Viewing 40 posts - 1 through 40 (of 52 total)
  • Company Endpoint Manager on personal device – am I being paranoid?
  • ebennett
    Full Member

    Our company is requiring any devices which access company info (inc. emails) to enrol into MS Endpoint Manager. For personal devices which only access email it can apparently only remote wipe the Outlook app, but has no other control. However, I also use Outlook for personal email so I’m not sure if it would distinguish between the accounts. Something about the idea of giving the company privileges over my personal phone doesn’t sit right with me (what happens when I leave?) – am I just being paranoid? I could refuse to access emails on my personal phone but it’s convenient for travel.

    MoreCashThanDash
    Full Member

    We are not allowed to access work stuff on personal devices. My employer would be deeply concerned if it happened; in fact, it’s a disciplinary matter.

    If you need phone access for work they should provide a phone with the necessary security installed.

    Kryton57
    Full Member

    +1 MCTD.

    Just take two phones, you won’t be the first or the last.

    mert
    Free Member

    If they need you to access company emails on a phone, they need to give you that phone. Either that or accept that you might not access emails until you have access to company equipment.

    (also, unless you’re being paid to work, don’t work…)

    matt_outandabout
    Full Member

    Work phone for work stuff.
    Personal phone for personal stuff.

    The *only* crossover is the staff all have my personal number for an emergency when travelling etc.

    garage-dweller
    Full Member

    My mantra on this is simple.

    You (work) want your emails on a mobile device, you supply the device and data and you can have any security you like.

    I use my work phone for work and my personal phone for everything else. I only carry both in the week and I’ve been doing that for 17 years.

    I certainly wouldn’t want work scrubbing bits of my phone and I wouldn’t have personal accounts in the same app as work ones even if it does work well for that reason.

    weeksy
    Full Member

    I use my personal phone as the phone for dialling facility, but not for accessing anything like email. If they want email, I get a company phone… No way would I allow their software on my personal phone… BUT… if I wanted to get email, that’s the trade-off.

    gregsd
    Free Member

    Could you use Outlook web access on the phone?

    intheborders
    Free Member

    You know the answer, don’t set it up.

    I remember when this first came in where I was working, 2010.

    I didn’t set it up and haven’t at any subsequent company – also very handy that I only access my work emails on my work laptop in work time. And I do travel as a part of my job, just takes a bit of discipline (and forwarding travel emails to my Hotmail).

    Working in IT for 40 years gives me the experience & knowledge to not trust other people with my tech.

    willard
    Full Member

    TL;DR: What they said above. Use a company phone for work and a personal phone for personal. It makes things a lot easier in the long run.

    A lot of people here (Sweden) see a company as their three-yearly mobile phone renewal service and don’t have a personal phone. That’s fine for them, but I’m not sure they understand that, if the company owns the device, has it enrolled in MDM/Intune and has information on it, then the personal data is fair game on a wipe. It’s not _their_ phone.

    The risk of personal devices accessing work information is always that you could poorly protect the device (according to company InfoSec policy) or copy data to a cloud service that then leaks confidential information somehow.

    ebennett
    Full Member

    Thanks all, good to know I’m not just being paranoid! Day-to-day I don’t really need work email on my phone and I’m strict about out of hours checking, but historically it’s been useful for trips abroad with work. Haven’t had to do those for a few years (obv.) but there are a few planned for the next 6 months. I’ll just delete the account from my phone and tell them they need to give me a phone if they want me checking emails while I’m away!

    matt_outandabout
    Full Member

    I’ll just delete the account from my phone and tell them they need to give me a phone if they want me checking emails while I’m away!

    Holiday or work?

    I *don’t* check emails or work things on holiday. That’s why we have colleagues who pick things up in my absence. The *only* work contact on holiday has been my CEO on occasion texting me good news of a £1m+ funding award or similar good news.

    sillysilly
    Full Member

    If you ever use your co’s wifi and the co is public I wouldn’t worry. Their goal is likely just to tick a certification box, save money and save you from carrying 2 phones everywhere. They should have a documented privacy policy that explains exactly what they have access to / why. They will already know you spend all day on STW and don’t care.

    If at small co with a nosy nerd running the program and no policy then hell no. Open to abuse outside of any privacy concerns if not set up correctly.

    ebennett
    Full Member

    Holiday or work?

    Only ever work – never check on holiday! It’s a small company (~100 people) and I think they’ve just had an “oh shit” moment around security and have communicated it poorly. I trust them not to be dicks about it, but it just doesn’t sit right with me.

