
1192 points gniting | 15 comments
andsoitis No.43519910
> everyone knows all the apps on your phone

On Android phones. iPhone doesn’t have this privacy deficiency.

replies(10): >>43519937 #>>43519943 #>>43520950 #>>43521020 #>>43521389 #>>43521565 #>>43522434 #>>43522575 #>>43523112 #>>43526348 #
1. wkat4242 No.43520950
On iOS it's kinda worse in some ways. If you enroll into a company MDM they can see all your apps.

On Android if they use the work profile (which is the standard method these days) they can only see the apps inside there.

replies(4): >>43521149 #>>43521150 #>>43521257 #>>43521463 #
2. fashion-at-cost No.43521149
I would have to strongly recommend nobody enroll a personal device in a company MDM. If the company needs you to have mobile connectivity that badly, they can give you a device.
replies(1): >>43526389 #
3. jmb99 No.43521150
I mean... isn’t that expected of an MDM? I have always assumed that any company device (i.e. any device enrolled in an MDM) is under 100% control and surveillance of that company. Being able to see my installed apps is the least of my worries.
replies(1): >>43522793 #
4. asah No.43521257
Get a separate device for work?
replies(1): >>43521857 #
5. mgriepentrog No.43521463
Apple introduced account-driven enrollments in 2021[1], which behave similarly to Android's work profile. Managed apps/data are kept in their own APFS volume, and MDM servers don't have access to anything outside of it. They also disallow system-wide commands like wipe device. The only caveat is you need managed Apple IDs[2] to use this enrollment flow, and I doubt many companies have set it up.

Regardless, MDM installed app visibility is limited to those users who opt-in to an organization managing their personal device, and isn't an effective way to broadly gather what apps a given person has installed. What's described in this post would work on any user/device, and there's no way to deny/opt-out of specific permissions.

[1] https://developer.apple.com/videos/play/wwdc2021/10136/ [2] https://support.apple.com/guide/apple-business-manager/use-m...

replies(2): >>43522615 #>>43522734 #
6. pjerem No.43521857
Ask for a separate device for work.
replies(1): >>43522797 #
7. whs No.43522615
I'm working on implementing this for the company, and the annoying limitation on iOS is that you can't clone apps. If you want Gmail (as an example) as a managed app, you can't have another Gmail as an unmanaged app. While the company can't see inside the managed Gmail app (without the app itself explicitly providing that feature), the company can remove Gmail (and any local data inside the app) at any time.

Fun fact from the MDM implementation: the most private way (at least with respect to the company policies) to have a company-connected device is to buy a separate phone and install the company's MDM on it. On company-provided devices, the company may locate the company's assets at any time, but doing so on a personal device is a privacy breach.

replies(1): >>43522750 #
8. wkat4242 No.43522734
Yes I know about User Enrolment. The problem is the managed Apple IDs are a complete and total dealbreaker. So I'm not even considering this as an option.

The reason is that Apple demands that the UPN (the account ID) and the email address are the same. For us this is not the case (our UPN is our employee number as an email address, whereas our email address is just our name). And obviously we're not going to change this for ten thousand users because Apple wants to (most of whom don't have Apple devices because we're a European company). Also, you have to manually decide what happens to each user that has already created an account with their corporate email address and what to do with the content they purchased on it. This is not feasible for a large corp. We have raised this with our Apple account manager for years and years but they simply don't care. If you work in this realm you probably know that Apple doesn't really care about things that matter for their corporate customers anyway. The consumer is their main client and it shows (unlike with Microsoft, where it's the opposite).

So the whole account-driven enrolment (User Enrolment) as well as everything else depending on managed Apple IDs like DEP for Macs is completely out of the window.

The problem in my opinion is that I as an admin can simply query for example all the employees that have something like Grindr installed. Considering the current political climate in the US (or worse, the middle east where this can lead to a death sentence in some cases) it's obvious why this is super bad. And really, why should we be able to do this at all?

9. wkat4242 No.43522750
Yes, Apple hates the idea of work-badged apps that Android has. I have to admit, a lot of our users don't grok it either at first. However once they realise the benefits (the company has much less visibility, AND they can turn off the work section completely with the touch of a button) they usually come around pretty quickly.

The bad part of this is that apps have to specifically support the multiple profiles option, otherwise they can't be used for this.

And yes, I agree, that is the best way. We have the same restrictions for personal devices. Though I as an admin know we never use the locate functionality (and I know every person who has access to it).

replies(1): >>43526372 #
10. wkat4242 No.43522793
No I (as a mobile admin) don't think it should be like that at all, at least not for BYOD devices.

Android has this really well worked out with their work profile. It's like having a company VM on your phone. Really great separation.

But on Apple we can't use a similar option which I admit does exist, but there's too many strings attached (see the discussion above).

11. wkat4242 No.43522797
True, if you use it for work they should provide you one.

The problem is of course carrying two devices with you.

12. illiac786 No.43526372
Do you know if account-driven enrolment requires different phone numbers for the MDM-managed apps and the personal ones? Specifically for the dialer app, for example.
replies(1): >>43541124 #
13. illiac786 No.43526389
I think it’s a personal decision. I really, really do not want to carry two huge slabs around. One is already too much.

Account-driven MDM enrolment pushes the Pareto front when it comes to privacy/convenience compromises, from my point of view. I will ask my IT if they have already looked at it.

replies(1): >>43541667 #
14. wkat4242 No.43541124
I don't believe they do, no. The numbers aren't all that important in terms of MDM. We don't even see the number if someone inserts a second private SIM in their company phone. We consider that personal information we shouldn't even know.
15. fashion-at-cost No.43541667
The benefit of the two-device approach comes when you don't carry both devices for the majority of the time. If I'm not explicitly on call, my work device isn't with me. Anything anyone says to me will wait until I'm back in the office.

If you have the self control to refuse to ever check Slack and disable all notifications/etc on your personal phone when not on call, this doesn’t apply as much. But for me I default to trying to stay on things and forcing myself to disconnect is a net good, even if it does mean I carry two phones at times. My pockets are large.