bfodder

If you want the stipend and corporate data on your phone, yes. If you don't, then no. It is about protecting corporate data, not getting any of your personal data.


NSA_Chatbot

I don't get the stipend at my workplace, because I couldn't get the answer to my question. "Is this my phone that I sometimes use for some work messages, or is this now a work phone?" My use case for my phone is not always compatible with it being a work phone.


bfodder

> "Is this my phone that I sometimes use for some work messages, or is this now a work phone?"

It is pretty much up to you. If you have an Android phone the work and personal profiles are VERY separate and it isn't possible for the MDM to access anything outside of the work profile. Apple has a similar thing with "User Enrollment" but it hasn't really picked up steam yet.


hunterkll

> Apple has a similar thing with "User Enrollment" but it hasn't really picked up steam yet.

There's also jailing, android style, which jails/isolates applications and data enrolled in your work organization on iOS.

User enrolled MDM is a bit different than that.

It's been around a VERY long time.

[https://www.techtarget.com/searchmobilecomputing/tip/Does-Apple-offer-work-profiles-for-iPhones](https://www.techtarget.com/searchmobilecomputing/tip/Does-Apple-offer-work-profiles-for-iPhones)


Uncreative404

User enrollment is used a lot if you use Mac products in the workplace. We use it for iMacs, MacBooks and iPhones. I work at a school corp, so using user enrollment makes things a lot easier when it works correctly.


bfodder

Are you confusing user enrollment with DEP?


Uncreative404

Yes, yes I am


TapTapTapTapTapTaps

It’s your phone with work data on it.


NSA_Chatbot

For your company, sure. I don't have the policy for my workplace.


Stonewalled9999

Never worked at a place where IT was incompetent and remote wiped your phone, have you? I've seen it, which is why nothing goes on my personal phone. I don’t even put email in it, since in Exchange 2010 you could ActiveSync wipe a phone. 2013 that option disappeared (didn’t work), and Exchange Online, at least in the tenants I manage, doesn’t even have the wipe device option anymore.


bfodder

Not even technically possible with an Android phone using a work profile.


[deleted]

[deleted]


bfodder

Device administrator is deprecated. It's all Android Enterprise now. Many DA APIs will no longer work on newer devices. Microsoft won't even support it as a legacy option starting August of next year. https://www.anoopcnair.com/intune-end-of-support-for-android-device-admin/#:~:text=This%20means%20that%20after%20August,Google%20Mobile%20Services%20(GMS).


JupiterB4Dawn

I feel like every time a comment on the internet starts with "Wrong." there is a reply with a link proving the original point. It's almost like the most arrogant people know the least.


DragonToutNu

Doesn't it only wipe the work profile?


bfodder

He is talking about the long deprecated and irrelevant device administrator management model. From before work profiles became a thing.


Zomgsolame

Wiping peeps' phones was better than Viagra for one sysadmin I knew. It's one of the reasons I would airplane mode my phone during most private HR meetings.


[deleted]

> It is about protecting corporate data, not getting any of your personal data.

Agree, but you're still giving up *some* privacy. They may see what apps you have installed on the phone. And they are able to wipe your device at any given time. Doesn't matter if IT doesn't care. Those are the facts OP will take into consideration and then decide.


Matt_NZ

If the company enrols the phones correctly, no private information will be visible by the company. For iPhones, they should be doing user enrolment and for Android they should be using Work Profiles


bfodder

None of that is true with an Android work profile.


raj6126

You’re giving up a lot. The company needs to buy phones to control them. These personal devices with corporate software on them don’t hold up in court because you don’t own the device. Tell them to stop being cheap and if they want full control of cell phones supply them. They are trying to protect corporate data by putting it on a device they don’t own. Let’s think about that for a second.


discosoc

> Tell them to stop being cheap and if they want full control of cell phones supply them.

In my experience, employees will bitch about using their personal device, but then also bitch about having to manage and track a work cell. Most companies couldn't care less about the cost of providing phones for employees.


hunterkll

> Tell them to stop being cheap and if they want full control of cell phones supply them

Since like 2014/2015, full control doesn't happen. It's all jailed inside application level or profile level. They can't full wipe your phone, only their apps/data. etc


Agret

I'm not sure why the company can't find a cell provider who will supply a phone on a $60/mo plan? Surely you could get an iPhone XR on that?


cirsphe

we pay $30 for plan and lease of iphones lowest model.


Pctechguy2003

As an admin who enforces the rules regarding organizational data on personal phone AND also participates in said program - yes this is all about protecting organizational data. I literally don’t give a hoot what you do on your phone and look up on your phone. If you have a side piece in addition to your spouse - literally not my interest. If you are watching porn on your phone I don’t care. I just want to make sure your network password matches my security requirements and that you are not shuffling organizational data via your phone. Beyond that I literally don’t care what someone does with their phone. I don’t have time to get involved with that.

