Remote management of employees personal cell phones ...
-
@scottalanmiller said in Remote management of employees personal cell phones ...:
And then they said "We want to get back the thing we just gave up."
Which do they want, to not pay for the phones, or to control the data? They have to choose.
Not really. Proper MAM/MDM systems can surgically handle company data on a personal device...
- The app keeps only an encrypted cache. It validates the account is active every xxx minutes, days, hours. Encrypted cache auto purged at xxx hours without communication with corp network.
- The app usage is geo-fenced to specific areas.
- When possible, data doesn't actually live on the phone. You have an SSO app on the phone that validates your access (and other criteria like network or location) and then brokers access to the other apps, or externally hosted SaaS assets.
This is how we do it. No need to brick my phone to take out company data, or turn anyone's smart phone dumb.
-
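The cache lease and geo-fence checks described in the post above, sketched as an added example; it is not part of the original post and not the code of any MDM/MAM product. The intervals, fence coordinates and every name below are assumptions standing in for the post's "xxx" values.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Policy:                          # hypothetical policy pushed by the MAM server
    revalidate_every: timedelta        # "validates the account is active every xxx"
    purge_after_offline: timedelta     # "auto purged at xxx hours without communication"
    fence_center: tuple                # (lat, lon) in degrees
    fence_radius_km: float

@dataclass
class CacheState:                      # what the app remembers between launches
    last_server_contact: datetime
    account_active: bool
    purged: bool = False

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def evaluate(policy, state, now, location):
    """Decide what the app does on open: 'purge', 'deny', 'revalidate' or 'allow'."""
    offline = now - state.last_server_contact
    # Purge is sticky: a disabled account or an expired offline lease destroys
    # the encrypted cache, and nothing short of re-enrolment brings it back.
    if state.purged or not state.account_active or offline >= policy.purge_after_offline:
        state.purged = True
        return "purge"
    # No location fix is treated the same as being outside the fence (fail closed).
    if location is None or haversine_km(location, policy.fence_center) > policy.fence_radius_km:
        return "deny"
    # A negative offline time means the device clock moved backwards; the wall
    # clock is user-controlled, so force an online check instead of trusting it.
    if offline < timedelta(0) or offline >= policy.revalidate_every:
        return "revalidate"
    return "allow"

# Constructed sample values, not taken from the thread.
SAMPLE_POLICY = Policy(timedelta(minutes=15), timedelta(hours=72), (43.6532, -79.3832), 25.0)
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
```

Only the corporate cache is touched by a "purge" decision here, which is the point the post makes about not needing a full device wipe.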
-
@Emad-R said in Remote management of employees personal cell phones ...:
What a freekn shame, I can't believe I had more freedom in my previous workplace than I have in Canada, and I lived in what you guys call third world developing countries, hell we even made more progress, where I work now everything is blocked, even SSH to other servers that is not company servers are blocked, that mentality is so stupid, and basically tells you we don't trust you. You should worry on hiring good people and that's it. Why do you do all the references check, and job checks then limit your employees and constantly monitor them?
Huh - I can't say I agree with you at all. Why do you need access to non-company servers over SSH? This is their network and they are trying to protect it. I suppose the company could have been burned by a previous employee, therefore they don't trust their employees, but really it seems much more likely that they are simply trying to protect themselves from crap they don't need ON their network - like SSH traffic to servers they don't control.
-
@StorageNinja said in Remote management of employees personal cell phones ...:
This is how we do it. No need to brick my phone to take out company data, or turn anyone's smart phone dumb.
What MDM are you using?
-
-
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
You can certainly do this with Intune and Office 365. Basically you'd be able to wipe all corporate data as long as it's kept in Office 365.
With Office 365 MDM, you can't disable the ability to do a full remote wipe. You do have more control over that with GSuite. Does Intune give you more control?
I'm pretty sure you can do what I described, but I'm not 100% sure.
It's not a question of what you can do, it's a question of what can the IT department be prevented from doing. The difference between wiping company data and wiping the whole phone just being different buttons does not reassure me.
This is how you do it - from MS link I posted earlier
"Enable your users to more securely access corporate information using the Office mobile and line-of-business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed by Intune."
If you restrict actions like copy, cut, paste, saving, screenshots, etc., then you keep the data inside Office Mobile. Then you just remove the Office Mobile app remotely.
Are you able to enable remote removal of the app with just this feature?
You actually don't even have to do that. If they cannot log in they cannot get to any of the data.
Assuming an encrypted cache, this sounds like a viable option. We have 100 Intune licences, so I can insist on being one of the users managed by Intune rather than Office365 MDM. But based on my recent experiences, I'm not too keen to have email or Teams on my phone.
-
@flaxking said in Remote management of employees personal cell phones ...:
Assuming an encrypted cache, this sounds like a viable option. We have 100 Intune licences, so I can insist on being one of the users managed by Intune rather than Office365 MDM. But based on my recent experiences, I'm not too keen to have email or Teams on my phone.
What experience is that?
-
Not to derail or side track, one of the issues I have with BYOD is the phone number that the individual has. I am sure there is an answer I have just not thought about. I have pushed for 100% company issued phones due to the nature of a cell number being a point of contact. I am in an industry that has turnover. When field personnel build a relationship with our customer and leave, the number goes with them if it is not ours. Any thoughts?
We use Meraki MDM paired with Apple Configurator profiles. FYI.
-
@popester said in Remote management of employees personal cell phones ...:
Not to derail or side track, one of the issues I have with BYOD is the phone number that the individual has. I am sure there is an answer I have just not thought about. I have pushed for 100% company issued phones due to the nature of a cell number being a point of contact. I am in an industry that has turnover. When field personnel build a relationship with our customer and leave, the number goes with them if it is not ours. Any thoughts?
We use Meraki MDM paired with Apple Configurator profiles. FYI.
This is semi easy - a PBX/SIP app on the phone tied to your PBX. The number belongs to you (the company); the app just logs in and accepts calls.
-
@Dashrender said in Remote management of employees personal cell phones ...:
What MDM are you using?
We "own" Workspace ONE/AirWatch.
-
@Dashrender said in Remote management of employees personal cell phones ...:
Huh - I can't say I agree with you at all. Why do you need access to non-company servers over SSH?
In any regulated industry, preventing the exfiltration of data is a hard requirement. Allowing outbound SSH would make it trivial for people to sneak data out (or bad stuff in).
-
@Dashrender said in Remote management of employees personal cell phones ...:
What experience is that?
Nothing to do with the application, just to do with being always working. I did a 108 hour week followed by a 90 hour, followed by a 70 hour. I've now removed all work communication from my phone in order to try to get some peace when I can.