Endpoint management (Citrix, MobileIron) Privacy concerns - common corporate practice
#16
Join Date: Jun 2004
Location: Santa Monica, CA
Programs: AA EXP 1MM, UA Silver, HHDmd, MBvLTPLT, PCAmb/Dmd, HYT Dis
Posts: 1,579
dbuckho : Are things I'm describing in line with the setup at yours and many other companies? If this is standard, then I won't get worked up over it. I'm in healthcare btw. None of the work I do remotely is revenue-generating or billable.
This may be a little deep - but here is a reference document on the full Citrix set of technologies/practices a company could implement to try and protect data in a bring your own device world. Not saying your company is doing all of this - but they may have started using more of the Citrix tools available to them, hence now needing the geo data to feed it.
Reference Architecture - Protect apps and data on bring-your-own-devices
As I said before, it could also just be they moved to Citrix cloud and the input is for performance reasons. But whether for performance or security reasons, it is doubtful there is a human looking at each of your logins, where it was from, and immediately reporting that to HR or your manager. Though if you happen to be the only person logging in for a week from Sochi while enjoying a nice relaxing Black Sea vacation -- it is possible someone from your Infosec team may notice those outliers and have a look to see who it is.
#17
Moderator, El Al and Marriott Bonvoy, FlyerTalk Evangelist
Join Date: Feb 2005
Location: SIN
Programs: SQ*G, Mar LTT, Hyatt Glb, AA LTG, LY, HH, IC, BA, DL, UA SLV
Posts: 12,019
Besides healthcare regulations, which may very well have data residency requirements, you also need to consider things like GDPR if a single customer is a citizen of a European nation or various nations' PDPA laws.
All of that said, MDM on iOS devices, for instance, cannot see everything you are doing. And when you leave a company or remove the MDM from the device, it can remove just the items that are corporate information, etc. Lots of details in all of this and if you aren't worried that you are doing something fishy then there shouldn't be an issue to ask your company for more background on what they are monitoring and who has access in what situations.
#18
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
#19
Original Poster
Join Date: Feb 2013
Location: Hilton, Hyatt House, Del Taco
Posts: 5,378
Yes, my work in healthcare deals with PHI (protected health info). But I'm not aware that there have been any recent changes to HIPAA rules as far as what we are talking about here. So if there is now more red tape remoting into work during vacation or there's seemingly more privacy infringement against me now as opposed to 2 years ago, then those are not due to any changes in laws and regulations. It's probably due to corporate decisions and how the industry is trending. I could be wrong.
#20
FlyerTalk Evangelist
Join Date: Apr 2001
Location: Denver, CO
Programs: UA Silver, Bonvoy Gold, Hyatt Discoverist
Posts: 21,551
(My boss also yells at me if I reply to e-mails while on PTO, so I stopped doing that. It makes going on PTO so much more relaxing.)
#21
Join Date: Jan 2015
Posts: 2,918
Think of the damage if you were compromised... Your laptop and phone stolen... the "bad actors" somehow got your credentials... A lot of people's medical records could be copied or modified (as an example). The healthcare system you work for could be "punished" in a bad way so they opt to secure things down as much as possible. I know some companies that scan their network monthly for vulnerabilities and have let people go for purposely creating vulnerabilities (some for convenience... like an open file share... some reasons just stupid... e.g. hosting a Minecraft server within the corporate network).
As new vulnerabilities are identified, many companies will come up with a solution/fix to address them. They might be a bit kludgy sometimes, often inconvenient but it is meant for everyone's benefit.
#22
Join Date: Jan 2015
Posts: 2,918
You don't get separation anxiety? I know for me, the first few hours where I can't connect to corporate email I'm already feeling it (I've gotten better over the years). I always make sure that my boss and close teammates can contact me while I'm overseas in an emergency (there's ALWAYS some knowledge that wasn't handed over to your backup)... I'd say 99% of the time they don't bother me, but (for me at least) it makes me feel better that I can be reached if absolutely required.
#23
Original Poster
Join Date: Feb 2013
Location: Hilton, Hyatt House, Del Taco
Posts: 5,378
If you don't like it, then leave your laptop at home. I think any company wants to know where their assets (equipment, not people) are. If your business is only catering to American customers, and your laptop pings somewhere in southeast Asia, Infosec's first thought is that your laptop was stolen and being sold overseas. It's important for them to know that you are the one logging in outside the country. I make it known far and wide within my company when I work remotely overseas; that way, they know that they shouldn't try to get a hold of me late afternoon through evening (and I have a backup contact--and I reset my Outlook OOO daily to reflect that).
(My boss also yells at me if I reply to e-mails while on PTO, so I stopped doing that. It makes going on PTO so much more relaxing.)
As far as not doing any work during PTO, maybe that's possible for you and many others but that's never going to happen in my job... not if I want to do my job well and meet my employer's metrics.
I've never minded it either, until this issue came along.
#24
Join Date: Dec 2009
Location: RDU
Programs: DL DM+(segs)/MM, UA Ag, Hilton DM, Marriott Ti (life Pt), TSA Opt-out Platinum
Posts: 3,227
We use MS’s MDM for iOS. Their privacy policy is clear about what it does and doesn’t collect. I was ok with their terms. Previously we used some crap called Wireless Watchdogs and their policy was extremely vague. So vague that a significant amount of users never bothered to install it and just used the web for email…
The first thing I do when I get a new company laptop is virtualize it and run it on my Mac. Second thing is to disable all the spyware/crapware they put on there (i.e. Zscaler, Altiris, etc.). Companies have gotten so cheap they just outsource their spyware to other companies. Might seem like a great cost/headcount reduction idea on paper, but as we’ve seen, it just makes those outsourcing companies giant targets for hackers. (Google: Exchange hack, Kaseya ransomware, etc.).
I’m sure I’m probably in violation of any number of IT policies, but they rely on me for a lot of whitehat hacking occasionally, so we’re cool like that. 😎. In fact, I just got them to buy me a new Surf Pro and not put any crapware on there (except for antivirus, which I have no issue with). I have another domain connected box if I need to get on VPN (which is becoming more rare with cloud tools).
Last edited by HDQDD; Dec 16, 2021 at 8:00 pm