
I hate that as an admin, I have that power instead of just restricting my ability to remove company email/calendar/contacts only. I have a handful of senior execs who do not want a company phone (or rather give up their personal phone), still want to access company email, but do not want to install MDM because it allows me to completely wipe their device or perform other system-level stuff.

All I want as the admin is to (1) authorize if a device can be used to connect to company resources (2) require minimum level of security (pin/pass unlock) to be available to access company data and (3) de-authorize the device, which immediately deletes ONLY company data.

I don't want anything else. I don't want to sync photos, share clipboard, change security settings, send blaring lost-phone alerts. Those are not my problems. Just let me have an isolated VM-like area where I can allow/disallow the user's access to company data.




Maybe I have never worked a corporate-enough job to see this, but at all the tech companies I’ve worked at, the idea of requiring an MDM profile on your personal phone to access work email would be more or less unthinkable. I’ve known engineers to balk at installing a simple, no-permissions-required multi-factor authentication client; I can only imagine the revolt that would ensue were they asked to consent to remote management.

I feel very sad to hear people install their employer’s MDM on their personal phones.

It’s kind of like your employer wanting a key to your car when it’s in the company lot, or to check your coat pockets when you leave work, or requiring a vial of your blood.

Some would say that I am privileged to say “nope!” to all of the above, but tacitly requiring employees to bring their own devices and then controlling them with MDM is such an inappropriate use of power that we should be protected from it, by right.


We agree. I understand why employers require MDM, but I've always had a device that is a work-only silo of apps and authorizations because control of my device is important to me.

The work phone VM here would still be MDM managed, have policies enforced, support remote lock/wipe, etc.

It's a really elegant solution IMO.


Bullshit. Lock down your work desktops properly and use a separate work only phone with MDM

You may not be able to get your phone on the corporate network without installing their MDM, and you may not want to give your employer the ability to wipe your phone.

What I don’t really understand is how we ended up at the point where invasive MDM is even acceptable. People mix their work and personal lives all the time: even if I take my work laptop home and use it, it would be a massive overreach to show up at my house and demand that I let them search it. Why do we accept the equivalent for phones? Ok, I put company email on my phone: you should be able to wipe just that and retain a copy (which, running a central server, you do of course). Why should you have any right to do more than that?

My company isn't nearly as high profile or security focused and we're not allowed to use our own computers for any work related purposes, and our work laptops run threat detection software and we have a whitelist of software we're allowed to install.

I'm surprised that LastPass's policies aren't at least that strict.

My company has what I think is a big hole in this policy in that we're allowed to use our own phone for email, a few corporate apps (like Jira) and our corporate password manager (not LastPass), but IT doesn't do any management of phones (other than being able to wipe them remotely if you're connected to the company email server). I suspect that the company doesn't want to spend the money on giving everyone a managed phone.


Same here. I have been on the other side of the equation too, having to implement and admin MDM, and every time it made me feel dirty knowing the power it really gave me over an employee's personal phone. The worst part about it, especially the more I have adventured into SV land, is how often the culture pretends "we don't do that sort of thing" but being the kind of person who knows lots of lawyers, I read the legal docs and yep, sure enough, the handbooks and vast array of other docs all talk about it in the fine print. So there are employees that balk when I tell them why I don't use company email on my personal phone... and I get a bit frustrated that these are the people who ought to understand this sort of thing!

I will always want separate phones for employers that want to use MDM on the device, or else I just won't do any work on the phone... which unfortunately in some companies is looked down on. Glad I'm in a better environment these days (MDM exists on the sly, but I am not pressured to use email outside work hours). That said, this is also why I don't want to shift into the management path either, because that changes once you are in mgmt.


Many companies make MDM mandatory and refuse to pay for a phone. Most people will just comply rather than have _no mobile access_ to their work email at all (which will cause conflict with managers, and may even lose you a job).

I don't have MDM on my phone (no alt-roots or anything). "Just" the 2FA, gmail and Slack. But I agree, I'm tempted to get the work stuff off and onto an old phone just to have the mental separation.

I feel like most/many articles such as this are targeted at large enterprises/organisations. I've never been asked to install anything like MDM on my phone for any company I've worked for if needing to/wanting to view work email on my phone. But then I've never worked for a company who has more than around 25 members of staff.

Agreed. For a while my company allowed Office 365 access from my cell phone without installing anything but now they require Intune and reserve the right to wipe phones but promise to never do it. I guess I will stop using Outlook on my phone...

I generally agree although you may still be asked to install MDM on that phone to access, say, work email. How obtrusive that MDM is depends on your company’s policies.

Apple and Microsoft have done it where the MDM need not actually be the device so much as the data container for all things Office. Instead of Mobile Device Mgmt, it’s more Mobile Data Mgmt.

This allows the company to wipe data that actually belongs to them, but a policy doesn’t have to let them see your activity, mails, photos, or even what other apps you have.

If your employer is running policies for accessing your private stuff, send the right people some docs on how to protect company data w/o invading your privacy.
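The "Mobile Data Mgmt" model this comment describes, and the three controls the admin at the top of the thread asks for (authorize access, require a PIN, wipe only company data), map onto what Microsoft calls an app protection policy: a policy attached to the managed apps rather than to the device. Below is an added example, not code from any commenter or from Microsoft, that builds such a policy body for Microsoft Graph. The endpoint and property names follow the documented `iosManagedAppProtection` resource as I know it, but check them against the current Graph reference before use; the bundle ID, policy name and bearer token are constructed placeholders. Device authorization itself (the admin's point 1) is not part of this body; in Microsoft's model it is enforced by a Conditional Access rule that requires an app protection policy for the sign-in, so only apps carrying this policy can reach the mail service.

```python
"""Build a Microsoft Intune app protection (MAM) policy body for iOS that
carries only data-container controls: PIN, data flow, selective wipe.
Added example; assumes Microsoft Graph v1.0 and the iosManagedAppProtection
resource. Nothing in the policy reaches device-level MDM features."""
import json
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
POLICY_PATH = "/deviceAppManagement/iosManagedAppProtections"

# Constructed sample scope: only the Outlook app carries the policy.
MANAGED_BUNDLE_IDS = ["com.microsoft.Office.Outlook"]


def build_ios_app_protection_policy(display_name, min_pin_length=6,
                                    offline_days_before_wipe=30):
    """Return a request body for POST .../iosManagedAppProtections.

    Requirement (2) from the thread: an in-app PIN independent of the device
    passcode.  Requirement (3): wipe of the app's company data only, on demand
    from the console or automatically after the offline grace period.
    The remaining keys keep company data inside the managed apps so a wipe of
    those apps actually removes all of it."""
    apps = [
        {
            "@odata.type": "#microsoft.graph.managedMobileApp",
            "mobileAppIdentifier": {
                "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                "bundleId": bundle_id,
            },
        }
        for bundle_id in MANAGED_BUNDLE_IDS
    ]
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        "apps": apps,
        # Company data opens only after sign-in with organisational credentials.
        "organizationalCredentialsRequired": True,
        # (2) App PIN: required, numeric, no trivial sequences, limited retries.
        "pinRequired": True,
        "minimumPinLength": min_pin_length,
        "simplePinBlocked": True,
        "pinCharacterSet": "numeric",
        "maximumPinRetries": 5,
        # (3) Selective wipe of app data after this offline period (ISO 8601).
        "periodOfflineBeforeWipeIsEnforced": f"P{offline_days_before_wipe}D",
        # Keep company data inside the managed apps; personal apps stay untouched.
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "dataBackupBlocked": True,
        "appDataEncryptionType": "whenDeviceLocked",
    }


def device_controls_present(policy):
    """Return the list of device-level capabilities the policy asks for.

    An app protection policy has no fields for them, so for a well-formed MAM
    body this is empty; the check exists so a reviewer can assert that a
    policy handed to them really is data-only before approving it."""
    device_level = {"remoteLock", "remoteWipe", "passcodeRequired",
                    "cameraBlocked", "locationTracking"}
    return sorted(k for k in policy if k in device_level)


def create_policy(bearer_token, policy_body):
    """POST the body to Graph. Needs DeviceManagementApps.ReadWrite.All.
    Not executed here; the token is a placeholder supplied by the caller."""
    req = urllib.request.Request(
        GRAPH_BASE + POLICY_PATH,
        data=json.dumps(policy_body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # pragma: no cover
        return json.load(resp)


if __name__ == "__main__":
    body = build_ios_app_protection_policy("Outlook data-only policy (sample)")
    print(json.dumps(body, indent=2))
    print("device-level controls:", device_controls_present(body))
```

Once the policy exists, de-authorizing a user (the admin's point 3) is a wipe of the registered app instance from the Intune console, which removes mail, calendar and contacts from Outlook and leaves the rest of the phone as it was.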


I was asked by a previous employer to perform the rollout of MDM to our mobile fleet, and I fully agree with everything in the article. Restrictions were implemented at the whim of my boss.

As an example, he found out there was a feature in the MDM service to block access to YouTube. He made sure that was ticked. Why? He didn't want people wasting time on 'his' phones. And the helpdesk would explode every time a new restriction was rolled out, but he didn't seem to notice or care. In his mind they were his phones.


This makes no sense. My employer provisions me a work phone so that they manage it end-to-end with MDM, and ensure that it stays physically separate from non-corporate assets. If this product just lets me use my work phone on my personal phone, then it completely defeats the purpose, and my employer might as well just allow use of work communications on personal devices.

I fail to see the issue. Hell my company went further: only their registered devices can even login to access company emails (including via web!) and other services.

Not only does it protect them, it enforces the work/personal hardware separation for me, which is good. My work hardware (which is pretty much a laptop and a phone) has no traces of my personal stuff and my personal has no traces of my work stuff and can't even if I wanted it to.

I genuinely don't understand the mixing of personal and work environments. Why would anyone possibly be interested in carrying their work phones with them after they're done with work?


There is another problem with using your own phone for work: many companies now require you to install their MDM profile to access email or other services. This gives them a lot of power to do whatever they like with the device, remotely. If a security breach occurs and they deem it prudent, they can wipe the phone remotely, for example. And I don't even know what they can access from the phone's content, probably everything.

It's quite simply an issue of ownership: if they don't pay for the phone, they don't get that. If you want root on a device, pay for it and issue it to the user.

So, in that sense a device issued by the employer is better. I'm not installing anyone's MDM profile on my phone, that I pay for, that contains my personal photos, messages, etc.