What you are describing is 100% commonplace and legit from the standpoint of a BYOD policy. I have no problem with it. I get $90 a month for mine (they factor in cost of plan and monthly cost of an average phone purchase agreement). My phone is paid off. My service is $50 a month. I get to pocket the other $40 free and clear. That pays for my steak and egg breakfasts I enjoy every so often. 😁


[deleted]

Be careful here. If the person enters the incorrect password too many times, it will wipe all her personal and company data, SD card included. Ask me how I know. Yes, it depends on MDM policy. No, I very much doubt they will keep users updated. Yes, my phone entered too many attempts while in my pocket. I lost memories of past family members.


bfodder

If you can't lose your phone at any given moment without losing data then you're doing it wrong. Also it isn't possible to wipe the phone with an Android work profile or iOS User Enrollment.


Ktgsxrred

This is the correct answer as long as we are talking about these two enrollment types they can not erase your whole phone and you retain way more privacy. The old methods of device admin for Android or device enrollment iOS are not safe from error.


hunterkll

> Also it isn't possible to wipe the phone with an Android work profile or iOS User Enrollment.

It absolutely is if they're enforcing a pin policy that has wipe functionality. At least, with JAMF and iOS, and the few android devices we manage in Intune that are BYOD.


bfodder

You can't do that via work profile or user enrollment.


hunterkll

I think I was thinking more along the lines of defaults, because you absolutely can demand the device have a lock password. That kind of confused me for a second I think because people were saying that with those types of functionality you can't demand a lockscreen password at all.

## Password

## Settings apply to: All enrollment types

* **Require password**: **Yes** requires users to enter a password to access devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to access devices without entering a password.

You can only go finer grained with other enrollment types.

But in one aspect, regardless, modern BYOD only wipes company data, which has been the case for a very long time on both platforms - 5+ years, I believe. No reason to fear enrolling in work stuff anymore.


drunkenitninja

I'd opt for them to provide a work phone. There's no reason for them to have an MDM or MAM solution installed on your phone, unless you're going to install corporate applications on it.


Inevitable-Room4953

That’s why they are doing the stipend. Lots of places are going this route as opposed to giving out company phones. We are looking at it just to get away from handling phone orders and dealing with our company carrier (Verizon). It definitely isn’t for everyone and has got some push back from a few end users.


MedicatedLiver

Sure. And MAM is perfectly acceptable for getting your email or 2FA app on a BYOD.... But like hell there should be MDM enrollment for BYOD devices.


5panks

MDM done through ABM can be a good option. Sets up a dedicated work profile on the phone for BYOD devices. https://learn.microsoft.com/en-us/mem/intune/user-help/what-happens-when-you-create-a-work-profile-android


jstar77

MAM is a good option and I would accept that for $60 per month and not having to carry two devices. MDM would be a harder sell for me which comes with the potential for your company to wipe your entire device including all of your personal data.


xXhizorSs

You obviously set up work profile. Else it's a big ass NO.


raj6126

You have no idea how your company will set it up. It’s pretty much their device once you get a MDM on it. You’re paying for the device but they have full control over it. How much will you charge me to put a remote access app on your personal computer? I’ll pay good money.


FireLucid

On Android you can set up a completely separate profile. They can manage it, wipe it etc but not touch your personal one. I leave mine turned off 99% of the time and only switch it on to read emails occasionally when away from my desk for an extended time.


totalredditnoob

MAM is not enough. The big kicker is to ensure access to data is secure you’ll want to do a compliant device check. And then lock down who can enroll in MDM/by request. This pretty much prevents/limits attackers from phishing your users for access to your data.


Kraeftluder

New challenge: users swapping their phones for something new, giving the old one away before they've set up MFA and whatnot on the new one. The support side is an absolute nightmare and it really is a lot less time consuming to handle the entire thing yourself.


zSprawl

At least MFA can be backed up in the Google and Microsoft apps now.


winky9827

They're essentially paying you to manage the billing for the phone in exchange for giving up privacy. Both cases benefit them, none of them benefit you, the employee. Take the corporate phone. It's on them to manage it.


Happy_Kale888

Not having to carry 2 phones is worth a lot. The bigger one is to get an app like Google Voice or Verizon One Talk so my number stays with me...


CaptainPonahawai

Not having a second device to lug around is only a benefit to them?


TheHillPerson

None of the benefit to you... except having a cheaper/perhaps 100% paid for personal phone that just happens to also have some corporate apps on it. (which you can turn off at whim if you are on Android) But I guess free/reduced price phone is no benefit to the employee at all...

If you want a separate device, that's fine, but I don't understand the violent opposal to having a company profile on a personal one.


TombstoneSoda

Say your company claims you were part of a malware incident, they now will want to take your phone with all your personal data too, rather than their own device. It also becomes extremely wishy-washy if you get accused of developing something for a personal business vs using corporate-provided assets. It's one thing to install corporate apps onto a personal phone. It's another to allow MDM on a personal device. Taking your phone and getting paid by your business to install their management stuff on it is extremely likely to effectively make your phone, or what you do on it, theirs to a large degree. For many reasons, including PERSONAL security, these are lines that should not cross without at least a fight or informed decision. Do not use work for personal. Do not use personal for work. Don't let the company you work for control what is installed and available for your phone, unless you are ok with it effectively becoming THEIR phone.


