This depends on the configuration of the MDM and the MDM vendor. For example, most MDM deployments to Android for instance conform to Android For Work, which functions in practice to a virtual machine from a user’s perspective, and doesn’t have access to a non workspace content. iOS has a similar functionality which, while less commonly used, is there specifically for use on personal devices to sandbox off ‘work’ content where pervasive features like factory resets and access to phone logs and sms records don’t function, and you can’t access the more advanced features without having purchased the device via a corporate account.
SimpleMDM has a credit card-less trial which you could set up to see what features exist and how they work from the vendor side. You won’t have access to some of the ‘supervised’ features without being a business,but you can see the buttons offered when you aren’t a corporate-purchased device readily enough.
For corporate owned devices, the rules are very different though.
I have a little experience with Microsoft’s intune and there are different ways to register devices. Someone feel free to correct me because I don’t feel like logging in to double check. Company owned devices have more control and can restrict apps, lock, full wipe, etc. Personal or “bring your own” devices are much less restricted. I can’t lock, wipe, or restrict apps. For the personal devices, it’s more about giving secure access to the companies resources and not really controlling the device. I work for a small business and only use this to setup access to non important documents for employees in the field so I know just enough to be dangerous.
I can’t read your emails, text messages, I can’t remote into your phone without your permission. The info we have is very limited. You know how we can see that information? If you gave us your phone and password :-)
So if the info it provides is very limited, why are companies pushing for it? Why should I install it on my personal phone so I can access Teams and Outlook?
Because if you are accessing company data, the company needs to ensure it’s safe. If you don’t want outlook or Teams access, you don’t have to enroll your device. In some cases companies will purchase a corporate owned device for you. An MDM allows companies to restrict copying data from work to personal and vice versa. If your device gets stolen and is compromised, it allows the company to wipe it. It can also locate the decide if it’s lost.
An MDM allows companies to restrict copying data from work to personal and vice versa.
So is having MDM useless if you also have corporate webmail? Because not having MDM on my phone means I just go to my webmail site on my phone for email, and I can copy there if I need to.
If your device gets stolen and is compromised, it allows the company to wipe it. It can also locate the decide if it’s lost.
Google’s “Find Device” allows for finding and wiping a device by default on Android.
So it’s really just those two features? Doesn’t really seem worth the hassle unless there’s something else they’re getting out of it.
The data is valuable and it provides some amount of data security. Any MDM worth a shit will wall off your Android with a work profile and that’s the only part that’s actually controlled by the MDM. They can also mandate a minimum level of security before accessing the work profile.
Webmail can be used as a workaround, but allowing it is more of a convenience issue than a security consideration. Depending on your security team it could be a major hole or not an issue. Authentication requirements can offset the vulnerabilities somewhat, such as short timeouts, MFA, etc.
In my experience, users like you are what make MDM a requirement in any environment. People that refuse to participate in any security processes because they think they know better than the people whose job is literally cybersecurity are almost always the cause of major incidents. That’s how my current employer got a huge ransomware attack and why I’m not allowed to install anything on my phone or laptop without spending several hours on hold with the help desk.
Gotta love getting down voted for trying to learn more about a topic. Looks like Reddit culture is seeping in here.
Anyway, when you say:
They can also mandate a minimum level of security before accessing the work profile.
What does that mean? I thought MDM was just making it so I couldn’t copy data and that my employer could wipe/locate my phone. But it sounds like you’re saying it’s actually doing something more like creating a separate environment, almost like a VM, on my phone? Or is it different than that? My work MDM said they want to look at applications that you have installed. That was too much of a privacy invasion for me, so I chose not to use work apps on my phone.
In my experience, users like you are what make MDM a requirement in any environment. People that refuse to participate in any security processes because they think they know better than the people whose job is literally cybersecurity are almost always the cause of major incidents.
Yeah, our IT systems would be exponentially more secure if we didn’t have users too. One can dream, I suppose.
