone. AquaMail (among others) can be told to simply ignore those requirements.

    Using one of those programs, you don't give the program or the requested device administrator any rights. They can deactivate you

  • I have work email on my private phone. This is via IMAP and that is it. No spying. I would never install any app from my employer on my own phone. If they want that, they can damn well pay for a phone and connectivity for it. And that phone I will carry only when working.

  • When my employer enabled this feature in G Suite, I stopped getting email on my phone. It's really annoying to not have calendar sync.

  • I have an iPhone. My company runs a Microsoft Exchange server for email. If I try to add my account in the stock "mail" app, I get prompted to agree to join the MDM (they can remote wipe my phone, etc.). If I try to add my email to the "Outlook" app downloaded from the store, it works fine and my company is not granted any such MDM access. I just keep my work stuff in a separate app that doesn't have more than sandbox permissions on the phone.
  • Install the office email on a cheap phone with no SIM card. Use your personal phone as a hotspot for when you need to check office email -- the "office phone" connects to it via wifi. You're not paying extra for data to keep a second phone, but your boss doesn't get to snoop on your personal phone either.
  • On work phones you get the MDM. On personal phones they say just install Office365 "it's security approved." But I hear O365 has, effectively, it's own MDM/Stazi...
  • by CptJeanLuc ( 1889586 ) on Thursday July 25, 2019 @02:36AM (#58983494)

    The main reason for not putting work mail on your private phone is so you can put some boundaries between work and the rest of your life. So you can spend quality time with family or whatever, without your brain going into office mode every few minutes due to new email alerts, or e.g. having your work calendar mixed in with your personal calendar.

    At the very minimum, set things up so your phone does not give alerts or notifications about work stuff, and instead poll it at a time of _your_ choosing. With Office365 (which I imagine is what most people have these days) you can do this perfectly by going to office.com from your mobile phone browser. It's a bit more hassle, which is a _good_ thing, adding some barriers to doing office stuff when you are not supposed to.

    Your personal life and your off-hours time is precious. Protect it by setting and adhering to boundaries.

  • I feel like this article is overthinking it.

    At least on my iPhone all I do is install the Outlook app and then sign into the same login I use for the Outlook webmail portal and my work email works.

    There is no MDM and at least on iOS, app store apps (such as Outlook) are extremely sandboxed.

A Fortran compiler is the hobgoblin of little minis.

Working...