
Mobile Device Management invades privacy - eadmund
https://blog.cdemi.io/never-accept-an-mdm-policy-on-your-personal-phone/
======
arkadiyt
As a counterpoint, I do recommend installing _your own_ Supervised MDM profile
onto your iOS device. This will:

- prevent the installation of any other MDM profiles (such as a work profile)

- allow you to pair-lock your device, which will prevent any forensic tools
from accessing your device (for instance if it gets taken by police or at a
border crossing, even if you're forced to give up your password, they won't be
able to image your device or do other scans).

iOS security researcher (now Apple employee) Jonathan Zdziarski has a blog
post on it:

"Counter-Forensics: Pair-Lock Your Device with Apple’s Configurator":
[https://www.zdziarski.com/blog/?p=2589](https://www.zdziarski.com/blog/?p=2589)

~~~
eridius
IIRC in iOS 11 (if not earlier?) Apple changed it so forensic tools can't suck
data off your phone unless you enter your password while the phone is attached
to the computer. Previously if you unlocked your phone, they could then carry
it off to their computer, attach it, and start vacuuming up your info. But now
unless it's already attached to the computer before you unlock it, you know
they can't do that.

~~~
tinus_hn
You can easily be forced to enter your password while you are in the
‘constitution free zone’ though.

------
techsupporter
My employer recently required that any mobile access (or, really, any access
through a method other than web browser) to any real-time communications
systems for the company, including internal e-mail and instant messaging, must
be through a device that has the chosen MDM solution enabled.

It was at that point that I informed my manager that I would no longer be
checking work e-mail and instant messages on my mobile device unless the
company chose to pay for a company-owned device and require that I carry it.
My manager told me that he intended to do the exact same thing. Informal
surveys of my group show that about 80% of the group are not following work
e-mail or IMs when away from work computers.

I am happy that this is the case but am also disappointed that the remaining
20% are almost entirely the "burn the candle at both ends" segment of our
group and they're forever replying to threads and the like even when off work
on weekend or vacation.

I have read on multiple places that MDMs on an iPhone have quite restricted
access (no SMS/iMessage, pictures, non-MDM e-mail, and the like) unless the
device has been wiped and redone under the All Powerful MDM mode but I don't
know if those people are correct or if they're all going from the same
(possibly inaccurate) source. Therefore, I keep the MDM stuff off of my iPhone
because it is _mine_ and I have data from other unrelated projects and
companies on it that is none of my employer's business nor theirs to have
access to hoover up.

~~~
pjmlp
> I am happy that this is the case but am also disappointed that the remaining
> 20% are almost entirely the "burn the candle at both ends" segment of our
> group and they're forever replying to threads and the like even when off
> work on weekend or vacation.

Really? Off work is off work.

The moment I step out the building door, work is done, finished.

Want to talk with me? Wait for the following day I am at work.

There is nothing the employer can do about it unless it specifically states it
on the work contract, most European countries have laws about being contacted
after work.

~~~
calciphus
Out of curiosity - do you work in the US, and are you an hourly or exempt
worker?

Here's my problem: I try to maintain a good work life balance. I devote time
outside of work to passions, hobbies and relationships. But I am not dogmatic
about hours. My company does not pay me to have my butt in a chair. They pay
me to get the job done.

~~~
pjmlp
In Europe.

I am very dogmatic about hours, because when the next layoff round comes, HR
won't care 1 second about how much overtime people were doing when considering
who to fire.

~~~
calciphus
That makes total sense. Here, they absolutely care about who worked (unpaid)
overtime when deciding who to fire. The people I've seen who are out the door
at 5:01 don't survive those transitions.

I'll admit to more than a little envy!

------
zupzupper
Newer Android OSes have the concept of a "Work profile" that you can enable
for this. The company's MDM goes onto the work profile, along with the
approved work apps. These may be sandboxed copies of existing apps, like in
the case of the google suite, where they're tied to company data and accounts.

The work profile apps and data are the only things the MDM can "see" at that
point on the device.

You can also switch the profile on and off at will, which is nice for
vacations.

~~~
girvo
While that’s true, how many of the devices in use in the wild by regular
people have newer versions of Android available? With that in mind, I think
the article makes sense.

~~~
calciphus
Profiles were introduced in 4.2 on Android, if I recall, almost 4 years ago.
Most Android devices in developed countries are above this version. My
original Nexus 5 had them, and that's some 4 phones ago.

I'm sure you could find a shipping device that lacks them, but not from a
major carrier in most of the world. Of Play-enabled devices, Google puts this
at less than 5% worldwide.

------
aynsof
I was asked by a previous employer to perform the rollout of MDM to our mobile
fleet, and I fully agree with everything in the article. Restrictions were
implemented at the whim of my boss.

As an example, he found out there was a feature in the MDM service to block
access to YouTube. He made sure that was ticked. Why? He didn't want people
wasting time on 'his' phones. And the helpdesk would explode every time a new
restriction was rolled out, but he didn't seem to notice or care. In his mind
they were his phones.

~~~
merlincorey
You didn't explicitly state it, so I am just confirming, your previous
employer did not actually purchase or own the phones, but expressed feelings
of ownership over them?

~~~
aynsof
It was a mixture of the two. Some of the phones were purchased by the company,
some were personal devices.

------
morgante
This article is far too hyperbolic. Instead of calmly laying out the privacy
implications and realizing people can choose where to draw the line for
themselves, it draws the line for everyone. It's _my decision_ whether I find
it worthwhile to accept an MDM policy, not the author's. Yes, I know the line
is drawn by humans and not technology—but I am comfortable with and trust
those humans.

I accept that trying to achieve privacy from my employer through technical
means is essentially a losing battle. It would mean taking multiple laptops on
all (frequent) work trips, never checking anything personal at work, and not
being able to effectively check my work from home.

Plus even if I had that full isolation they already can technically access
much of my personal data since they host my email and browser.

The second I lose faith in the security and privacy values of my company, I
would leave—but trying to technically limit myself seems functionally
impossible.

~~~
jakobegger
The most important part is that MDM can install VPN settings and root SSL
certs on your phone, allowing your employer to intercept all traffic to and
from your phone (unless the apps use SSL certificate pinning or end-to-end
encryption).

People probably don’t expect their employer to be able to intercept eg. their
Facebook messages or private email.

And it’s trivial to protect against this: Just use your own device for
personal stuff. You probably don’t need to bring a second laptop on a work
trip, just bring your own phone or tablet for stuff that you don’t want
someone at your company to track...

~~~
morgante
I agree that people should know the implications, but I know them and am
essentially comfortable with the tradeoffs. After all, I already share much of
my browser history via Chrome anyways.

> And it’s trivial to protect against this: Just use your own device for
> personal stuff.

I don't consider that trivial. Switching from work email back to personal
email, or checking Facebook while coding is very common for me. More
importantly, I don't particularly care if my employer has the ability to track
my activity.

~~~
jakobegger
If you check Facebook while coding, your productivity might also profit if you
started using a separate device for that :)

~~~
morgante
Thanks for the moralizing point, which is entirely what I objected to in the
original article.

How I manage my personal productivity is my prerogative. Personally I find
that I fluctuate between periods of intense focus (where hours of coding pass
without me even noticing) and times where my brain is tired and I need a
thoughtless distraction.

------
cjcampbell
We work primarily with small businesses in mental health, where a large
percentage of devices are employee managed. The lack of attention to employee
privacy with security needs in these solutions has been an ongoing point of
frustration for us.

A carefully designed MDM solution could greatly simplify compliance and
improve the security baseline for many of these businesses. As the market
stands now, you either get easy to use with no safety rails on one end of the
spectrum or all the power and flexibility and complexity in the world on the
other.

I think there is definitely some opportunity in this area.

------
antoncohen
I have a handy tip for [older] Android. On Android you can setup Users, the
users are like completely different phones (from a software perspective),
different apps, accounts, passcodes.

If an employer requires MDM to be installed, and verifies that it is
installed, you can add a second user account and install MDM in there. The
user is so separate that if MDM is used to remote wipe a phone, when MDM is
installed in a secondary user, it doesn't actually wipe the phone, it just
deletes the secondary user. Yes, I actually tested this remote wipe
functionality with an employer's MDM.

On Android 7.0+ the "work profile" is probably a better option
([https://support.google.com/work/android/answer/6191949](https://support.google.com/work/android/answer/6191949)).

------
alangpierce
I have the "Google Apps Device Policy" app on my Android phone so that I can
use work email/Slack/etc, and it has these permissions: Erase all data, Change
the screen lock, Set password rules, Monitor screen unlock attempts, Lock the
screen, Set the device global proxy, Set screen lock password expiration, Set
storage encryption, Disable cameras, Disable some screen lock features. I
explicitly agreed to these permissions when I installed the policy on my
phone.

The obvious intention here is to make sure there are reasonable measures in
place in case my phone is lost or stolen. I think the main possibly-problematic
permission here is "Set the device global proxy", which apparently
could be used to intercept SMS messages (according to the article, I think).
Other than that one, I'm pretty sure most of the scary capabilities listed in
the article (the ones affecting privacy) don't apply here. Maybe other MDMs
have those permissions?

My understanding of the Android security model is that permissions changes
need to be explicitly approved by the user, so I think an app update or config
change wouldn't be able to extend the permissions without my agreement. Also
note that the app is written by Google, so my company isn't even running
custom code on my phone. Even if the permissions do somehow change, I always
have the option to remove the app, which un-applies the policy and disconnects
my work Google account.

I suppose this sort of thing depends on the situation and how much you trust
your employer, but I think that for many cases this article is a bit alarmist.
Note that you run into similar problems if you ever log in with personal
Google on your work computer. Since your employer owns the computer, I believe
they have legal access to your Google cookie and could use it to read your email
and anything else associated with your Google account. But I do it anyway
because it's convenient and I trust my coworkers, and I am quite certain that
nobody is reading my personal email. But I also work at a small company where
I know everybody. YMMV.
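
Added example (not from the comment above, and not code from Google's Device Policy app): the permissions listed in that comment are the install-screen labels for policies an Android device-admin app declares in its `device_admin.xml` resource under `<uses-policies>`. The script below parses such a file and reports which declared policies carry the largest privacy or destructive impact, which is the check a user or admin would want before accepting a policy. The policy element names are Android's own; the label mapping and the impact classification are this example's assumptions, and the sample XML is constructed.

```python
"""Audit the device-admin policies an Android MDM agent declares.

Added example, not the thread's or Google's code. Assumes the file follows
Android's device_admin.xml vocabulary; labels and impact tags are this
example's own mapping, and the sample XML is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Android device_admin.xml policy name -> (install-screen label, impact tag).
# The impact tags ("destructive", "interception", "monitoring", "control")
# are this example's own judgement, not an Android classification.
POLICY_INFO = {
    "wipe-data": ("Erase all data", "destructive"),
    "reset-password": ("Change the screen lock", "control"),
    "limit-password": ("Set password rules", "control"),
    "watch-login": ("Monitor screen unlock attempts", "monitoring"),
    "force-lock": ("Lock the screen", "control"),
    "set-global-proxy": ("Set the device global proxy", "interception"),
    "expire-password": ("Set screen lock password expiration", "control"),
    "encrypted-storage": ("Set storage encryption", "control"),
    "disable-camera": ("Disable cameras", "control"),
    "disable-keyguard-features": ("Disable some screen lock features", "control"),
}

# Impact tags worth calling out before accepting the policy.
HIGH_IMPACT = {"destructive", "interception", "monitoring"}

# Constructed sample declaring the ten policies named in the comment above.
SAMPLE_DEVICE_ADMIN_XML = """
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <wipe-data />
    <reset-password />
    <limit-password />
    <watch-login />
    <force-lock />
    <set-global-proxy />
    <expire-password />
    <encrypted-storage />
    <disable-camera />
    <disable-keyguard-features />
  </uses-policies>
</device-admin>
"""


def parse_policies(xml_text):
    """Return the policy names declared under <uses-policies>, in file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "device-admin":
        raise ValueError(f"not a device-admin resource: <{root.tag}>")
    uses = root.find("uses-policies")
    if uses is None:
        return []  # an admin app that declares no policies at all
    return [child.tag for child in uses]


def audit_policies(xml_text):
    """Classify declared policies: known labels, unknown names, high-impact ones."""
    declared = parse_policies(xml_text)
    report = {"declared": declared, "labels": {}, "unknown": [], "high_impact": {}}
    for name in declared:
        info = POLICY_INFO.get(name)
        if info is None:
            # A name outside the known vocabulary deserves a manual look.
            report["unknown"].append(name)
            continue
        label, impact = info
        report["labels"][name] = label
        if impact in HIGH_IMPACT:
            report["high_impact"][name] = impact
    return report


def format_report(report):
    """Render the audit as the list a user would read before tapping Activate."""
    lines = [f"{len(report['declared'])} policies declared"]
    for name, label in report["labels"].items():
        flag = report["high_impact"].get(name, "")
        lines.append(f"  {label:<40} [{name}]" + (f"  <-- {flag}" if flag else ""))
    for name in report["unknown"]:
        lines.append(f"  (unknown policy)                          [{name}]  <-- review")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_policies(SAMPLE_DEVICE_ADMIN_XML)))
```

Run against the constructed sample, the report flags `wipe-data` (destructive), `set-global-proxy` (interception) and `watch-login` (monitoring) and leaves the remaining seven as ordinary lock-screen and encryption controls, which matches the comment's reading that only the global proxy is the privacy-sensitive one once the wipe is accounted for. Whether `wipe-data` clears the whole device or only a profile depends on where the admin lives, as the Android "Users" and work-profile comments in this thread describe.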

------
ohazi
This is bullshit. I own my device, and this kind of management shouldn't be
possible on devices that I own.

Can I run some sort of VM or a sandbox to make the server think they're MDMing
my whole phone? I should be able to feed them enough garbage to keep the other
end happy, right? If IT wants to be able to remote wipe my phone, they can
remote wipe my VM instead. Anything less would be absurd.

~~~
innagadadavida
Just get a cheap burner feature phone for work. They’ll get the message. You
might be able to use the same number on two phones on some carriers.

~~~
paulmd
Google Voice can ring multiple phones from a single number.

------
cromulent
Simply connecting an Exchange mail account allows an administrator (or
yourself through the Exchange web app) to remotely wipe the device.

[https://technet.microsoft.com/en-us/library/aa998614(v=exchg.160).aspx](https://technet.microsoft.com/en-us/library/aa998614\(v=exchg.160\).aspx)

~~~
fencepost
This varies by application, at least on Android. The built in client from the
manufacturer or AOSP is far from the only option.

Years ago this was one of the key features of the Nitrodesk software - work
data was all kept within that app and could be wiped by the Exchange admin.
The Exchange client I'm using now (Nine) has an option in settings for the
security model and can either be device or application, with capabilities as
you'd expect.

~~~
cromulent
Yeah, I only know about iOS, where if you use the Outlook app, it will only
wipe that app, but if you connect using the native Mail app, it will wipe your
whole device.

This guy has some more information.

[https://practical365.com/exchange-server/exchange-best-practices-automatically-remote-wiping-mobile-devices/](https://practical365.com/exchange-server/exchange-best-practices-automatically-remote-wiping-mobile-devices/)

------
uselpa
You should also be aware that installing an ActiveSync profile (to access
company mail and/or calendar) has a similar effect; ActiveSync has features to
wipe your phone and set up restrictions.

~~~
fwn
That's something I encountered with my university's ActiveSync setup. I
stopped it on Android with Mailwise.

[http://mail-wise.com/faq/#bypass](http://mail-wise.com/faq/#bypass)

But it is probably not wise to do that in a company setup, as it clearly
undermines their control & security efforts.

------
bowlich
The article seems to engage in a bifurcation fallacy in suggesting that if you
have company data on a personal device, then you must or ought to have MDM.

Trusting me to be able to access my work e-mail from my own equipment without
the need to monitor me is perhaps the lowest baseline of trust that I expect
an employer to put in me. After all, if they can't trust me to be responsible
with such data why bother giving me access to their systems at all?*

* The exception of course is in cases where they are required to monitor data use by law, e.g. medical. But I prefer working in open environments anyways...

~~~
unethical_ban
"Sorry boss, I didn't know it was risky to download company data to my Android
4 device and also install Candie Croosh Castle that needs access to Photos,
Files and Media"

It's as much about ignorance as it is about malice.

------
sergers
I tried to get outlook for my work on personal device, wanting to use the app
for push notifications.

They wanted MDM, I tried to deploy in my "secure folder" (formerly Samsung
Knox), but it would block my phone as an incompatible platform.

They could enable this, but my company doesn't want to and no reason given.

~~~
joezydeco
I just use the Outlook web portal. No MDM needed.

~~~
sergers
Yea that's what I am doing now, but don't have the push notifications to make
it useful.

I am not required to access my work emails outside of my core hours, but it
comes in handy if I could get notified of a new email directly to me (I get
100+ emails a day with maybe 10 requiring me to do something).

I like to be prepared knowing what I need to do before I come into my office
the next morning.

------
stinos
No-one mentions the performance impact of this. Maybe there is none or it's so
small it goes unnoticed? I'm just wondering about that because in quite a few
companies I've seen the same issues; mostly on Windows, but I wouldn't be
surprised if the same happens on other OSes: you let your device get managed by the
company, allowing it to push whatever onto it. A couple of months later
performance comes to a grinding halt because of way too much unneeded stuff
running, over-hungry virus scanners, bugs in management scripts etc. It's
horrifying to see a brand new workstation losing all its snappiness while an
unmanaged 5+ year old one still runs smooth.

------
EamonnMR
I remember that this was a big deal when they introduced something similar at
my previous company. It added something not mentioned in this article: if I
recall correctly, it enabled IT to wipe your device at will. I declined.

~~~
chime
I hate that as an admin, I have that power instead of just restricting my
ability to remove company email/calendar/contacts only. I have a handful of
senior execs who do not want a company phone (or rather give up their personal
phone), still want to access company email, but do not want to install MDM
because it allows me to completely wipe their device or perform other system-level stuff.

All I want as the admin is to (1) authorize if a device can be used to connect
to company resources (2) require minimum level of security (pin/pass unlock)
to be available to access company data and (3) de-authorize the device, which
immediately deletes ONLY company data.

I don't want anything else. I don't want to sync photos, share clipboard,
change security settings, send blaring lost-phone alerts. Those are not my
problems. Just let me have an isolated VM-like area where I can allow/disallow
the user's access to company data.

~~~
jeremyjh
> I don't want anything else. I don't want to sync photos, share clipboard,
> change security settings, send blaring lost-phone alerts. Those are not my
> problems. Just let me have an isolated VM-like area where I can
> allow/disallow the user's access to company data.

Good for Enterprise (now owned by Blackberry) does this. I do not know if it
is really a secure enclave, but their app is its own universe and was the only
part of my phone that was controlled by my employer at my last job. The
drawback is that it's their own universe - you are using their mail program,
calendar, browser rather than your personal favorites. But it sure beats the
MDM policy.

------
pravula
Sad that Samsung EOLed their Knox ecosystem. There seems to be a market for
it.

------
wallace_f
The author is unclear on an issue I'm not 100% sure on -- once MDM is
installed is it really "no longer your phone?"

Can't you just factory reset your phone, login to your accounts and download
your data again?

------
valuearb
I ripped the MDM off my iPhone. Wasn’t worried about them tracking my porn
habits, just got sick of being forced to update my passcode every few months.

Fortunately (?) I can access schedule and email with the iPhone app.

------
paultopia
Burner androids are cheap.

------
dingo_bat
I use Samsung's knox VM thing. The corporate policy is applied only on the
virtual phone that checks office email and calendar.

