3

When on the road, I have a company-issued iPad with Verizon service, my personal iPad (Wi-Fi only version), and my iPhone.

If I turn on the hotspot on my company iPad, then connect my personal devices, can my employer see the websites I visit or the passwords I'm typing in or any other network traffic? I know they can see how much data is being used on the bill each day and what time of day and all that.

If they can see some info, will turning on a VPN connection on my personal devices stop that? Or would I have to turn a VPN on on the company iPad? Or would I have to do both? And if I have to do both, wouldn't that greatly slow down the Internet connection?

I don't work in an office; I work out of state and stay in hotels. Hotel Wi-Fi is routinely very slow, sometimes to the point of not even being able to use it at all. For those reasons, I sometimes like to use company LTE. I like to use the hotspot for surfing the web, FaceTiming my family, sending pics and text through iMessages.

Any explanation of what they can and can't do, or what info they might get from the carrier, would be great.

techraf
Newbie

2 Answers

6

Some carriers have (very expensive) plans that connect the IP part of the mobile connection to an L2TP or IPSec gateway, making your mobile appear as if it were on the company's network. If such plans are in use, then it's the same as if you were browsing directly from the company's Wi-Fi or Ethernet networks.

Using a VPN terminated on your mobile device will help in regards to network monitoring (your company will only see an outgoing VPN connection to a server you control), that is, if their network will actually allow you to VPN out to an untrusted (to the eyes of the company) server - after all, outgoing encrypted connections can be used for sensitive data exfiltration or malware traffic. If this even works, it'll most likely be forbidden by your IT acceptable use policy and definitely raise some red flags on the sysadmin's side.

Note that no matter which network monitoring solutions might be in place, you still can't be safe as the company-provided device shouldn't be trusted - it's most likely managed by an MDM solution and the sysadmins have root access to the device. See the nice picture your girlfriend sent you? The sysadmins are already looking at it. The super secure HTTPS-enabled webmail you're used to accessing? The sysadmins can look at them because their CA certificate is in the device's trust store and they can thus impersonate any site by issuing valid (to the eyes of that device) certs.

I suggest you at least make it clear with the IT department whether you're allowed to use company-provided mobile network access for personal usage and whether you can VPN out to your personal server (or a third-party VPN service). If you are allowed, you should initiate the VPN connection from a trusted (non-work) device like your computer, and only use the company-provided hardware as a hotspot. In any case, don't trust their hardware with personal files even if they allow you to do so - the fact that you're allowed to use them doesn't mean they aren't allowed to look at what you do.

André Borie
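
The CA certificate and managed settings this answer refers to reach an iOS device as configuration profile payloads. The following is an added example, not part of the answer above: it lists the payloads in a profile that can expose or redirect traffic. It assumes the profile is available as an unsigned `.mobileconfig` property list; the sample profile and the "Example Corp" names are constructed.

```python
import plistlib

# Apple payload types that let a device administrator see or redirect traffic.
MONITORING_PAYLOADS = {
    "com.apple.security.root": "adds a root CA certificate (can enable TLS interception)",
    "com.apple.vpn.managed": "configures a VPN (can route traffic via the company network)",
    "com.apple.proxy.http.global": "sends web traffic through a global HTTP proxy",
    "com.apple.dnsSettings.managed": "sets the DNS resolver the device uses",
    "com.apple.webcontent-filter": "installs a web content filter",
}

def audit_profile(raw):
    """Return (payload type, display name, meaning) for each traffic-relevant payload."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):
        return []  # nothing readable, e.g. the payloads are encrypted
    findings = []
    for payload in payloads:
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "")
        if ptype in MONITORING_PAYLOADS:
            name = payload.get("PayloadDisplayName", "(unnamed)")
            findings.append((ptype, name, MONITORING_PAYLOADS[ptype]))
    return findings

# Constructed sample profile: one harmless Wi-Fi payload, two that matter here.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Corp Mobile (constructed)",
    "PayloadIdentifier": "com.example.mdm.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadDisplayName": "Office Wi-Fi"},
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Corp Root CA",
         "PayloadContent": b"constructed placeholder, not a real certificate"},
        {"PayloadType": "com.apple.vpn.managed",
         "PayloadDisplayName": "Example Corp VPN", "VPNType": "IKEv2"},
    ],
})

if __name__ == "__main__":
    for ptype, name, meaning in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: {ptype} - {meaning}")
```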
0

Follow these steps:

           +------------------------------------+
           |                                    |
           | Check iOS version of company iPad  |
           |                                    |
           +-----------------------+------------+
                                   |
                                   |
                             +-----+-------------+
                             v                   v
                       +-----------+       +-----------+
                       | iOS < 9.3 |  +---^+ iOS > 9.3 |
                       +-----------+  |    +-----------+
                             |        |          |
             +---------------+        |          v
             v                        |   +------+------+
  +----------+---------+              |   |Goto Settings|
  | Look for Cydia App |              |   +------+------+
  +----------+---------+              |          v
             |                        |  +-------++--------+
     +-------+-------+                |  |General > Profile|
     v               v                |  +-------++--------+
+-------+-----+    +----+-----+       |          |
| Found Cydia |    | No Cydia +-------+          |
+-------+-----+    +----------+                  |
        |                                +-------+---------+
        v                                v                 v
+--------+-------+              +---------+-------+  +------+----------+
|Buy your OWN LTE+^-------------+You see a profile|  | They don't want |
+----------------+              +-----------------+  | To Monitor You. |
                                                     +-----------------+

Now there are possibilities that the company is already routing your connection through their VPN. Most of the connections are on SSL and it is pretty secure unless you check the profiles that are there on your iPad. If you are not a person of high risk, they won't care to monitor you.

Make sure that you don't visit any website that doesn't have SSL. Also, for added security you can use a VPN on your iPad if your IT policy allows.

Theoretically, if they are routing your connection from their internal network (Probably Not) they can see the DNS queries as they are unencrypted (Correct me if I am wrong). Hence they can see which websites (Hostnames) you are visiting.

Sanidhay