JorenBus

I will be getting a company smartphone (iPhone X), what will my company be able to track on my smartphone?


On iPhone, MDM is somewhat limited. I can't really see SMS or iMessages. What I can do is sandbox corporate data and ensure it doesn't leave non-corporate storage despite being on your phone. I can also enforce this -- if you disable my device administrator rights, I'll get an alert that it happened and your mail/calendar will suddenly become inaccessible.

 

In the case of the corporate-owned phone I can even lock you out of the device itself since I'm effectively the owner. Do keep in mind since your company pays the bills, they can see usage information in the carrier's portal and can even subscribe to carrier-level location tracking if they want. 

 

That being said, MDM deployments vary wildly by company. As a consultant I've got some clients going full snoop-mode with location tracking and automated check-ins with their field workers, and I've also got some folks who just want to have email on their phone but are required by govt or industry compliance to have some kind of controls in place. Airwatch and MobileIron will request the maximum rights on the device even if it won't utilize it, so you have to ask your company's IT dept for the details.

 

 


3 minutes ago, jake9000 said:

On iPhone, MDM is somewhat limited. I can't really see SMS or iMessages. What I can do is sandbox corporate data and ensure it doesn't leave non-corporate storage despite being on your phone. I can also enforce this -- If you disable my device administrator rights, I'll get an alert that it happened and access will be shut off. 

 In the case of the corporate-owned phone I can even lock you out of the device itself since I'm effectively the owner. 

  

That being said, MDM deployments vary wildly by company. As a consultant I've got some clients going full snoop-mode with location tracking and automated check-ins with their field workers, and I've also got some folks who just want to have email on their phone but are required by govt or industry compliance to have some kind of controls in place. Airwatch and MobileIron will request the maximum rights on the device even if it won't utilize it, so you have to ask your company's IT dept for the details.

If they're at a big consultancy (McKinsey, Bain, BCG) etc. then the activity is almost surely being logged like CRAZY. Having access to the strategy of big multinational corporations as well as the higher levels of government means tons of scrutiny. Same if the person works at Microsoft, Amazon or similar. 


Not only that but it gets looked at pretty regularly. I'm not big 4 but I am under SEC's jurisdiction. Even though I'm an IT consultant I'll occasionally get asked about my girlfriend's investments or have security nerds IM'ing me snippets of my audit trail asking what such and such thing is for. I was always under the impression that each employee generated so much data nobody could ever keep track of it, but insider threats are the #1 hot topic right now and data analysis has come incredibly far over the past couple years. 



Yes they can see the kind of pr0n you watch at all times



I don't get why people want a company device. It is just another thing to carry around. You need your separate devices for non work stuff.

9 hours ago, star_pilot475 said:

They won’t be able to track anything if you turn all location settings off and use a vpn. That way they might see that you’re in Scotland when you’re in Belgium or whatever.

The company can config the network to block VPN. Similar to my college Wifi won't allow me to use my VPN at all. 

11 hours ago, JorenBus said:

In October I'll start my first ever job at a big consultancy firm in Belgium, yay. Among other things, I will also get a free smartphone from the company.

This will be an iPhone X.

I get two choices: either transfer my current number to the new SIM and therefore use the iPhone X as my work phone as well as my personal phone (this is allowed), OR I can request a new number for the iPhone and use the iPhone as my work phone and my current smartphone (OnePlus 3) as my personal phone, which is kinda annoying if I have to have 2 phones on me at all times.

Now if I would get rid of my current smartphone, I would be using the company phone as my personal phone as well.

But right now I'm kinda wondering what they will be able to track if I were to use the iPhone as my personal phone.

In my contract it says that employees must be connected to "[Company] Mobile Device Management" infrastructure at all times.

I'm assuming this is an app that tracks everything on my phone?

If so, I'm wondering what they will be able to track. Like will they be able to read my Facebook Messenger conversations, be able to look at my Snapchats if they wanted to?

I value my privacy and I don't want other people to be able to read my messages if they so desire.

So basically, what can they track/see on this phone and not?

It really depends. They could be tracking nothing but what can be seen on the bill, or they can have software like my company does that's required for work and needs to be connected to their network, through which they can see everything I do.


Posted · Original PosterOP
13 hours ago, wANKER said:

If they're doing it right, they should make you sign a mobile usage policy, and in there, it should detail what they can track and have access to.

 

Generally speaking though, when it comes to Apple: 

 

Device location: (usually whenever it checks into the device manager, not real-time)

Data usage 

Installed application 

Installed management profiles 

Mobile number 

Device information - iOS version, IMEI, model etc. 

