Don’t Put Your Work Email on Your Personal Phone

[Trik'Stari]

6 hours ago, jstudrawa said:

So incorrect and social justice warrior loaded.

 

Many companies don't require it but you benefit greatly from having work email on your phone.  No they don't spy on you, there are very few major corporations that put anything on your phone at all.  The majority just have you add an account to Outlook's app.  Easy peasy.

 

No need to stand on a soapbox about it.  It's not the end of the world and saying they're not worth working for is naïve as hell.  

 

Most times the expectation that you'll have email on your phone, work extra hours outside of the 9-5 grind, weekends, parking tolls, continuing education, etc... these are all usually built in your salary and acceptable.   When you get paid to be a part of the growth and leadership of the company it's all part of it.

 

Hard line in the sand just makes you an asshole at the office.  Companies want people who are part of the solution and work toward growth, not nit pick over childish things like email on a phone.

 

 

I've no problem with email on my phone. My problem comes when you want to install something on my device.

 

Also I don't work outside normal hours without getting paid, but then again I'm hourly. It's definitely one thing I would specify when taking a salary position that I either get overtime or will not work outside normal working hours.

 

You can call me childish or naive if you want, but you're wrong. I've seen firsthand how companies go way overboard with demanding salary employees work extra hours without pay, to a ridiculous extent.

 

As for things like parking/tolls? I'd expect to be reimbursed or to pay with the companies money. That's how my current company operates. If I have to spend my own money to get a project done, the company reimburses me on top of what I already make.

[caldrin]

Not all our users where I work need a mobile but some still want to have emails on their phone.

 

So we give them a choice you either comply to the requirements.. i.e. us being able to wipe company data off the phone when we want to or you dont have access

But its their choice, if they are a user that requires a mobile and access to emails outside of the office then the company will provide them a phone.
Use Intune and conditional access here to lock down access and set requirements. 

[Ethariel01]

ActiveSync and personal phone no problem worked fine, when it came to MDM and being told 'Not to Worry' we won't remote wipe your phone unless you tell us it's lost...................... I'll have a new company phone then please (for the 3 or 4 days a year I don't have a laptop about).

[Dedayog]

2 hours ago, Trik'Stari said:

I've no problem with email on my phone. My problem comes when you want to install something on my device.

 

Also I don't work outside normal hours without getting paid, but then again I'm hourly. It's definitely one thing I would specify when taking a salary position that I either get overtime or will not work outside normal working hours.

 

You can call me childish or naive if you want, but you're wrong. I've seen firsthand how companies go way overboard with demanding salary employees work extra hours without pay, to a ridiculous extent.

 

As for things like parking/tolls? I'd expect to be reimbursed or to pay with the companies money. That's how my current company operates. If I have to spend my own money to get a project done, the company reimburses me on top of what I already make.

Then you obviously work in a service or manufacturing  company or do not work a management position.  Neither is bad nor good, just shows mindset usually or expectations of company.

 

There is a marked difference between being an install tech for an internet company vs being Controller for a real estate developer for example.  When the CEO sends an email out, I check it and provide any assistance I can.  If I am busy, I say so and get to it in the morning.  

 

If I have a meeting at another developers office or attend a function, I can afford a $6 parking fee for it.  I view it as part of my salary and position.  I COULD get reimbursed from the company, but a few bucks here and there isn't a big deal.  Nor is logging into the bank at night to verify escrow funds, putting in a few hours on the weekend to finalize financial reports or review a pro forma for a new shopping center, etc.

 

I think its all relative to your position and job, but some are sticklers for every dollar and dime.  Tho most don't look at it from the other side of things.

 

Do you install software on company owned devices/computers?

 

Do you use company resources for personal issues?  Their phones?  The time they are paying you for?  

 

Hell I am on this forum during work, so it's a give and take.  Work and life are fluid, not black and white.  

[linkboy]

This is why I use Nine on my Note 8. It sandboxes my work email so I didn't have to install Google Device Manager (we use all Google software). Plus, it's a damn good email app.

 

I like having access to my email, it helps me plan out my day. I was out sick on Tuesday, got a lot of emails from customers with questions, and was able to knock them out first thing Wednesday morning and not be blindsided by a mass amount of emails.

 

I don't answer them outside of work, but I like having the access.

[Velcade]

14 hours ago, Trik'Stari said:

"You don't get to install something on my device, that's my property. If you want me to carry a device that enables me to work, that you can install things on, then you need to provide that device. End of story. No exceptions."

This has always been my policy.  I've never had a company push back on this.  If you want me to have mobile email, give me a company phone.