    MSP
    Full Member

    As many have already suggested above, the real boundary should be formed before it even gets to installing company software on personal devices. IMO it is important to prevent work encroaching into your personal life.

    Companies now give employees laptops and phones because they know they will end up doing extra work time with them. WFH in covid times probably blurred the lines even more, I am now getting back into the habit of leaving mine locked in my desk at work unless I am on call.

    sl2000
    Full Member

    Doesn’t worry me. Shouldn’t be any of my data (photos etc) that’s not backed up so no issue to wipe the phone – and if I lose the phone I’d want it wiped anyway.

    However, I also use Outlook for personal email so I’m not sure if it would distinguish between the accounts.

    They’re not deleting the emails, just removing the data from the phone. Your personal emails live on Microsoft’s servers not your phone.

    Having said that, I wouldn’t want to use Outlook for both personal and work emails on one device.

    stuart_c
    Free Member

    What kind of shady stuff are you all doing on your phone that you’re worrying about someone “seeing”??

    Where I work there is a clear policy that personal devices should be avoided for work data whenever possible, if they think you will ever need anything remotely then a phone/tablet is provided. Pretty clear cut.

    I have not had a “personal phone” in probably 10 years and never had any issues. I’m aware it’s saving me £20-30 each month and I don’t job hop all the time to leave gaps in ownership. Last time I moved jobs I was without a company phone for 2 weeks, I didn’t die from not having a phone…..

    Unless you think your company will be actively dickish about phone usage then I can’t see a problem either way, but if they are awkward then I suspect it’s just a crap company to work for anyway and phones are the least of your problems.

    scuttler
    Full Member

    There are a couple of ways companies do this:

    Mobile Device Management – usually for devices they own that control the whole device, the apps etc – very invasive but very appropriate if they’ve issued the device to you for work use

    Mobile Application Management – usually for devices you own where they control only an app or set of apps at the app level. Outlook and Teams are good examples whereby they can manage and wipe the company data in the app but not (unless you go mad with permissions) do much else. For example, Outlook doesn’t need to know your location. If, like the OP suggests in their case, a single app is used for personal and work it could be messy. This is ideal for employees who want work data on a personal device because it suits them.

    As such it’s an important decision criterion to understand whether your employer is proposing MDM or MAM – if they can’t be clear it tells you everything you need to know.

    I generally agree with work issuing you with a device to do work on but I did find a middle ground. If you have any old / spare phones at home (I have teenagers) take one of those, wipe it, set it up for work and use wifi / tethering to your personal phone to communicate. It works well, enforces the physical and mental separation and costs (assuming a spare phone) nowt. It doesn’t actually have to work like a phone from a dialing sense as most communication is via IP (messaging, zoom etc). Plus if work need to ring you then they definitely should have issued you with a phone.

    thepurist
    Full Member

    Could you use Outlook web access on the phone?

    It’s what I do if I choose to check work email when not at work. I have to flick the “desktop view” option in my phone browser to get it to load but can then switch that back off once I’m in.

    I did have a work iPhone but the layers of security and passwords they mandated were ridiculous and I used it so rarely that I’d forgotten the details each time, so it needed resetting, which could only be done by the IT team in work hours…

    IHN
    Full Member

    I’ve got (work) Outlook and Teams on my personal phone. It’s my choice, it allows me to be away from the desk in the day (nipping to the shops for example) and still be able to keep an eye on stuff, or if I’m a bit late starting in the morning I can do some email checking whilst walking the dog.

    I do have to have MS Authenticator and Company Portal installed as well, but I’m happy with it all because of the convenience it gives me.

    jeffl
    Full Member

    We get a work phone if needed but also have a BYOD policy. From memory work will pay you a few quid a month if you use your own phone, although they provide a SIM so you get a work number. For both we use Intune or Endpoint Security and it can only delete your work account and associated stuff.

    Personally I have the work SIM in my personal phone as it means I don’t have to carry two phones around. But emails stay on my work phone and laptop. Mostly home based nowadays but if traveling on work time then my laptop is out on the train, so no real need for the work phone.

    Dunno what I’m trying to say, but in your position I’d be like, give me a phone.

    jam-bo
    Full Member

    I use the Microsoft apps in iOS to access mail/Teams on a personal phone. I get paid an allowance for phone use. I have the notifications off on the apps, and delete them when I’m on holiday. People have my phone number but I’m quite comfortable ignoring calls I’m not interested in answering.

    iOS sandboxes the apps so there aren’t the same ties and remote management into the OS as if you sign in using the built-in mail/calendar apps etc.

    scuttler
    Full Member

    What kind of shady stuff are you all doing on your phone that you’re worrying about someone “seeing”??