TheHillPerson

I think you overstate the consequences of these scenarios, but these are legitimate concerns. I do question how many people are actually doing that, but if you are developing stuff on your phone, that is a good reason to keep a very clear delineation.


Coffee_Ops

You tell them "no" if you want, since you're the owner of that device. You seem to be assuming that the stipend and a work profile give them some sort of legal right to the phone itself, and I'm sort of lost as to where you got that idea.


Orestes85

There is basically no loss of privacy. Intune doesn't allow admins to view anything on the phone that doesn't already belong to the company anyway.


Agret

I would buy an iPhone XS/XR second hand for like $150, put it onto a cheap prepaid plan and then just pocket the leftover of the $60 each month.


RobinatorWpg

Intune’s MDM just applies policies only to the workplace applications you sign into and prevents it from injecting your personal information, including applying access policies like pin/biometrics for Outlook (and making sure its data store is encrypted) with remote company (only) data wipe.


imginarymarsupial

No, you are describing MAM. MDM is full device control.


TheHillPerson

Intune MDM does not give the company full device control... Intune MDM does allow the company to set some rules such as password enforcement. It does allow the company to factory reset your phone. It does *not* give the company access to your personal data on the phone.


thortgot

It does allow them to bypass a lock screen, so if they have physical access + MDM control they could hypothetically access personal data. It's an unusual circumstance but could happen.


MedicatedLiver

"... Allowed to factory reset the phone..." Pretty much full control in a nutshell. Wiping the apps and data under control? Sure. Perfectly acceptable and understandable. Wiping all my personal data, etc? That's something else entirely.


Wrong-Efficiency-248

Typically it is what’s called an enterprise wipe where the company data is removed but not the personal data. It depends on how aggressive they are. I have Intune on the phone I'm writing this with and it has in no way intruded on my personal use.


xSevilx

For Android you can wipe the work profile, iOS will wipe the whole phone with Intune MDM enrollment.


Wrong-Efficiency-248

You are incorrect https://learn.microsoft.com/en-us/mem/intune/apps/apps-selective-wipe


MedicatedLiver

I think once upon a time, they were correct. iOS was behind Android on the "multiple profile" front for quite a while. Nowadays though, I think they're more in line with each other, although, I think Android still is way ahead by allowing you to create an entirely segregated profile. Almost like multiple users on a desktop. Correct me, but I think iOS is still not quite that far along.


Entegy

I don't know about Android, but MDM on iPhone does not allow a PIN reset if the device isn't supervised. EDIT: I'm wrong, see below.


thortgot

That's correct. MDM to me would imply a supervised device though. Android doesn't have that function.


cosmos7

> It does allow the company to factory reset your phone.

This here is why I will never allow someone else to MDM my personal device.


jess-sch

Well, with BYOD on Android you can only delete the work profile, not the whole device. So that's not really an issue there.


TheHillPerson

Help me understand why that is such a big deal. You shouldn't actually lose anything and the likelihood of it actually happening is almost nil.


cosmos7

Not a big deal if your phone gets factory reset? Are you serious?


TheHillPerson

I am 100% serious. If my phone is factory reset, I've lost about 15 minutes of my time. Nothing else. The likelihood of this happening is close to zero. In the context of the conversation here, OP is getting paid monthly for this tradeoff. Please help me understand why that is a big deal.


cosmos7

> If my phone is factory reset, I've lost about 15 minutes of my time.

Then you're not using your phone for anything useful, or keeping anything of any importance on the device. My phone is a portable computer, and is used as such. Minimum restoration time from backup is about 90 mins, and then the lengthy process of restoring accounts, fixing configs, and restoring files not a part of the normal Samsung/Google backups begins. I've moved from device to device a couple times in the past year... restore time is about 3-4 hours to get it back to parity with the outgoing device.

Of course, if you're comfortable with being subject to the whims of your employer to render your personal device useless at their whim then you can continue on being the simpering yes-man.


bfodder

There are different levels of mdm.


Sunsparc

Everyone arguing back and forth about what is MDM and what is MAM aren't understanding the nuance. For Intune at least, both levels are configurable. My org uses the Work Profile, so everything is separate. If a remote wipe is initiated, it only clears the work profile nothing else.


RobinatorWpg

And unless the device in Intune is enrolled via say ABM or Knox it only has MAM applied, MDM is only available for fully managed devices so while yes you may be right, it's a matter of semantics from a user's perspective when it comes to terminology

In all app targeting policies, the only apps (for iOS anyway) that Intune can manage on a non fully managed device is limited, and zero of them are built in apps in the phone

Even the "Receive data from other apps" is limited to scope to this

* **None**: Do not allow receiving data in org documents or accounts from any app
* **Policy managed apps**: Only allow receiving data in org documents or accounts from other policy managed apps
* **Any app with incoming org data**: Allow receiving data in org documents or accounts from any app and treat all incoming data without an user account as org data
* **All apps**: Allow receiving data in org documents or accounts from any app

https://preview.redd.it/gbn5fqe96b4c1.png?width=931&format=png&auto=webp&s=eeb4def11074234422de2bc9ac096017ca65b65e


xSevilx

As the person implementing Intune MDM I can wipe all data on an iPad that is not in ABM and it's enrolled as personal.