… actually they aren’t wrong. MDMs are given special permissions including but not limited to reading your SMSes and phone records, restricting and monitoring your installed apps and even wiping your device.
I’m not sure what MDM you’re subjected to but I’ve been an MDM engineer for 7 years using Intune and JAMF and no, no SMS or phone records. Even the phone # is blanked out minus the last 4 digits. Yes we can wipe the devices if it’s lost\compromised but personal versus corporate owned devices are limited. I can’t see what apps you have that were personally installed. And the only info I can get are the device stats (SN, IMEI, storage, battery, memory, etc).
Yeah I have looked at those solutions and one not on your list (MobileIron, not sure if they’re still around). I don’t know why anyone would choose those solutions but good call.
Can you support your claims? I’ve worked with Intune, Jamf, MaaS360, Citrix, and Workspace ONE and none of them could read texts, emails or browser history.
I’d be very interested to learn more about how they can access this information through MDM. We always did it through either the mobile carrier or the admin console for whatever the office/mail suite that was deployed.
I looked through your links. I don’t see anywhere that SMS can be read. The permission kind of makes sense as there is a security component to filter spam/phishing type texts. Sophos themselves claim they don’t store any of that data.
I hadn’t ever seen the call log one and I’m not sure what that would even be used for. It was interesting though.
App lists is common across all MDMs. It’s used to ensure apps are being updated and on fully owned corporate devices some apps will be blocked.
It seems like many don’t really understand how this technology works. That said, it’s better to be overly careful and I agree with others in the comments. If you want me to use a mobile device for work you can provide it, I don’t put MDM on my personal device*.
*the exception being our own MDM we have setup to manage our personal devices more easily.
I looked through your links. I don’t see anywhere that SMS can be read.
From the link, emphasis mine. SMC is the MDM in question
Read SMS or MMS
Allows an application to read SMS messages stored on your device or SIM card.
Malicious applications may read your confidential messages.
SMC usage:
Read the initial configuration and further server notifications. 2. Read all SMS for Backup.
This link provides more information and explicitly states the following:
Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, or emails. Sophos Mobile does not access any data outside of the Sophos container.
and
Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, emails, or data on the SD card.
Sophos has a strong cybersecurity focus which, I’d imagine, is why they have the message filtering option that they do.
I’m not a Sophos admin, never have been, so I can only speculate but it might be to restore a message that was altered due to the filtering if captured incorrectly.
I’m also not sure why it specifies SMS but not RCS. I do know Sophos uses SMS to communicate between a device and Sophos Central.
Without more context and information it’s hard to say what exactly happening from the permissions KB.
I can’t definitively say it’s not possible but I’ve never heard of an MDM that allows an admin to read user texts. I appreciate the links, it helps to understand where you’re coming from.
I still remain skeptical but, like I said, better to be over cautious than under. I’d be leery of any company that tried requiring me to use my personal device with MDM.
Everywhere I’ve worked with BYOD it’s been optional to use your personal device. If you were in a role that required it you’d get a company provided device.
Please cite any one of your sources. I’ve managed MDM for over a decade and you’re spreading misinformation.
Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc. On the contrary, almost every single one provides an information screen during the enrollment that makes it abundantly clear that they do not (and can not) access that data. Moreover, the “wipe” of data is the removal of company data. It doesn’t wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.
Moreover, the “wipe” of data is the removal of company data. It doesn’t wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.
These people really don’t know how MDM solutions work.
Can you elaborate? I have simple mdm on my work phone and would like to know exactly what they see and can do
Not that I am hiding anything. It’s more curiosity at this point
Posted from my personal phone
This depends on the configuration of the MDM and the MDM vendor. For example, most MDM deployments to Android for instance conform to Android For Work, which functions in practice to a virtual machine from a user’s perspective, and doesn’t have access to a non workspace content. iOS has a similar functionality which, while less commonly used, is there specifically for use on personal devices to sandbox off ‘work’ content where pervasive features like factory resets and access to phone logs and sms records don’t function, and you can’t access the more advanced features without having purchased the device via a corporate account.
