
Maybe I have never worked a corporate-enough job to see this, but at all the tech companies I’ve worked at, the idea of requiring an MDM profile on your personal phone to access work email would be more or less unthinkable. I’ve known engineers to balk at installing a simple, no-permissions-required multi-factor authentication client; I can only imagine the revolt that would ensue were they asked to consent to remote management.



Many companies make MDM mandatory and refuse to pay for a phone. Most people will just comply rather than have _no mobile access_ to their work email at all (which will cause conflict with managers, and may even lose you a job).

I feel like most/many articles such as this are targeted at large enterprises/organisations. I've never been asked to install anything like MDM on my phone for any company I've worked for if needing to/wanting to view work email on my phone. But then I've never worked for a company who has more than around 25 members of staff.

We agree. I understand why employers require MDM, but I've always had a device that is a work-only silo of apps and authorizations because control of my device is important to me.

I feel very sad to hear people install their employer’s MDM on their personal phones.

It’s kind of like your employer wanting a key to your car when it’s in the company lot, or to check your coat pockets when you leave work, or requiring a vial of your blood.

Some would say that I am privileged to say “nope!” to all of the above, but tacitly requiring employees to bring their own devices and then controlling them with MDM is such an inappropriate use of power that we should be protected from it, by right.


I hate that as an admin, I have that power instead of just restricting my ability to remove company email/calendar/contacts only. I have a handful of senior execs who do not want a company phone (or rather give up their personal phone), still want to access company email, but do not want to install MDM because it allows me to completely wipe their device or perform other system-level stuff.

All I want as the admin is to (1) authorize if a device can be used to connect to company resources (2) require minimum level of security (pin/pass unlock) to be available to access company data and (3) de-authorize the device, which immediately deletes ONLY company data.

I don't want anything else. I don't want to sync photos, share clipboard, change security settings, send blaring lost-phone alerts. Those are not my problems. Just let me have an isolated VM-like area where I can allow/disallow the user's access to company data.


My experience with MDM is that it satisfies occasional customer requirements that employees have MDM on devices that they may use to access work information.

And basically the MDM requires that employees have a password set and that's about it.

There are certainly situations where there should be entirely separate work and personal devices but, in my experience, most people freely intermix usage.


If it doesn’t require an MDM profile, I have no problem putting my work email on my personal phone. I don’t want to carry around two devices.

I generally agree although you may still be asked to install MDM on that phone to access, say, work email. How obtrusive that MDM is depends on your company’s policies.

Same here. I have been on the other side of the equation too, having to implement and admin MDM, and every time it made me feel dirty knowing the power it really gave me over an employee's personal phone. The worst part about it, especially the more I have adventured into SV land, is how often the culture pretends "we don't do that sort of thing" but being the kind of person who knows lots of lawyers, I read the legal docs and yep, sure enough, the handbooks and vast array of other docs all talk about it in the fine print. So there are employees that balk when I tell them why I don't use company email on my personal phone... and I get a bit frustrated that these are the people who ought to understand this sort of thing!

I will always want separate phones for employers that want to use MDM on the device, or else I just won't do any work on the phone... which unfortunately in some companies is looked down on. Glad I'm in a better environment these days (MDM exists on the sly, but I am not pressured to use email outside work hours). That said, this is also why I don't want to shift into the management path either, because that changes once you are in mgmt.


There is another problem with using your own phone for work: many companies now require you to install their MDM profile to access email or other services. This gives them a lot of power to do whatever they like with the device, remotely. If a security breach occurs and they deem it prudent, they can wipe the phone remotely, for example. And I don't even know what they can access from the phone's content, probably everything.

It's quite simply an issue of ownership: if they don't pay for the phone, they don't get that. If you want root on a device, pay for it and issue it to the user.

So, in that sense a device issued by the employer is better. I'm not installing anyone's MDM profile on my phone, that I pay for, that contains my personal photos, messages, etc.


>When you add a work email address to your phone, you’ll likely be asked to install something called a Mobile Device Management (MDM) profile

...what? The Outlook app containerizes your email account specifically so that you don't have to do this. Your company can remotely wipe your work account and only your work account.

Of course MDM gives access to your phone - that's its whole purpose.


Most corp IT teams require employees to install a mobile device management profile, which enables you to then run teams, get email access etc. It’s also what gives your company privileges on your phone.

Some MDM profiles can have pretty nasty access enabled (e.g. route all IP traffic via Corp net, access device location at all times, remote wipe etc).

Take a look at what your MDM profile says if you have one installed.


What I don’t really understand is how we ended up at the point where invasive MDM is even acceptable. People mix their work and personal lives all the time: even if I take my work laptop home and use it, it would be a massive overreach to show up at my house and demand that I let them search it. Why do we accept the equivalent for phones? Ok, I put company email on my phone: you should be able to wipe just that and retain a copy (which, running a central server, you do of course). Why should you have any right to do more than that?

TLDR: "do not put work email on personal phone, as the company may ask you to install mobile device management (MDM) to manage your device, which gives them opportunity to spy / control".

This conflates two different things: work email and MDM on personal phone. While I would never install company MDM on my personal phone, many organizations allow you to access work email from personal phone, no MDM strings attached. My 2c.


Why anyone would allow an employer to install MDM software on their personal device is beyond me.

> Is there actually serious companies who ask their employees to install a MDM on their personal phone?

Every company that does BYOD?


> When you add a work email address to your phone, you’ll likely be asked to install something called a Mobile Device Management (MDM) profile.

My wife was asked to do this, and (after a discussion with me explaining what that means) she told them they could buy her a phone if they wanted that.

The company I work for does not require it, and I agree to have email and slack on my phone. They don't reach out to me on off hours unless there's a very good reason.


I don't have MDM on my phone (no alt-roots or anything). "Just" the 2FA, gmail and Slack. But I agree, I'm tempted to get the work stuff off and onto an old phone just to have the mental separation.

Part of me thinks that MDM on employee phones has become something of a checkbox item because customers ask for it but it's not clear to what extent it really protects sensitive customer data (which is what they're concerned about).