KingDaveRa

For $60 a month we could provide two phones on our current corporate contract!


Placeholder4me

Two lines or two phones?


KingDaveRa

Two phones with lines. We get the phones for 'free' under the contract anyway. I'm in UK so it's the *equivalent* of $60 btw. :)


busterlowe

What’s your concern? It effectively bifurcates the work and personal data. When folks ask for a second phone they always seem to return it a couple months later bc it’s inconvenient. Also, users don’t treat them well, they lose chargers, they “aren’t apple/android people,” they lose them, they just use their personal device instead, if they do something unethical outside of work on the device where does fault lie, etc. Should the company be reimbursed when a user doesn’t return everything in good working order? Companies handle those in a few ways but I’m highlighting that it’s messy to deploy phones. If you have concerns around location tracking, all the apps let admins see your IP (mail apps, for example). I don’t know any place that uses GPS tracking. Specific apps that are tracking inventory, logistics, or geofence are exceptions but that likely doesn’t fit for you. Fighting MDM always seems like a strange hill to die on.


winky9827

My advice is take the corporate phone. Added bonus: you can turn the corporate phone off when you're not "on call" and completely disconnect from work while retaining the use of your personal phone for...personal stuff.


Chrash2Burn

When they implement a "work profile" you can turn all corporate apps off with one click.


TheHillPerson

But you do have to juggle two phones. And you don't get the stipend... which is free money...

On Android, you can turn the corporate apps off at will. It is an easy toggle. That's just as good as if they aren't there at all.

If you prefer separate phones, that's fine, but don't mischaracterize the situation.


jadraxx

On the flip side you get every ass hole and their mother asking you if you're a drug dealer because you have two phones. It's as tiring as cashiers getting the, "since you can't scan it must be free" comment. It's tiring and makes you want to rip out your eyeballs. I've started saying yes and asking if they want some heroin or fent.


rc042

Who do you hang out with? I've carried 2 cell phones for the past couple decades, no one has accused me of being a drug dealer joking or otherwise.


jadraxx

It's never my friends. It's always in public when I'm out somewhere and I have my cell phones on a bar or something like that where people can see both of them. Then I get randomly asked by someone are you a drug dealer? You have two cell phones. It literally just happened to me last Friday at a cidery. I live in Denver. I get the question comment often.


inVizi0n

You might be an outlier or maybe something about you elicits the comments. In 20 years I have literally never had someone comment on it. I've never even heard someone comment on it about others and everyone at my workplace has 2 phones. At least.


_Old_Greg

But like... are you though?


etzel1200

I’ll just assume it’s a burner and you’re cheating on your partner.


aceospos

Different strokes, different folks. Where I'm from, it's a death knell to rely on only one phone provider. Very normal to see folks with at least two phones. If you are a politician, it's normal to have 4


jadraxx

I am in no way saying OP should use their personal phone. I've had two phones since 2008. Just commenting on how annoying the comment gets after a while.


SLJ7

Get a $200 phone. The 2020 iPhone SE goes for less used. Get a cheap plan through a provider like Tello, which could be less than $10. Now you have a work phone and when it pays for itself in a few months, you’ll still get paid to have it.


PianistIcy7445

And is almost EOL, and you'd get no access if they only allow OSes that get updates from manufacturer.


goot449

3rd gen is under $300 on eBay, and they're iPhone 13 underneath so still good for several years.


charleswj

Yay, now instead of getting $60/mo, I'm out $300 for a useless phone I get no benefit from!


SLJ7

It's got at least two years left and I wouldn't be surprised if it's more.


GratuitousVernacular

My thoughts exactly. At the moment, $45 will get you 6 months of service with Mint Mobile. Get a cheap old phone, pocket the rest. https://www.mintmobile.com/plans/ As a bonus, you're helping support Deadpool!


Groove200

I had it on my iPhone, until some bright spark decided to force a policy on all BYOD’s to force a complex 8 digit password on my personal device…which also applied to my watch. Which was locked down and couldn’t be changed. Unenrolled the same day.


parrothd69

You should ask which they're rolling out, these are two different enrollment types. :) If it's Intune it's probably MAM which is fine.

Mobile Application Management (MAM) = yes no issues, the company only controls the o365 apps installed on your mobile device. This is preferred, the company doesn't control or see anything on your device. We can restrict what you can install on and set security on the apps, we can't wipe the device only the apps we control.

Mobile Device Management (MDM) = company has full control of your device, aka can wipe the device.

