You don’t want an MDM policy on your personal phone

Most people have a smartphone these days, and a lot of them use a personal device both for work and in private. Lugging around two phones is a hassle, so many people will opt to use their personal phone for work as well. The employer may even agree to pay your subscription for you. Unfortunately, to manage the phone and the data and apps on it, your employer will most likely require you to enroll the device in their mobile device management (MDM) solution of choice. That’s where the problem starts. Here’s why you don’t want an MDM policy on your personal phone.

Conflict of interest

From the point of view of an employer, requiring the use of MDM is a perfectly logical decision. Your employer has a responsibility to manage and protect company information. There are often legal obligations in place as well. MDM protects company information and aids with compliance, so your employer has a legitimate interest in wanting to manage aspects of how you use your phone.

On the other hand, you as the owner of the device may use it for business purposes but you also use it for many other things. Mobile phones are a replacement for our watch, our wallet and our camera. We use them for banking, to order a ride or to book a vacation. They store information about people we know and give us access to social media. Many people use them for dating as well. Our phones know where we are all the time. In short, they contain a wealth of information about us and a lot of that information we probably don’t want to share with our employer.

You may not realize it but by allowing the installation of an MDM policy on your personal phone, your employer can gain access to a lot of that information.

Just say no

As someone who is responsible for information security, I see MDM as a vital tool for any organization which takes information security seriously and which uses mobile devices. There is nothing wrong with MDM solutions themselves. That being said, as an employee of an organization which employs MDM and company owned phones, I decided to purchase a separate phone for private use.

That means I carry around two smartphones instead of one, but it also makes sure my employer doesn’t get access to any of the following:

  • Private photos and videos
  • Personal texts
  • My browsing history
  • My location (in real time, if need be)
  • The apps I have installed
  • Or, worst of the worst, the ability to perform a man-in-the-middle attack on my banking, credit card, insurance, etc.

It also means my employer can’t do the following:

  • Remotely wipe my device
  • Remotely lock me out of my device
  • Restrict or disable access to certain apps
  • Force me to use certain apps
  • Stop me from jailbreaking/rooting my phone
  • Change any number of personal settings, like my wallpaper, etc.

While iOS devices care a bit more about user privacy than most Android devices, the list above is almost identical for both mobile operating systems. Once an MDM policy is in place, it gives employers virtually unrestricted access to your device.

Policy, Shmolicy

An honest employer will admit that it’s true they can do all these things. They’ll probably also try to reassure you by saying that they have policies in place to prevent abuse. They may say they don’t have time to look into each of their employees in such detail, and that MDM will only be used to ensure information security. Such assurances aren’t worth the paper they are printed on.

There are also these things to consider:

  • You as the user have no way of seeing what your employer logs and retrieves
  • Company policy can change
  • There may be sysadmins with fewer scruples than curiosity
  • Your sysadmin team may change
  • Sysadmins may be forced to give people access to your personal information
  • Your employer may be acquired by another company with different ideas
  • The MDM solution may be infiltrated by hackers

In short, for you as the user there are no benefits to accepting an MDM policy and potentially major drawbacks. You don’t want an MDM policy on your personal phone!

Separate worlds

Ideally, you should separate the two worlds completely. If you need to access company information on a mobile phone (or another device), use a device supplied by your employer, enrolled in MDM. Use this device according to the rules set out by your employer and use it exclusively for work. Do not put personal information or accounts on this device.

Use your personal phone for personal activities. You don’t want an MDM policy on your personal phone. Under no circumstance should you enroll this device in MDM, and under no circumstance should you access company information on this device. Doing so is irresponsible, since the data cannot be managed and protected by the data owner (your company), and you risk violating both company policy and possibly the law.

Do not mix these two worlds! While carrying two phones is a hassle, there is a benefit too. Separating your personal and work apps like this means you can actually disconnect from work. No more quickly checking work email, no work calls on your day off and no instant messages from colleagues. Weekends are yours again.

What are your thoughts on this? Would you accept an MDM policy on your personal phone?