I’ve had a company require employees to install MDM on personal phones (remote control/management) to be allowed to use them for 2fa app or email access… there was a surprised Pikachu when I refused. Eventually they issued me a company phone, because it was impossible to do most tasks without 2fa. That device was on 9 to 5 only.
I have an MDM on my work phone and I can’t even access PlayStore anymore. It only allows Company Allowed Apps which is to say nothing. YouTube is broken because MDM somehow controls my DNS records. Firefox cannot be installed so Ads everywhere. Chrome only and it can only go to approved websites because Yahoo is safe but Ars Technica is not???
Why would anyone want that on a device they pay for?
MDM can be configured in 2 modes, one with company owned devices and one with bring your own device. But there are lots of settings that can be done, usually it is configured with work and personal profiles and the work one has all the restrictions in place and the personal has no limits. Maybe just some device features can be also enforced, like forbid the OEM unlock and ADB.
I work in IT and endpoint management is among my tasks. Knowing the things we can do to smartphones that are controlled by our mdm is enough to where I would never agree to having thatopn my personal device. I even refused to get a company provided smartphone.
It was kind of fun, because I joined the company as a part of acquihire and they came to my entire team to install MDM on our laptops. It turned out we were mostly running Linux, while their MDM was Windows and MacOS only. They left…
They came back 2 weeks later to tell us it would be best if we installed Windows. We told them “no, thank you” to which they responded with surprised pikachu, because they were used to their suggestions being treated as commands. So they left again.
A month later they came back to tell us we really should install Windows to which we responded that we’d have to rebuild out entire tooling and we’re on tight deadlines as-is. It’s important to note that their Windows setup didn’t allow VMs…
Some time later we got an email to let us know MDM vendor will soon have Linux beta. Does it support Arch and Nixos? They’ll get back to us on that. And we started researching how hard would it be to run BSD on a laptop ;-)
Ah, the confidence boost you get when you know your job is absolutely secure and the only reason you don’t quit is because of a retention bonus :D
Because the only 2FA allowed was onelogin push. Don’t ask me why.
They also used an “enterprise” VPN that was acquired by some larger company, was pretty much abandoned at that point and only worked with a proprietary client that took days to set up on Linux - this was fun for me and all my colleagues who ended at that sad company as a result of an acquihire and were 80% devs running linux.
I’ve had a company require employees to install MDM on personal phones (remote control/management) to be allowed to use them for 2fa app or email access… there was a surprised Pikachu when I refused. Eventually they issued me a company phone, because it was impossible to do most tasks without 2fa. That device was on 9 to 5 only.
But why would anyone?
I have an MDM on my work phone and I can’t even access PlayStore anymore. It only allows Company Allowed Apps which is to say nothing. YouTube is broken because MDM somehow controls my DNS records. Firefox cannot be installed so Ads everywhere. Chrome only and it can only go to approved websites because Yahoo is safe but Ars Technica is not???
Why would anyone want that on a device they pay for?
Is my MDM different from their MDM?
MDM can be configured in 2 modes, one with company owned devices and one with bring your own device. But there are lots of settings that can be done, usually it is configured with work and personal profiles and the work one has all the restrictions in place and the personal has no limits. Maybe just some device features can be also enforced, like forbid the OEM unlock and ADB.
Remote control of your personal phone for work? That sounds dodgey, I would definitely refuse. Would anyone actually accept that?
Also, 2fa is a really shit excuse for that.
Less than 2% of workforce got issued a company phone for that reason.
Any device required MDM installed to get access to VPN that got you to company network, to get 2fa app, SSO or email.
Sounds like they’re respecting work life balance in a round-about way.
What the fuck? Are there really people who allow that?
Over 98% did. My job was security adjacent so I’ve had some insight into those metrics
I work in IT and endpoint management is among my tasks. Knowing the things we can do to smartphones that are controlled by our mdm is enough to where I would never agree to having thatopn my personal device. I even refused to get a company provided smartphone.
Same.
It was kind of fun, because I joined the company as a part of acquihire and they came to my entire team to install MDM on our laptops. It turned out we were mostly running Linux, while their MDM was Windows and MacOS only. They left…
They came back 2 weeks later to tell us it would be best if we installed Windows. We told them “no, thank you” to which they responded with surprised pikachu, because they were used to their suggestions being treated as commands. So they left again.
A month later they came back to tell us we really should install Windows to which we responded that we’d have to rebuild out entire tooling and we’re on tight deadlines as-is. It’s important to note that their Windows setup didn’t allow VMs…
Some time later we got an email to let us know MDM vendor will soon have Linux beta. Does it support Arch and Nixos? They’ll get back to us on that. And we started researching how hard would it be to run BSD on a laptop ;-)
Ah, the confidence boost you get when you know your job is absolutely secure and the only reason you don’t quit is because of a retention bonus :D
deleted by creator
Why not just a physical TOTP token? There’s ones that do 100 Tokens, probably won’t need more than that. Smartphone for 2fa seems overkill.
Because the only 2FA allowed was onelogin push. Don’t ask me why.
They also used an “enterprise” VPN that was acquired by some larger company, was pretty much abandoned at that point and only worked with a proprietary client that took days to set up on Linux - this was fun for me and all my colleagues who ended at that sad company as a result of an acquihire and were 80% devs running linux.