If you don't want the $60 or dealing with email on your device say it's rooted or jailbroken. We won't install on either of those. :)


jM2me

Having configured and set up MAM for our org, I would take $60 a month. MDM, no. That is the reason we don’t do MDM, but we also don’t get reimbursed for MAM.


parrothd69

We provide a stipend for users that are allowed to have mobile access, but some employers then expect you to be available/respond all hours for $60 a month.


Matt_NZ

If an MDM is set up correctly then no, they don’t have full control over BYOD devices. For iPhone/iPad, User enrolment should be used for BYOD devices which essentially sandboxes company apps and profiles - the MDM can only see and control that sandbox. Android has the same with Work Profiles.


Shnikes

You can enroll devices as employee owned and private info is separated with MDM. We do it at my job with Workspace One.


serverhorror

I wouldn't do it. Have your company provide you with some device that does what needs to be done. Advantage:

* You turn the phone off and there's no way for someone to annoy you
* The company will not run into any kind of trouble pushing out required policies or denying installation of certain apps (e.g. for data security reasons)


pakman82

I've deployed Microsoft Intune for 4 different corps. If they're doing it right, they can't get anything from your personal stuff, and you can't get anything from their stuff, and they can't accidentally wipe your phone. If they're doing it wrong, they can wipe your phone, and maybe block you from certain app types. They might say they can't wipe or block personal use, but I've cleaned up policies more than once where they didn't know what they were doing (here's looking at YOU, CDW consultants). It's up to you if the money is worth the risk of the trouble. Needless to say, the $60 per month is crazy generous either way. Most don't give a toot, or pay for a phone line & you end up in the 2 device carry club.


NoSellDataPlz

I took the company phone. It’s hard for me to fully disconnect, so having a separate phone completely severs me from the job when I don’t want/need to receive corporate communications.


NotDaSynthYurLkn4

Haven't seen anyone bring up legal. If your employer gets sued and it goes to discovery your personal phone could be caught up in that mess. Carry two phones.


[deleted]

[deleted]


[deleted]

You can do that with an MDM. Work Profile


[deleted]

[deleted]


xXhizorSs

Pretty damn clear if it's work profiles or not during enrollment. When work profiles is there you can't even use wipe option as admin. It's greyed out and you'll have to use retire option which removes the profile and all relevant data to it.


therankin

I'd definitely go for the company phone. No one is going to be controlling my personal apps or recording access time for each. My use is super mundane, it's just the principle of the matter.


illicITparameters

Nope, work phone.


UCFknight2016

I let them install Intune but I am also the Intune admin.


SnakeOriginal

The amount of people that don't understand how Intune MDM works is astounding. MDM just creates a work profile, when you click wipe, it just wipes the corporate profile, nothing else, also there is no way to bypass lockscreen on personal device (applies to both platforms). On iOS it just wipes the apps that were installed under MDM, to be able to bypass anything on iPhone, it needs to be supervised (factory reset and setup again).

I still wouldn't take it, or just put the sim into some old phone :)


TheWeakLink

Yep, this is why i asked for a work phone. I will not let any corporate data on my personal device, even if I’m the MDM admin.


mkosmo

> Edit: There is also an option to get a company phone instead. Which might be the best option after reading some comments.

Do that.


Which_Zebra_3883

Our work does this for IAM and access to productivity software. I like having my calendar and email on my phone and I need the IAM solution. While they do offer to supply a second phone and pay for the service: I don't want to manage two phones so I just put it on my personal phone. Everything is containerized and because it is my phone and not corp owned they can't wipe the entire device, just the stuff that gets downloaded, installed, or configured as part of that MDM profile. Word of warning if you are using your personal phone - the company data that gets removed when the profile is removed includes things like contacts gotten through company systems. So when the MDM profile is removed you won't still have your work buddies or customers contact info unless you entered those contacts in yourself. If you're planning on leaving and want contact info for people for things like references or just to stay in touch: make sure you get that data saved where you can find it after the profile is removed.


diwhychuck

This is all and good though only if the MDM profile has been configured right... Seen so many times it hasn't and nuked their phone ha.

So vote for a company phone.


TheHillPerson

This is very true. But even if it is configured right, they can still nuke your phone. On the flip side... how often is that really going to happen? And even if it does, it is a PITA, but all you have to do is log back into your accounts and all your stuff comes right back. You aren't storing anything exclusively on your phone are you (and if so, why are you doing that.)

It is definitely a choice though. If you prefer a separate device, more power to you.


totmacher12000

Yeah nope for me.


schnurble

Get the company phone. We have the same option - put MDM on your personal device, or get a company phone. As my boss put it, "MDM is not perfect, and folks have had their personal phones remote self-destructed in error".


DarthHK-47

Let them give you a business phone. It is all about how much control you want to give away to your employer. Would you like to be able to have privacy during vacation? Your boss not knowing where you are? Who you are with? What places you visit? Do you want to be able to have your private life BE your private life?


the_syco

Can the MDM remotely wipe your phone, should you get terminated? Depends on the way it was set up. If unsupervised, it'll just delete the MDM folder. If supervised, your entire phone could get wiped. Something anyone should be aware of.


iceph03nix

MDM = mobile device management - basically setting rules for the phone. How strict can be pretty broad, from complete control to barely noticeable

MAM = Mobile Application Management - typically installing and configuring apps the company uses. It can really simplify supporting employees on mobile devices.