    You <————————————————————————–> The point.

    alan1977
    Free Member

    I manage this exact scenario in my business using Microsoft Intune.

    Beyond the company managed apps, we cannot access anything. In fact I have it set up so that the corporate email is in an entirely different Outlook to personal; this is Android. iPhone is slightly different and you can’t have an entirely separate (duplicate) app, I don’t think.

    I can see nothing.

    I can ensure my company data isn’t allowed to be accessed from any apps I don’t want it to be accessed from. I can ensure the user has a password on their device; if not then access to the apps is restricted. In all honesty, it’s mostly to protect the end user from themselves. You won’t believe the amount of messes I’ve had to clear up or investigate after sensitive data gets out and about…

    If you want to access email on your device then abide by it; if you don’t want to, that’s your choice. If we want people to have email, we provide a device, but they can access their stuff on their own phone assuming they work with the restrictions in place.

    TiRed
    Full Member

    Work phone for work. Work phone for home. Work pays for the phone and data and I use it. I moved my personal number to the phone years ago. I don’t get work calls anyway. If I did, then I would separate the two. It’s all backed up on iCloud and you don’t HAVE to read work emails when not working.

    molgrips
    Full Member

    Look at it from the other perspective. You email a company (either personally or from your own work). That company then allows your email and information to leave their company onto an employee’s personal device. That company has now completely lost control of the information, and so have you. You’ve got no idea what’s happening to it. If that information is shown to have been used for something other than its intended purpose, you have no way of knowing how.

    If that happened and caused a problem, you’d be pissed off, and so would the company you emailed because they’d be in deep shit. It’s the digital equivalent of photocopying important documents and leaving them on a train or on a table in a pub. So your work wants to protect their data because they NEED to by law. This is what is meant by information security and it’s important.

    So either they give you a phone, or you use a Samsung that lets you segregate work and personal data. I don’t know if other Android phones let you do this. Samsung’s feature is called Knox and it’s specifically approved by the company I work for, who take this stuff seriously. We get training every year on it; it’s not my job but I know about it because everyone has to.

    Remote wiping – they can wipe my phone but I suspect it’ll only wipe the work half. If they wipe it all, then no big deal because everything on my personal side is also on some cloud or other. As it should be, because phones are quite easy to lose.

    As for accessing emails outside work – it doesn’t have to be toxic. I am contactable all the time because a lot of what I do is genuinely interesting to me. I will chat about it or email because I don’t mind, but I will ignore out of hours if I do. But I will also mooch off during the day and go biking or to the shops or whatever, and I can do that because I have Slack and email on my phone. Find what works for you, don’t let work become toxic, but that might mean either not being contactable outside work OR being contactable :). It also helps that absolutely no-one actually phones anyone any more, it’s all via Slack. I have a work sim and personal SIM in my phone – I think all Galaxy S devices support this now – but really only for data use in non-roaming countries, back when I used to do travel. Also helps that everyone at work is super-respectful of private time too.

    bfw
    Full Member

    With my work hat on (Infra and IT head) I would not force this on my workforce because the resulting backlash is we have to supply phones to everyone, which we currently don’t. I would say no to MDM on my own phone, but then I was in the travel business so no need to be silly secure maybe?

    From a personal perspective and on an iPhone, you could use one account on the generic Mail app and one on the Outlook app. I did exactly this with Google.

    molgrips
    Full Member

    With my work hat on (Infra and IT head) … I was in the travel business so no need to be silly secure maybe?

    How long ago was this?!

    If you are still a head of IT then don’t let your employer see this…

    footflaps
    Full Member

    I don’t have a company phone and access work stuff on my personal phone via the MS apps. It’s very easy separating work from home life: I have notifications disabled for everything (personal and work) and if I’m not working I just don’t open the MS apps to see if I have an email.

    All the MS Apps are set to require fingerprint + 2FA (by work) so as secure as a work phone would be.

    They don’t require an end point manager, but if they did I’d probably decline and ask for a work phone, which I’d just leave switched off in a drawer for the next 5 years!

    snotrag
    Full Member

    If you need phone access for work they should provide a phone with the necessary security installed.

    If they need you to access company emails on a phone, they need to give you that phone

    Work phone for work stuff.
    Personal phone for personal stuff.