SimpleMDM has a credit card-less trial which you could set up to see what features exist and how they work from the vendor side. You won’t have access to some of the ‘supervised’ features without being a business,but you can see the buttons offered when you aren’t a corporate-purchased device readily enough.
For corporate owned devices, the rules are very different though.
I have a little experience with Microsoft’s intune and there are different ways to register devices. Someone feel free to correct me because I don’t feel like logging in to double check. Company owned devices have more control and can restrict apps, lock, full wipe, etc. Personal or “bring your own” devices are much less restricted. I can’t lock, wipe, or restrict apps. For the personal devices, it’s more about giving secure access to the companies resources and not really controlling the device. I work for a small business and only use this to setup access to non important documents for employees in the field so I know just enough to be dangerous.
I can’t read your emails, text messages, I can’t remote into your phone without your permission. The info we have is very limited. You know how we can see that information? If you gave us your phone and password :-)
So if the info it provides is very limited, why are companies pushing for it? Why should I install it on my personal phone so I can access Teams and Outlook?
Protection from liability and often a requirement of insurance.
Because if you are accessing company data, the company needs to ensure it’s safe. If you don’t want outlook or Teams access, you don’t have to enroll your device. In some cases companies will purchase a corporate owned device for you. An MDM allows companies to restrict copying data from work to personal and vice versa. If your device gets stolen and is compromised, it allows the company to wipe it. It can also locate the decide if it’s lost.
So is having MDM useless if you also have corporate webmail? Because not having MDM on my phone means I just go to my webmail site on my phone for email, and I can copy there if I need to.
Google’s “Find Device” allows for finding and wiping a device by default on Android.
So it’s really just those two features? Doesn’t really seem worth the hassle unless there’s something else they’re getting out of it.
The data is valuable and it provides some amount of data security. Any MDM worth a shit will wall off your Android with a work profile and that’s the only part that’s actually controlled by the MDM. They can also mandate a minimum level of security before accessing the work profile.
Webmail can be used as a workaround, but allowing it is more of a convenience issue than a security consideration. Depending on your security team it could be a major hole or not an issue. Authentication requirements can offset the vulnerabilities somewhat, such as short timeouts, MFA, etc.
In my experience, users like you are what make MDM a requirement in any environment. People that refuse to participate in any security processes because they think they know better than the people whose job is literally cybersecurity are almost always the cause of major incidents. That’s how my current employer got a huge ransomware attack and why I’m not allowed to install anything on my phone or laptop without spending several hours on hold with the help desk.
Gotta love getting down voted for trying to learn more about a topic. Looks like Reddit culture is seeping in here.
Anyway, when you say:
What does that mean? I thought MDM was just making it so I couldn’t copy data and that my employer could wipe/locate my phone. But it sounds like you’re saying it’s actually doing something more like creating a separate environment, almost like a VM, on my phone? Or is it different than that? My work MDM said they want to look at applications that you have installed. That was too much of a privacy invasion for me, so I chose not to use work apps on my phone.
Yeah, our IT systems would be exponentially more secure if we didn’t have users too. One can dream, I suppose.
… actually they aren’t wrong. MDMs are given special permissions including but not limited to reading your SMSes and phone records, restricting and monitoring your installed apps and even wiping your device.
I’m not sure what MDM you’re subjected to but I’ve been an MDM engineer for 7 years using Intune and JAMF and no, no SMS or phone records. Even the phone # is blanked out minus the last 4 digits. Yes we can wipe the devices if it’s lost\compromised but personal versus corporate owned devices are limited. I can’t see what apps you have that were personally installed. And the only info I can get are the device stats (SN, IMEI, storage, battery, memory, etc).
Intune and JAMF are not the only MDMs on the market. There are others that do offer these capabilities, at least on Android.