[dalekphalm]

9 hours ago, jstudrawa said:

So incorrect and social justice warrior loaded.

 

Many companies don't require it but you benefit greatly from having work email on your phone.  No they don't spy on you, there are very few major corporations that put anything on your phone at all.  The majority just have you add an account to Outlook's app.  Easy peasy.

 

No need to stand on a soapbox about it.  It's not the end of the world and saying they're not worth working for is naïve as hell.  

 

Most times the expectation that you'll have email on your phone, work extra hours outside of the 9-5 grind, weekends, parking tolls, continuing education, etc... these are all usually built in your salary and acceptable.   When you get paid to be a part of the growth and leadership of the company it's all part of it.

 

Hard line in the sand just makes you an asshole at the office.  Companies want people who are part of the solution and work toward growth, not nit pick over childish things like email on a phone.

 

 

I was gonna say, in most cases people are probably just using the Outlook App for a personal phone's work email - I'm sure some companies will insist on an MDM, but at the same time, if they've already provided remote access (Example: OWA for o365) and you know the login info, they can't really stop you from configuring the email yourself.

9 hours ago, Warcorer said:

I agree with jstidrawa's post, I work and manage MaaS360 MDM and were soon changing over to Meraki's Systems Manager (MDM). We don't spy on anyone's device at all, we even have it in our policy that we are unable to view any other information on the user's device as well as verbally stating the same thing during a new employee's training. We use an MDM because it gives us access to selectively wipe the user's work email in case they lose their device, the device is stolen, or if the employee leaves the company. As we have a BYOD policy at my work almost all of the user's do bring their own devices and we also can provide devices if necessary but so far no one has wanted or had the need to.

We use Meraki MDM and as far as I'm aware, it's not possible to use it to spy on a user (for iOS certainly, I assume same restrictions for Android). Most (if not all) MDM's are going to be the same - in iOS's case, MDM's rely on Apple's PUSH commands. And AFAIK, there's no PUSH command that allows you to read data off the device remotely.

 

With that in mind, some MDM suites may include third party software that installs directly onto the phone and allows full control and spying. This software is not an MDM in-and-of-itself. An MDM is a management profile, not a third party piece of software.

7 hours ago, Maticks said:

most of these device controls that you get as an adminstrator mostly through Exchange.

All you get access to is Wipe the phone or remove the account from the device setup.

 

I have not seen any of these let people access a phones photo's, web history or other content.

I would imagine any application trying to do this would find itself remove from Google or Apple store right away.

 

I personally have one phone with my work and personal email.

If you have a worry about content on your phone or programs, sites you are visiting on your phone.

you probably should have a second phone, but being on work wifi running these things is likely a bigger problem than content stored on your device.

Yes indeed. It's a lot easier for a company to snoop your network traffic (Maybe not the specifics, but fairly easy to see the sites you go to, for example) - and of course they'll have full access to the emails sent via work email - but unless they're using third party software installed directly onto the phone, they are not using an MDM to spy on you.

 

With that in mind, being one of the IT SysAdmins, even if an MDM was on my phone, I'd feel confident it wouldn't be remotely wiped without my permission. But if I wasn't in that position, I simply wouldn't allow an MDM onto my device. That's a choice each person needs to make on their own.

[wANKER]

Linking to an Exchange account DOES NOT install an MDM profile. 

Exchange device management is very limited, and does not extend to monitoring. 

 

Installing an MDM profile onto a phone is more than just 'Ok' - on iOS at least, you first have to Trust the publisher and then install the profile, all with user interaction and a clear explanation of what the profile allows. 

 

I manage and develop our MDM platform, of around 300 iOS devices, and honestly wouldn't even say you can use it for spying if you wanted. 

For devices enrolled into the platform as corporate owned, the monitoring extends to: 

• Location of the device 
• Data usage 
• Applications installed
• Encryption status 
• Passcode Status 
• Mobile number 
• SIM Number 
• Roaming status 
• etc. 
• etc. 

If the devices are enrolled as employee owned, then that data is even more limited/protected. 

 

Companies DO NOT GIVE A FUCK 

All they care about is that their data is secure. 

Which is the primary reason for an MDM. 

Want corporate email/resources on your own phone? Guess what, I'm going to want to known if it's encrypted, secure, and have the ability to wipe or trace it if need be. 

 

I've not had much experience with Android as far as device management is concerned, but Apple/iOS is absolutely solid on user privacy. 

There's a reason we have to get our carrier to submit devices we purchased to Apple, then from Apple to our MDM to give us a small amount of control. 