    I use my work phone for work and my personal phone for everything else.

    Etc, etc, I could go on.

    I spent years letting employers take the piss out of me – using my own phone for work, giving my personal number out. Spending my own cash to claim it back a month later, using my own car, etc etc etc…

    Eventually, I found an employer that actually treats people properly, and realised that I had been taken for a ride.

    Need a phone for work? They supply it. Expense? Company card. Going somewhere? Company car, pool car, or rental.

    Honestly, I’ve been there myself. All this ‘oh well it’s useful to be able to check in every so often on a weekend’ type stuff, you are just being taken for a ride. If you need to do that (I understand that bit, I do it myself), then they need to supply the kit. Don’t kid yourself.

    bfw
    Full Member

    molgrips
    Full Member
    With my work hat on (Infra and IT head) … I was in the travel business so no need to be silly secure maybe?

    How long ago was this?!

    If you are still a head of IT then don’t let your employer see this…

    Decision driven by my management team. We are using Google and we decided to give access over security on personal phones. Their decision. We have full auditing of user actions and flags set for large usage, i.e. lots of mails being forwarded. We have 2FA in place.

    Horses for courses… When I worked for the police or university it was the opposite.

    footflaps
    Full Member

    I spent years letting employers take the piss out of me – using my own phone for work, giving my personal number out. Spending my own cash to claim it back a month later, using my own car, etc etc etc…

    Personally that’s what I’ve chosen. I just don’t want to have two phones, so turned down a company one.

    bfw
    Full Member

    My wife’s company phone has been left in a drawer for the past two phones and maybe 5 plus years. My company cannot afford 400 phones; they choose, they decide on taking or not taking the risk. Full MDM seems excessive when ultimately we have full auditing and have control of the account from the account.

    slowoldman
    Full Member

    IMO the only access a company can expect is remote access from YOUR device to THEIR backend systems, i.e. you log onto the company’s servers. Nothing is held on your device other than probably a token system which allows you access. There is no need for the company to be able to access your device and personally I would not accept such a system.

    matt_outandabout
    Full Member

    What kind of shady stuff are you all doing on your phone that you’re worrying about someone “seeing”??

    I am not.

    My objection is more around company culture expecting people to respond when out of hours, on holiday or weekends. Just no.

    willard
    Full Member

    The ultimate decision should be, as @bfw has shown above, a decision by senior leadership. That decision process should be driven by risk, recorded (assuming the organisation works roughly according to ISO) and reviewed on a regular basis. If nothing else, there’s a legal basis in protecting confidential information (GDPR/Schrems II) with large fines if the business is found lacking.

    In an ideal world, an AUP for the users would set out what the company expects of the user (and vice versa!) and people would play along with it. Unfortunately, I’ve seen first hand that people ignore this in corporate environments, despite education and enforcement, which is usually why rules get brought in and more and more restrictive (which then causes people to complain more about the policies).

    Anyway, rant over. Just use a separate device. It’s easier.

    beej
    Full Member

    Technology has moved on. What’s available now for enterprises to manage devices is very different to a few years ago. Depending on what your company plans to use and how they run it, work can be safely partitioned from personal on a single device.

    (Disclosure – I’m a Microsoft Technology Strategist)

    We use Android for Work and whatever the iOS equivalent is. So my personal device has a separate partition for all the work apps and data and this is managed by our IT people. I can turn this off in a single click from the swipe-down settings shortcut page. This is fairly new for us, maybe a year or so? It also requires a minimum Android version on the phone.

    More here:
    https://learn.microsoft.com/en-us/mem/intune/user-help/what-happens-when-you-create-a-work-profile-android

    I’ve gone from carrying two phones to one. When I’m on holiday I turn off the work partition. I’ve still got a work mobile but don’t use it, I’m just keeping it for international trips.

    db
    Full Member

    I’m still a 2 phone person, and 2 ipads and 2 laptops! Work stuff can all just be left at home or handed back when/if I leave.

    bfw
    Full Member

    My objection is more around company culture expecting people to respond when out of hours, on holiday or weekends. Just no.

    Amen to that.

    mjsmke
    Full Member

    My work’s gone this way too. From last month we would need to install the Microsoft app to access our work accounts from home. Most people just refused to install it. Kinda good in a way; if I’m off sick or a snow day etc, I simply can’t do any work. What a shame.

    It would be a disaster if there was another lockdown. Can’t teach from home if I can’t log in.