SMS reading:
https://support.sophos.com/support/s/article/KB-000034436?language=en_US
Call log reading:
https://knowledgebase.42gears.com/article/how-to-view-call-logs-on-android-phones-remotely-using-suremdm/
And app lists:
https://help.ivanti.com/mi/help/en_us/cld/admin/ivanti/91/all/en-us/App_Inventory.htm
Yeah I have looked at those solutions and one not on your list (MobileIron, not sure if they’re still around). I don’t know why anyone would choose those solutions but good call.
I also don’t know why anyone would use these either FWIW
Can you support your claims? I’ve worked with Intune, Jamf, MaaS360, Citrix, and Workspace ONE and none of them could read texts, emails or browser history.
I’d be very interested to learn more about how they can access this information through MDM. We always did it through either the mobile carrier or the admin console for whatever the office/mail suite that was deployed.
SMS reading:
https://support.sophos.com/support/s/article/KB-000034436?language=en_US
Call log reading:
https://knowledgebase.42gears.com/article/how-to-view-call-logs-on-android-phones-remotely-using-suremdm/
app lists:
https://help.ivanti.com/mi/help/en_us/cld/admin/ivanti/91/all/en-us/App_Inventory.htm
I looked through your links. I don’t see anywhere that SMS can be read. The permission kind of makes sense as there is a security component to filter spam/phishing type texts. Sophos themselves claim they don’t store any of that data.
I hadn’t ever seen the call log one and I’m not sure what that would even be used for. It was interesting though.
App lists is common across all MDMs. It’s used to ensure apps are being updated and on fully owned corporate devices some apps will be blocked.
It seems like many don’t really understand how this technology works. That said, it’s better to be overly careful and I agree with others in the comments. If you want me to use a mobile device for work you can provide it, I don’t put MDM on my personal device*.
*the exception being our own MDM we have setup to manage our personal devices more easily.
From the link, emphasis mine. SMC is the MDM in question
2. Read all SMS for Backup.
Yep, it’s part of their message filtering that I mentioned.
This link provides more information and explicitly states the following:
and
Sophos has a strong cybersecurity focus which, I’d imagine, is why they have the message filtering option that they do.
…why would they need to backup all SMS messages for a filtering option? That just plain does not compute.
The short answer is to restore it:
I’m not a Sophos admin, never have been, so I can only speculate but it might be to restore a message that was altered due to the filtering if captured incorrectly.
I’m also not sure why it specifies SMS but not RCS. I do know Sophos uses SMS to communicate between a device and Sophos Central.
Without more context and information it’s hard to say what exactly happening from the permissions KB.
I can’t definitively say it’s not possible but I’ve never heard of an MDM that allows an admin to read user texts. I appreciate the links, it helps to understand where you’re coming from.
I still remain skeptical but, like I said, better to be over cautious than under. I’d be leery of any company that tried requiring me to use my personal device with MDM.
Everywhere I’ve worked with BYOD it’s been optional to use your personal device. If you were in a role that required it you’d get a company provided device.
Please cite any one of your sources. I’ve managed MDM for over a decade and you’re spreading misinformation.
Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc. On the contrary, almost every single one provides an information screen during the enrollment that makes it abundantly clear that they do not (and can not) access that data. Moreover, the “wipe” of data is the removal of company data. It doesn’t wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.
Quick Sources for Intune and JAMF – do your own googling for others:
https://learn.microsoft.com/en-us/mem/intune/protect/privacy-data-collect
https://www.jamf.com/blog/apple-mobile-device-management-faq/
So you’re not aware of Sophos’s MDM offering? That explicitly states they can make copies of all SMS messages?
https://support.sophos.com/support/s/article/KB-000034436?language=en_US
How about call logs, with SureMDM?
https://knowledgebase.42gears.com/article/how-to-view-call-logs-on-android-phones-remotely-using-suremdm/
Also I said nothing about personal emails.
No, the ‘wipe’ can be a full factory reset.
https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe
Edit: typo