Remote management of employees personal cell phones ...
-
We had looked into a few MDM options a couple of years back and the citrix one (XenMobile IIRC) basically put all of the corporate data into an isolated "bubble" that the company could wipe without touching the personal data on the device, either on corp or BYOD.
-
@Emad-R said in Remote management of employees personal cell phones ...:
@JaredBusch said in Remote management of employees personal cell phones ...:
While I agree with all the arguments above, it is also true that there are things like selective wipe possible. But as stated it comes down to how much you wanna pay for the product to do something like that. As an employee I would be perfectly comfortable with allowing control of my device to a limited sandbox like that.
Of course she wants to have to trust your employer when they say that’s all they can do with the solution they are using.
Well guess what, I will just get the cheapest smartphone like Nokia 2.1 and that is my "personal" work phone, I think this is the only way to manage that kind of crap, I'm sure management will be happy and this is what they want, for employees to PurchaseYOD, which is fine, I will be handing them a frekn 512MB RAM android phone, let us see what kind of app will be installed there? hell it will crash every 10 seconds
maybe this
or this
What a freekn shame, I can't believe I had more freedom in my previous workplace than I have in Canada, and I lived in what you guys call third world developing countries, hell we even made more progress, where I work now everything is blocked, even SSH to other servers that are not company servers is blocked, that mentality is so stupid, and basically tells you we don't trust you. You should worry about hiring good people and that's it. Why do you do all the reference checks, and job checks, then limit your employees and constantly monitor them?
If it wasn't for certain family conditions I would go back
We did warn you, didn't we?
-
@Emad-R said in Remote management of employees personal cell phones ...:
@JaredBusch said in Remote management of employees personal cell phones ...:
While I agree with all the arguments above, it is also true that there are things like selective wipe possible. But as stated it comes down to how much you wanna pay for the product to do something like that. As an employee I would be perfectly comfortable with allowing control of my device to a limited sandbox like that.
Of course she wants to have to trust your employer when they say that’s all they can do with the solution they are using.
Well guess what, I will just get the cheapest smartphone like Nokia 2.1 and that is my "personal" work phone, I think this is the only way to manage that kind of crap, I'm sure management will be happy and this is what they want, for employees to PurchaseYOD, which is fine, I will be handing them a frekn 512MB RAM android phone, let us see what kind of app will be installed there? hell it will crash every 10 seconds
maybe this
or this
What a freekn shame, I can't believe I had more freedom in my previous workplace than I have in Canada, and I lived in what you guys call third world developing countries, hell we even made more progress, where I work now everything is blocked, even SSH to other servers that are not company servers is blocked, that mentality is so stupid, and basically tells you we don't trust you. You should worry about hiring good people and that's it. Why do you do all the reference checks, and job checks, then limit your employees and constantly monitor them?
If it wasn't for certain family conditions I would go back
It's about way more than the employee.
Nothing in a background check will protect the company against some user installing some infected fake Angry Birds game on their Android phone, which ends up being a gateway for a hacker into private company data, or a way to get any other kind of information making it easier for an attacker to phish..., or a million other things that make sense to secure access to company data that you don't understand.
Don't be so damn narrow-sighted and quick to compare countries that actually try to secure their data from all aspects, from ones that don't know what they are doing.
-
We support several tools for BYOD, VMware Workspace One and Microsoft InTune being the most common.
For the companies that support BYOD, they will ask some specific users to put email and company apps on their phone; but they don't strongly imply or anything toeing legal related.
The MDM solution used is really specific on the data that it can see and has control over. If a user chooses to use their personal device, they are agreeing to have that company data controlled, not their entire device; meaning that if they leave the company then the company can remotely remove that data from their device. The company is also monitoring the usage of that data within that company app, as part of the terms that the user is displayed with upon setting up the app.
If a user is provided a company stipend for a cell phone, by using their personal phone, there may be qualifications of a device that have to be met. These could include: phone call and SMS text messaging availability, photos, email, and specific company apps that run on a certain platform such as Android and/or iOS. Basically, the company will provide a stipend to most modern smart phones, no flip phones as they likely don't have the basic functionality for certain things such as email/etc. If a user is uncomfortable with the company having any access to their device, then they can go without the stipend, but the company is thereby not allowed to attempt contacting the person on their personal device as that's a clear separation; another alternative is a company requiring the employee to carry a company-provided device instead of offering a stipend, with certain hours/days that the employee must respond to inquiries using the device (possibly even limited to whom they are able to respond, i.e. no personal calls made or personal data stored).
-
@scottalanmiller said in Remote management of employees personal cell phones ...:
And then they said "We want to get back the thing we just gave up."
Which do they want, to not pay for the phones, or to control the data? They have to choose.
Not really. Proper MAM/MDM systems can surgically handle company data on a personal device...
-
The app keeps only an encrypted cache. It validates the account is active every xxx minutes, days, hours. Encrypted cache auto purged at xxx hours without communication with corp network.
-
The app usage is Geo-fenced to specific areas.
-
When possible, data doesn't actually live on the phone. You have a SSO app on the phone that validates your access (and other criteria like network or location) and then brokers access to the other apps, or externally hosted SaaS assets.
This is how we do it. No need to brick my phone to take out company data, or turn anyone's smart phone dumb.
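The cache lifecycle described in the post above (encrypted-only local storage, periodic account validation, automatic purge after too long without corporate contact, geofencing) as an added Python example. This is constructed for illustration and is not Workspace ONE/AirWatch code or any product's implementation; the intervals, the region labels, and the `account_active` / `corp_reachable` flags are assumptions standing in for what the SSO broker would learn from the corporate network.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Policy knobs. The post leaves the intervals as "xxx"; these values are
# constructed for this example, not any product's defaults.
REVALIDATE_EVERY = timedelta(minutes=30)    # re-check the account this often
PURGE_AFTER_OFFLINE = timedelta(hours=24)   # no corp contact this long -> wipe cache
ALLOWED_REGIONS = {"hq", "branch-east"}     # constructed geofence labels

T0 = datetime(2024, 1, 1, 9, 0)             # constructed reference clock


def at(hours_after: float) -> datetime:
    """Clock helper for the walkthrough: T0 plus a number of hours."""
    return T0 + timedelta(hours=hours_after)


@dataclass
class CorpCache:
    """What the managed app keeps on the phone: only an encrypted blob and
    the timestamp of the last successful account validation. (The
    encryption itself is out of scope here; the blob is opaque.)"""
    ciphertext: Optional[bytes] = None
    last_validated: Optional[datetime] = None

    def purge(self) -> None:
        self.ciphertext = None
        self.last_validated = None


def check_access(cache: CorpCache, now: datetime, *, account_active: bool,
                 region: str, corp_reachable: bool) -> Tuple[bool, str]:
    """Gate every open of corporate data. Returns (allowed, reason).
    Only the cache is mutated; the rest of the phone is never touched."""
    # 1. Offline purge: too long since the last corp contact -> destroy local data.
    if cache.last_validated is not None and now - cache.last_validated > PURGE_AFTER_OFFLINE:
        cache.purge()
        return False, "denied: cache purged after offline timeout"
    # 2. Geofence: outside the allowed areas the app refuses; nothing is wiped.
    if region not in ALLOWED_REGIONS:
        return False, "denied: outside geofence"
    # 3. Periodic validation: first use, or interval elapsed, needs corp contact.
    needs_check = cache.last_validated is None or now - cache.last_validated > REVALIDATE_EVERY
    if needs_check:
        if not corp_reachable:
            return False, "denied: revalidation due, corp network unreachable"
        if not account_active:
            cache.purge()   # leaver / disabled account: remove the data, not the phone
            return False, "denied: account inactive, cache purged"
        cache.last_validated = now
    return True, "allowed"
```

Within the revalidation window the app keeps working offline; once the window lapses it refuses access but keeps the cache until the purge deadline, so a short outage does not destroy data while a leaver's disabled account does.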
-
-
@Emad-R said in Remote management of employees personal cell phones ...:
What a freekn shame, I can't believe I had more freedom in my previous workplace than I have in Canada, and I lived in what you guys call third world developing countries, hell we even made more progress, where I work now everything is blocked, even SSH to other servers that are not company servers is blocked, that mentality is so stupid, and basically tells you we don't trust you. You should worry about hiring good people and that's it. Why do you do all the reference checks, and job checks, then limit your employees and constantly monitor them?
Huh - I can't say I agree with you at all. Why do you need access to non company servers over SSH? This is their network and they are trying to protect it. I suppose the company could have been burned by a previous employee, therefore they don't trust their employees, but really it seems much more likely that they are simply trying to protect themselves from crap they don't need ON their network - like SSH traffic to servers they don't control.
-
@StorageNinja said in Remote management of employees personal cell phones ...:
@scottalanmiller said in Remote management of employees personal cell phones ...:
And then they said "We want to get back the thing we just gave up."
Which do they want, to not pay for the phones, or to control the data? They have to choose.
Not really. Proper MAM/MDM systems can surgically handle company data on a personal device...
-
The app keeps only an encrypted cache. It validates the account is active every xxx minutes, days, hours. Encrypted cache auto purged at xxx hours without communication with corp network.
-
The app usage is Geo-fenced to specific areas.
-
When possible, data doesn't actually live on the phone. You have a SSO app on the phone that validates your access (and other criteria like network or location) and then brokers access to the other apps, or externally hosted SaaS assets.
This is how we do it. No need to brick my phone to take out company data, or turn anyone's smart phone dumb.
What MDM are you using?
-
-
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
You can certainly do this with Intune and office 365. Basically you'd be able to wipe all corporate data as long as it's kept in office 365.
With Office 365 MDM, you can't disable the ability to do a full remote wipe. You do have more control over that with GSuite. Does Intune give you more control?
I'm pretty sure you can do what I described, but I'm not 100% sure.
It's not a question of what you can do, it's a question of what can the IT department be prevented from doing. The difference between wiping company data and wiping the whole phone just being different buttons does not reassure me.
This is how you do it - from MS link I posted earlier
"Enable your users to more securely access corporate information using the Office mobile and line-of business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed by Intune."
If you restrict actions like copy, cut, paste, saving, screenshots, etc then you keep the data inside Office Mobile. Then you just remove the Office Mobile app remotely.
Are you able to enable remote removal of the app with just this feature?
You actually don't even have to do that. If they cannot login they cannot get to any of the data.
Assuming an encrypted cache, this sounds like a viable option. We have 100 Intune licences, so I can insist on being one of the users managed by Intune rather than Office365 MDM. But based on my recent experiences, I'm not too keen to have email or Teams on my phone.
-
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
You can certainly do this with Intune and office 365. Basically you'd be able to wipe all corporate data as long as it's kept in office 365.
With Office 365 MDM, you can't disable the ability to do a full remote wipe. You do have more control over that with GSuite. Does Intune give you more control?
I'm pretty sure you can do what I described, but I'm not 100% sure.
It's not a question of what you can do, it's a question of what can the IT department be prevented from doing. The difference between wiping company data and wiping the whole phone just being different buttons does not reassure me.
This is how you do it - from MS link I posted earlier
"Enable your users to more securely access corporate information using the Office mobile and line-of business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed by Intune."
If you restrict actions like copy, cut, paste, saving, screenshots, etc then you keep the data inside Office Mobile. Then you just remove the Office Mobile app remotely.
Are you able to enable remote removal of the app with just this feature?
You actually don't even have to do that. If they cannot login they cannot get to any of the data.
Assuming an encrypted cache, this sounds like a viable option. We have 100 Intune licences, so I can insist on being one of the users managed by Intune rather than Office365 MDM. But based on my recent experiences, I'm not too keen to have email or Teams on my phone.
what experience is that?
-
Not to derail or side track, one of the issues I have with BYOD is the phone number that the individual has. I am sure there is an answer I have just not thought about. I have pushed for 100% company issued phones due to the nature of a cell number being a point of contact. I am in an industry that has turnover. When field personnel build a relationship with our customer and leave, the number goes with them if it is not ours. Any thoughts?
We use Meraki MDM paired with Apple Configurator profiles. FYI.
-
@popester said in Remote management of employees personal cell phones ...:
Not to derail or side track, one of the issues I have with BYOD is the phone number that the individual has. I am sure there is an answer I have just not thought about. I have pushed for 100% company issued phones due to the nature of a cell number being a point of contact. I am in an industry that has turnover. When field personnel build a relationship with our customer and leave, the number goes with them if it is not ours. Any thoughts?
We use Meraki MDM paired with Apple Configurator profiles. FYI.
This is semi easy - a PBX/SIP app on the phone tied to your PBX. The number belongs to you (the company) the app just logs in and accepts calls.
-
@Dashrender said in Remote management of employees personal cell phones ...:
What MDM are you using?
We "own" workspace one/AirWatch.
-
@Dashrender said in Remote management of employees personal cell phones ...:
Huh - I can't say I agree with you at all. Why do you need access to non company servers over SSH?
In any regulated industry preventing the exfiltration of data is a hard requirement. Allowing outbound SSH would make it trivial for people to sneak data out (or bad stuff in).
-
@Dashrender said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
You can certainly do this with Intune and office 365. Basically you'd be able to wipe all corporate data as long as it's kept in office 365.
With Office 365 MDM, you can't disable the ability to do a full remote wipe. You do have more control over that with GSuite. Does Intune give you more control?
I'm pretty sure you can do what I described, but I'm not 100% sure.
It's not a question of what you can do, it's a question of what can the IT department be prevented from doing. The difference between wiping company data and wiping the whole phone just being different buttons does not reassure me.
This is how you do it - from MS link I posted earlier
"Enable your users to more securely access corporate information using the Office mobile and line-of business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed by Intune."
If you restrict actions like copy, cut, paste, saving, screenshots, etc then you keep the data inside Office Mobile. Then you just remove the Office Mobile app remotely.
Are you able to enable remote removal of the app with just this feature?
You actually don't even have to do that. If they cannot login they cannot get to any of the data.
Assuming an encrypted cache, this sounds like a viable option. We have 100 Intune licences, so I can insist on being one of the users managed by Intune rather than Office365 MDM. But based on my recent experiences, I'm not too keen to have email or Teams on my phone.
what experience is that?
Nothing to do with the application, just to do with being always working. I did a 108 hour week followed by a 90 hour, followed by a 70 hour. I've now removed all work communication from my phone in order to try to get some peace when I can.