48

I am starting a new job, and I have the choice to receive a phone from the company, or to bring my own. I am considering using my own phone, to avoid having an extra device, but I want to better understand the consequences of that decision.

I have an iPhone. A more recent one with iOS 8. I will stay with my current wireless carrier.

I understand they can remotely wipe my phone after I leave the company (or if it's lost or stolen), and I'm okay with that, because I already back up every important app.

I found this Apple article regarding enterprise iPhones, which states these specific things can and cannot be observed by the company:

Examples of what a third-party management server can and cannot see on a personal iOS device.

MDM can see:

  • Device name
  • Phone number
  • Serial number
  • Model name and number
  • Capacity and space available
  • iOS version number
  • Installed apps

MDM cannot see:

  • Personal mail, calendars, and contacts
  • SMS or iMessages
  • Safari browser history
  • FaceTime or phone call logs
  • Personal reminders and notes
  • Frequency of all use
  • Device location

(MDM is Mobile device management)

But I'm not certain if this applies to all iPhones in all enterprises.

Concerns/questions

  • How exactly is this done? They just configure something in settings, and I supply my lock screen passcode to give them permission?
  • Can any of my behavior or data, outside of company-supplied apps, be observed?
  • What apps or "root level" utilities can I expect to have installed?
  • Will any restrictions be placed on how I can use my phone, or on the apps I can install?
  • Is there anything else I need to be aware of?

I found this related question, which discusses BYOD consequences from the company's point of view: What are the problems with bring-your-own-device related to smartphones?

aliteralmind
  • 595
  • 4
  • 7
  • 4
    Have you spoken to the IT team at the new company about what they plan to do? Do you know for a fact that they use MDM to manage BYOD phones? Not every enterprise bothers with the iPhone enterprise management tools, and even those tat do might not want to use them on BYOD. – Graham Hill May 05 '15 at 12:30
  • 16
    There are risks beyond those normally considered security risks: Don't forget that whenever you have your personal phone they can reach you BYOD. Is there any chance of the number going to customers? Awkward co-workers who have "emergencies" when you're asleep? Have you signed up for this sort of availability? Who pays the bills for long company calls (closer to a security risk in that circumstances beyond your control could cost you real money)? Will they prevent you rooting the device *you paid for* regardless of your reasons (perhaps more an android issue)? – Chris H May 05 '15 at 14:07
  • 1
    I've decided on the company-supplied phone. There are just too many unknowns, and too much life-work mixing otherwise. I bought a [nice little shoulderbag](http://www.amazon.com/gp/product/B00DGQ0EVU) in anticipation of having to carry multiple devices. Thanks to all for the enlightening advice. – aliteralmind May 05 '15 at 18:01
  • Might be worth mentioning that a UDID could also be snagged off of any iOS device just by plugging it in via USB (don't think it can be grabbed off WiFi any more). – nhgrif May 06 '15 at 00:04
  • Also note that MDM is not everything. At least one company that I know asks you to install proprietary spyware which is capable of things far beyond what's in your list (such as accessing every file). At that point, one has to wonder who is asking whom for a favor here. After all, using your own devices bears practically no advantage for you (other than not owning two phones) but is very lucrative for the corporation. – Damon May 07 '15 at 07:46
  • Some employers require that you will allow them to wipe the phone if they feel the need. For me, that would be a deal killer. – ddyer May 07 '15 at 19:06

5 Answers5

25

Just wanted to chime in and say that the list you have there isn't entirely 100% accurate, but it is close.

Keep in mind that this will vary per MDM vendor and mobile OS, but MobileIron can see your location if your employer enables the functionality and you choose to accept sharing your location data.

How exactly is this done? They just configure something in settings, and I supply my lock screen passcode to give them permission?

Your employer should direct you to a portal where you register your device and install the MDM application. The employer cannot see/extract nor does it know your personal PIN.

Can any of my behavior or data, outside of company-supplied apps, be observed?