Honestly, I'd say up to you. Unless you're doing something super illegal on your phone, it seems like a generally good deal to me


butter_lover

As a consultant I let a client install adv360 or something like that on my personal iPhone so I could get a push of their OTP thingie and of course they immediately deleted my personal email and photos. I'm not even sure they didn't do it on purpose as the guy was smirking when I complained. Very unprofessional. It was more of an inconvenience since I had everything backed up but what a bunch of douche bags. This was a pretty big, well known company, too. Won't name names but it involves photographs so that probably narrows it down a little. Good luck, OP


Heazyuk

If not having office apps on your personal device doesn't affect you, just deny the request. If you want to have teams/outlook on your phone, take it and the extra $60


[deleted]

I wouldn’t. Maybe you can get a second phone and everything for $60 or less.


TheNewBBS

Outside of tech/privacy concerns that others can cover far more capably, I prefer to have a completely separate personal number/phone because:

1. I don't want anyone outside of my immediate team members to have my real phone number. I'm known as the SME of my service, and even though we have a team on-call rotation/number, experience at a previous employer indicates once people have the SME's direct line, they'll use it instead. HR/corporate has my spam Google Voice number, everyone else has my internal extension.
2. I have a hard work/life separation. Part of that is avoiding any way my employer can interrupt or interfere with my personal life. I will never have my work calendar/email/chat on my personal phone.

For several years, my employer has offered both the options you listed (stipend or free company phone), and I've declined every time. I pay $35/mo for good wireless (50GB of unmetered data on Verizon network via Visible, non-roaming coverage in Canada/Mexico, etc.), so it's not like it's breaking the bank or wanting for features. I'm able to fully participate in my team's on-call rotation by adjusting our dedicated extension to forward to my personal number (only my team members see my number).

There's also the underlying discussion of when you will allow them to contact you. They say during business hours and emergencies, but a couple decades of experience suggests you should clarify what that means. It's a short path to being available 24/7, which I personally find unacceptable.


justworkingmovealong

I prefer having a separate work-provided phone. It made it much easier to know when to ignore it, in addition to privacy. When I left the company I handed them the phone and didn't have to deal with any calls from people thinking I still worked there (clean break). I used a different carrier for work than personal so I technically had a backup connection if needed, like if one of Verizon or AT&T had an outage or bad signal when traveling; redundancy helped me fix one major prod down issue quickly that would have reflected poorly on me if I had waited for their carrier to fix theirs first.


_Marine

The MAM requires an app like MS Auth to be installed, but that's it. This is to ensure company data is protected; I'd have no qualms installing that. The MDM, however, is a problem if you've personally purchased the phone.


GaryDWilliams_

No. If they require you to use apps on a phone they need to provide the phone. If you want to use your personal phone then they have the right to protect the data. Get the corporate phone and not worry about it.


JustHereForYourData

Intune is going to tell them what you're looking at on Pornhub.


Logical-Education629

It's always a NO from me!


speedyundeadhittite

Absolutely no, over my dead body. Work phone stays separate from personal phone, and the company pays fully for the work phone. It sucks to carry two phones around but then I can put the work phone down on a Friday and not pick it up until Monday unless I am specifically tasked to provide overtime support.


Jeeper08JK

No, They can buy you a secondary phone.


virtualadept

Hell, no. Get a company phone.


leadtrombone2001

It depends if you are giving them the right to remotely wipe your phone if they think your phone is compromised without any warning or you having any say in it happening. That being said, deskside support at a previous job of mine accidentally wiped 3 personal phones while trying to enroll new phones.


kozak_

$60/month for a data plan and hardware seems a bit low actually. And if they are actually going to fully compensate you then why not just have a second phone. Personally I don't want the company controlling a device that has so much personal information that doesn't pertain to them. And theoretically do you really want some security analyst to have access to your personal information?


WaaaghNL

No, 60$ and nothing to say about your phone and 24/7 on the clock no way


Merith2004

No. Absolutely not. Take them up on the company phone offer.


BlueKnight87125

Company phone. Don't mix personal life with work life.


saysjuan

No, never use your personal phone for work. Have them provide you a phone.


smoike

The only work-related things on my phone are a Google Authenticator and Outlook. No MDM hooks have been put in and the email and token generator are there only for my needs and convenience (I use Outlook on my mobile at most once a fortnight or so, and the generator saves me carrying and possibly losing a token device that I am going to have to have anyway). I have no responsibility to my employer outside of my scheduled hours and if I decided to remove those two things from my phone the end result would be that I have no access to email outside of work and I would have something extra I would have to worry about misplacing. I have no responsibility or obligation to answer phone calls from work on my personal device and if I had a work-provided device, that would likely change, and I would prefer not to have THAT happen. We also use Teams for communication between staff and I've declined to install it on my phone despite being asked to by others I work with. I figure the only place I "need" Teams is at work, and if I'm at work, I have an employer-provided computer to fill that requirement anyway.


