Secure BYOD is mostly unsolved wrt most common/popular Android phones. (Windows is also “a thing” but that didn’t stop Maersk or whoever from getting ransomwared, did it?)
Most serious orgs prohibit BYOD unless you are on Pixel or iPhone where MDM can actually work securely. There is no meaningful way to secure corporate data on an employee-owned Galaxy, for example.
It is the rare corp that can do BYOD securely. The best practice is issuing corporate iPhones to all staff with universal MDM and keeping all corp data physically separate from personal devices.
This also saves your employees’ nudes in a subpoena/discovery situation during a civil action against the corp, which is all too common.
I'd rather not have to carry two mobile phones around which would be the alternative to BYOD.
BYOD is fine if the MDM software does profiles and allows the separation of company data and personal data. That way the company can only wipe its own data and not the personal data.
I can't see BYOD with MDM.
With MDM, it's not YOD. You're just paying for the corporate device out of your pocket, and there's no certainty you'll ever get it back.
There is another problem with using your own phone for work: many companies now require you to install their MDM profile to access email or other services. This gives them a lot of power to do whatever they like with the device, remotely. If a security breach occurs and they deem it prudent, they can wipe the phone remotely, for example. And I don't even know what they can access from the phone's content, probably everything.
It's quite simply an issue of ownership: if they don't pay for the phone, they don't get that. If you want root on a device, pay for it and issue it to the user.
So, in that sense a device issued by the employer is better. I'm not installing anyone's MDM profile on my phone, that I pay for, that contains my personal photos, messages, etc.
Apple and Microsoft have done it where the MDM need not actually be the device so much as the data container for all things Office. Instead of Mobile Device Mgmt, it’s more Mobile Data Mgmt.
This allows the company to wipe data that actually belongs to them, but a policy doesn’t have to let them see your activity, mails, photos, or even what other apps you have.
If your employer is running policies for accessing your private stuff, send the right people some docs on how to protect company data w/o invading your privacy.
Pretty much exactly the same story here, but sadly most of us reading this are in Tech so we know better than to accept a BYOD policy, and our companies are rich enough to accept that and either issue phones or deal with the fact we're going to be out of communication for some period of time.
Other industries are not going to give people the choice, and will force these policies on their captive users. So, we need to push back and make MDMs better to protect those users.
I feel very sad to hear people install their employer’s MDM on their personal phones.
It’s kind of like your employer wanting a key to your car when it’s in the company lot, or to check your coat pockets when you leave work, or requiring a vial of your blood.
Some would say that I am privileged to say “nope!” to all of the above, but tacitly requiring employees to bring their own devices and then controlling them with MDM is such an inappropriate use of power that we should be protected from it, by right.
Maybe I have never worked a corporate-enough job to see this, but at all the tech companies I’ve worked at, the idea of requiring an MDM profile on your personal phone to access work email would be more or less unthinkable. I’ve known engineers to balk at installing a simple, no-permissions-required multi-factor authentication client; I can only imagine the revolt that would ensue were they asked to consent to remote management.
We agree. I understand why employers require MDM, but I've always had a device that is a work-only silo of apps and authorizations because control of my device is important to me.
You may not be able to get your phone on the corporate network without installing their MDM, and you may not want to give your employer the ability to wipe your phone.
+1 on the MDM stuff. I recently had a guy I know lose all his photos after he left a company. The company said that they could only wipe the company partition on his Android phone, but somehow they could wipe the whole thing and pressed the wrong button.
Leaving a job is hard enough without having to disentangle a bunch of devices and accounts. If an employer wants the security of MDM, just have them provide you the device. Otherwise, it's your device, and you can be responsible for deleting the company related content on it when you separate.
The most important part is that MDM can install VPN settings and root SSL certs on your phone, allowing your employer to intercept all traffic to and from your phone (unless the apps use SSL certificate pinning or end-to-end encryption).
People probably don't expect their employer to be able to intercept e.g. their Facebook messages or private email.
And it's trivial to protect against this: just use your own device for personal stuff. You probably don't need to bring a second laptop on a work trip, just bring your own phone or tablet for stuff that you don't want someone at your company to track...
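The point in the comment above about MDM-installed root certificates and pinning is worth seeing in code. The following Go program is an added example and is not code from any commenter or from any MDM product: it mints throwaway certificates in-process (a genuine server certificate, plus a second certificate for the same host issued by a constructed "MDM root" CA, standing in for a root an MDM profile could push into the device trust store), pins the genuine server's SubjectPublicKeyInfo hash, and shows that the pinned verifier accepts the genuine chain and rejects the MDM-issued one even though a device trusting that root would consider it valid. The host name, the CA name and all keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64-encoded SHA-256 of a certificate's
// SubjectPublicKeyInfo, the pin format used by HPKP and by Android's
// network security config / OkHttp CertificatePinner.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned returns a tls.Config.VerifyPeerCertificate callback that
// accepts a chain only if some presented certificate matches a pinned SPKI.
// Go runs it after, not instead of, normal chain validation, so a root
// injected into the trust store still cannot satisfy it.
func verifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if pins[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("pinning failure: no presented key matches a pinned SPKI")
	}
}

// PinnedTLSConfig is what a client would hand to tls.Dial or an http.Transport.
func PinnedTLSConfig(host string, pins map[string]bool) *tls.Config {
	return &tls.Config{ServerName: host, VerifyPeerCertificate: verifyPinned(pins)}
}

// issue mints a throwaway certificate for this demo (constructed, not from any
// real CA). parent == nil produces a self-signed certificate.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// PinOutcome holds the verifier's verdict on the genuine chain and on the
// chain minted by the constructed "MDM root".
type PinOutcome struct {
	Legit, Intercepted error
}

// RunScenario pins the genuine server key, then presents two chains for the
// same host: the genuine certificate, and one issued by a root an MDM profile
// could have pushed into the device trust store.
func RunScenario(host string) PinOutcome {
	legit, _ := issue(host, false, nil, nil)
	pins := map[string]bool{spkiPin(legit): true}

	mdmRoot, mdmKey := issue("Constructed MDM Root CA", true, nil, nil)
	intercepted, _ := issue(host, false, mdmRoot, mdmKey)

	verify := PinnedTLSConfig(host, pins).VerifyPeerCertificate
	return PinOutcome{
		Legit:       verify([][]byte{legit.Raw}, nil),
		Intercepted: verify([][]byte{intercepted.Raw, mdmRoot.Raw}, nil),
	}
}

func main() {
	out := RunScenario("mail.example.internal")
	fmt.Println("genuine chain:   ", out.Legit)       // <nil>
	fmt.Println("MDM-issued chain:", out.Intercepted) // pinning failure
}
```

The same check is what an app's network security config or CertificatePinner does on Android; the practical caveat is that pins must cover the key the server will rotate to, or the app breaks itself on the next certificate renewal. Pinning protects the pinned app's traffic only; anything sent by an unpinned app, or over a VPN the MDM profile configured, is outside its reach.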
One of the problems with MDM software is that corps want you to log in and use your personal phone, I guess to save costs, and to make it easy for you to do work out of your regular business hours.
If a company asked me to use MDM software and set themselves up as a device owner on a phone I purchased and used every day, my answer is: hell no.
If they want that, they can buy me a phone, and pay for the mobile/data plan. I've worked places that have done this, having 2 phones is a pain, but you only use the corp one at work or if you're oncall.