[HarryNyquist]

8 hours ago, mr moose said:

I've got a better reason not to put your work email on your private phone,  Personal life and time away from work is very important, it's your time not your bosses. 

 

Don't take your work home with you unless work is your R&R. 

Putting email on your personal phone is a quick way to get burnt out. I would wager 80% of jobs do not require 24/7 around-the-clock email watching. If it's a big enough deal that someone needs to contact you, they can contact you. That's how it's always worked in my experience.

[wANKER]

3 hours ago, Ethariel01 said:

ActiveSync and personal phone no problem worked fine, when it came to MDM and being told 'Not to Worry' we won't remote wipe your phone unless you tell us it's lost...................... I'll have a new company phone then please (for the 3 or 4 days a year I don't have a laptop about).

Would you not want your phone to be wiped if you lost it anyway?

[dalekphalm]

4 minutes ago, wANKER said:

Would you not want your phone to be wiped if you lost it anyway?

1. If it's an iOS device, the owner can do that remotely via FindMyiPhone/iCloud anyway

2. Some people may not trust their IT department to accidentally send such a command - yeah that'd be a huge red flag, but most people don't have much of a choice in terms of who they work for.

 

I think it's more about control. They want to be the ones making that decision, not their employers.

[2FA]

We use Intune and Outlook at work but employees have the option of using their own phone or a company phone. We only use Intune to make sure the device is secure and don't monitor anything else. Also, most employees don't even have access to their email outside of the workplace if I'm not mistaken. I have it on my personal phone because I'm technically on call for issues regarding the networking equipment but those issues are rare and I'm not about to use a second phone for that nor make the company phone my primary (I don't care for iPhones).

[wANKER]

9 minutes ago, dalekphalm said:

1. If it's an iOS device, the owner can do that remotely via FindMyiPhone/iCloud anyway

2. Some people may not trust their IT department to accidentally send such a command - yeah that'd be a huge red flag, but most people don't have much of a choice in terms of who they work for.

 

I think it's more about control. They want to be the ones making that decision, not their employers.

Oh I totally agree. 

 

It all comes down to principal rather than factual reason and understanding. 

If people took the time to actually read their work's IT policy, and the data usage policy of MDMs etc., I can garuntee they wouldn't have a problem. 

But instead it's just, YOU WANT TO INSTALL SOMETHING ON MY PHONE???!?!?!? SPYING ?!?!?!?!? NOPE NOPE I'LL LEAVE THE COMPANY FUCK YOU

[dalekphalm]

For those interested, here's an example of what an MDM (Microsoft InTune - though other MDM's are similar) can see on a personal (or even corporate) device:

https://practical365.com/clients/mobile-devices/can-microsoft-intune-see-managed-mobile-devices/

 

The biggest concerns would be a total list of applications (because you might not want your employer seeing you have WeedMaps installed, for example - or "CuteAnimePorn" or whatever you get up to in your personal time). You can also potentially see the phone number associated with the device, and of course, you can remotely unlock or wipe the device.

 

You cannot read emails (unless they're corporate emails - and in that case, you're not doing that through the MDM, but directly through the email service) or see web traffic or see text messages or essentially access any of the actual data on the device.

 

There are still ways it could be potentially abused, which the article goes into (such as remotely unlocking a device and then literally snooping through it), but these are things that can and should be addressed via clear policies, and trust. And of course, strict and swift discipline if someone on the Admin side violates that trust.

[Leviathan-]

4 hours ago, wANKER said:

Linking to an Exchange account DOES NOT install an MDM profile. 

Exchange device management is very limited, and does not extend to monitoring. 

 

Installing an MDM profile onto a phone is more than just 'Ok' - on iOS at least, you first have to Trust the publisher and then install the profile, all with user interaction and a clear explanation of what the profile allows. 

 

I manage and develop our MDM platform, of around 300 iOS devices, and honestly wouldn't even say you can use it for spying if you wanted. 

For devices enrolled into the platform as corporate owned, the monitoring extends to: 

• Location of the device 
• Data usage 
• Applications installed
• Encryption status 
• Passcode Status 
• Mobile number 
• SIM Number 
• Roaming status 
• etc. 
• etc. 

If the devices are enrolled as employee owned, then that data is even more limited/protected. 

 

Companies DO NOT GIVE A FUCK 

All they care about is that their data is secure. 

Which is the primary reason for an MDM. 

Want corporate email/resources on your own phone? Guess what, I'm going to want to known if it's encrypted, secure, and have the ability to wipe or trace it if need be. 

 

I've not had much experience with Android as far as device management is concerned, but Apple/iOS is absolutely solid on user privacy. 

