
Don’t Put Your Work Email on Your Personal Phone - 3x3matrix
https://onezero.medium.com/dont-put-your-work-email-on-your-personal-phone-ef7fef956c2f
======
kemiller2002
Funny story (well OK, not so funny), I worked at a company where the FBI
decided to pay a visit and investigate some potential naughtiness performed by
members of the senior staff. They asked questions such as "Do you use your
cell phone and personal email for company matters?" Guess what a lot of them
said, "Yep, have to." That immediately made their personal equipment, etc. in
scope for the investigation and they confiscated it. Interestingly enough, any
crime discovered while in pursuit of another crime can also be prosecuted.
(Guess how they leverage people to flip.)

After hearing about that, I never attach anything work related to my personal
equipment. There is too much liability. Anytime that anyone even whispers
about me using anything I own for company use, the answer is a resounding
"No." You honestly don't know who you are really working with/for and what
they are actually like.

~~~
thisisit
Recently my employer has pushed for Okta Identity management. And somewhere in
that plan they somehow thought appropriating employee personal phones was a
good idea. Now we can't log in to certain internal apps without a mobile device
because Okta needs one time password/accepting push notification. And the
otp/push notification should necessarily happen on a mobile device. Given that
company hasn't provided any mobile devices to employees, everyone is forced to
use their personal phones.

Any ideas on what happens in such cases?

~~~
wtmt
Can't you ask for a key fob OTP code generator device? Employees who work at
sensitive client sites in many cases wouldn't be allowed to connect their
phones to the Internet and may have restrictions placed on the usage of it. A
separate hardware key generator (which is really a second factor) could
possibly help (depending on the situation and need).

~~~
bradknowles
You can ask, sure.

That doesn't mean that the company will provide any such thing, much like
they're clearly not providing company cell phones to the GP.

------
kpwags
This is certainly a very good reason to not put your work account on your
personal phone, but my primary reason not to is that it's my device and I pay
for the service. If my company needs me to be available beyond my 9-5 workday,
they can pay for it.

If there's an emergency, they can always call, but I don't like being "always
on".

~~~
crazygringo
> _If my company needs me to be available beyond my 9-5 workday, they can pay
> for it._

If you're salaried then they _are_ paying you for it based on the job
requirements, it's part of the job and one of the things that separates hourly
employees from salaried ones.

Unless you're talking about the cost of your cell plan or device? But even
then, a lot of companies will pay for your plan and subsidize part/all of your
device if they have a legitimate work reason to need to contact you and expect
a fairly quick response outside the office.

EDIT: To be clear I'm referring to US law/practices. The _entire_ point of
salaried as opposed to hourly work is that it is based on performance rather
than hours, and it's up to you and your employer to come to agreement on what
performance means. At some companies salary might be for 40 hours, at others
it's for 60 or 80 regularly. It's your own responsibility to find out before
taking the job, and decide for yourself what you're willing to provide or not.

~~~
tharax
No they are _not_. Salary is for 40 hours a week, +/- 5 hours depending on
temporary circumstances.

Salary is not 40 hours working + 128 hours on call per week.

~~~
michaelmior
This of course depends on your particular employment contract. In some cases,
someone may agree to be on call whenever they're not working and AFAIK (IANAL)
such contracts are legal in some circumstances.

------
souterrain
If your employer subscribes to an ethical model which permits them to abuse
MDM, viewing your web history and tracking your location, you need to do more
than remove your personal device from their control.

You must find a new employer—preferably while you make public this repulsive
behavior.

~~~
alistairSH
How does one know if an employer is abusing MDM? Honest question... I have no
idea. I just point my iPhone's mail app at our Outlook 365 server and that's
it - I assume that installs a profile that allows them some remote access (I
believe they can remote wipe the phone, but maybe not), but no idea how to
tell if they're doing anything else.

Edit - looking at Settings->General->Profiles, there is one entry, which is
for connecting to my Olympus camera. Nothing for the office.

~~~
cannonedhamster
Generally MDM software swallows up everything. It's been a while since I
managed an MDM instance but we could track everywhere the employee went by
default and when I suggested we turn it off there wasn't an option nor did
management want to. We could see every app pretty much everything on the
device. I will never install MDM on my phone after managing it. I've also seen
phones accidentally wiped. Back up your phones.

~~~
godshatter
Does turning off location on your phone mitigate their tracking of where
employees go? I realize the other problems are still there, but I'm wondering
if that would help. I turn on location on my phone once in a blue moon when an
app gets too damn annoying that I actually need to use right then.

~~~
syn0byte
Depends on the MDM and phone really but, No. Triangulating a cellphone on the
network via cell towers is a tried and true feature of wireless
infrastructure. Even your phone's GPS capabilities are most likely "A-GPS",
meaning Cellular Assisted; it'll use cell location data when GPS satellites are
slow/unavailable.

GPS toggle isn't doing much of anything besides application permissions
enforcement.

------
robben1234
I'm a remote contractor. Usually, if my customer wants me to install some
tracking software (recording that you're present in front of the PC, tracking
mouse/keyboard activity, etc) I agree only on one term: they need to send me a
machine with this software so I can use it while doing work. I lose customers
this way, though most of the time people agree to not have this kind of
software involved instead of rejecting offer altogether.

If I worked in an office environment and company wanted me to use tracking
software I'd see no problems with it. But it should be installed on a company
provided phone. Which in the best case I'd leave at office off work, or in
other cases - carry home and store it there.

~~~
flurdy
Tracking software?! I often have remote contracts and have never been
suggested to install any presence or keyboard activity trackers. Sounds
horrible. You are a professional, not a teenager.

I think that would be such a red flag for me of how everything else is at that
client that I would never agree to the contract in the first place.

Since most of my clients allow BYOD I sometimes get asked to ensure I have
antivirus etc installed. Which is ok as long as they don't dictate which
software. So far that has been fine for all clients.

I have some clients that insist on a locked-down laptop to access some parts
of their network, and they happily send me one that I use mostly for email
only. Having tracking software on it would be pointless as it would only show
5 minutes of email checking activity every 2-3 hours.

Unless by tracking you mean webcam and slack status? That seems acceptable to
me. And as I mostly encourage(insist) that my teams use webcams when they are
remote pairing etc it would be hypocritical of me to say otherwise.

~~~
bklyn11201
Upwork is a giant freelancer market. They pitch their tracking software as
protection for both sides: proof of work.

[https://www.upwork.com/hiring/for-freelancers/using-the-upwork-team-app-for-payment-protection-and-collaboration/](https://www.upwork.com/hiring/for-freelancers/using-the-upwork-team-app-for-payment-protection-and-collaboration/)

~~~
xtracto
Doesn't CrossOver do that as well?

------
tristor
I work from home/remotely. For years I've followed a simple policy. I don't
use work devices for personal use, and I don't connect my personal devices to
any work accounts. I've never had an employer that's had a problem with this,
and the most I've ever heard is comments about how I'm just inconveniencing
myself because I carry two phones, two laptops. But the reality is, it's been
extremely beneficial when I've had to work in compliance sensitive companies
for exactly the reasons listed here and then some, and it's a minor
inconvenience.

If you're a tech worker you can afford to buy your own personal equipment for
personal use. If the company needs you to have equipment to do work, they can
purchase it for you. Simple as that.

~~~
shalmanese
I love having a work laptop that only has work on it but I've never been able
to have a personal laptop that doesn't eventually get all the work stuff onto
it at some point.

What do you do if you're lying in bed watching a movie when you remember that
you need to schedule a meeting with X for tomorrow at 11am? Do you get out of
your warm bed and pull out your work laptop and add the calendar entry and
then climb back into bed or do you just pause the movie, log in to your work
calendar and make the entry real quick before resuming the movie?

The closest I've ever had to making this a reality was when my work computer
was an iMac so I'd just leave it on 24/7 and RDP into it from home (I lived
within WiFi distance of the office so all this was done via LAN). Even then,
when the work stuff was going to take more than ~5 minutes, I'd still end up
doing it natively from my home computer rather than deal with RDP lag.

edit: I also really struggle with what IM programs to keep on my work laptop
these days. Medium of communication doesn't map cleanly onto work/personal
contacts so I either deal with friends pinging me while at work or missing
vital messages from people expecting a business response/having long
professional conversations using a phone keyboard.

~~~
stevenwliao
> What do you do if you're lying in bed watching a movie when you remember
> that you need to schedule a meeting with X for tomorrow at 11am?

Carry your work phone to bed and use the calendar app.

------
saagarjha
> On Android, there are tools that help prevent IT from reaching into your
> phone. If it’s allowed by your admin, you can create a separate “work”
> profile that contains sandboxed versions of your apps to avoid blurring the
> line between personal and work. The work profile can then be disabled on
> demand and flipped back on only when you need it, providing a level of
> control that iOS doesn’t yet allow.

This is changing with iOS 13 and the introduction of User Enrollment, which
siloes off work data and adds restrictions to what corporate IT can access.

~~~
Tepix
Exactly. It's surprising that the article doesn't mention iOS 13 and user
enrollment which hopefully solves the issue.

~~~
flatiron
i would laugh if appleconnect/switchboard gets around that somehow.

------
kryogen1c
>When you add a work email address to your phone, you’ll likely be asked to
install something called a Mobile Device Management (MDM) profile

...what? The Outlook app containerizes your email account specifically so that
you don't have to do this. Your company can remotely wipe your work account and
only your work account.

Of course MDM gives access to your phone - that's its whole purpose.

~~~
drunken-serval
MDM gets applied if you want to access your exchange server with the default
iOS apps because those apps don't have remote management built in.

If you use the Microsoft apps, you don't need to have an MDM applied because
those apps handle the remote management functionality themselves.

~~~
RKearney
No it does not (source: iOS device user and Exchange admin).

Adding an Exchange account to an iOS device optionally allows the Exchange
client to enforce password and screen lock requirements, encryption, and allow
for remote device wiping.

It does not have any access to device location, data, photos, contacts, or
anything else you can think of outside of device passcode, encryption, and
remote wiping.

An MDM profile is a completely separate thing from Exchange. Also, unless the
iOS device is supervised (which has to be done at time of setup and would
require wiping the device if you want to supervise one that's already setup)
you're extremely limited in what you can do and see.

~~~
lunchables
This guy MDMs (and is 100% correct).

Source: We provide employees with iOS devices and use VMware Workspace ONE
(formerly AirWatch) along with their Secure E-Mail Gateway and also use
Apple's Device Enrollment Program. This provides for as complete control over
the device as you can get.

------
NSAID
> When you add a work email address to your phone, you’ll likely be asked to
> install something called a Mobile Device Management (MDM) profile. Chances
> are, you’ll blindly accept it. (What other choice do you have?)

I use the Nine mail/calendar app[1] to keep all that contained. It integrates
nicely with the native Android apps but keeps all of the security and control
options within Nine itself. It looks like they are also beta testing an iOS
app but I have no experience with that version of it.

For example, if the mail account security settings require a screen lock code,
Nine will require a code to access the app but this won't affect the actual
phone's unlock screen.

Similarly if a data wipe request is sent from the server it will only affect
Nine.

[1] [https://www.9folders.com/product/](https://www.9folders.com/product/)

~~~
fencepost
You beat me to it. Nine also allows easy connection to multiple Exchange
accounts, has a variety of other nice features and has been around long enough
to have a very solid track record.

This kind of sandboxing is one of the things third party apps like this have
always been known for, going all the way back to a really old one whose name
I'm blanking on which I believe maintained its own entirely internal calendar,
files, etc. (Dataviz maybe?)

Edit: this may still be useful for some people, but the work profiles
introduced in Android 5+ may make it less relevant at least for anyone at
enterprise scale or otherwise using MDM through a service provider.

------
erinaceousjones
At least if your org is on Office365 and doesn't have too restrictive
policies, you can get your email over standard IMAP. There also exist some
nice man-in-the-middle proxies which pretend to Exchange servers that you've
implemented the policies they ask for.

I've got multiple "work" (one is a volunteering role) office365 exchange
accounts on my personal phone, using
[exchained](https://sites.google.com/site/bikomobi/exchained).
Seems to work well. I'm sure the respective IT departments would give me a
stern talking to, but there is nothing in either job that is of any sensitive
nature whatsoever so their blanket "ask for admin permissions on my phone"
policies can get f __ __d, frankly.

~~~
tyingq
Experiences vary. Some stodgy F500's have IMAP and ActiveSync locked down in
various ways that force you to run the Outlook app.

~~~
drunken-serval
The Outlook iPhone app doesn't require MDM.

~~~
tyingq
It can, and their MAM blurs some lines.

------
Communitivity
I had to deal with this a number of years ago, and my response was "If you
want MDM on the device to enable mail, then you buy me a separate device.
Otherwise, I will access mail when I am at my corporate laptop or on the web
via VPN." Never let them MDM your personal device, because they will possibly
auto-wipe your phone if something proprietary or secret leaks out via email
and you are on the distro.

------
giobox
Remember 10 years ago when people were predicting/building technology to let
our phones run multiple "virtual" phone instances on a hypervisor, solving the
work phone/play phone single device dilemma?

I'd still freaking love this feature ten years later. I don't want app level
segregation of work and play, I want them in entirely different "instances" of
my phone.

> [https://arstechnica.com/information-technology/2011/09/samsung-boosts-vmware-plan-to-virtualize-android-phones-tablets/](https://arstechnica.com/information-technology/2011/09/samsung-boosts-vmware-plan-to-virtualize-android-phones-tablets/)

> [https://virtualizationreview.com/articles/2009/01/01/the-next-frontier-mobile-phone-hypervisors.aspx](https://virtualizationreview.com/articles/2009/01/01/the-next-frontier-mobile-phone-hypervisors.aspx)

> [https://gizmodo.com/vmware-for-mobile-devices-lets-you-run-windows-and-andr-5160685](https://gizmodo.com/vmware-for-mobile-devices-lets-you-run-windows-and-andr-5160685)

~~~
fghtr
I guess you just need a GNU/Linux phone for that. Librem 5 is the hope.

------
mywacaday
Sneaky Medium, I used to have a paid account and the page looked like I
couldn't read the article until I resumed the paid membership. Signed out and
clicked on the link again and was able to read the article. Account deleted!

------
travelton
Not sure how complete this list is, but here's Google's MDM knowledge base
articles:
[https://support.google.com/a/answer/7036693](https://support.google.com/a/answer/7036693)

Mobile Reports:
[https://support.google.com/a/answer/6072773](https://support.google.com/a/answer/6072773)

Device Audit:
[https://support.google.com/a/answer/6350074](https://support.google.com/a/answer/6350074)

Mobile Alerts:
[https://support.google.com/a/answer/3230421](https://support.google.com/a/answer/3230421)

Edit: Furthermore, on iOS, you can go to Settings -> General -> Device
Management -> <Select MDM Profile> -> More Details -> MDM Profile. The list of
rights are listed there.
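
One way to read those rights without tapping through Settings, as an added example (Python, not code from the article or from anyone in this thread): an iOS/macOS enrollment profile is a `.mobileconfig`, which is an XML plist, and its `com.apple.mdm` payload carries an `AccessRights` bitmask. The bit values below are the ones documented for that key in Apple's Configuration Profile Reference, with the descriptions paraphrased; the `HIGH_IMPACT` set is this example's own choice, and everything in `SAMPLE_PROFILE` (server name, identifiers, UUIDs) is constructed for the demo. Point it at a real profile you exported or were e-mailed to see exactly what an enrollment would grant before you accept it.

```python
"""Decode what an Apple MDM enrollment profile lets its server do.

Added example (not code from the article or this thread). A .mobileconfig
is an XML plist; the MDM payload (PayloadType com.apple.mdm) carries an
AccessRights bitmask whose bit values come from Apple's Configuration
Profile Reference. Everything in SAMPLE_PROFILE (server name, UUIDs,
identifiers) is constructed for this demo.
"""
import plistlib
import sys

# Bit values of the MDM payload's AccessRights key, as documented by Apple
# (descriptions paraphrased).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device and clear passcode",
    8: "erase device",
    16: "query device information (capacity, serial number)",
    32: "query network information (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "change settings",
    4096: "manage apps",
}
ALL_KNOWN = sum(ACCESS_RIGHTS)  # 8191: every documented right set

# Rights that matter most on a personal phone (this example's own choice).
HIGH_IMPACT = {4, 8, 32, 256, 4096}


def decode_access_rights(mask):
    """Return ([(bit, description), ...] for set bits, leftover undocumented bits)."""
    known = [(bit, desc) for bit, desc in ACCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~ALL_KNOWN
    return known, unknown


def summarize_profile(profile_bytes):
    """Summarize each com.apple.mdm payload in a configuration profile."""
    root = plistlib.loads(profile_bytes)
    summaries = []
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        known, unknown = decode_access_rights(int(payload.get("AccessRights", 0)))
        summaries.append({
            "server": payload.get("ServerURL"),
            # Top-level key: when True the user cannot remove the profile in Settings.
            "removal_disallowed": bool(root.get("PayloadRemovalDisallowed", False)),
            "rights": [desc for _, desc in known],
            "high_impact": [desc for bit, desc in known if bit in HIGH_IMPACT],
            "unknown_bits": unknown,
        })
    return summaries


# Constructed sample: a profile granting every documented right (8191).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mdm.enrollment</string>
  <key>PayloadUUID</key><string>9A3C0F2B-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Example Corp MDM</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.payload</string>
      <key>PayloadUUID</key><string>9A3C0F2B-0000-4000-8000-000000000002</string>
      <key>ServerURL</key><string>https://mdm.example.com/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.com/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""


if __name__ == "__main__":
    # Usage: python mdm_rights.py [profile.mobileconfig]; no argument runs the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for s in summarize_profile(data):
        print("MDM server:", s["server"])
        print("user can remove profile:", not s["removal_disallowed"])
        for r in s["rights"]:
            print("  -", r, "(!)" if r in s["high_impact"] else "")
        if s["unknown_bits"]:
            print("  undocumented bits:", hex(s["unknown_bits"]))
```

A signed profile (`.mobileconfig` wrapped in CMS) has to be unwrapped first, for example with `openssl smime -verify -noverify -inform der`, before `plistlib` can read it; the keys checked here are only the MDM payload's, so restrictions, Wi-Fi, VPN and other payloads bundled into the same profile still need a separate look.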

~~~
antidaily
Anything sketchy? I dont have Google Device Management installed.

------
neilv
Thinking ahead to the next time I need it (I haven't tested this), I was
looking into current respectful options for people who are on-call in some
way.

Considerations included not interrupting personal time or reminding people of
work unnecessarily, location privacy, certainly not doing MDM of personal
devices, security simplicity, etc.

The most interesting option was the old-school one-way radio alpha/numeric
pager. It turns out that the Boston hospitals still use these heavily, as do
some EMTs, and they're considered much more reliable than cellular- and WiFi-
connected smartphones.

I'm imagining people on-call have their pager on, and it's only used for
emergencies. There would be a couple/few numeric codes for the few different
appropriate possibilities of importance/urgency/nature/modality, and what you
should do. The most usual code might mean get on email/chat ASAP. Another code
might mean phone devops ASAP. Code "666" apocalypse might mean call a car
service immediately, get on phone/email/chat while you wait, don't delay to
groom or anything.

As a matter of culture, all of the codes are worth bothering someone in their
personal time. For example, maybe there's no code for "hey, if you have a
second, it would save me half an hour if...". (Of course, we have to not raise
the importance/urgency bar too much, or people might end up staying on chat or
something, because the pager's bar is higher than their own.)

~~~
twic
When my company wanted to issue me with a work phone, I looked for the most
pager-like thing around. The only reason I would ever use it is to receive
alerts when I'm on call, and to do 2FA to connect my laptop to the VPN, so I
would like it to have small size, long battery life, and a loud speaker. I
couldn't find anything at all like that.

------
ok_coo
At my current org, it was hinted to us that if we tied (email forwards, etc.)
or added any work account to a personal device, that the personal accounts and
device could be subject to audits.

Don't mix your work and personal stuff. Keep it separate, keep it safe.

------
phjesusthatguy3
Yes, if it's important to your company for you to be able to receive any of
their communications wherever you are, they can pay for a phone plus service
to give to you for that purpose. Don't let them use your personal phone for
that.

~~~
blfr
But I still don't want to carry two phones.

Which is why I only redirect my company phone regular voice calls to the
private one when I'm out of office. If it's urgent, call. If it's not, I'll
get to it when I'm in the office.

~~~
phjesusthatguy3
That is totally understandable, and I hope you don't get in trouble when law
enforcement comes looking for your personal device that somehow got caught up
in their list of devices to look for.

~~~
tamaharbor
You watch too many movies.

~~~
phjesusthatguy3
I've been a party to too many situations where this sort of thing happens.

I'm not making this up, y'all; I've sat there with the other side's data
collection party when _my_ boss was telling me to let him collect the data.

------
pmlnr
This is not about work email, this is about MDM software. The title is
confusing.

~~~
carlob
There are a lot of companies that require you to enable MDM before you can
setup an email account, I've seen it on android back in the day when I had a
smartphone.

FWIW when that happened I just started using the cruddy web interface.

------
Kaotique
Weird title. It has nothing to do with e-mail. It is the MDM that is the
problem.

------
daveslash
I actually gave up my smart phone a year ago. I've been with a feature phone
(Nokia 3310) for a full year now. My position at work is this: _"Given that
I'm at my workstation 85% of my day, if I'm important enough to need to check
e-mail 'on the go' or outside of work, I'm important enough for the company to
get me a second phone - one dedicated to work and work only."_

------
Uptrenda
If you have a recent Samsung phone there is a feature called 'Knox' that
splits off your personal files from the work-related stuff. Knox is like a
secure container that's fully isolated from the rest of the phone -- like a
phone within a phone. Knox cannot access your personal files so the assertion
that it can 'wipe your data' or spy on you would be incorrect (it only works
with the container.)

What the article mentions about tracking is a legit concern though, IMO.
Within a container it's still possible to access the GPS sensors. I'm not sure
if the user can block this / opt-out? It's possible that an app may have to
request permissions to use the GPS. In any case, I would say the situation is
still better and more transparent on Samsung devices than this article would
imply. I don't know about other devices but I can tell you Apple phones don't
yet have an equivalent secure container solution (like Knox or Enclaves) so
I'd be more concerned about the security situation on those devices.

~~~
lgunsch
This is true of Android work profiles too. The MDM solutions I've seen use
Android work profiles underneath, so you're never at risk of your work accessing
personal photos or data. The work profile and all work apps are in the separate
container.
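
A way to confirm which of the two situations an Android phone is actually in, as an added example (Python, not code from the article or from anyone in this thread): `adb shell dumpsys device_policy` prints the current owners, and the distinction that matters is a "Device Owner" (manages the whole phone, including wipe) versus a "Profile Owner (User N)" (confined to the managed work profile). The parser below reads that text. Assumptions: the section headers and `package=` lines follow the AOSP dump format, which has changed between releases, so the matching may need adjusting against your phone's output; the two dumps and the package names in them are constructed for the demo.

```python
"""Tell a work profile from full device management on Android.

Added example, not code from the article or this thread. `adb shell dumpsys
device_policy` prints the current owners: a "Device Owner" manages the whole
phone, a "Profile Owner (User N)" only the managed (work) profile. The parser
below works on that text. Assumptions: the section headers and the package=
lines follow the AOSP dump format, which has changed between releases, and
the two dumps below are constructed for this demo.
"""
import re
import subprocess

PROFILE_OWNER_RE = re.compile(r"^Profile Owner \(User (\d+)\):")


def parse_owners(dump):
    """Return {'device_owner': pkg or None, 'profile_owners': {user_id: pkg}}."""
    owners = {"device_owner": None, "profile_owners": {}}
    current = None  # ("device", None) or ("profile", user_id) while inside a block
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Device Owner:"):
            current = ("device", None)
            continue
        m = PROFILE_OWNER_RE.match(line)
        if m:
            current = ("profile", int(m.group(1)))
            continue
        if current and line.startswith("package="):
            pkg = line[len("package="):]
            kind, user = current
            if kind == "device":
                owners["device_owner"] = pkg
            else:
                owners["profile_owners"][user] = pkg
            current = None  # one package= line per owner block
    return owners


def classify(owners):
    """Verdict on how much of the phone the employer's agent controls."""
    if owners["device_owner"]:
        return "fully managed"      # device owner: whole phone, all users
    if owners["profile_owners"]:
        return "work profile only"  # profile owner: confined to the managed profile
    return "unmanaged"


def owners_from_device():
    """Live variant: needs adb on PATH and USB debugging enabled on the phone."""
    out = subprocess.run(["adb", "shell", "dumpsys", "device_policy"],
                         capture_output=True, text=True, check=True).stdout
    return parse_owners(out)


# Constructed dumps, trimmed to the relevant lines. The package names are
# illustrative only.
BYOD_DUMP = """Current Device Policy Manager state:
  Profile Owner (User 10):
    admin=ComponentInfo{com.google.android.apps.work.clouddpc/com.google.android.apps.work.clouddpc.receivers.CloudDeviceAdminReceiver}
    name=Android Device Policy
    package=com.google.android.apps.work.clouddpc
"""

CORPORATE_DUMP = """Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/com.example.mdm.DeviceAdminReceiver}
    name=Example Corp MDM
    package=com.example.mdm
  Device Owner User Id: 0
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.mdm/com.example.mdm.DeviceAdminReceiver}
    name=Example Corp MDM
    package=com.example.mdm
"""

if __name__ == "__main__":
    for label, dump in (("BYOD phone", BYOD_DUMP), ("corporate phone", CORPORATE_DUMP)):
        o = parse_owners(dump)
        print(f"{label}: {classify(o)} -> {o}")
```

On a personal phone the expected result is "work profile only" or "unmanaged"; a device owner can only be set during initial setup (or by wiping), which is why the MDM vendors mentioned above have to live inside a work profile on a BYOD device.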

------
welly
I feel like most/many articles such as this are targeted at large
enterprises/organisations. I've never been asked to install anything like MDM
on my phone for any company I've worked for if needing to/wanting to view work
email on my phone. But then I've never worked for a company who has more than
around 25 members of staff.

~~~
nness
Company size and industry definitely play a significant role in the roll-out
of managed device policies. Some organizations are required to pass specific
ISO/IEC standard certifications with regards to their security policies.
Managed-devices with remote-wipe capabilities being one such requirement.

------
languagehacker
This headline's a little sensationalist. There are a lot of workplaces that
don't use MDM.

Don't put your employer's MDM on your own phone. Make them buy you a work
phone.

------
jshowa3
I don't put it in my phone because it gives the company an out to turn your
phone into an IT BYOD asset. This makes it subject to a wipe if you ever left
the company.

------
evantahler
Or... just use the web app to check your mail. If you want notifications, this
seems like a great use for PWA.

~~~
yoz-y
Depends, some companies have mail accessible only from trusted devices web app
or not.

------
Double_a_92
My boss had his phone completely wiped because his kids tried to unlock it a
couple of times. Apparently we had that behaviour programmed as a company
policy...

------
amerine
What if you have multiple iOS devices and you MDM one of them connected to the
same iCloud account, what risk exposure do I have? The same?

------
jofer
This "stop and think" warning is very good, but let's be honest, in many roles
you can't say "no" anymore. Most companies require a significant subset of
employees to use their personal device for work and have corporate accounts
active on it.

It may not be true for you personally, but I bet it is for most people who
have on-call rotations.

Features like Android's separate profiles are critical. We need similar
sandboxing on all platforms. I don't think we can change the 24/7 availability
culture, but we can change things from a software side to make it less
onerous.

~~~
cannonedhamster
A company cannot force you to use your hardware to run their business at least
not without compensation. Having a phone number that can be paged is
significantly different than installing MDM software that can track literally
everywhere you go, wipe your phone without your permission, etc. If a company
is saying you "must" install something in your personal device without any
compensation on top of your regular paycheck this is incorrect. If you use
your own car for work you're typically compensated with mileage or you can
write it off on your taxes.

------
bluedino
Don't work anything on your personal anything.

------
X6S1x6Okd1st
This appears to be why you shouldn't put an MDM on your phone.

I have my work slack and email on my phone, just with notifications turned off
on both. There was nothing about installing an MDM.

------
y04nn
I've seen the same thing with Chrome. If you log into Gmail it automatically
links the browser with the corporate account for all Google services. And if
you go on the settings page (chrome://settings/) it shows "Your Browser is
Managed by Your Organization". This allows the manager to automatically install
extensions, filter websites... I removed the auto managed browser while being
connected and it wasn't an easy task unfortunately.

------
jonny789
Similar could be the case, when an office gmail account is used by a number of
employees for viewing & replying official emails.

One employee is logged in using the office Gmail on his/her Android phone. Another
employee knowing the password can easily view most of the phone
activity by visiting
[https://activity.google.com](https://activity.google.com) (which includes
search history with location).

------
Pfhreak
Interesting that this was just about spying, when the real reason to keep work
email off your phone (imo) is to maintain work life balance. If I can access
my work email on my phone, I will access my work email on my phone.
Constantly. I'm bad enough with my phone and my personal email.

Everywhere I've worked I've told my manager I turn off work when I leave
(unless I'm oncall). I've never had this be a concern, across three large
companies.

~~~
davidf560
Having work apps on your phone is not mutually exclusive to having work/life
balance though.

I have work apps on my personal device primarily for when I'm away from my
desk during work hours. I disable notifications etc. outside of work hours.

I wouldn't say I'm really happy with it, but it does permit me some freedom to
be away from my desk without the risk of missing something important during
the day. It's a trade-off I've decided I'm willing to make.

Work also provides guest wifi which is conveniently configured by the Android
for Work profile, so data usage while at the office isn't really a concern.

------
_bxg1
I only have my work Slack, not email, on my phone because of this.

Something I've wondered: why do they only do this for native email? Why can I
use Slack without it? In college even our student email accounts had MDM
(which was pretty silly), but I worked around it by just viewing my email in
the web browser. Are locally-stored emails somehow more vulnerable than my
browser cache and the messages stored in the Slack app, or are those just
loopholes?

------
HankB99
How many companies provide a company phone and allow the employee to use it
for personal stuff? I thought that was the norm. I would question any company
that expected me to provide my own phone to perform their tasks. Of course if
they paid me enough, this would be negotiable.

Regardless, if I installed their remote monitoring S/W on my phone or used
their phone, I would abandon any expectation of privacy on that device.

------
lixtra
One option is to use BlackBerry Work[1], which gives your IT department control
over just an encrypted container, not the whole phone.

[1]
[https://www.blackberry.com/us/en/forms/campaigns/q2_19/byo](https://www.blackberry.com/us/en/forms/campaigns/q2_19/byo)

------
drcube
I've had a couple employers offer to transfer my personal number to my work-
provided cell phone. I said no thanks, and carried two phones around instead.
But it was a surprisingly popular option among my coworkers. They'd rather let
their boss own their personal, everyday smartphone than carry around two
phones.

------
burnte
When I came in to my current company last year, the only way to get work email
was by enrolling your phone in our "company portal" which was based on MS's
Intune, part of their 365 offering, which by the way is horrible. There was no
IT director and the lawyer and CFO who drove the plan had draconian rules, so
bad that only a few people ever enrolled, and those who did regretted it, as
their phones would be wiped several times as unqualified people "poked around"
in the system. Exchange and Outlook alone can handle email data safely with
remote wipe of company data without total MDM and device 0wnership. I changed
to that immediately, and in the past year we've needed to wipe only two
people's phones, and it went without a hitch. MDM is a tool that frequently is
more than required for the situation.

------
algaeontoast
This should also apply for work slack.

At this point, especially if I’m working at a company that isn’t a startup, I
will not work somewhere that expects me to have slack available at “all
times”. After hours if I’m not on call I simply do not respond.

For this reason I’ll never do dev ops work haha

------
XorNot
And this is why I really want a phone which can run virtualized Android
environments.

------
RHSeeger
> When you add a work email address to your phone, you’ll likely be asked to
> install something called a Mobile Device Management (MDM) profile.

My wife was asked to do this, and (after a discussion with me explaining what
that means) she told them they could buy her a phone if they wanted that.

The company I work for does not require it, and I agree to have email and
slack on my phone. They don't reach out to me on off hours unless there's a
very good reason.

------
mortenjorck
Maybe I have never worked a corporate-enough job to see this, but at all the
tech companies I’ve worked at, the idea of requiring an MDM profile on your
personal phone to access work email would be more or less unthinkable. I’ve
known engineers to balk at installing a simple, no-permissions-required multi-
factor authentication client; I can only imagine the revolt that would ensue
were they asked to consent to remote management.

------
ptero
TLDR: "do not put work email on personal phone, as the company may ask you to
install mobile device management (MDM) to manage your device, which gives them
opportunity to spy / control".

This conflates two different things: work email and MDM on personal phone.
While I would never install company MDM on my personal phone, many
organizations allow you to access work email from personal phone, no MDM
strings attached. My 2c.

------
Havoc
Our IT policy is pretty broad and obnoxious, so I just carry two phones.
Couldn't be arsed to try and keep things separate with policy and software.

------
jimmaswell
Seems like I have Company Portal installed but it's not activated, and the
permissions don't mention being able to look at browsing history. Just "Erase
all data", "Monitor unlock attempts" and some things like that. Some lesser
things on "Outlook Device Policy" which is also not activated. PingID,
Outlook, and Amazon Workspaces are on here.

------
what-the-grump
Don't put your work email on your phone, because it becomes a discovery item in
court, including all your texts, emails, etc. MDM aside.

------
rconti
Or, you could check to see if any of this applies to you, rather than
panicking. The blog post would have been helpful had it provided more detail:

[https://support.apple.com/en-us/HT202837](https://support.apple.com/en-us/HT202837)

------
dkersten
Why anyone would allow an employer to install MDM software on their personal
device is beyond me.

------
nerdjon
I don't believe I ever actually accepted this on my iPhone.

But trying to search around I can't find anything about how to actually find
out. Does anyone know?

I assume Settings >> General >> Profiles, but it is empty so not sure.

~~~
travelton
If your device is enrolled in MDM, it would be listed there in Profiles. So
your device is probably not enrolled in an MDM policy.

------
timwis
I'm surprised it's not more common for phones to support two SIMs and have an
almost dual-boot-like separation of them (more like desktop computers having
multiple user accounts).

------
carrja99
While you're at it, leave slack off your personal phone too.

------
cj
Our company uses G Suite's Advanced MDM on a G Suite Enterprise account. I
administer its configuration.

Unless I'm missing something, there's not an obvious way to "spy" on
employees, which this article is claiming. Perhaps it's possible, but if it
is, it would require _a lot_ of deliberate effort to accomplish. For example,
there's not an out of the box way to track employee location. There's not a
way to track employee internet browsing history out of the box.

TLDR: using G Suite Advanced MDM, there are not out of the box solutions for
tracking or spying on employees in the ways suggested in the article. It might
be technically possible, but to accomplish it, your company would need to make
a (large) deliberate effort to do this.

~~~
helen___keller
> There's not a way to track employee internet browsing history out of the box.

Some large enterprises use MDM to deploy certificates and proxy policies that
essentially force you into a MitM situation, with the intention of tracking
browser usage.

Location is a bit more tricky. I would say that's less common, but I've seen
MDM solutions that offer location tracking as a feature.

~~~
cj
Yes, there are probably sketchy MDM providers that specialize in employee
tracking / spying.

I'm speaking to what's possible to accomplish out of the box with G Suite's
Advanced MDM offering, without an extreme amount of additional effort.

(This is relevant because, when prompted to install an MDM profile, the MDM
provider, such as G Suite, is visible to the end user.)

~~~
helen___keller
I mention this because one of the top use cases for MDMs is deploying said
MitM setups. It's common in certain industries, like for banks and for
schools. Saying this from experience because I worked for a company that
produced both an MDM product and a MitM product.

For an MDM solution on iOS there's a big list of supported profiles you can
deploy after the MDM profile is installed (see
[https://developer.apple.com/business/documentation/MDM-Proto...](https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf)
under "request types").

If the device belongs to the organization, you might not even know these
profiles are installed; if it's a BYOD environment, you know you are installing
the MDM profile, and if you open the settings page you can manually inspect
which other sub-profiles have been installed by the MDM.

But you're right, the MitM itself isn't built into the MDM, because that's a
totally different product category ("Secure Web Gateway"). The MitM setup only
works if you have an MDM to enforce the certificates and proxy setup upon the
user.

------
wtmt
> These tools often allow administrators to pry into how the phone is used as
> well, retrieving call logs, SMS history, and in the most extreme cases, full
> logs of web browsing.

I doubt any of these (call logs, SMS, web history) are possible on iOS even
with an MDM profile installed, unless it's call logs from the company's own
VoIP app or web history from its own browser app. SMS? Nope. On Android all
these are possible for any app that's given the permissions, even without MDM.

Can anyone who knows more validate or confirm the veracity of this claim in
the article?

------
anoncow
I have two phones. My work email is installed on my work phone. My personal
phone doesn’t get used much. Sometimes I leave it at home.

------
ggregoire
Anyway, you probably don't have a role in your organization that requires you
to check your work emails outside of the office.

------
Fradow
> you’ll likely be asked to install something called a Mobile Device
> Management (MDM) profile. Chances are, you’ll blindly accept it.

Say WHAT? That's the entire premise of the article. Any sane person who has
even a vague idea of what an MDM is will answer with a resounding NO.

Are there actually serious companies that ask their employees to install an MDM
on their personal phone? The moment you install an MDM on a phone, that phone
is no longer your own; it now belongs to the company.

~~~
saagarjha
> Are there actually serious companies that ask their employees to install an
> MDM on their personal phone?

Every company that does BYOD?

~~~
davidf560
Can confirm; the Fortune 500 company I work for has pretty extensive support
for BYOD. Managers can be stodgy about providing work phones, plus carrying
two devices is a pain.

I use Android so I'm relying on the Android for Work sandboxing, but
truthfully I don't know the exact details of what that does and does not allow
my employer to access. It does bother me, but I don't feel like I have a whole
lot of choice. Being able to respond to Google Chat messages at any time (when
away for lunch, for example), is feeling more and more like a
requirement/expectation.

Also, commuting on the train pretty much requires mobile Hangouts support
(which Google effectively makes impossible to use via a website if you're on
Android), unless you want to always be at your desk in the office prior to the
first meeting each day.

------
S_A_P
Good advice for many reasons, but unless you let your company root your
device, they can't track you and your behavior.

------
bootsz
While I sympathize with the privacy concerns, carrying two phones around is
pretty much a dealbreaker for me.

~~~
cascom
It can be annoying sometimes, but honestly it can also be pretty cathartic to
leave your work phone behind when you go for a bike ride, or out to dinner
with friends, etc.

------
tgsovlerkhgsel
Misleading title. Should be "Don't put your work's MDM on your personal
phone".

------
Aeolun
I did the opposite. Put all my personal stuff on my work phone. No way am I
going to carry around two of those bulky monsters. The only bad part is that a
bunch of my online identities are now directly coupled to work, unless I can
convince them to let me keep the phone if I ever leave.

------
phnofive
The title is misleading; MDM should not be equated with "work email".

------
marssaxman
Well, yeah. Was this not obvious? Are people actually _doing_ this?

If an employer wants me to be reachable by phone they can give me a work
phone. Why would I voluntarily turn my personal phone into a work phone?