Behavior - yes, if you take into account location data.

Data outside of company supplied apps - no.

However, your employer can see a list of all apps installed on your phone, so you may think twice before installing any "questionable" apps.

What apps or "root level" utilities can I expect to have installed?

Not sure how to answer this one exactly. It sounds like you are asking if they can install the equivalent of a rootkit on your phone? Realistically I'm inclined to answer no.

Will any restrictions be placed on how I can use my phone, or on the apps I can install?

Yes, your employer can black list apps.

Is there anything else I need to be aware of?

Yes, please refer to the infographic below. (location)

Privacy in a BYOD World

k1DBLITZ
  • 3,933
  • 14
  • 20
  • 3
    I'm surprised that younger employees are more concerned than older. My guess would have been that they are more post-privacy-era. – Hagen von Eitzen May 05 '15 at 19:43
  • 11
    @HagenvonEitzen Younger people probably keep more data and more private data on their device than older people. – SpellingD May 06 '15 at 07:21
  • 3
    Perhaps younger people just tend to be more aware in terms of privacy, which makes them also more concerned about it? – Erathiel May 06 '15 at 12:02
  • 3
    I've drawn a couple conclusions myself. Chances are that older people have been working for their employer for decades and so there is more trust. Older people may also be less likely to have apps installed, or use the camera/video recorder. I know several older folks who own smartphones but use them like a standard cell phone. Likewise, younger folks may be more likely to use a multitude of apps from banking to snapchat - and likewise are more likely to engage in promiscuous behavior which could be embarrassing or damaging if discovered by an employer. Just a theory. – k1DBLITZ May 06 '15 at 12:34
13

My company is currently going through the process of implementing an MDM for all work phones... So perhaps something that I can help with.

The company will install profiles and policies onto the mobile device which (On top of what you have outlined above in image) can enforce the following:

  • Constant VPN connection (Ability to intercept network traffic to and from your device)
  • Advanced Content Filtering
  • Activation Lock Bypass Code
  • Password Policy Enforcement

This is by no means an exhaustive list, just sharing the knowledge that I have a working experience with thus far.

For what its worth, I would always steer clear of BYOD unless absolutely necessary, i just don't like anybody else having access to my primary device.

Aaron Dobbing
  • 473
  • 3
  • 13
  • Regarding intercepting network traffic. Should I interpret that as absolutely everything I do on my phone, or receive on my phone, can be observed? Even when I'm not at work? Even though I have my own separate carrier contract? So they can watch me browse the web? Intercept my usernames and passwords? Watch me view my personal email? Regarding filtering, does that mean, for example, they can choose the websites that I can or cannot see when I use iOS Safari? Forgive my paranoia/naïveté, I'm trying to understand this. – aliteralmind May 05 '15 at 13:08
  • 1
    It would be very extreme and unlikely, but essentially they could sniff any unencrypted network traffic going through your device via the VPN. By Enforcing a VPN connection they would be directing all network data streams (wifi, 3g, 4g etc) through their network initially. I wouldn't suggest that it would be something to worry about, just something to consider. – Aaron Dobbing May 05 '15 at 13:11
  • 3
    By either enforcing a proxy or installing a trusted CA certificate could they not also do all that on HTTPS traffic as well? I'm not terribly familiar with iPhone, but it seems to me that is a technically possible situation. Legal matters aside, after all, IANAL. – Rod MacPherson May 05 '15 at 13:15
  • 6
    @RodMacPherson Yes, they can install their own CA certificate, use the VPN to intercept all traffic, and see the contents of all encrypted traffic as well. – Grant May 05 '15 at 14:30
  • A work phone I can see being sent through a VPN, but if they're enforcing it for personal phones used in lieu of the work phone (for work), then that's a serious privacy concern, and I really hope no company has that policy. – Chris Cirefice May 08 '15 at 22:29
  • @ChrisCirefice It is a perfectly reasonable policy. If a user opts to use their own device to handle potentially sensitive data, corporate emails and the like then a company should be able to implement security based policies in order to best protect their business. – Aaron Dobbing May 11 '15 at 06:57
  • @AaronDobbing Sure, if that's the case then I hope the company has a few clauses in the contract preventing them from (legally/intentionally) intercepting anything except for what **needs** to be protected. With all the work corporations do in government, one can only hope that they aren't acting as mini-NSAs as well. – Chris Cirefice May 11 '15 at 12:58
4

