evil_bunnY
Apr 2, 2003

Celexi posted:

I tried the keyboard sound thing using 3 different microphones and so far it can't figure out what my keyboard is doing even remotely. and it is a cheap mechanical keyboard lol
welcome to academia

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
ok someone correct me if I’m wrong

my company is a contractor for BigTech Co. and I’ve recently been added to that team

as part of the remote onboarding process, BigTech Co. requires that we do an ID verification process.

one of the steps of that verification process is

a) adding the BigTech Co. email to our device accounts
b) Installing an App on our phone
c) On iOS going to Settings -> General -> Device Management and “Trusting” BigTech Co.

this is essentially just adding the certificates so that BigTech Co can remotely manage my device no?

I ask because my employer does not give us work devices as we do not use our phones for work purposes so I’m 100% not comfortable doing this

If it’s just a siloed certificate for the purposes of Id verification that I can just remove afterwards then that’s less worth escalating for

dpkg chopra fucked around with this message at 14:11 on Apr 10, 2023

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
sounds like you're getting the full mdm experience on your personal device

i wouldn't recommend it if you have a choice

Drastic Actions
Apr 7, 2009

FUCK YOU!
GET PUMPED!
Nap Ghost
yeah, buy a cheap phone and put it on that instead.

Farmer Crack-Ass
Jan 2, 2001

~this is me banning u irl~
if you don’t use your personal phone for work stuff then they have absolutely no cause to ask you to do poo poo on your personal phone


also don’t use your personal phone for work stuff

Farmer Crack-Ass
Jan 2, 2001

~this is me banning u irl~
the gently caress kind of “ID verification” is that anyway

Cybernetic Vermin
Apr 18, 2005

yeah. i think this is where op can judge for themselves, if it must be buy a cheap phone for this task (you can get a perfectly passable android for very little), but if there's any room whatsoever do complain and make a ruckus, because other employees are otherwise silently getting hosed

Shaggar
Apr 26, 2006

dpkg chopra posted:

ok someone correct me if I’m wrong

my company is a contractor for BigTech Co. and I’ve recently been added to that team

as part of the remote onboarding process, BigTech Co. requires that we do an ID verification process.

one of the steps of that verification process is

a) adding the BigTech Co. email to our device accounts
b) Installing an App on our phone
c) On iOS going to Settings -> General -> Device Management and “Trusting” BigTech Co.

this is essentially just adding the certificates so that BigTech Co can remotely manage my device no?

I ask because my employer does not give us work devices as we do not use our phones for work purposes so I’m 100% not comfortable doing this

If it’s just a siloed certificate for the purposes of Id verification that I can just remove afterwards then that’s less worth escalating for

If you installed an MDM profile then yes they can manage your device. They might also install some certificates related to that and/or you have to trust the certificate that signed the MDM profile, but the key part is the profile itself. You can see the profile details to see what it will apply, but generally speaking an MDM profile is going to give them full access to do whatever they want to your device.

If they are using Office 365 instead of some also-ran, you could add the email to the Outlook app, which can silo email securely within the app itself. This allows management of that account data without full device access, so long as it's set up by the company. If you add the email account to iOS itself, they're going to want to manage your entire device.

Shaggar
Apr 26, 2006
the only company related app you should have on your phone is microsoft authenticator for MFA

i am a moron
Nov 12, 2020
I’m like…. 99% sure that ‘fully managed MDM’ on a personal iPhone gets a company very little.

https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf

Apple intentionally makes a distinction between corporate owned and personal.

Achmed Jones
Oct 16, 2004



that's how google onboards iphones. iirc the mdm only gives remote wipe and some settings (eg enforce an n-character passcode). im sure they'd love to have more, but i think apple has it pretty locked down what mdm can do

unless you just don't care, make somebody buy you a workphone

Cybernetic Vermin
Apr 18, 2005

i am a moron posted:

I’m like…. 99% sure that ‘fully managed MDM’ on a personal iPhone gets a company very little.

https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf

Apple intentionally makes a distinction between corporate owned and personal.

what i would like to see is an explicit mention that it doesn't mean they get to install (something effectively amounting to) a root certificate. because that is not that little.
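Both of the points raised so far, Shaggar's "you can see the profile details to see what it will apply" and the worry above about a profile quietly adding a root certificate, can be checked offline before tapping Trust. The script below is an added example written for this thread, not code from any of the posts. It parses an unsigned .mobileconfig with Python's standard plistlib, decodes the AccessRights bitmask of the com.apple.mdm payload (the bit values are the ones documented in Apple's MDM protocol reference) and flags a com.apple.security.root payload. The sample profile, its identifiers and the host mdm.example.invalid are constructed for the example. Two caveats: a profile that shows as signed on the device is a CMS/PKCS#7 DER blob, so unwrap it first with something like `openssl smime -verify -noverify -inform DER -in enroll.mobileconfig -out enroll.plist`; and an MDM payload that carries the "install/remove configuration profiles" right can push further payloads, certificates included, after enrollment, so the enrollment profile tells you what the channel is allowed to do, not everything that will later arrive over it.

```python
# Added example for this thread: inspect a .mobileconfig before tapping "Trust". Expects an
# unsigned XML plist (unwrap a signed CMS profile first; see the note above).
import plistlib

# AccessRights bit values of the com.apple.mdm payload (Apple MDM protocol reference).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Payload types a device owner should notice in the profile's detail view.
NOTEWORTHY = {
    "com.apple.mdm": "MDM enrollment (persistent remote-management channel)",
    "com.apple.security.root": "root CA certificate (device will trust a new CA)",
    "com.apple.security.pkcs12": "identity (certificate plus private key)",
}

def decode_access_rights(mask: int) -> list:
    """Expand the AccessRights bitmask into the rights it grants, lowest bit first."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

def inspect_profile(data: bytes) -> dict:
    """Summarise what a configuration profile will do once installed."""
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a top-level configuration profile")
    report = {
        "name": profile.get("PayloadDisplayName"),
        "organization": profile.get("PayloadOrganization"),
        "user_removable": not profile.get("PayloadRemovalDisallowed", False),
        "payloads": [], "mdm_server": None, "mdm_rights": [],
        "installs_root_ca": False, "can_erase_device": False,
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        report["payloads"].append((ptype, NOTEWORTHY.get(ptype, "")))
        if ptype == "com.apple.mdm":
            rights = decode_access_rights(int(payload.get("AccessRights", 0)))
            report["mdm_server"] = payload.get("ServerURL")
            report["mdm_rights"] = rights
            report["can_erase_device"] = "device erase" in rights
        elif ptype == "com.apple.security.root":
            report["installs_root_ca"] = True
    return report

def summarize(report: dict) -> str:
    # Plain-text verdict; the three yes/no lines at the end are what to read first.
    lines = [f"{report['name']} from {report['organization']}"]
    for ptype, note in report["payloads"]:
        lines.append(f"  payload {ptype}  {note}".rstrip())
    if report["mdm_server"]:
        lines.append(f"  MDM server: {report['mdm_server']}")
        lines.append("  MDM rights: " + ", ".join(report["mdm_rights"]))
    lines.append(f"  user can remove it: {report['user_removable']}")
    lines.append(f"  installs a root CA: {report['installs_root_ca']}")
    lines.append(f"  can wipe the whole device: {report['can_erase_device']}")
    return "\n".join(lines)

# Constructed sample, not a real profile: full-rights MDM enrollment plus a root CA with junk bytes.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enroll</string>
  <key>PayloadUUID</key><string>1F0A6C2E-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Example Corp Enrollment</string>
  <key>PayloadOrganization</key><string>Example Corp</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.enroll.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.enroll.ca</string>
      <key>PayloadContent</key><data>MIIBADAC</data>
    </dict>
  </array>
</dict></plist>
"""

if __name__ == "__main__":
    print(summarize(inspect_profile(SAMPLE_PROFILE)))
```

Run it against the profile exported from the device (or pass the file's bytes to `inspect_profile`) and compare the output with what Settings shows under the profile's "More Details"; the two lists of payloads should match, and anything the script flags as a root CA or as carrying the device erase right is exactly the part that a plain "ID verification" step has no reason to need.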

SIGSEGV
Nov 4, 2010


The only company apps you should have installed should go on the company owned phones, and they should be charged at the office and they should go in the desk drawer at the office when you leave.

SIGSEGV fucked around with this message at 15:54 on Apr 10, 2023

hobbesmaster
Jan 28, 2008

remote wipe is a very huge concern on a personal phone because they’ll send that command as soon as you no longer work for that company. since it’s contract work that makes it sound preplanned.

i am a moron
Nov 12, 2020

Cybernetic Vermin posted:

what i would like to see is an explicit mention that it doesn't mean they get to install (something effectively amounting to) a root certificate. because that is not that little.

Honestly, if you've ever managed a BYOD Apple phone via MDM you know what they are saying here is explicitly true. You can require passcode complexity, block rooted/jailbroken phones, and require certain iOS levels. The rest of your access via MDM is limited to corp data/apps. No location data or anything else.


SIGSEGV posted:

The only company apps you should have installed should go on the company owned phone, and they should be charged at the office and they should go in the desk drawer at the office when you leave.

I’ll take the $100 stipend :shrug:

i am a moron
Nov 12, 2020

hobbesmaster posted:

remote wipe is a very huge concern on a personal phone because they’ll send that command as soon as you no longer work for that company. since it’s contract work that makes it sound preplanned.

It can’t wipe the entire phone, just company data lol

Cybernetic Vermin
Apr 18, 2005

what is the mechanism for differentiation here?

i am a moron
Nov 12, 2020

Cybernetic Vermin posted:

what is the mechanism for differentiation here?

There is an entire enrollment process for iPhones that starts at point of purchase. You can't flip a BYOD phone to corporate owned

crazypenguin
Mar 9, 2005
nothing witty here, move along

Shaggar posted:

If you add the email account to ios itself, they're going to want to manage your entire device.

I've always been a bit confused about this, because Amazon didn't require it, so it's absolutely not a requirement for any compliance thing. And it seemed like it could remote wipe just the email/whatever, without any MDM installed.

so why doesn't everybody do that?

i am a moron
Nov 12, 2020
And to be clear: if you want to worry about MDM on your own mobile phone, I wouldn't say it's the worst thing to be leery about, especially on an Android. But having worked with it directly with BYOD iPhones I'm personally not concerned when companies want to put MDM on my personal phone cause they really can't do poo poo with it

Cybernetic Vermin
Apr 18, 2005

i am a moron posted:

There is an entire enrollment process for iPhones that start at point of purchase. You can’t flip BYOD phone to corporate owned

right, and i am not being disingenuous, just wondering how it works: what is the mechanism for something to be considered corporate data?

nudgenudgetilt
Mar 18, 2003

work profile makes it way more tolerable on android -- mdm can be configured to only apply to the "work" profile, so your personal profile remains untouched

i am a moron
Nov 12, 2020

Cybernetic Vermin posted:

right, and i am not being disingenuous, just wondering how it works: what is the mechanism for something to be considered corporate data?

Oh gotcha. It’s limited to apps installed by the MDM itself

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy
They can also see what apps you have installed to see if you have a jailbreak app. They could also see you have Grindr and 20 different poly dating apps. Also just looked at mine and I can't have erotica in Apple Books :argh: .

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.

i am a moron posted:

Oh gotcha. It’s limited to apps installed by the MDM itself

i'm not sure what the process is for this kind of enrolment, but in my direct experience, allowing the device management that you are prompted for when adding an account from exchange/microsoft online allows remote lock and complete remote wipe.

there is a newer option from ios 14 or so that allows a selective wipe of only the data synced to the account, but that is an admin-side option, the complete device wipe is still available to the administrator.

this is only if you use the native ios mail app though. the outlook app, for example, is completely sandboxed and adding an account to it does not allow device wipe, only the app data.

Beeftweeter
Jun 28, 2005

yeah it's kind of important to distinguish between exchange MDM and apple's MDM

Shaggar
Apr 26, 2006
looks like Apple has support for user-based profiles that work similar to how Outlook/Azure app-based profiles work, but there's nothing that prevents your company from installing a device-based profile to completely manage your device.

i am a moron
Nov 12, 2020
Err, yes there is. Read Apple's documentation, it's literally impossible lol, page 2 of the link I posted

You can’t get full corporate control over an iPhone you didn’t purchase as a company and isn’t enrolled via ABM. And those warnings about remote wipe still ONLY apply to business data not your entire phone

i am a moron fucked around with this message at 18:22 on Apr 10, 2023

SlowBloke
Aug 14, 2017

dpkg chopra posted:

ok someone correct me if I’m wrong

my company is a contractor for BigTech Co. and I’ve recently been added to that team

as part of the remote onboarding process, BigTech Co. requires that we do an ID verification process.

one of the steps of that verification process is

a) adding the BigTech Co. email to our device accounts
b) Installing an App on our phone
c) On iOS going to Settings -> General -> Device Management and “Trusting” BigTech Co.

this is essentially just adding the certificates so that BigTech Co can remotely manage my device no?

I ask because my employer does not give us work devices as we do not use our phones for work purposes so I’m 100% not comfortable doing this

If it’s just a siloed certificate for the purposes of Id verification that I can just remove afterwards then that’s less worth escalating for

On iPhone you can have a managed device or a supervised device. Supervised is far more powerful in the remote management options but requires the device to be set up using ABM at purchase or with Configurator (and then wiped). Managed will still provide a lot of data so I strongly advise you to contact your company to have them send you a cheap burner phone.

Beeftweeter
Jun 28, 2005

afaik configurator doesn't work anymore? i'm not sure you can do that with modern ios versions

SlowBloke
Aug 14, 2017

Beeftweeter posted:

afaik configurator doesn't work anymore? i'm not sure you can do that with modern ios versions

I've used it two days ago on an iPadOS 16.4 device to enroll it onto ABM so no, it still works fine.

Beeftweeter
Jun 28, 2005


SlowBloke posted:

I've used it two days ago on an iPadOS 16.4 device to enroll it onto ABM so no, it still works fine.

oh huh. maybe i was thinking of configuration utility? i haven't done MDM stuff in a real long time

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.

i am a moron posted:

Err yes there is you read apples documentation it’s literally impossible lol page 2 of the link I posted

You can’t get full corporate control over an iPhone you didn’t purchase as a company and isn’t enrolled via ABM. And those warnings about remote wipe still ONLY apply to business data not your entire phone

regardless of what apple's documentation states, i literally just tested this in microsoft 365 on an iphone SE that was my old personal phone and has never in any way been tied to the microsoft 365 tenant or had any kind of corporate profile installed on it.

specifically i created a test user, and added the mailbox to ios mail from the mail settings page, configured it as an "exchange" account, and did the automatic sign-in with all defaults. the only consent i was prompted for was the organization's microsoft 365 "new app" consent page to allow apple mail to access the organization. once approved, the account was added on the device.

when i opened the microsoft exchange admin, and browsed to the mobile device details page, i had the option to "wipe device" or "remote wipe data only". choosing "wipe device" immediately forced a factory reset on the phone, which is now sitting at the activation screen.

so yes, your exchange admin absolutely can remotely wipe your device to factory defaults if you add an exchange account to the native ios mail app.

Zamujasa
Oct 27, 2010



Bread Liar
do not put work poo poo on your personal phone.

cinci zoo sniper
Mar 14, 2013




Zamujasa posted:

do not put work poo poo on your personal phone.

i am a moron
Nov 12, 2020

infernal machines posted:

regardless of what apple's documentation states, i literally just tested this in microsoft 365 on an iphone SE that was my old personal phone and has never in any way been tied to the microsoft 365 tenant or had any kind of corporate profile installed on it.

specifically i created a test user, and added the mailbox to ios mail from the mail settings page, configured it as an "exchange" account, and did the automatic sign-in with all defaults. the only consent i was prompted for was the organization's microsoft 365 "new app" consent page to allow apple mail to access the organization. once approved, the account was added on the device.

when i opened the microsoft exchange admin, and browsed to the mobile device details page, i had the option to "wipe device" or "remote wipe data only". choosing "wipe device" immediately forced a factory reset on the phone, which is now sitting at the activation screen.

so yes, your exchange admin absolutely can remotely wipe your device to factory defaults if you add an exchange account to the native ios mail app.

Yea this is accurate (and hilarious) apparently in certain conditions, so if your company is cheap and using EAC and you're using the native mail app be careful. Doesn't apply if you're using Outlook. If your company isn't stupid as hell you shouldn't be able to use the native app and they're using Intune where this isn't a thing

shame on an IGA
Apr 8, 2005

i am a moron posted:

If your company isn’t stupid as hell

lol

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
I have dug up an oldass iPhone 7 and done the needful

BigTech Co.’s id verification app wants a QR code and the webpage that hands them out doesn’t work for whatever reason and hopefully will stay that way forever

sb hermit
Dec 13, 2016





dpkg chopra posted:

BigTech Co.’s id verification app wants a QR code and the webpage that hands them out doesn’t work for whatever reason and hopefully will stay that way forever

:nice:

on the vein of id verification...

I hate having to sign up for irs and experian and all that poo poo as an american because if you don't set up your account then someone else will do it and I imagine that id theft is a real pain in the rear end to address

even worse is experian because they take account creation as a carte blanche justification to spam the heck out of you

america in 2023, baby!

SlowBloke
Aug 14, 2017

Beeftweeter posted:

oh huh. maybe i was thinking of configuration utility? i haven't done MDM stuff in a real long time

Apple's original MDM solution that talked to an Apple macOS Server (Profile Manager and Managed Preferences) is no longer functional, maybe you were remembering that? Every active MDM solution will ask you to tinker with Configurator 2 (forcing you to get at least one MacBook and one iPhone since there is no Windows build)
Intune has this flow to enable supervised on devices purchased outside of ABM https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-manually-add-devices-in-apple-business-manager-abm-or/ba-p/2328462
