Don't Put Your Work Email on Your Personal Phone (medium.com) 192
Many of us have given up on the idea of carrying around a dedicated work phone. After all, why bother when you can get everything you need on your personal smartphone? Here's one reason: Your work account might be spying on you in the background. From a column: When you add a work email address to your phone, you'll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you'll blindly accept it. (What other choice do you have?) MDM is set up by your company's IT department to reach inside your phone in the background, allowing them to ensure your device is secure, know where it is, and remotely erase your data if the phone is stolen. From your company's perspective, there are obvious security reasons for installing an MDM on an employee's phone. But for employees, it's difficult to tell what these invisible profiles are collecting behind the scenes, as they provide people at your company with invisible control over your device. That's why when it comes to your phone, no matter how much you trust your IT department, it's a good idea to keep work and pleasure separate.
MDM profiles, paired with device management tools, allow companies to track employee phones in a single dashboard. They can mitigate security breaches or potential harm from a rogue employee; if you work for a law firm, say, and your boss worries you're leaking sensitive emails from your smartphone, they could remotely wipe your data. MDM profiles can also force you to use a long password on your device, rather than a simple PIN, among other policies.
If they want you to respond to emails (Score:5, Insightful)
Re: (Score:1)
I just use a retired personal device that is only used for work. It doesn't have a SIM card, so it can pretty much just do wifi. If I need to check email, I set up a hotspot for a bit. Works great - if they want more frequent access or checking, they can feel free to pay for service.
Re:If they want you to respond to emails (Score:4, Insightful)
Re: (Score:3)
Of course they do. It's called the Big Stack:
Re:If they want you to respond to emails (Score:5, Insightful)
Indeed. Even beyond the potential spying aspect, every one of those agreements I've seen has wording that they can search your device at any time and destroy any data they choose. Ummm... No!
My response is always "If you want me to respond off hours, then you need to provide me a phone and laptop.". Honestly I look forward to the company that says "OK, you only need to work during normal business hours", but so far they just hand me the equipment I need to do the job...
Paid hourly (Score:2)
Re:Paid hourly (Score:5, Insightful)
Re:Paid hourly (Score:4, Insightful)
Some of us actually enjoy what we do, and don't have "normal business hours" and prefer the flexibility of choosing our own hours.
Re: (Score:2)
Re: (Score:2)
Sure, you will be paid your hourly rate pro rata for the 20 seconds you read your email. If you want full-time payment then you also need to give up alcohol, since we don't allow you to drink on company hours. Oh, and no going out to a nightclub, since we require employees to have at least 6 hours of uninterrupted sleep.
Re: (Score:1)
and destroy any data they choose. Ummm... No!
If this is a problem for you, maybe you shouldn't have a phone. Like, really, who would be stupid enough to store something important on a device that is easily stolen and easily broken, and frequently so in both cases?
Re:If they want you to respond to emails (Score:4, Insightful)
and destroy any data they choose. Ummm... No!
If this is a problem for you, maybe you shouldn't have a phone. Like, really, who would be stupid enough to store something important on a device that is easily stolen and easily broken, and frequently so in both cases?
What the data is is irrelevant. It's mine and they have no business looking at it or touching it.
Re: (Score:2)
Re: (Score:2)
Pen-testers love MDM, it gives them complete control over the target's phone. Once you've got MDM access you can push out an OTA provisioning profile and then you're done. If you're particularly clever, you phish the target to some desirable site with an untrusted cert, when they click OK on it to get to the site they've also accepted the cert for MDM/OTA provisioning - this works for iOS devices, not sure about Android.
So I think a better summary would be "disable MDM on your device if at all possible".
Re: (Score:2)
I get paid 150 a month to have email on my cell phone.
I have a pretty boring life and Google and Facebook have conditioned me not to care about my privacy.
Re: (Score:2)
I don't care if my employer knows where I am.
I do care about carrying around another device.
Re: (Score:2)
FWIW, my employer DID provide me with a phone. I took the SIM card out and put it in my own, dual-sim phone, for my own convenience.
Re: (Score:2)
Yes I do. Fine with me.
Re: (Score:1)
Re: (Score:2)
I do care about carrying around another device.
Which is why I ditched my personal phone years ago and simply carry the work phone full time. I don't get pestered by it, but my job is such that up to date information is helpful. No social media bullshit on it (except Twitter, mostly for public safety communications). Reasonable personal use of company IT assets is permitted.
Re: (Score:2)
Which is why I ditched my personal phone years ago and simply carry the work phone full time. I don't get pestered by it, but my job is such that up to date information is helpful. No social media bullshit on it (except Twitter, mostly for public safety communications). Reasonable personal use of company IT assets is permitted.
Certainly one approach. But I don't want my personal shit on a work phone, as that would violate several policies. I also would also risk not being able to put something on the phone that I wanted to put there.
Re: (Score:2)
Exactly.
Same goes for pagers.
Re: (Score:2)
Pagers? How old are you guys?
Re:If they want you to respond to emails (Score:5, Funny)
I used to make my own S-100 bus computers and used an oscilloscope to tune my floppy drives.
And used punch cards for data input and a strip of LEDs to read the output.
Does that help?
Re: (Score:2)
I don't know what any of that stuff is, but you sound like one of them terrorists.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You had LEDs? What happened to old-skool blinkenlights?
They were red
Re: (Score:1)
My rule is simpler: the company needs to provide me with everything required to do my job. Want me to drive to visit a vendor - rent me a car. Want me to take pictures of something, provide me with a camera. Want me to call someone, provide me with a phone. I'm not even willing to use a weblink to check the company email from my personal laptop. They want me to check email on a weblink, provide me with a computer asset to do so.
Re: (Score:2)
Re: (Score:2)
"They should give you a phone. Never accept MDM on a personal device, it is crazy invasive (geo location, etc)."
Exactly! And more important, leave that phone at work when going home.
Re: (Score:2)
Why is this even on /. ?
What's next, a post from BeauHD stating that you need to keep breathing?
Re: (Score:2)
I wonder if this allows private TLS certificate injection.
Re: (Score:2)
I wonder if this allows private TLS certificate injection.
It absolutely does.
Using MDM, you can push your own root CA to the client device, and then decrypt & inspect all TLS traffic to/from the device by forcing all traffic through a VPN.
I've done it.
This is also why I insist on a company-provided phone that does nothing but work stuff. I'll never put MDM on my personal phone unless I'm the one running the server for personal use.
For example, it would be handy for managing family phones, if it wasn't so expensive.
This is news? (Score:5, Insightful)
Only a millennial would find this to be news. Anyone with a brain and an attention span longer than a gnat's would have a) read the ubiquitous usage agreement all companies use with MDM and b) thought for maybe a minute about what MDM is.
Plus this article completely ignores MDM containers and the privacy benefits associated with them.
This is a stupid click bait article, not news for nerds.
Re: (Score:2, Funny)
Squirrel!
Re: (Score:2)
Only a millennial would find this to be news
Disagree. There are settings for example for the Google Docs suite that can give company administrators some degree of control over a device. However, it's entirely unclear as to what degree of control, what degree of tracking, whether wiping that data wipes the entire phone, can my phone be locked without my consent, etc.?
Our admin flipped it on accidentally once. All I got on my phone was a prompt that I needed to approve a prompt to continue using that account, with zero context about any of the above.
If
Re: (Score:2)
Only a millennial would find this to be news. Anyone with a brain and an attention span longer than a gnat's would have a) read the ubiquitous usage agreement all companies use with MDM and b) thought for maybe a minute about what MDM is.
Plus this article completely ignores MDM containers and the privacy benefits associated with them.
This is a stupid click bait article, not news for nerds.
Good information to learn though, isn't it? So worth spreading for learning? You seem to be suggesting it shouldn't be said. The baby boomer needs to gatekeep even more things?
Re: (Score:2)
Google (Score:1, Informative)
Practically does the same on android. They'd probably sell it to your employer too at the right price.
I was about to install it (Score:2)
But then I read my corporate terms and conditions for using email on my phone.
Then I said I am not signing that, it's my phone, not the company's.
From what I understand, my company is using Good. There is also a per user monthly fee.
Re: (Score:2)
But it is named "Good", so it must be OK. At least that is how I think.
Re: (Score:2)
But what happens if something is just "good enough" instead of being fully "good"? It's like it's missing a part, isn't it? And if you remove a part of "good", it becomes "god", i.e. an all-seeing, all-knowing boss.
But then you flip the table on your boss, and he becomes a "dog".
It's win-win!
Re: (Score:2)
We should start a company called "Good Enough" or "Adequate". It would be a unicorn.
Re: (Score:2)
But it is named "Good", so it must be OK. At least that is how I think.
Yes, but it is owned by Blackberry, so it must be black
Slow news day (Score:3)
This is why I don't put work accounts on my personal devices. If I want to check work e-mail, I will use web interfaces.
This is how it has been since the Windows CE / Blackberry days, though, and probably before then.... Not sure why this is coming up now.
We do tell all of our users that they are free to add their work account to their personal device, but if they do, we will have the ability to wipe it.
We currently do not enable any MDM features other than remote wipe.
Re: (Score:2)
It's the wiping that made me say "nuh-urrr" and not complete the install for my work email.
The way I saw it was, if the company gets hacked that means the hacker can wipe out the phones of every employee connected. If an employee goes rogue and has a beef with the company, they can wipe out the phones of every employee connected.
Re: (Score:2)
My work email is handled through Google Apps, er, G Suite - which is designed around using a web interface, so no worries about giving them device management access. Since I'm a state employee, my work email is basically considered public records anyway - so the privacy concerns I have regarding Google don't really come into play.
On a side note - a big concern I have is the number of people in our department (read: faculty) who just forward their university email to their personal accounts, and do all their
Pretty Common Sense (Score:2)
Not seeing the problem (Score:5, Funny)
IT department to reach inside your phone in the background
invisible profiles are collecting behind the scenes
remotely wipe your data
Meh...
MDM profiles can also force you to use a long password on your device, rather than a simple PIN
HOLY SHIT, I WILL NEVER LET THEM TOUCH MY PHONE!!!111
Paranoid? (Score:2)
Re: (Score:2, Funny)
Exactly. What is the problem? Everyone at my company is good people.
Re:Paranoid? (Score:4, Insightful)
Nice people can be incredible screw ups.
For example, in our IT department we "eat our own dog food" before rolling it out to the masses. Two of my coworkers lost everything on their phones when the server that was used as the "master control" for whatever system was being used for phone management went offline. When the server went offline, the phone software assumed it had been stolen, etc. and simply self-wiped.
Put me in the camp of "I use a webmail interface if I must" and "if you really want me to use my phone for work stuff you'll need to provide me a phone to keep things separated."
Re: (Score:1)
No big deal. Restore the phone from the backup. Same thing can happen if the phone gets lost or damaged.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
We use Google Apps at my work and I have "Super Admin" privileges. With that, I don't know how to access other's emails nor have I looked to see if it's even possible. As for my phone, in my case my work does provide it but I just use the GMail app and no add'l apps at all.
Nine Is Awesome (Score:2)
If you use application level inside Nine, as opposed to device level, wiping and other features are not available to your work sys admins. You retain more control over your device. Obviously, every employer is different and your mileage may vary. That being said, Nine is a great outlook client!
-americamatrix
Re: (Score:2)
On the iOS side, using the MS Outlook app gives similar benefits. If work decides to purge your device, it just takes out the content of that single app, not your entire phone. When I left one job, I just deleted the Outlook app, and that was that.
Android side, Touchdown used to be awesome until Symantec bought it and killed it. I'd definitely look into Nine, just because you have E-mail available, but keep the enterprise management stuff isolated to just the app level.
Re: (Score:2)
iPhone should be in the title!!! (Score:2)
This MDM shit is an iOS thing! News for nerds my a$$. Yes, there is an equivalent for Android (Device Admin) but even if you accept it (from Outlook and the like) it doesn't mean that the app can go through your stuff. Yes, it can set lock policies (force you to have a PIN, etc), can remotely lock/wipe your device but it can't leak the rest of the info from your device. And -here's the kicker- you can use any number of apps that tell to the remote server they enforce all the policies but they don't (Enhance
Re: (Score:2)
This MDM shit is an iOS thing! News for nerds my a$$. Yes, there is an equivalent for Android (Device Admin) but even if you accept it (from Outlook and the like) it doesn't mean that the app can go through your stuff. Yes, it can set lock policies (force you to have a PIN, etc), can remotely lock/wipe your device but it can't leak the rest of the info from your device. And -here's the kicker- you can use any number of apps that tell to the remote server they enforce all the policies but they don't (Enhanced Email was one but it's not in the play store anymore, you need to get the apk). I'm sure there are even more ways to neuter this on rooted devices too.
Last I looked into a few years ago the MDM for iOS is actually very sandboxed at getting to your personal stuff (like messages and other email accounts) or at least have to be very transparent that you're giving permissions to access other areas than the corporate email box. Whereas the MDMs (or whatever they are called) for android are not.
I could be wrong given it's been a few years so would welcome any new information with reference links for reading.
Not always as god-like on Android (Score:2)
What they don't mention here is that what exactly the MDM can do varies from device to device.
We used MaaS360 (terrible product-- don't use it) to manage some company-owned, purpose-specific devices, but never quite managed to lock them down entirely. We couldn't even get the same rules to apply across different devices.
So, if you have an iPhone or a Samsung device.... be very wary of this. Otherwise, yeah, it still sucks, but MDM doesn't always have complete control over everything. (It's fun when it asks
Just rolled out (Score:1)
Told 'em "no" (Score:2)
Not me, but my wife's work asked her to set up email access on her personal phone and she initially told them she would do it (but didn't proceed yet). Mentioned it to me and what apps they also needed to install and I told her not to do it. Told her they could wipe her phone remotely if they had any inkling that there was a problem, etc, etc. She went back and told them "no thanks" .... so they issued her a "work" phone. That simple.... Just have to wonder how many other employees gave them the go-ahead fo
I would always have separate company phone. (Score:2)
Chances are, you'll blindly accept it. (Score:2)
Not if you are not a complete idiot.
Nine Mail (Score:2)
Use an app that sandboxes the MDM requirements. Back in the day Touchdown was the go-to. Symantec ruined that.
Thankfully, Nine Mail does all of that for us. No need to have your employer spying on you.
Re: (Score:2)
Of course not! You don't want the company that's paying your living expenses to spy on you. It's best to let a multinational conglomerate spy on you instead!
Under some state laws they pay for the phone + plan (Score:2)
Under some state laws, the workplace needs to pay for the phone + plan if they want to use it.
Re: (Score:2)
use the web mail version... (Score:1)
Varies by sector, i suppose (Score:3)
Working for a health insurance company I don't have the option in the first place. Only company issued and totally controlled phones get company communications. There is no option to use one's personal device.
I totally do (Score:5, Informative)
It should be relatively easy to get a copy of your company's MDM profile from IT. As opposed to finding out what Slack is doing with your data.
It sure seems like all that's left on Slashdot are Chicken Littles.
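The two technical points raised in this thread, that an MDM profile can push a root CA and a VPN so the company can inspect TLS traffic, and that you can ask IT for a copy of the profile and read it before accepting, can be combined into a concrete check. Below is an added example, not code from the thread or from any MDM vendor: it parses an iOS/macOS configuration profile (.mobileconfig, which is an XML plist) and reports which payloads it carries and which MDM AccessRights bits are set. The profile it inspects is constructed inline for the example. The payload type strings and the AccessRights bit meanings are as documented in Apple's Configuration Profile Reference and MDM Protocol Reference, but they are reproduced from memory here; verify against the current reference before relying on them.

```python
"""Audit a .mobileconfig profile for what it lets the issuer do.

Added example (not from the thread or any vendor). The sample profile
is constructed; payload types and AccessRights bits are taken from
Apple's published references and should be double-checked there.
"""
import plistlib

# MDM AccessRights bitmask (com.apple.mdm payload), per Apple's MDM
# protocol reference -- assumed accurate, verify against current docs.
MDM_ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device / clear passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "list installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "change settings",
    4096: "manage apps",
}

# Payload types a personal-device owner should look for, and why.
FLAGGED_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA (TLS interception possible with a VPN/proxy)",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.vpn.managed": "configures a VPN (company can route all traffic through itself)",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.mdm": "enrolls the device in MDM (see AccessRights)",
    "com.apple.mobiledevice.passwordpolicy": "enforces a passcode policy",
    "com.apple.applicationaccess": "applies device restrictions",
}


def decode_access_rights(mask: int) -> list:
    """Expand an AccessRights integer into the named rights it grants."""
    return [name for bit, name in sorted(MDM_ACCESS_RIGHTS.items()) if mask & bit]


def audit_profile(data: bytes) -> dict:
    """Parse a .mobileconfig (plist bytes) and summarise its capabilities."""
    profile = plistlib.loads(data)
    findings = {
        "payloads": [],
        "flags": [],
        "mdm_rights": [],
        "can_wipe": False,
        "root_ca": False,
        "vpn": False,
        # True when the user cannot remove the profile themselves.
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        findings["payloads"].append(ptype)
        if ptype in FLAGGED_PAYLOADS:
            findings["flags"].append(f"{ptype}: {FLAGGED_PAYLOADS[ptype]}")
        if ptype == "com.apple.mdm":
            findings["mdm_rights"] = decode_access_rights(int(payload.get("AccessRights", 0)))
            findings["can_wipe"] = "erase device" in findings["mdm_rights"]
        elif ptype == "com.apple.security.root":
            findings["root_ca"] = True
        elif ptype == "com.apple.vpn.managed":
            findings["vpn"] = True
    return findings


def build_sample_profile() -> bytes:
    """Constructed profile resembling the 'root CA + VPN + full MDM' case from the thread."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Example Corp Device Management",
        "PayloadIdentifier": "com.example.mdm",  # hypothetical identifier
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [
            {"PayloadType": "com.apple.mdm", "PayloadIdentifier": "com.example.mdm.enroll",
             "PayloadUUID": "00000000-0000-4000-8000-000000000002", "PayloadVersion": 1,
             "ServerURL": "https://mdm.example.invalid/mdm",  # assumed server
             "AccessRights": 8191},  # every bit in the table above
            {"PayloadType": "com.apple.security.root", "PayloadIdentifier": "com.example.mdm.ca",
             "PayloadUUID": "00000000-0000-4000-8000-000000000003", "PayloadVersion": 1,
             "PayloadContent": b"\x30\x82\x00\x00"},  # placeholder DER bytes, not a real cert
            {"PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "com.example.mdm.vpn",
             "PayloadUUID": "00000000-0000-4000-8000-000000000004", "PayloadVersion": 1,
             "VPNType": "IKEv2"},
        ],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    result = audit_profile(build_sample_profile())
    for line in result["flags"]:
        print("FLAG:", line)
    print("MDM rights:", ", ".join(result["mdm_rights"]))
    print("can wipe:", result["can_wipe"], "| root CA:", result["root_ca"],
          "| VPN:", result["vpn"], "| user cannot remove:", result["removal_disallowed"])
```

To use it on a real profile, replace `build_sample_profile()` with the bytes of the .mobileconfig IT gave you (`open(path, "rb").read()`). A profile that is CMS-signed has to be unwrapped first (for example with `openssl smime -verify -noverify -inform DER -in profile.mobileconfig`) before `plistlib` will parse it. The combination the thread describes, a root CA payload plus a managed VPN, shows up as two flagged lines and `root_ca`/`vpn` both true; the "erase device" right is what makes the remote-wipe scenarios elsewhere in the thread possible.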
Use IMAP protocol/client if remote server supports (Score:2)
Re: (Score:2)
That used to be the standard. Most big corps don't permit that kind of connectivity any more.
hello 2000s (Score:2)
This was news ten years ago. You're really trying to explain to a tech audience what an MDM (or EMM) is - in 2019?
Re: (Score:2)
I am not getting the posted argument.
Installing this, makes your phone more secure.
If there is a problem or security leak your employer can wipe your phone... But they should, because you are carrying around a security problem.
In 2019 most of our precious personal data is on the cloud anyways, so the phone gets wiped to factory standards, then you reload your stuff from the cloud, and hopefully whatever caused the problem isn't there.
Re: (Score:2)
You're kidding or unfamiliar with virtually any element involved in this.
First, there would be the e-mail track. Both sent and received.
Ah! You say. If he can erase the phone, he can probably also delete the e-mails and manipulate the logfiles.
Yes, in a bad movie. In the real world, if the company has more than 5 employees, he very likely won't be the EMM-admin nor the mailserver-admin. So there's now two other people who know about his scheme and how he did it. That's not good news, because as we know, thr
Re: (Score:2)
MDM is NOT for personal phones (Score:2)
MDM is for management of COMPANY PROPERTY -- That is Company Owned or Operated devices.
MDM profiles should not under any circumstances be attempted to be installed on a personal phone, as it's an abuse of MDM ---- this should probably be grounds for Apple revoking the MDM certificate (for iOS).
Apple's terms of service specifically include language such as ... ...
“Deployment Devices” collectively means iOS Products and/or OS X Products owned or controlled by You.
Further, You may only use the MDM S
Great advice (Score:2)
O365 is only remote wipe (Score:1)
There are a spectrum of MDM tools with different capabilities. I am familiar with a number of them.
Most of them are just anti-virus protection.
Office 365, for example (not MS Intune), requires the ability to remote wipe.
That is all that the tool offers, in case the employee loses their phone.
To say that Office 365 is MDM, which it technically is, is overstating what the company can do.
With "MDM" There are a number of shades of grey.
I would have no problem with installing office 365 if I wanted email on my pers
Medium (Score:2)
I get the feeling that every so often the "journalists" at Medium discover something that has been common knowledge for everyone for many years. MDM tools literally all list their permissions and purpose and request them from you when you install them.
It reminds me about the day someone at Medium discovered Control+Shift+T and declared he'd found the "undo button for the internet".
FUD (Score:2)
Article written by someone who knows nothing about MDM. Tell me, which MDM profile on iOS lets you read people's email? Oh, none of them. With Google the work and personal are in completely separate containers, and with iOS 13 this will be true for Apple users too.
This article is just clickbait crap.
Just use an alternative app! (Score:2)
On Android, there are quite a few apps that constrain the powers you have to give your employer to use their email. Even Outlook used to, a year ago. Not sure if it does now, but it used to allow you to have it encrypt just Outlook and provide the employer the right to zorch that, but not the whole phone. AquaMail (among others) can be told to simply ignore those requirements.
Using one of those programs, you don't give the program or the requested device administrator any rights. They can deactivate you
What is this nonsense? (Score:2)
I have work email on my private phone. This is via IMAP and that is it. No spying. I would never install any app from my employer on my own phone. If they want that, they can damn well pay for a phone and connectivity for it. And that phone I will carry only when working.
I rejected that "offer" (Score:2)
When my employer enabled this feature in G Suite, I stopped getting email on my phone. It's really annoying to not have calendar sync.
Exchange option (Score:2)
Cheap phone with no SIM card. (Score:2)
Office 365 (Score:2)
Right answer, not the most important reason (Score:3)
The main reason for not putting work mail on your private phone is so you can put some boundaries between work and the rest of your life. So you can spend quality time with family or whatever, without your brain going into office mode every few minutes due to new email alerts, or e.g. having your work calendar mixed in with your personal calendar.
At the very minimum, set things up so your phone does not give alerts or notifications about work stuff, and instead poll it at a time of _your_ choosing. With Office365 (which I imagine is what most people have these days) you can do this perfectly by going to office.com from your mobile phone browser. It's a bit more hassle, which is a _good_ thing, adding some barriers to doing office stuff when you are not supposed to.
Your personal life and your off-hours time is precious. Protect it by setting and adhering to boundaries.
Overthinking it (Score:2)
I feel like this article is overthinking it.
At least on my iPhone all I do is install the Outlook app and then sign into the same login I use for the Outlook webmail portal and my work email works.
There is no MDM and at least on iOS, app store apps (such as Outlook) are extremely sandboxed.
Re: (Score:2)
Virtually everyone has work email on their phone. You must be kidding. Are you from the 1980s?
Re: (Score:2)
What insult? I am just saying you must be from the 1980s or a government contractor. I don't know a single person that doesn't check work email from a phone somehow. I like it. It gives me the flexibility to be out of the office and still be able to act like I am in.
Re: (Score:2)
Yeah, I guess I assumed we are talking about so-called "office workers who use email regularly" here. Carry on.
Re: (Score:2)
Yeah, good point. I am kind of old school. I forgot the new kids all use slack.
Re: (Score:2)
Yeah, good point. I am kind of old school. I forgot the new kids all use slack.
New kids? I used Slack back when the Linux kernel was 0.9 something.
Re: (Score:2)
Re: (Score:3)
Is it an invasion of privacy that you can reasonably avoid?
Yes. Boss asks me to put my work e-mail on my personal phone. Fine, but please explain exactly how I would go about doing that. [oldphoneworks.com]