This has nothing to do with trusting or distrusting Apple. It's due to avoiding complexity: having to think about a zillion cases of what the employer can and can't do. I don't want to study a 30-page security whitepaper and 300 pages of documentation that probably come with this new enrollment thingie. But if I have two devices--with physical separation--I don't have to think about all sorts of security and privacy gotchas.
Buying a cheap extra work phone and carrying two phones is not that big a burden. Plus you can turn off the work phone during personal time, and turn off the personal phone during work.
I am in another camp. Until recently my employer had a policy of treating our devices somewhat like private devices. We are provided with the device, are allowed to use them at home at will, are full admins. We are only requested to encrypt the hard drive. My employer never had access to my data if I did not provide it to them.
So now two situations changed. Clients of ours force us to use endpoint management to ensure different "security" standards (some not as secure as I had before). Also we got bought by a bigger company and they have rules and regulations for their ~470k employees. These mean we will get some hefty spyware on our devices while still being officially allowed to take the devices home with us, use them privately and so on.
Well. I am not so sure I will do this in the future. I am not willing to introduce spyware that also scans all devices within the network to my home network. I do not want some admin on the other side of the world to be able to download any file from my device. Or to upload any file onto my device.
So I will probably buy another computer (not having owned a private laptop for quite some time) to use at home. Same with my mobile phone.
On the other hand - I hate to carry two devices with me. For me separating out private/freelance stuff onto one machine and corporate stuff onto another makes things more complicated. And I know convenience kills security.
Sorry for my rant, without providing much to the discussion. I mean - it is my work device and my employer is within their full right to install whatever they wish - once the works council agrees.
Who owns the rights to IP developed on these company-owned laptops? One of the biggest problems with this kind of ‘unspoken flexibility’ is that any side projects you work on are in-part owned by the company, under most standard agreements.
I would not work for a company that would try to ensure it owns all of what I do outside of company time.
> I would not work for a company that would try to ensure it owns all of what I do outside of company time.
You might want to read the laws governing this, notably the "Gesetz über Arbeitnehmererfindungen" (https://www.gesetze-im-internet.de/arbnerfg/). It's fairly short and clear. Work contracts often don't mention that because a lot of what you can invent is already owned by your employer by law.
Notably everything that can be patented and primarily results from your work or your experience at work:
(1) Inventions by employees within the meaning of this Act may be bound (service) inventions or free inventions.
(2) Service inventions (Diensterfindungen) are inventions made during the term of the employment relationship which either
1. arose from the activity incumbent on the employee in the enterprise or in the public administration, or
2. are essentially based on the experience or work of the enterprise or of the public administration.
The rules apply independent of which device you're using though. Compensation might differ slightly, but the rules around that are longer than the law itself :)
I recommend § 18 and § 19 of said "Gesetz über Arbeitnehmererfindungen". They state that inventions that are clearly not done on the employer's payroll (to paraphrase this) are so-called free (you have to enable your employer to make that call and you could dispute him, if he tries to claim said invention) (§ 18).
But you need to enable your employer to use said (free) invention with reasonable terms - but you dictate the terms (§ 19). Your employer can dispute the conditions and a court of law then has to decide.
So clearly this law does not enable your employer to claim nearly every invention you could make in your free time.
At least as far as my understanding goes. But I might be totally wrong here. I am somewhat out of my experience here.
The problem in IT is that depending on what you do, everything might be related to a varying degree.
Would be interested to hear about specific court decisions!
In general, this topic is not quite so clear, even in Germany. For a contrary argument, have a look at: https://www.lieb-online.com/files/luxe/publikationen/Urheber... (covers both Urheberrecht and Patentrecht, 15 pages, argues seemingly mostly in favour of the employer, but that does not mean they are wrong)
Keywords to search for, if you don't have the time now to read it as a whole:
- Freizeitwerk / freiwilliges Werk (it's a difference! but just because you do something in your free time it is not necessarily a Freizeitwerk; in case your job is to produce such works and it could be of use to your employer, this is arguably not the case)
- Beweislast (just because you say or mean it to be unrelated to work, does not automatically mean it is -- side note: the bigger your employer, the less you can know about what is in their interest or not)
- Anbietungspflicht (describes the case using work resources / work time)
- Pflicht zur Anbietung (for the free time stuff which is not "totally unrelated to the interests of your employer" -- so "automatic transition of usage rights via contract" is indeed suspicious and likely to be undermined in court, but they have a say if they want it)
Sounds somewhat like slavery indeed. ;)
See for example: https://www.joelonsoftware.com/2016/12/09/developers-side-pr...
The possibility of companies disagreeing is why I keep my work and private life completely separate, and the online portion of the latter does not even use my name nor anything that could be associated with my "offline" identity.
That's a good question, and only answerable by checking what you've signed and what the laws in your jurisdiction are.
Some of the agreements, even in the US, are pretty aggressive about grabbing as much IP from an employee as possible.
Yeah - if I am really, really in a tight spot financially - for as long as it takes to crawl out of such a mess - ok. But regularly? Long term?
Help me to understand.
And I also do not understand how a company could find this morally acceptable to have this idea.
I mean is this really the norm in the US?
The outrage is a bit funny, because that's actually the law in Germany. It doesn't even need to be in the contract. (1) And if you think about it, it makes sense: Otherwise every employee who finds something patentable during working hours just clocks out, goes home and invents it "on his own time." And that would be a problem for an employer, too. So the deal is "employer pays you, and gets first dibs on whatever you invent in the general area that the employer pays you to work in."
I'd rather get paid more today than take a lower salary with the potential to possibly, if I'm really lucky, strike gold with my own invention.
I’m paraphrasing an attorney’s explanations so I can’t cite the code.
Legal precedent around IP ownership - when you've used company-owned machines - is far less clear.
I'm basing this on you mentioning being in Germany and company size. Off topic, but I just went down a small rabbit hole of employers with >400k employees and there aren't many; most of them are either state owned/militaries (I'm assuming Russia's Gazprom doesn't have many German employees) or Walmart/McDonald's (which has far more employees than 470k).
For anyone interested I guessed based on this article.
In the EU I would seriously doubt that your employer is allowed to do this.
Sadly they are. At least as far as any lawyer on this topic currently stated.
I get it. My employer provided phone is a Blackberry Leap.
If so, that should be all my employer expects of me when I'm provided with a company phone. I can't imagine what they would want me to do that would require a smartphone. Anything more complicated would be better accomplished on a laptop.
But there's more to it than that. I can't use the browser to look work-related things up because the blackberry browser hasn't been updated in years. I end up using my own device which defeats the purpose.
1 - some employees do not read policies (despite some really explicit training during onboarding) and disable the password so they don't have to type it during login;
2 - apple software is hot shit and somehow filevault disabled itself on an employee laptop. I'm 100% sure that it was previously enabled. It required multiple support calls, an OS reinstall, and a full machine wipe performed at an apple store to get it re-enabled, so I believe the employee who says he didn't disable it.
Either way, I had to install an mdm to make sure that there always is a password on the machine, a lockout time, and filevault enabled. That mdm, unfortunately, gives me far more control than I want, but there's nothing I can do about that; it's a package deal. I'd prefer not to install them, but one idiot disabling passwords, even after very specific training, because it's inconvenient to type them ruined it for everyone.
And the answer roughly comes down to (1) it trained me out of trusting, even in a small shop; and (2) now that I know these things happen, I have to protect against them. If I abuse what the mdm gives me, I expect my employees to fire me, i.e. quit.
I never got the BYOD thing.
My employer should provide the required tools, if not, then the work is done within the constraints of what is available.
I’d rather buy and manage my own device, which is then powerful enough for my needs.
But some of the differences lie in understanding how to work around constraints.
I've been putting off requesting some specific administered software removal from my own machine for months because I keep getting caught up in much more pressing work. In most cases I'm able to just work around it. In other cases, it just eats up time. But I can see the path through to a solution more clearly than any corporate wrangling.
In smaller or more nimble companies you or rather your line manager can influence hardware budget as an offset of your salary vs productivity. Also in some larger organisations where departments/teams are more autonomous and have more slack your manager may be able to influence that.
But in many large organisations, those who decide what standardised underpowered hardware you shall have may never have even met your line manager and they cannot influence that policy.
I once worked with a client that handed out completely hamstrung laptops with barely any memory and slow disks to all contractors. Project builds would take 30 minutes or more, and I'd watch paint dry by reading slashdot (a long time ago), jousting on chairs in the corridor etc... Plus more time lost as you don't realise instantly when the build has finished and the time to reload all the context back into your own brain's memory...
The difference in cost between a top spec machine and the one they handed out was less than the invoice cost of the lost productivity in a day or two. I was there for two years... Granted after a while I did get better and better machines but never good.
Though I no longer really work for clients that do that, and my last few contracts have been BYOD which is fine by me. As long as they provide a quality external monitor and the sit-stand desk then I'll bring my own macbook.
Honestly, I've been there; coding on a single 15" screen. Eventually most employees brought in a second monitor from home.
But if this is the case I believe strongly that the employer must provide the necessary tooling.
These state that there needs to be proof of several data security aspects on all devices of all people working in a facility for one of these companies/clients as a contractor:
- Antivirus software up to date
- Firewall active
- Hard disk encrypted
- Ability to remotely lock device
- Ability to remotely wipe device
To ensure that this is in place at all times on all devices one needs a programmatic solution - Endpoint Management. And as this needs to be root (for remote wipe) - this could be seen as spyware (as I like to call it internally).
So yeah - there are a lot of companies/industries enforcing this. As someone above said - banking is another industry, insurance, medical and other high profile stuff with sensitive data might come to mind.
The text does not say this - but this I added just from experience. And I actually hope that someday companies like mine could go the Apple way and ensure Endpoint Management on a per user account basis. That way I could still take home my company laptop and use it privately with a different user.
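The checklist in the comment above (antivirus current, firewall active, disk encrypted, remote lock, remote wipe) is the kind of thing an endpoint agent actually has to prove. As an added example that is not from the thread or from any product mentioned in it, the following Python sketches the local half of such a check on macOS: it parses the status lines printed by two real Apple tools (`fdesetup status` and `socketfilterfw --getglobalstate`) and reports which controls are not demonstrably satisfied. The function names, the `REQUIRED_CONTROLS` list and the `SAMPLE_*` strings are this example's own; the samples are constructed to match the shape of the real output so the parsers run offline.

```python
"""Endpoint compliance check for a BYOD/contractor checklist (added example).

The two commands are real macOS tools; the parsing functions, the control
names and `evaluate_compliance` are hypothetical names for this example.
The SAMPLE_* strings are constructed stand-ins for command output.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Real macOS commands; each prints a one-line status.
FILEVAULT_CMD = ["fdesetup", "status"]
FIREWALL_CMD = ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"]

# Constructed sample outputs in the shape those commands print.
SAMPLE_FILEVAULT_ON = "FileVault is On.\n"
SAMPLE_FILEVAULT_OFF = "FileVault is Off.\n"
SAMPLE_FIREWALL_ON = "Firewall is enabled. (State = 1)\n"
SAMPLE_FIREWALL_OFF = "Firewall is disabled. (State = 0)\n"

# Controls from the checklist. Remote lock/wipe are capabilities of the
# management server, so they are asserted by the MDM rather than probed locally.
REQUIRED_CONTROLS = ["antivirus_current", "firewall_active", "disk_encrypted",
                     "remote_lock", "remote_wipe"]


def parse_filevault(output: str) -> bool:
    """True when `fdesetup status` reports FileVault On; raises on unexpected text."""
    m = re.search(r"FileVault is (On|Off)", output)
    if m is None:
        raise ValueError(f"unrecognised fdesetup output: {output!r}")
    return m.group(1) == "On"


def parse_firewall(output: str) -> bool:
    """True when socketfilterfw reports a non-zero global state."""
    m = re.search(r"\(State = (\d+)\)", output)
    if m is None:
        raise ValueError(f"unrecognised socketfilterfw output: {output!r}")
    return int(m.group(1)) != 0


def evaluate_compliance(facts: Dict[str, Optional[bool]]) -> List[str]:
    """Return the controls that are not demonstrably satisfied.

    A missing or None fact counts as failing: an agent that cannot prove a
    control is in place must not report the device as compliant.
    """
    return [c for c in REQUIRED_CONTROLS if facts.get(c) is not True]


def _run(cmd: List[str]) -> Optional[str]:
    """Run a status command; None when the tool is absent (non-macOS host)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except (FileNotFoundError, PermissionError):
        return None


def collect_facts(mdm_facts: Dict[str, bool]) -> Dict[str, Optional[bool]]:
    """Merge locally probed facts with what the MDM server asserts about the device."""
    facts: Dict[str, Optional[bool]] = dict(mdm_facts)
    fv = _run(FILEVAULT_CMD)
    fw = _run(FIREWALL_CMD)
    facts["disk_encrypted"] = parse_filevault(fv) if fv else None
    facts["firewall_active"] = parse_firewall(fw) if fw else None
    return facts


if __name__ == "__main__":
    # Offline demonstration on the constructed samples: firewall off, FileVault on.
    demo = {
        "antivirus_current": True,
        "firewall_active": parse_firewall(SAMPLE_FIREWALL_OFF),
        "disk_encrypted": parse_filevault(SAMPLE_FILEVAULT_ON),
        "remote_lock": True,
        "remote_wipe": True,
    }
    print("failing controls:", evaluate_compliance(demo))
```

The design point is the "unknown counts as failing" rule in `evaluate_compliance`: if the probe cannot run, the device is reported non-compliant rather than silently passing, which is the behaviour an auditor checking the list above would expect.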
I strongly believe all this software only enlarges the potential attack surface.
Not sure if this "zoo" of software is more of a security theater and a legal protection to be able to tell everybody "we did all we could possibly do" in case of an attack/hack/what not.
But even if I strongly suspect my device was more secure before, I know that lots of less tech-savvy people will have at least some standard (encrypted SSD, and such) enforced. So I am not yet decided if in the end the net benefit is positive.
It's all about fulfilling IT and law checklists.
You say spyware; I say software that guarantees there is a password, that there is a reasonable lock-out time, that encryption is enabled, etc. Leaking data because you let your most gullible employee install whatever he or she liked on their laptop and phone (eg Facebook's spyware certs so they can read all your traffic) is going to get you in trouble in a hurry.
For example, CCPA. Which applies to a lot of us in 6 months.
> duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information
I am undecided if in the end the additional software is a net positive. I am totally on your side that some basic security measures need to be enforced. And I know that this might be possible in terms of culture and processes like onboarding with a small number of employees.
And I know that in a global corp this isn't feasible.
Nonetheless I am not sure that just throwing software at a basic problem of awareness really helps in the end. Especially if the standards to be enforced, like ISO 27001, are in some cases weakening the security.
I am forced to use shorter passwords now. And I need to rotate them after a specific amount of time. I automatically have software installed (because next to security stuff we get some additional software) that does not exactly have a reputation of being secure.
So while there is light there is also quite some shadow.
Whether in the end this proves to be a net positive, we will have to wait and see.
And yes: I call it spyware. It has its own SSL certs, could potentially open my connections, monitors all and every connection my device makes, can (without me knowing) download any file on my device. And also can plant any file on my device without my knowledge.
As root it can add any additional functionality without my knowledge. And it does, as far as I have been told, scan any network I connect to for unmanaged devices and transmits (to quote) "a rich set of information for the located assets, including the hostname, MAC and IP addresses, device manufacturer, operating systems, open ports, applications, and historical information such as the first and last time the asset was seen on the network."
And it is not only being marketed as being compliant to GDPR, but actively helping and supporting companies to become compliant with this exact feature.
I also talked them out of requiring virus detection on our macs, but this took a lot of work to avoid trusting (most) laptops.
But also thanks a lot for the idea to do this and try that. Not sure if it works with being ISO 27001 certified - but at least one can try.
They (the company) better be the ones buying it. You shouldn’t have to pay to give your employer the ability to contact you outside of normal work hours.
In which case it's not really BYOD anymore. :)
The company could provide a device for that of course, but people often don't want that or it isn't reliable: they don't want an extra device to carry around, they don't remember to keep it charged, they forget to take it with them far more often than their own phone, ... So as well as the cost aspect BYOD can make things more convenient in other ways.
It's also worthwhile to set up a separate home LAN for work stuff. This not only protects you, but it also ensures that work data is kept away from roommates, guests, etc. Prosumer-level routers and access points like Ubiquiti can broadcast multiple SSIDs and tag traffic on each with a different VLAN. Not at all hard to set up and definitely worth the peace of mind.
BYOD is a cost-cutting measure by the office, but if you buy a second device then the cost isn't cut, it's transferred. To you. So congratulations on your pay decrease.
I've lived under both regimes, and definitely preferred the multiple device one. It had its moments of inconvenience, but I loved putting the work phone in a drawer on Friday night and leaving it there until Monday morning.
The reality is, convenience wins again here. I, for one, don't give a shit what control my company has over my phone. Not only has nothing ever happened as a result of me using a BYOD policy, the overall rate in the industry seems acceptably low too.
I only have 24 hours in my day, I can't be worrying about things that aren't likely to affect me in any material way. I simply don't have time.
What happens more often: car accidents due to speeding or people being fired because their company tracks where they are and doesn't approve? Do you still speed?
When I hand my phone to my kids to play a game, I don't want them to have access to my email / text messages / contacts etc.
It's ridiculous that a 1000€ device is restricted to single user mode.
It's even worse for iPads -- they are perfect devices for sharing in the family, but only a single person can use them for Email / iMessage / Whatsapp / Facetime / ...
But I don't have any hopes that Apple will fix this. They want everyone in the family to own their own set of iDevices.
Of course, Android has both.
I just want Face ID to recognize that it's my kid, and not show them notifications for my work related stuff, and just let them play Minecraft and Monument Valley or whatever they want.
It’s also yet another way that locked-down devices allow manufacturers to advance their interests at the expense of consumers. There’s a Jailbreak tweak that enables multiple profiles...
Did Android do away with work profiles recently? I used to have one and then following an update from the Enterprise, the apps were commingled and there was no way to explicitly "turn off work".
Yes. This is a true thing that users fear. It tends to happen because they're using phones that don't allow any more constrained option.
It's nice to see iOS catching up with Android in this.
It kind of makes sense for them to do that if your device is stolen, but I still just don't like handing over control of my device like that.
They typically also enforce other annoying policies, such as not allowing rooted devices, not allowing swipe patterns and requiring a PIN/password. The VMWare one even required that all browsing went through their shitty browser app (and presumably they got all my history).
Again, some of this makes sense from an enterprise point of view, but as a user it's annoying and feels invasive.
I once watched an employer go from unwilling to adopt MDM to requiring it for accessing substantive systems on personal devices. The CEO lost his phone, and suddenly appreciated what MDM was good for.
Users were given a choice: MDM, sandboxed if they had a device with modern technology, or no significant access on personal devices. A lot of users had phones that didn't offer sandboxing, so myself and several others found ourselves explaining quite often that there literally was no option available where remote wipe wasn't possible. If they didn't like that, well, they didn't actually need access from their phones, so...
Anyway. I'm quite glad Apple is starting to actually catch up a bit.
I don't know how many corps care about this, but when I did that kind of job, I refused to have my corp have access to a user's personal data, and be able to brick their personal device, etc. It's not acceptable from a privacy POV and not acceptable from an employee backlash POV. Anyway it was an easy choice because we never had sensitive data that could make it to a phone/tablet. In an environment more like that, I would probably have instituted some kind of privacy waiver that an employee would have to sign in order to BYOD (apple brand). That probably wouldn't fly today, in europe. GDPR and all that.
I say my view of it isn't comprehensive, but a requirement that all devices be under MDM even if those devices don't have access to customer data, is quite an overreach.
Given the general situation with data breaches and so forth, I wouldn't be shocked if, down the road, more and more companies decide that there's just too much risk with BYOD and require employees to use locked-down company-provided devices.
I don't live to work and there's no reason to hand over any more info about my personal life than necessary.
I think Apple's solution to the problem might work. As long as the company's data is separate from mine, what I do on my phone is private, and basic functionality like screenshots is available on my phone, the solution looks good to me.
It might. As long as IT/Security can be convinced that it fulfills their goals. That doesn't seem like a sure thing.
Shame that Apple doesn't take this one step further and do it system-wide.
Other examples: App Store itself, Siri, cross-app sharing... it always starts with just-Apple-apps before expanding.
See https://developer.apple.com/business/documentation/Configura... and go to page 95, where it describes the OnDemandRules key for VPN configuration, which supports matching criteria based on domain names, SSID, interface type, and server reachability.
EDIT: I misunderstood. The point is not to get the VPN to auto-connect, but to use the VPN for only certain domains.
Per-site VPNs are possible in Safari, which is a poor approximation that keeps the VPN active (consuming battery) as long as Safari is active.
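The OnDemandRules mechanism mentioned a few comments up is what makes "VPN only for certain domains" possible in a configuration profile. As an added example that is not from the thread and not Apple's own sample code, the following Python builds a minimal `com.apple.vpn.managed` payload whose rules use the documented `EvaluateConnection` action with `ConnectIfNeeded` for the work domains, and a `Disconnect` rule keyed on `InterfaceTypeMatch`/`SSIDMatch` for the office Wi-Fi. It also includes a small evaluator that mimics the documented first-match rule order for the subset of keys used here, so you can see which action a given hostname and network would produce. Assumptions of this example: the function names, the `corp.example` hostnames and `CorpOffice` SSID are constructed; the IKEv2 server entries are placeholders (a deployable profile also needs the credential keys for the chosen VPN type); and the suffix matching in `domain_matches` is an approximation of Apple's own domain comparison, not its implementation.

```python
"""Per-domain VPN via OnDemandRules in an Apple configuration profile (added example).

The payload keys are the documented ones; everything else (names, hosts,
SSIDs, the evaluator) is this example's own construction.
"""
import plistlib
import uuid
from typing import Dict, List, Optional, Sequence

WORK_DOMAINS = ["corp.example", "git.corp.example"]   # constructed sample values
OFFICE_SSIDS = ["CorpOffice"]                           # constructed sample value


def build_on_demand_rules(work_domains: Sequence[str], office_ssids: Sequence[str]) -> List[Dict]:
    """Rules are evaluated top to bottom; the first rule whose match keys apply wins."""
    return [
        # On the office Wi-Fi the resources are reachable directly: keep the tunnel down.
        {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": list(office_ssids)},
        # Everywhere else, raise the tunnel only when a work domain is being resolved.
        {"Action": "EvaluateConnection",
         "ActionParameters": [{"Domains": list(work_domains), "DomainAction": "ConnectIfNeeded"}]},
    ]


def build_vpn_payload(work_domains: Sequence[str], office_ssids: Sequence[str],
                      server: str = "vpn.example.com") -> Dict:
    """Minimal VPN payload; the IKEv2 block holds placeholders, the point is OnDemandRules."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.work",          # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Work VPN (per-domain)",
        "UserDefinedName": "Work VPN",
        "VPNType": "IKEv2",
        "IKEv2": {"RemoteAddress": server, "RemoteIdentifier": server},  # placeholders
        "OnDemandEnabled": 1,
        "OnDemandRules": build_on_demand_rules(work_domains, office_ssids),
    }


def build_profile(work_domains: Sequence[str], office_ssids: Sequence[str]) -> Dict:
    """Wrap the VPN payload in a top-level configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.workvpn",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Work VPN profile",
        "PayloadContent": [build_vpn_payload(work_domains, office_ssids)],
    }


def to_plist_bytes(profile: Dict) -> bytes:
    """Serialise as the XML plist that would be saved as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def domain_matches(host: str, pattern: str) -> bool:
    """Suffix match: 'corp.example' covers itself and any subdomain (approximation)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def evaluate_on_demand(rules: List[Dict], host: str, interface: str,
                       ssid: Optional[str]) -> Optional[str]:
    """Return the action the first matching rule yields for this host/network.

    None means no rule (or no domain entry) applied, so the VPN is left as is.
    """
    for rule in rules:
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        if "DNSDomainMatch" in rule and not any(domain_matches(host, d) for d in rule["DNSDomainMatch"]):
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for params in rule.get("ActionParameters", []):
            if any(domain_matches(host, d) for d in params["Domains"]):
                return params["DomainAction"]
        return None
    return None


if __name__ == "__main__":
    rules = build_on_demand_rules(WORK_DOMAINS, OFFICE_SSIDS)
    print(evaluate_on_demand(rules, "git.corp.example", "WiFi", "HomeNet"))   # ConnectIfNeeded
    print(evaluate_on_demand(rules, "git.corp.example", "WiFi", "CorpOffice"))  # Disconnect
    print(to_plist_bytes(build_profile(WORK_DOMAINS, OFFICE_SSIDS)).decode()[:200])
```

Rule order matters: because the office-SSID `Disconnect` rule comes first, a work hostname resolved on `CorpOffice` never reaches the `EvaluateConnection` rule, while the same hostname on any other network triggers `ConnectIfNeeded`; a hostname outside the listed domains leaves the tunnel untouched, which is the per-domain behaviour the comment above was after.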
There were a few (software) restrictions placed on the devices, namely that you had to have password lock turned on, and a password complexity policy. But after that they really did not interfere at all. When I left I reset that phone myself, and then bought a new iPhone and used the backup (not including OS) of that phone off of iCloud (of course minus the Apple email account they just turned off, and a couple of Apple-only apps I was using).
Other than some basic access controls on systems (especially around iOS sources), and a lot of prototype-asset-tracking (I ran a lab with a lot of that), Apple really does trust their developers to do the right thing. If they trust you to have the information, then they trust you not to share it without a lot of big-brother monitoring.
And there really is very little in the way of an IT department at Apple as you would normally think of it. They provided the network and the printers, but setting up your own computer was usually up to you and whatever help you got from your team (who really were the ones who knew what you needed for resources).
it's a thrice-removed description, but at a surface level it sounds better than android profiles, at least for work/home device sharing.
for sharing with family members (parents/kids, eg) it doesn't sound so awesome. hey, if it means kids have to have their own tablet, well more power to apple then!