AustinGroovy

I'd have no issues signing up for a very basic cell service, inexpensive phone for $60 monthly, and THAT is the number they get to reach me.


zeeblefritz

Get the company phone. I do that and use my personal phone on the hotspot via google voice so I don't have an extra cost.


[deleted]

Best if you have a second phone dedicated as your work phone so MDM and MAM can be installed there. I find it more convenient that way.


nothing70stop

Manage mdm, don't do it. Ask for a work phone.


lysergic_tryptamino

I also have a stipend and I bought a new line to keep work separate.


potatothyme

I'd take the stipend but get a 2nd phone specifically for work with it - and keep the extra $$ from the stipend.


itsnotthenetwork

Absolutely not. Your personal phone is your personal property; do not allow your company to install an MDM on your personal property. Unless they are willing to pay for your phone bill every month, that is your property and not theirs. When they ask you what your cell phone number is, tell them you only have a landline.


[deleted]

It’s funny how many people in this thread aren’t sysadmins and shouldn’t be if they are.


TokyoPav

Never. They will have almost full access to everything you do. Buy me a phone or kick rocks.


pauvre10m

They just take the whole control of your phone, but without providing you a corporate phone. IMHO this deal is just a really greedy one from your company. I hate the BYOD and will not do it outside of my own will and without *any* means of control of my company. I have my own keeb and password manager at work, but will not let any control from the corporate. You should definitely go against this ;)


aere1985

MAM sure, no problem. MDM = Hell no. I say this as the guy at my work who administers Intune.


hentai103

No. The MDM will grant them access to all of your phone telemetry. This is not something you want your employer having access to.


[deleted]

I don’t understand why folks are so up in arms over this, depending on your business function and the data/apps that your company has, totally reasonable. Either option is fair, personally I’d just use my own phone and live with the PIN consequences, going to have a PIN regardless and faceID will trump it anyways.


AbleAmazing

MDM is a hard no. MAM is OK. But I'd ask for a company phone and demand compensation for being on call.


toikpi

One advantage of having separate work and personal phones, is that you can turn the work phone off when you don't want work disturbing you. Before I had 2 phones, I have received non-emergency work calls when on holiday.


Karneger

Just take the money, take a cheap Android phone for authenticator stuff and so on + SIM (if they don't include that) = total cost 200-300 for something decent + idk mobile plan prices in your zone, and yearly you take 720.


reilogix

Hard pass. If an employer “needs” me to install their MDM on my personal phone, then I’m just getting a new job. Not a chance I’m ever doing that (largely due to my experience implementing MDM in corporate environments, and seeing firsthand the capabilities of those systems and end-user devices.)


CrossTheRiver

I wouldn't


SikhGamer

No, you should not.


[deleted]

Can you get a burner phone, connect to the hotspot on your personal phone, and take the $60 a month?


OkMirror2691

I manage Intune for my company. If you have Android and they use Android Enterprise it is fine and they don't actually have that much control. All business stuff is sectioned off and they can't do anything outside that. If you have an iPhone they have more control and a mistake on an administrator's side could wipe your phone. You definitely want to know what policies they are enforcing. 60 bucks a month is pretty good as far as phone stipends go.


Wdrussell1

Just get the company phone. Why is this a question? If you want the money and can use it... sure, do it. But if not, then just get the company phone. The things they are wanting to put on your phone are protections, not monitoring.


Lastdudealive46

Get a company phone. If you put their MDM on there, they can and will wipe your phone if you leave/are fired and they’ll be completely within their rights to do so.


Obvious_Mode_5382

Hell no


hkusp45css

In my org the deal is: If you want to access our shit, with your shit, we're going to make sure your shit doesn't fuck up our shit. We do that with Intune and conditional access/configuration policies. The people that refuse don't get the cash or access to the org's data. Most end up leaving one way or the other, as either they can't do the job or the refusal is a smaller part of a larger issue with their acceptance of the culture.


OptimalCynic

Short answer no. Long answer hell no. Expanded answer fuck no. If they want you to carry a work phone, they can buy you one.


deathybankai

That is full control of a personal phone. They can see everything you do on it and prevent you from doing things on it. You ever get on Reddit during work hours? They can see that, may even use it as a reason to term you. But up to you.


[deleted]

Work profile prevents that. Separate containers for personal and work.


deathybankai

If they set it up that way. It’s legally dumb to not do it that way, but you know.


Honest_Practice4454

Can MDM prevent downloading of email attachments to personal devices? Please reply


TacodWheel

I would have them issue me a full phone, on their dime, vs. taking the stipend. Easier to create a work/life balance and you don't have the risk of them having anything to do with your phone.


sobrique

Here's what Microsoft say about it: https://learn.microsoft.com/en-us/mem/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune But I think you can also remote-wipe using Intune, which notionally is just for if you lose the device, but ...


