My company just started requiring Microsoft Intune Company Portal app to use Teams and Outlook. From a friend in IT infosec at another company said the app can push apps, require certain settings, password requirements, or OSs, and can see a lot of stuff on your phone. I don’t think this level of intrusion into my personal phone is warranted or ethical. Be warned. I’m just going to uninstall and suffer the internal political consequences.
Do not ever ever ever load company stuff on a personal device.
Keep that veil of separation IP between company and personal.
If company demand you use a mobile device, let them provide it and carry 2 phones.
Remember if company info touches a device it can be subpoenaed and siezed if the company is sued.
Company data and data charges on your phone are not reimbursed.
Used to be if the company wiped their partition, it wiped the whole phone…this has been corrected, but just proves the point to keep things separate.
Do not ever ever ever load company stuff on a personal device.
My job issues cell phones for work. I was told that it is permissible to use these phones for personal, and many coworkers do in fact do this.
No fucking thanks.
We disabled the microsoft store on our public machines. The reason is simple. The microsoft store install programs that require local admin. Microsoft sales div bypasses security for money and after a while it was easier to get rid of them.
yeah, no.
I have a work phone and my phone because of this.
If you do want to still use your personal phone and are on Android, use Shelter to make a Work profile and install Teams into that. Then it will install the Intune app just on your Work profile. You can turn work apps off with one button, and it gives your work zero access to your personal side of the phone.
Imho any company that require you to install apps on your phone should provide their own hardware. No way I’m installing stalkerware on my personal device.
I required them to give me a phone if they wanted extra control. So they gave me one. And then I refused to carry it around outside work hours, because I’m not paid for that and refuse to carry 2 devices and must have my personal device. So I never used the phone for work, it became an android auto device that sat in my car.
If you’re hourly, that totally makes sense, but if you’re salary then in a lot of places in the world they kind of semi-own your ass and you do have to check messages outside of “work hours” since those technically don’t exist for you. Some companies might enforce the standard 8-5, Monday through Friday and encourage only working 40 hours a week (and those are good companies), but legally they don’t have to limit it to just that on salary.
I’ve only never heard of that shit from the US. Hourly is hardly a thing elsewhere, unless for delivery drivers and similar.
Yes, if you want company data on a device then the company would be remiss to not want some level of control over that device. This isn’t some big brother-esque conspiracy. They want to ensure you’re not stealing company information or doing something stupid which might cause company data to be leaked or stolen by a bad actor. This is pretty common cyber security stuff. Now if the company REQUIRES you to have company data on your phone and does not have the option to provide a company phone to you then I can see a reason to be upset.
-someone who works in cybersec for a large company
This is correct.
In order to keep your work data in a company managed container, the Company Portal app is required on Android. Even if the information they can gather is limited (ie simpler App management policies) it does open the door to potential privacy risk.
You don’t own the data in the corporate systems. Your rights to privacy vary by jurisdiction. If you don’t want the app, you may be entitled to remove the company data from your device. It’s unfortunate and a pain in the butt.
This situation is the latter, not the formeredit: my response was confusing.My sitch is personal phone/company info
That’s still not clear as there are two versions of that.
-
If your situation is that you are required to have company data on your personal phone and so requires you to have this app on your phone then that is infuriating.
-
If the situation is that you are allowed to have company data on your personal phone but you are required to have the app if you choose to have the data then that’s not infuriating IMO.
I’m responsible for the security in our company and we have the second version where people can choose to have the company data on their personal device if they also allow that app. If they choose not to use their personal phone for company work then that’s fine and they don’t need the app.
And when I say choose I mean that you should have a real choice. Not a choice where you are considered not to be a team player or other such BS if you don’t agree.
-
They need to provide a device if they’re requiring the use of this software.
Your line needs to be:
“It is inappropriate for me to store or access company data on my personal device. If you want me to be reachable outside of the office other than through phone or text, I will need a company device.”
This. As an IT administrator I can absolutely understand the need to adhere to certain baseline requirements for devices accessing company data. And I know my best bet to have control over that is with company supplied hardware. Not BYOD, fuck that.
Even though phone or text. If you want not then a cursory via or call, you need to provide a phone.
When I started my current job, the first moderately healthy work environment I’ve ever been in, I had trouble getting outlook on my phone because of this issue. I went to my boss and told him “I’ve been having some trouble getting work emails on my phone-“ and he interrupted me with a “Why the hell would you want to check emails at home?”
Great point! No one asked me to, just assumed I should out of habit.
You are correct. If you were never required to use your personal device before you have the right to fight this. We had something similar here and if people complained they needed to be accommodated. The belief was if we just tell them to do it the majority will and say nothing. It was true, but a handful did not. This wasnt requiring teams or intune though, we have company phones for that. This was requiring the authenticator app fpr MFA for the company. Of course not everyone in the company has a company phone. I would imagine the same applies to this situation.
If they want to control your device they must buy and pay for the device. Don’t use it for personal things.
The last time I had that on a phone, it was a company phone. Seeing as they were paying for it, I didn’t mind. That is the only way I would tolerate this.
It depends on the registration profile they require. If they have you register it as a company owned phone vs a BYOD device.
BYOD registration creates a separate partition on your phones hard drive for the apps installed via the company portal. They cannot see all apps on the device, or any web traffic, sms, phone calls etc. they cannot lock the device or wipe the device in its entirety, only the apps on the company partition.
So in short, it depends on how the IT / Security department setup the device registration, and the registration process will notify you of the access level and allow you to accept / deny.
happy cake day!
The issue is they just triggered it without communication. That’s a breach of respect.
Depending on the industry / region in which you work, they will have regulatory obligations to protect sensitive data such as PII and PHI. From a business perspective they are trying to remove liability and decrease of obvious attack vectors they have limited control over. From an individual perspective, they are implementing controls that protect the privacy rights of their customers. As a security professional, it’s good to see. Personally I would always prefer to keep work and personal items separate to reduce the chance that I’m the cause of a breach.
They can send emails to their coworkers to communicate. They don’t. I understand there might be reasons they rolled it out.
Make them give you a company phone, intune is absolutely too much control on a personal device.
Can even remotely wipe it they feel like it. I don’t think legally they can require you to install it. I haven’t for my phone. If they want to talk to me off the clock they can buy me a work phone.
Not necessarily. IIRC, only fully managed devices can be remotely wiped. OP’s phone probably isn’t fully managed.
I have to have it as well… Thankfully GOS let’s me lock it down enough I don’t think I have to worry about them wiping it. When I log into our Azure admin portal and look at my normal user account it doesn’t even show that I have teams on my phone. While I’m sure that’s less than ideal from a business security thing, its not my lane to fix it and I think I prefer it that way.