From a security stand point, you will generally prefer to have your own device. This just keeps everything separate. Even if you backup your phone and all your data, it is probably better to keep it separate. This also assume that the company permits by policy and by technical controls the ability for you to independently backup your device. You also run the risk of accidentally using the wrong email or commingling information in ways you do not intend. You can also turn off your work phone on the weekend and you don't need to worry about people calling your for business on that number if you ever leave the company.

In terms of monitoring your traffic, if you connect over their network through a forced proxy or by using their wifi, they almost certainly have the potential to monitor your traffic as opposed to your personal phone going over the cell company's service (the cell company could of course monitor you in that situation).

Beyond the fact of having one less small physical thing to hold, there are generally more cons than pros. I see no reason to save your company money by using your phone (unless perhaps they then pay for your plan?).

MDM can be applied in various different ways depending on the organization and the MDM vendor. Not all vendors provide all features and they extent to which you have control over your own phone will vary based on the configuration chosen by your IT department.

Eric G
  • 9,691
  • 4
  • 31
  • 58
4

Your employer will "supervise" the device by connecting it to a computer running Apple Configurator which will restore it and apply a configuration profile with a certificate in it.

That will allow them to push more profiles to your device remotely, and these profiles may include other certificates that can be used to intercept secure connections from your device.

I don't know whether they let you use your own Apple ID on the device or use a company-supplied one; if it's the former your data (pictures, music, app data, call log, local contacts/calendars, etc) will be safe as Apple doesn't provide any feature allowing to access this kind of data from an MDM solution. In the latter case, the device may be configured to backup to their Apple ID's iCloud and they can later restore that on a different device and get your data.

I would be very careful about contacts, notes and emails - contacts may be local (and unreachable from MDM) but nothing prevents them from secretly uploading a new profile that configures their LDAP/CardDAV server for contacts on your iPhone, and all new contacts you'd add will be added on that remote server under their control. Same for calendars. It isn't entirely secret as you can check whether such accounts were added by checking the currently installed profiles in the device's settings, but is checking every time you add a new contact/appointment/note convenient ? I don't think so.

They can also configure either a global HTTP proxy or a VPN (that will be always on) to route your traffic through their network, and coupled with their certificate installed on the device they'll be able to intercept and decrypt all "secure" (HTTPS) communications from your device. Only apps that explicitly use certificate pinning will be protected from this. This will allow them to access your browsing history and frequency of use.

If you can negotiate with the company's sysadmin to manually install a profile (without supervising the device) that enforces whatever security/password policies they want, eventually an on-demand VPN (you can specify which domains/IPs should go through the VPN and which ones don't, so it's possible to only enable it for work-related servers while leaving your other traffic untouched) but no certification authorities then go for it. Make sure you carefully review the profile (the device displays everything the profile will do) before installing it.

Otherwise don't. It's a bad idea.

4

Use the company phone for business and keep things separate. Only an optimistic and idealistic person would hope or expect that you will not encounter any issues going forwards.

Sometimes you need to keep things separate, this is one of those times, who knows what the future will hold and what kind of situation you might find yourself in where data on one side is 'hazardous' to data on the other side.

Of course a lot can depend on your lifestyle though sharing location and other data from your personal life may not be advisable in your professional life and vice-versa, avoid the constraint and carry two phones.

Eric G
  • 9,691
  • 4
  • 31
  • 58
Ed Daniel
  • 464
  • 2
  • 6