MobileIron on BYOD
#1
My company provides devices (iPhone 5s) and supports a BYOD policy (as well as own cellular provider). For years the company-provided devices have been delivered with MobileIron installed. Those of us that BYOD have had access to the Exchange service via the built-in email client. Now, however, they would like the BYOD users to install MobileIron on our personal devices to access the Exchange service and will be suspending access to non-MobileIron users... here are my questions...
1) Does anyone have any experience with MobileIron on a BYOD device? My company is telling me that it will enable the auto-lock function and passcode function as well as allow them to delete corporate emails. I fear/think that it will allow them to do more.
2) Does anyone know any iOS mail clients that spoof a desktop connection or client? We will still have access via desktop clients.
thanks
FDW
#2
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Yes they can wipe your entire phone with an MDM (like MobileIron) installed. And I think some snooping, but I haven't followed the latest developments with the current iOS.
But as the old saying goes, if you aren't doing anything wrong, you shouldn't care if they are watching.
#4
Join Date: Oct 2014
Location: London, UK
Programs: BA Exec Club Gold
Posts: 335
Yes.
It's all about policy enforcement. Once you accept the "device template", the MDM client can implement ANY controls on the device that the admin sees fit - including, as mentioned above, total wipe without notice, the restriction of application types, forcing browsing through a proxy server managed by the company and other such nasty things.
Bottom line - I would NEVER accept an MDM client on a personal device. If a company put this restriction on BYOD, I would stop and force them to supply a device that met my needs.
Assuming your company uses O365, the Outlook web client works very well on an iPhone without needing MDM.
#5
Join Date: Jan 2012
Location: Mid Atlantic US
Programs: Hilton: Diamond/Everything else: Kettle...
Posts: 107
If you're connecting to a Microsoft Exchange Server at all (at least with Exchange 2010), the server admin can send a remote wipe (it's a built-in function...). For my company, it's part of the statement of user responsibility, letting the user know that, if necessary, we can send a remote wipe to the phone...
J
#6
Yes they can wipe your entire phone with an MDM (like MobileIron) installed. And I think some snooping, but I haven't followed the latest developments with the current iOS.
But as the old saying goes, if you aren't doing anything wrong, you shouldn't care if they are watching.
I guess my work is just going to have to adjust to me being less available and responsive via email. Immediate access will move to every couple hours at best; not at all on the weekend.. I'm not installing anything that'll give my work access to my personal device...
Yes.
It's all about policy enforcement. Once you accept the "device template", the MDM client can implement ANY controls on the device that the admin sees fit - including, as mentioned above, total wipe without notice, the restriction of application types, forcing browsing through a proxy server managed by the company and other such nasty things.
Bottom line - I would NEVER accept an MDM client on a personal device. If a company put this restriction on BYOD, I would stop and force them to supply a device that met my needs.
Assuming your company uses O365, the Outlook web client works very well on an iPhone without needing MDM.
If you're connecting to a Microsoft Exchange Server at all (at least with Exchange 2010), the server admin can send a remote wipe (it's a built-in function...). For my company, it's part of the statement of user responsibility, letting the user know that, if necessary, we can send a remote wipe to the phone...
J
thanks!
FDW
Last edited by FlyingDoctorwu; Jul 8, 2016 at 7:59 am
#7
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
If you use the built-in iOS mail and account, Exchange can wipe the whole phone.
If you use MS's Outlook app, it will only wipe the account info off the app.
In any case, seeing as how your company has always been able to wipe your phone and hasn't, why are you worried? It's a baseline condition of having an Exchange account configured that is managed by someone else. Why would your company's IT go around arbitrarily wiping people's devices?
#8
If you use the built in iOS mail and account, Exchange can wipe the whole phone.
If you use MS's Outlook app, it will only wipe the account info off the app.
In any case, seeing as how your company has always been able to wipe your phone and hasn't, why are you worried? It's a baseline condition of having an Exchange account configured that is managed by someone else. Why would your company's IT go around arbitrarily wiping people's devices?
So it is news to me that they have always had the ability to wipe my device... that baseline condition was never disclosed to me. I only figured that I was configuring an email account/calendar/directory... basically like configuring my Gmail account.
But from what I understand, by installing an MDM they will have potentially many, many more capabilities and control over my device, which they haven't really fully disclosed either...
Sounds like the simplest route to go is to delete the Exchange account and access only via the web client.
FDW
#9
Join Date: Dec 2002
Location: Oregon
Programs: AA EXP, AS 75K, UA 1MM Gold, HH Diamond, Hyatt Explorist, IHG Plat, National EE, Hertz PC
Posts: 4,001
So it is news to me that they have always had the ability to wipe my device... that baseline condition was never disclosed to me. I only figured that I was configuring an email account/calendar/directory... basically like configuring my Gmail account.
But from what I understand, by installing an MDM they will have potentially many, many more capabilities and control over my device, which they haven't really fully disclosed either...
Sounds like the simplest route to go is to delete the Exchange account and access only via the web client.
FDW
I remember having the ability to remote wipe Exchange ActiveSync connected devices all the way back in Exchange 2003. My first smartphone was a Windows Mobile device circa 2005 and Exchange already supported that functionality at the time I hooked up that device.
Edited to add: Looks like it was Exchange Server 2003 SP2 that added this functionality. In any case, a LONG LONG time ago.
https://en.wikipedia.org/wiki/Exchange_ActiveSync
As for some of the things your Exchange 2010 server can do to your device, here is a small list:
Originally Posted by Wikipedia
- Minimum password length
- Timeout without user input
- Require password
- Require alphanumeric password
- Number of failed attempts
- Allow attachment download
- Maximum attachment size
- Enable password recovery
- Allow simple password
- Password expiration (Days)
- Enforce password history
- Encrypt storage card
- Disable removable storage
- Disable camera
- Disable SMS text messaging
- Disable Wi-Fi
- Disable Bluetooth
- Disable IrDA
- Allow internet sharing from device
- Allow desktop sharing from device
- Disable POP3/IMAP4 email
- Allow consumer email
- Allow web browser
- Allow unsigned applications
- Allow unsigned CABs
- Application allow list
- Application block list
- Require signed S/MIME messages
- Require encrypted S/MIME messages
- Require signed S/MIME algorithm
- Require encrypted S/MIME algorithm
- Device encryption
- Minimum number of complex characters
Last edited by elCheapoDeluxe; Jul 8, 2016 at 9:13 am
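As an added illustration, not part of this thread or of anyone's post: the settings in that list correspond to parameters of the Exchange 2010 `New-ActiveSyncMailboxPolicy` cmdlet, run by the server admin in the Exchange Management Shell. The policy name "BYOD-Baseline", the mailbox alias "jdoe" and every threshold value below are placeholders chosen for the example.

```powershell
# Added example (not from the thread): an Exchange 2010 ActiveSync mailbox
# policy expressing the controls in the list above. Policy name, mailbox
# alias and threshold values are placeholders, not a recommendation.
$policy = @{
    Name                               = "BYOD-Baseline"   # placeholder name
    AllowNonProvisionableDevices       = $false  # refuse clients that cannot enforce policy
    DevicePasswordEnabled              = $true   # "Require password"
    AlphanumericDevicePasswordRequired = $true   # "Require alphanumeric password"
    MinDevicePasswordLength            = 6       # "Minimum password length"
    MinDevicePasswordComplexCharacters = 1       # "Minimum number of complex characters"
    AllowSimpleDevicePassword          = $false  # "Allow simple password"
    MaxInactivityTimeDeviceLock        = "00:05:00"     # "Timeout without user input"
    MaxDevicePasswordFailedAttempts    = 10      # "Number of failed attempts" before local wipe
    DevicePasswordExpiration           = "90.00:00:00"  # "Password expiration (Days)"
    DevicePasswordHistory              = 5       # "Enforce password history"
    PasswordRecoveryEnabled            = $false  # "Enable password recovery"
    RequireDeviceEncryption            = $true   # "Device encryption"
    RequireStorageCardEncryption       = $true   # "Encrypt storage card"
    AttachmentsEnabled                 = $true   # "Allow attachment download"
    MaxAttachmentSize                  = "10MB"  # "Maximum attachment size"
    # Device-feature controls (Enterprise CAL features in Exchange 2010):
    AllowCamera                        = $true   # "Disable camera" is $false here
    AllowBrowser                       = $true   # "Allow web browser"
    AllowStorageCard                   = $false  # "Disable removable storage"
    AllowUnsignedApplications          = $false  # "Allow unsigned applications"
    AllowUnsignedInstallationPackages  = $false  # "Allow unsigned CABs"
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to one mailbox (alias is a placeholder). Setting -IsDefault
# on the policy instead would cover every mailbox without an explicit one.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policy.Name

# Audit step: list the devices syncing this mailbox and whether each one applied
# the policy. The server can only request these settings; the client decides what
# it implements, and DevicePolicyApplicationStatus shows full vs. partial
# application. The remote wipe discussed in this thread is issued per device
# from this same inventory, so this list is the prerequisite for both.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus |
    Format-Table -AutoSize
```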
#10
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
So it is news to me that they have always had the ability to wipe my device... that baseline condition was never disclosed to me. I only figured that I was configuring an email account/calendar/directory... basically like configuring my Gmail account.
But from what I understand, by installing an MDM they will have potentially many, many more capabilities and control over my device, which they haven't really fully disclosed either...
Sounds like the simplest route to go is to delete the Exchange account and access only via the web client.
FDW
In any case, as I mentioned, you can also install the Outlook app on your phone, which sandboxes your work stuff. If Outlook receives a remote wipe command, it will just wipe the app, not the phone. Be sure to remove the Exchange account from your main phone settings, though.
But it doesn't really matter that much in the first place if you back up your phone to iCloud. You can always just restore everything from back up in the worst case.
This seems to me an instance of making a mountain out of a molehill.
#11
FlyerTalk Evangelist
Join Date: May 2002
Location: Pittsburgh
Programs: MR/SPG LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus
Posts: 31,007
I'm not going to let anyone access my device, even though they always have been able to.
I'm going to significantly impact my ability to communicate and execute my job.
I'll show them....
Odd to me. YMMV, I suppose.
#12
Join Date: Sep 2015
Location: Chicago
Posts: 244
Our company did this for a while and when they decided to rescind the BYOD policy, they required everyone to bring in their devices for "imaging" and then have their devices wiped by information security. I suppose you could object, but at the risk of losing your job and being sued or something, and the documents they signed when opting in for BYOD basically allowed the company to do anything. Fortunately, I always kept my personal and work phones separate.
#13
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
What might be better is to set up forwarding from your Exchange account to your personal email, or create a new Gmail account just for your work emails. Then you can easily access your email on your personal device. Of course you won't be able to send email from your work domain, but maybe you can work around that.
#14
Join Date: Jun 2007
Location: gggrrrovvveee (ORD)
Programs: UA Pt, Marriott Ti, Hertz PC
Posts: 6,091
What might be better is to set up forwarding from your Exchange account to your personal email, or create a new Gmail account just for your work emails. Then you can easily access your email on your personal device. Of course you won't be able to send email from your work domain, but maybe you can work around that.