There's a reason we have to get our carrier to submit devices we purchased to Apple, then from Apple to our MDM to give us a small amount of control. 

As an Administrator, this is true. Do not yell into the air that your company is spying on you because they require MDM if you want e-mail. That's what Facebook is for. Your Administrator is almost always going to be on your side, we really do not care what you do on your personal devices. If your on a company device/network, bet your ass we know about it.
 

I'm not going to get into the technical about what Intune or JAMF can and can't do except for the following for personal devices.

1. Your apps are not visible unless they are company apps or managed apps IE) Outlook, Word, Skype for Business etc. Find all the weed you want on that map.
2. Your location is not visible or retrievable unless the device is iOS and it is Supervised, meaning it's 100% company owned and it's not yours. That device is managed.

[TetraSky]

I've known about this ever since I tried to add my school's email to the gmail app on Android, it asked me if I wanted to make it the device's administrator... and if I selected no, it wouldn't add the email... So I uninstalled Gmail and just installed Outlook(free), which let me add the email just fine without having it be the device administrator. (Though the option is still there if I want it)

[Chett_Manly]

If you believe your work is going to spy on you using the e-mail client on your phone, maybe just go find another job. 

 

I have my works G-Mail on my phone, and I am not afraid, because I know who I work for. Good people.

[AnonymousGuy]

iOS already isolates what you can do with MDM and makes it very clear what you're getting into.  They don't get carte blanche like they probably might be able to do on Android.

 

I value being able to keep up on emails and IM's more than the zero-chance our IT department cares about what apps I have installed.  I have perfectly fine work-life balance.  

[Trik'Stari]

10 hours ago, jstudrawa said:

Then you obviously work in a service or manufacturing  company or do not work a management position.  Neither is bad nor good, just shows mindset usually or expectations of company.

 

There is a marked difference between being an install tech for an internet company vs being Controller for a real estate developer for example.  When the CEO sends an email out, I check it and provide any assistance I can.  If I am busy, I say so and get to it in the morning.  

 

If I have a meeting at another developers office or attend a function, I can afford a $6 parking fee for it.  I view it as part of my salary and position.  I COULD get reimbursed from the company, but a few bucks here and there isn't a big deal.  Nor is logging into the bank at night to verify escrow funds, putting in a few hours on the weekend to finalize financial reports or review a pro forma for a new shopping center, etc.

 

I think its all relative to your position and job, but some are sticklers for every dollar and dime.  Tho most don't look at it from the other side of things.

 

Do you install software on company owned devices/computers?

 

Do you use company resources for personal issues?  Their phones?  The time they are paying you for?  

 

Hell I am on this forum during work, so it's a give and take.  Work and life are fluid, not black and white.  

I do work in service. IT infrastructure service and deployment.

 

I have a company email, although I'm currently locked out of it, not sure why. I expect they set a timed deletion for the account when I gave 3 weeks notice a while back. But then the job I was leaving for fell through (bullshit with a staffing agency. They didn't even bother to tell me until I called the day before my last day and asked why they hadn't sent me any information regarding where I was supposed to go or who I was supposed to report to the following monday) and ended up staying. I assume they forgot to tell the data-center people to not delete my email account.

 

Mostly I nitpick every little thing, because that's the way they behave towards us. Even down to the way we image computers on our imaging cells. They want us to image in a way that's less efficient and more physically laborious, rather than a way that gets the same amount of work done, but means we sit there for 10-40 minutes (depending on the model type) waiting for the image to finish.

 

I tend to find that management creates their own problems by being assholes about the smallest, most unimportant things.

[GoodBytes]

What I don't get with these MDM that companies likes to put, is that nothing stops the employee to use the phone web browser of their choice to just use the web version. Some companies even support POP/IMAP, so you can by-pass the need of the MDM and use a mail that allows manual configuration of POP or/and IMAP.

[dalekphalm]

8 minutes ago, GoodBytes said:

What I don't get with these MDM that companies likes to put, is that nothing stops the employee to use the phone web browser of their choice to just use the web version. Some companies even support POP/IMAP, so you can by-pass the need of the MDM and use a mail that allows manual configuration of POP or/and IMAP.

MDM's are not for managing email, they're for managing the device itself. And you can use them to do things like enforce a passcode requirement (so that if your phone is stolen, the work email is protected).

 

Furthermore, with some email providers, you can disable POP/IMAP access, or disable web access - that depends on your specific email implementation though.