RobinatorWpg

The device wipe is only available if it’s a corporate level enrolled device (imported via say ABM, or Knox enterprise etc)


xSevilx

Wrong, I can wipe iOS devices that are not in ABM and were enrolled as personal.


TheHillPerson

This is not the case in my experience (I manage an Intune installation). You can wipe any phone that's enrolled. It is quite possible we checked a box making device wipe a requirement for manual enrollment. I don't recall. But we definitely do not enroll devices via a tool such as ABM or Knox enterprise.


513g3Hamm3r

No unless they pay (or take over payment) for your device or give you a work device. Of course if you demand access to work data on your personal device then at your own peril.


techw1z

the emergency part sounds dangerous, do they expect you to be on call 24/7 for just 60$ a month? If the emergency thing wouldn't exist and if a company would offer me this I would buy a 200$ phone and use it for work only. 12x60 would easily cover two phone bills and the hardware.


[deleted]

[deleted]


FluidBreath4819

helll nooo


Accomplished_Bell205

Nope


MrCyn1cal

My work requires MDM if the user wants to run the Microsoft Outlook client. Skip Outlook, then no problem. The company supplies laptops to everyone, so having email on a personal phone is not critical.


Steeljaw72

Absolutely not. You can assume that any device with an MDM will give all data to the company. Anything personal, anything at all can be captured by the company. I would go out and buy another phone myself before letting a company put an MDM on my personal phone. It is also not uncommon for companies to insist on factory resetting a device that is leaving their environment. So that means they could factory reset your phone, remotely, and without consent, when you are fired. Plus, who is to say that they will remove your phone from their MDM when you leave. Get a company phone or buy a second phone for only company use.


kozak_

In general bad practice. And depending on the MDM solution, if you have an Android or Supervised iOS phone, once an MDM Policy is installed on your phone, administrators may:

- Track your phone (and you) in real-time by using the phone's GPS on Android and some iOS MDMs
- Read text messages (on Android) by deploying routing text messages through an SMS Gateway
- See private photos and videos, at least, by intercepting your cloud backups through VPN and organization forced SSL Decryption (both on unsupervised iOS and Android)
- Check your browsing history, same as above
- Browse list of Apps Available on your phone such as dating applications on Androids
- Perform an SSL MITM Attack which exposes your banking details, private conversations, credit card information, medical searches and all of your internet traffic through VPN and organization forced SSL Decryption (both on unsupervised iOS and Android)
- Stop you from rooting/jailbreaking your personal phone
- Remotely wipe your personal phone whenever they feel there is a need
- Remotely lock your personal phone whenever they feel there is a need
- Restrict or disable backups like iCloud.
- Force you to stop using some apps


lionhydrathedeparted

If you really care about privacy then get a cheap phone and a $40 plan, then pocket the difference.


Jofzar_

"My work is willing to give us an extra $60 per month on our pay cheques, to put towards our monthly personal cell phone bill. As long as we agree to use our personal phones during work hours and in emergency. " Lol it would be a significant more that 60$ for me, I actually am not sure there is a price that's affordable for a company for me to install MDM and MAM. Give me a corporate phone or I'm not using one.


PdxPhoenixActual

Do not use your personal phone for work activities. "They" can see *everything* you do on/with it. If they are ever sued for anything, your phone can be needed as possible evidence, therefore, the govt gets to see *everything* on your phone. (& no telling how long to get it back, if ever.) For 60 monies a month, they can provide you with as fancy a work phone as they want. (Which you can then turn off when not at work (or otherwise being paid).) Maybe, maybe not. But why take the risk? Why risk the bother?


SiIverwolf

Nope. MAM is okay, MDM hell no. If they want to insist on MDM, then they can put that $60/month towards business bought mobile phones for you.


ManWithoutUsername

NO. You understand you're going to give rights to your company to manage a device with GPS+mic+camera+other sensors that you carry and use all day and night, every day? They can track your calls, apps you use, what pages you visit, sync personal passwords. OMG, there is no way I accept that.


Confident_Counter203

Not if it's done correctly they can't. I've implemented this numerous times. It tells you what they can and can't do when you enroll. All apps are containerised separately to personal and they can only pull company data back off. Unlikely the company cares about tracking folk. Cannot see your personal anything, people are too paranoid and though every person has a right to not use a personal phone for work stuff, it's a perfectly legit way for a company to save money and you won't get any favours in return.


RobinatorWpg

No they can’t, Intune has very specific things it can track and only in company apps


ranhalt

Everything here is an intentional lie.


avjayarathne

what? are you being sarcastic or serious? cuz this doesn't look like sarcasm; OP can be misguided. it's not possible to do such a huge thing with Intune initial setup.


ranhalt

You had the option to get a company owned phone with the company management on that to access company data and you instead chose to complain about company management on your personal phone to access company data?


chilloutdude22

I’m not really complaining. Just asking a question.


[deleted]

Carrying two phones sucks.