Never accept an MDM policy on your personal phone

In this new age of BYOD (Bring Your Own Device), employees can bring personally owned devices (laptops, tablets, smartphones, etc...) to their workplace, and to use those devices to access privileged company information and applications. The intent of MDM is to optimize the functionality and security of these devices while minimizing cost and downtime.

MDM stands for Mobile Device Management, and is a way to ensure employees stay productive and do not breach corporate policies. There are various MDM solutions available, but the most common ones right now are:

  • Google Apps Mobile Managment
  • VMware AirWatch
  • IBM MaaS360
  • Microsoft Intune

In essence, there is nothing wrong with MDM. In fact, I would say, it is a vital part of the infrastructure to keep an organization's data secure. However, this comes at a cost: it invades your personal privacy.

Invasion of Personal Privacy

Once an MDM Policy is installed on your phone, regardless of which third-party software you are using, it has the highest privileges on your phone if you're using Android (Device Administrator) or Supervised mode in iOS.

Some policies are configured server-side and can be pushed any time to your phone without consent or notification. So, yes, an organization may state that even though they are installing an MDM policy on your phone, they are only going to use it for creating a separate work profile and enforcing a password policy. Except, there is no way to verify that and to stop them from changing that in the future.

How does it invade your privacy?

One of the big advantages of MDM, is that users do not even know how much the administrator actually knows.

Depending if you have an Android or Supervised iOS phone, once an MDM Policy is installed on your phone, administrators may:

  • Track your phone (and you) in real-time by using the phone's GPS on Android and some iOS MDMs
  • Read text messages (on Android) by deploying routing text messages through an SMS Gateway
  • See private photos and videos, at least, by intercepting your cloud backups through VPN and organization forced SSL Decryption (both on unsupervised iOS and Android)
  • Check your browsing history, same as above
  • Browse list of Apps Available on your phone such as dating applications on Androids
  • Perform an SSL MITM Attack which exposes your banking details, private conversations, credit card information, medical searches and all of your internet traffic through VPN and organization forced SSL Decryption (both on unsupervised iOS and Android)
  • Stop you from rooting/jailbreaking your personal phone
  • Remotely wipe your personal phone whenever they feel there is a need
  • Remotely lock your personal phone whenever they feel there is a need
  • Restrict or disable backups like iCloud.
  • Force you to stop using some apps

As you can see, once an MDM Policy is installed on your personal phone, your phone is no longer yours.

As some people on reddit have pointed out, iOS and Android handle MDM very differently, with iOS being more sensitive towards user privacy. On iOS, to achieve most of these things, you phone has to be supervised, which would mean a total wipe of your personal phone.

Yes, organizations will often use the excuse that although they know they can perform all this, they won't and that you have to trust them. You shouldn't. Even if you actually trust your sysadmins:

  • Your organization's policies might change in the future
  • Your sysadmins might change in the future
  • Your organization might force sysadmins to do stuff
  • Your sysadmins might get compromised
  • Their systems might get compromised

So, in essence, it is irrelevant which of these spying features your organization promises not to use, once an MDM profile is installed, they can do whatever they want and it's just humans that dictate where the line should be drawn.

There is no outcome in which it is worthwhile for someone to accept an MDM policy on his personal phone.

What is the solution?

I believe that the solution to this is quite simple. If the company has a strict policy on their data, it is irresponsible of you to keep your organization's data on your personal phone without the company having handle on that data. This means remove all your emails, chats, pictures of whiteboards, passwords and everything that is your organization's property.

However, this doesn't mean that you should allow your organization to invade your personal privacy just because you need to have company data on your phone; just get a company phone.

According to a report by bitglass, which examined perspectives on BYOD gathered from 2,242 end users and mobile security administrators, 57 percent of employees and 38 percent of IT professionals chose not to participate in BYOD programs because they did not want their employer’s IT department to have visibility into their personal data and applications.

What's more, employee privacy represents a significant issue in more than a third of organizations that had deployed MDM or MAM solutions. Privacy is even an issue for security administrators - while many IT leaders want the same freedom to access corporate data from personal devices 40% chose not to participate in the very mobile policies they were helping their organisations enforce.

MDM-Flowchart

TL;DR: NEVER EVER INSTALL MDM ON THE SAME PHONE YOU HAVE YOUR PERSONAL DATA ON

BYOD to work is not going away anytime soon, but someone needs to have a serious look at how the both can co-exist together without invading user privacy.

Personally, unless the MDM Specifications change to block these privacy invading techniques at the lowest level possible, I will never trust an MDM policy on my phone, and so should you!