[GoodBytes]

9 minutes ago, dalekphalm said:

MDM's are not for managing email, they're for managing the device itself. And you can use them to do things like enforce a passcode requirement (so that if your phone is stolen, the work email is protected).

Yes, I know that. But you need it if you want to access your corporate e-mail, calendar, and sometimes even company WiFi.

My point is, most companies, also have a web version of the e-mail. If the company uses Office 365, good chances that it has the web version. Nothing stops you of opening Chrome or Safari or whatever, and go to office355 website and login with your company credentials, and access your e-mail that way.

 

 

9 minutes ago, dalekphalm said:

Furthermore, with some email providers, you can disable POP/IMAP access, or disable web access - that depends on your specific email implementation though.

That is correct. But some companies don't, hence my point that if they didn't disable it, you can use that as a by-pass from needing to install MDM (and probably go against your employer contract, but the the point is that there is not much point in MDM for many companies as it is not properly enforced due to different ways to by-pass it)

[dalekphalm]

4 minutes ago, GoodBytes said:

Yes, I know that. But you need it if you want to access your corporate e-mail, calendar, and sometimes even company WiFi.

No. You don't. An MDM is not required to access those things. It can be a requirement of your company, but it's not a requirement unless they make it one.

4 minutes ago, GoodBytes said:

My point is, most companies, also have a web version of the e-mail. If the company uses Office 365, good chances that it has the web version. Nothing stops you of opening Chrome or Safari or whatever, and go to office355 website and login with your company credentials, and access your e-mail that way.

Sure. Unless they disable OWA in o365, which would prevent that.

4 minutes ago, GoodBytes said:

That is correct. But some companies don't, hence my point that if they didn't disable it, you can use that as a by-pass from needing to install MDM (and probably go against your employer contract, but the the point is that there is not much point in MDM for many companies as it is not properly enforced due to different ways to by-pass it)

Indeed. Some companies do things. Other companies do different things.

 

The whole point is that if you're doing stuff like accessing work email in a way that's against policy, then there's a serious work trust relationship issue to begin with, and either you should quit, or you should be fired (depending on context).

 

MDM's largely have nothing to do with email. MDM's are about enforcing device policies, like things like ensuring a lock code exists, or restricting apps or enforcing other apps or lots of other things. MDM's can do email related things, but that's not what an MDM is specifically about.

 

If a company is paying for an MDM just for email related things on BYOD devices, they're probably wasting their money.

[GoodBytes]

6 minutes ago, dalekphalm said:

No. You don't. An MDM is not required to access those things. It can be a requirement of your company, but it's not a requirement unless they make it one.

I have yet to work at a company that doesn't force MDM to access your company e-mail/calandar Exchange Server.

 

Quote

Sure. Unless they disable OWA in o365, which would prevent that.

Indeed. Some companies do things. Other companies do different things.

Yup.

 

Quote

The whole point is that if you're doing stuff like accessing work email in a way that's against policy, then there's a serious work trust relationship issue to begin with, and either you should quit, or you should be fired (depending on context).

Yup. 

 

Quote

MDM's largely have nothing to do with email. MDM's are about enforcing device policies, like things like ensuring a lock code exists, or restricting apps or enforcing other apps or lots of other things. MDM's can do email related things, but that's not what an MDM is specifically about.

(and tracking personal activity that can be used against you and falls with the above point), but yea.

 

Quote

If a company is paying for an MDM just for email related things on BYOD devices, they're probably wasting their money.

My point exactly.

Again, I said, "some company", not all.

 

 

As pointed by the OP, if it MDM bugs you, use 2 different phones, or I would like to add: you can see in having a dual account on your phone. One for personal, and the other for work. Or you can by-pass this, if the company has openings, but of course, you need to see with your employer contract that you signed.

 

[dalekphalm]

2 minutes ago, GoodBytes said:

I have yet to work at a company that doesn't force MDM to access your company e-mail/calandar Exchange Server.

And? That's a company decision, not a technical requirement.

2 minutes ago, GoodBytes said:

 

Yup.

 

Yup. 

 

(and tracking personal activity that can be used against you and falls with the above point), but yea.

What personal activity can they track? MDM's can't spy on you. They have specific information they can see, like what apps are installed (but only if the device is configured as a company owned one - devices configured as personal devices will hide this info), but they won't be able to see your text messages or your web traffic.

2 minutes ago, GoodBytes said:

My point exactly.

Again, I said, "some company", not all.

I'm really not sure what your point is, actually.

 

Yeah some people will be able to bypass having to install an MDM by using Webmail, or a third party email client. Those people either don't trust their employers (and should quit), or are violating company policy (and should be fired).