 

Usually all it comes down to.... 

It of course gives them management control over the device too (remote wipe, lock, locate etc.)

 

It WON'T give them access to what you would usually consider personal data - SMS, browsing history (not through the MDM at least) etc. 

And certainly won't give them access to application data. 

 

So the people saying 'everything' are talking out their arse.

 

 

 

 

I do indeed have a document called "Smartphone regulations". It contains all kinds of information, mainly about things you need to do when your device gets lost, damaged and so on. I've read through the entire document and it just briefly mentions the Mobile Device Management infrastructure, and nothing else about what they can track.

They did also say that I won't be able to use a VPN.

13 hours ago, GoodBytes said:

Just to add, on top of what is being said, remember that they get the ISP bill, so they see which phone numbers were called, and whom you send or receive an SMS.

In Europe, where dual SIM phone is a popular thing, usually people put their personal SIM and work SIM, and the OS does a decent separation between the two. However, it is best to have 2 separate phones.

I don't think iPhone supports dual sim though?

6 hours ago, Teddy07 said:

I don't get why people want a company device. It is just another thing to carry around. You need your separate devices for non work stuff.

Well I can't refuse the company phone, it's mandatory.

3 hours ago, Slurs Gang said:

The company can config the network to block VPN. Similar to my college Wifi won't allow me to use my VPN at all. 

Indeed, it says in my contract that I won't be able to use a VPN.


15 hours ago, dDave64 said:

 

Yeah. This.

 

The level of granular access they get to the phone is dependent on how much they actually want to see what you’re doing. Some things are harder to see than others but this is the tech world, there is a way. They have a right to see anything their device is being used for.

 

I’ve even seen it where an admin can remote into a phone and see what’s on screen currently. In fact, I’ve done it myself as an IT admin. You need a special system for this but it’s out there.

I will say this though. It's not normally our policy to snoop. We all have triggered alerts like overly large amounts of data usage or in one case we had someone trying to access a "free" streaming site. In the case of BYOD (bring your own device), we have problems mitigating things like people watching porn on their phones, or downloading an app that really is just spyware, or any number of things, and then plugging them in at work or signing them onto the work WiFi.

It's like unprotected sex with everyone at the office. 

So we have these kind of features for the purpose of keeping our domains clean and mitigating security risks. Not so that we can see everything you do or where you go. That kind of thing only happens when we have employees that we suspect of either watching Netflix all day or we get an email notification saying that there was something really bad accessed. Otherwise we generally don't look at the logs.

18 hours ago, Slurs Gang said:

The company can config the network to block VPN. Similar to my college Wifi won't allow me to use my VPN at all. 

With the right MDM settings, they wouldn't even be able to change the location settings at all, let alone disable them.



I would keep my old phone for personal use and the new one for business use. What I would do is to just insert a prepaid sim card into the company phone.


On 4/15/2019 at 1:13 PM, Velcade said:

It's best practice to keep work and home separate, this goes for all technology.  It is likely they will be able to monitor a lot on their phone.

 

 

IT be like, nice tinder profile bro, the angle on that dique-pique could be better tho. oh and why did you save that on your  company icloud?


If it's an MDM then it very clearly states what they're controlling when you go into "System - iOS MDM" under General -> Profile -> (Your Company Name) -> More Details -> System -iOS MDM.  People saying "oh they can see everything" :  iOS is different/better about privacy and security, they don't just let shit run wild like Android does.

 

Also keep in mind that at a large corporation, IT departments are going to be lazy/bloated/stupid and not really give a shit about your individual device.  If you're planning on stealing corporate secrets, use a second phone.


3 hours ago, dalekphalm said:

With the right MDM settings, they wouldn't even be able to change the location settings at all, let alone disable them.

Idk what that is but I can't use my VPN in my college Wifi. If my college can do that then the company can do that too.


Anything and everything.

 

Do nothing on that phone, unless you want them to know about it.

 

End of story.


13 hours ago, Slurs Gang said:

Idk what that is but I can't use my VPN in my college Wifi. If my college can do that then the company can do that too.

I'm assuming you're talking about your personal phone? If so, no, MDM wouldn't be a factor (MDM is "mobile device management" - it's the mobile equivalent of joining a computer to a corporate Active Directory Domain). MDMs need to be installed and configured.

 

In your case, they are likely blocking VPN protocols or they are blocking the ports themselves that the VPN connects on.


42 minutes ago, Steven123123 said:

I once knew a drug dealer that balanced having two phones by attaching velcro to the backs of them

I mean... yeah that would work.

