Endpoint management (Citrix, MobileIron) Privacy concerns - common corporate practice

Old Dec 10, 2021, 6:28 pm
  #16  
 
Join Date: Jun 2004
Location: Santa Monica, CA
Programs: AA EXP 1MM, UA Silver, HHDmd, MBvLTPLT, PCAmb/Dmd, HYT Dis
Posts: 1,579
Originally Posted by evergrn
dbuckho : Are things I'm describing in line with the setup at yours and many other companies? If this is standard, then I won't get worked up over it. I'm in healthcare btw. None of the work I do remotely is revenue-generating or billable.
Generally yes/standard. For example we allow access to Microsoft 365 from any device with multi-factor authentication. But if you are off the corporate network or not on a managed device, cut/paste and download will be disabled because once data leaves the work container, the company does not have any further visibility to what happens with that data. Same thing for those accessing a virtual desktop via Citrix -- they can only work in that virtual desktop and not copy data to the local machine. And there are certain access locations (i.e. countries) that are blocked from accessing either of those.

This may be a little deep - but here is a reference document on the full Citrix set of technologies/practices a company could implement to try and protect data in a bring your own device world. Not saying your company is doing all of this - but they may have started using more of the Citrix tools available to them, hence now needing the geo data to feed it.

Reference Architecture - Protect apps and data on bring-your-own-devices

As I said before, it could also just be they moved to Citrix cloud and the input is for performance reasons. But whether for performance or security reasons, it is doubtful there is a human looking at each of your logins, where it was from, and immediately reporting that to HR or your manager. Though if you happen to be the only person logging in for a week from Sochi while enjoying a nice relaxing Black Sea vacation -- it is possible someone from your Infosec team may notice those outliers and have a look to see who it is.
dbuckho is offline  
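
The access rules described in the post above (MFA from any device, a restricted session when off the corporate network or on an unmanaged device, blocked countries) and the outlier review it mentions, as an added example that is not part of the original post and not any vendor's implementation. The field names, the `XX` placeholder country code and the sample sign-ins are constructed assumptions.

```python
from collections import Counter

# Assumption: "XX" is a placeholder for a country the company blocks outright.
BLOCKED_COUNTRIES = {"XX"}

# Constructed sample of one week of sign-in records (hypothetical field names).
SIGNINS = [
    {"user": "alice", "country": "US", "mfa": True, "managed": True, "corp_net": True},
    {"user": "bob", "country": "US", "mfa": True, "managed": False, "corp_net": False},
    {"user": "carol", "country": "US", "mfa": True, "managed": True, "corp_net": False},
    {"user": "dave", "country": "RU", "mfa": True, "managed": True, "corp_net": False},
    {"user": "dave", "country": "RU", "mfa": True, "managed": True, "corp_net": False},
    {"user": "erin", "country": "XX", "mfa": True, "managed": True, "corp_net": False},
    {"user": "frank", "country": "US", "mfa": False, "managed": True, "corp_net": True},
]

def decide(signin):
    """Return 'deny', 'restricted' (no cut/paste or download) or 'full'."""
    if signin["country"] in BLOCKED_COUNTRIES:
        return "deny"            # blocked access location
    if not signin["mfa"]:
        return "deny"            # MFA is required from every device
    if signin["managed"] and signin["corp_net"]:
        return "full"            # managed device on the corporate network
    return "restricted"          # off network or unmanaged: data stays in the container

def decision_counts(signins):
    """Tally the policy outcome over a batch of sign-ins."""
    return Counter(decide(s) for s in signins)

def lone_country_users(signins):
    """Countries where exactly one distinct user had an allowed session.

    These are the outliers an analyst might look at; the result says nothing
    about whether the login was legitimate.
    """
    users_by_country = {}
    for s in signins:
        if decide(s) != "deny":
            users_by_country.setdefault(s["country"], set()).add(s["user"])
    return sorted((country, next(iter(users)))
                  for country, users in users_by_country.items()
                  if len(users) == 1)

if __name__ == "__main__":
    print(dict(decision_counts(SIGNINS)))
    print(lone_country_users(SIGNINS))
```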
Old Dec 10, 2021, 8:08 pm
  #17  
Moderator, El Al and Marriott Bonvoy, FlyerTalk Evangelist
 
Join Date: Feb 2005
Location: SIN
Programs: SQ*G, Mar LTT, Hyatt Glb, AA LTG, LY, HH, IC, BA, DL, UA SLV
Posts: 12,019
Originally Posted by evergrn
If this is standard, then I won't get worked up over it. I'm in healthcare btw. None of the work I do remotely is revenue-generating or billable.
You mentioned that Data Residency wouldn't be an issue, but you are working in healthcare, a regulated industry. Does the information you work with include a customer name? Does it include evidence that a procedure was done for someone? Does it include any employee or customer information which could be used to personally identify an individual person?

Besides healthcare regulations, which may very well have data residency requirements, you also need to consider things like GDPR if a single customer is a citizen of a European nation or various nations' PDPA laws.

All of that said, MDM on iOS devices, for instance, cannot see everything you are doing. And when you leave a company or remove the MDM from the device, it can remove just the items that are corporate information, etc. Lots of details in all of this and if you aren't worried that you are doing something fishy then there shouldn't be an issue to ask your company for more background on what they are monitoring and who has access in what situations.
gfunkdave likes this.
yosithezet is offline  
Old Dec 13, 2021, 8:52 am
  #18  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Originally Posted by yosithezet
All of that said, MDM on iOS devices, for instance, cannot see everything you are doing. And when you leave a company or remove the MDM from the device, it can remove just the items that are corporate information, etc. Lots of details in all of this and if you aren't worried that you are doing something fishy then there shouldn't be an issue to ask your company for more background on what they are monitoring and who has access in what situations.
My company uses the Microsoft MDM solutions. When I set it up it gave me a list of things the company could and couldn't do with my phone. It helped me understand better and feel more secure in letting them do the MDM. (They give us an extra $65/month towards our phone bill if we have our company account on the phone too).
gfunkdave is offline  
Old Dec 14, 2021, 12:07 am
  #19  
Original Poster
 
Join Date: Feb 2013
Location: Hilton, Hyatt House, Del Taco
Posts: 5,378
Originally Posted by yosithezet
Does the information you work with include a customer name? Does it include evidence that a procedure was done for someone? Does it include any employee or customer information which could be used to personally identify an individual person?
Yes, my work in healthcare deals with PHI (protected health info). But I'm not aware that there have been any recent changes to HIPAA rules as far as what we are talking about here. So if there is now more red tape remoting into work during vacation or there's seemingly more privacy infringement against me now as opposed to 2 years ago, then those are not due to any changes in laws and regulations. It's probably due to corporate decisions and how the industry is trending. I could be wrong.
yosithezet likes this.
evergrn is offline  
Old Dec 14, 2021, 9:34 pm
  #20  
FlyerTalk Evangelist
 
Join Date: Apr 2001
Location: Denver, CO
Programs: UA Silver, Bonvoy Gold, Hyatt Discoverist
Posts: 21,551
Originally Posted by evergrn
Yes, my work in healthcare deals with PHI (protected health info). But I'm not aware that there have been any recent changes to HIPAA rules as far as what we are talking about here. So if there is now more red tape remoting into work during vacation or there's seemingly more privacy infringement against me now as opposed to 2 years ago, then those are not due to any changes in laws and regulations. It's probably due to corporate decisions and how the industry is trending. I could be wrong.
If you don't like it, then leave your laptop at home. I think any company wants to know where their assets (equipment, not people) are. If your business is only catering to American customers, and your laptop pings somewhere in southeast Asia, Infosec's first thought is that your laptop was stolen and being sold overseas. It's important for them to know that you are the one logging in outside the country. I make it known far and wide within my company when I work remotely overseas; that way, they know that they shouldn't try to get a hold of me late afternoon through evening (and I have a backup contact--and I reset my Outlook OOO daily to reflect that).

(My boss also yells at me if I reply to e-mails while on PTO, so I stopped doing that. It makes going on PTO so much more relaxing.)
pseudoswede is offline  
Old Dec 14, 2021, 10:07 pm
  #21  
 
Join Date: Jan 2015
Posts: 2,918
Originally Posted by evergrn
Yes, my work in healthcare deals with PHI (protected health info). But I'm not aware that there have been any recent changes to HIPAA rules as far as what we are talking about here. So if there is now more red tape remoting into work during vacation or there's seemingly more privacy infringement against me now as opposed to 2 years ago, then those are not due to any changes in laws and regulations. It's probably due to corporate decisions and how the industry is trending. I could be wrong.
It's not necessarily changes to HIPAA, but how they protect the data and potentially their liabilities. Same thing is happening in many sectors. Everyone is trying to secure their data and prevent breaches. This isn't aimed at you specifically. But consider all the measures going on... VPN, geofencing, MFA... then there are the things you don't necessarily see (logging and analysis): VLANs, VPC, authentications, etc.

Think of the damage if you were compromised... Your laptop and phone stolen... the "bad actors" somehow got your credentials... A lot of people's medical records could be copied or modified (as an example). The healthcare system you work for could be "punished" in a bad way so they opt to secure things down as much as possible. I know some companies that scan their network monthly for vulnerabilities and have let people go for purposely creating vulnerabilities (some for convenience... like an open file share... some reasons just stupid... e.g. hosting a Minecraft server within the corporate network).

As new vulnerabilities are identified, many companies will come up with a solution/fix to address them. They might be a bit kludgy sometimes, often inconvenient but it is meant for everyone's benefit.
evergrn and yosithezet like this.
StuckInYYZ is offline  
Old Dec 14, 2021, 10:13 pm
  #22  
 
Join Date: Jan 2015
Posts: 2,918
Originally Posted by pseudoswede
(My boss also yells at me if I reply to e-mails while on PTO, so I stopped doing that. It makes going on PTO so much more relaxing.)
You don't get separation anxiety? I know for me, the first few hours where I can't connect to corporate email I'm already feeling it (I've gotten better over the years). I always make sure that my boss and close teammates can contact me while I'm overseas in an emergency (there's ALWAYS some knowledge that wasn't handed over to your backup)... I'd say 99% of the time they don't bother me, but (for me at least) it makes me feel better that I can be reached if absolutely required.
StuckInYYZ is offline  
Old Dec 15, 2021, 12:38 am
  #23  
Original Poster
 
Join Date: Feb 2013
Location: Hilton, Hyatt House, Del Taco
Posts: 5,378
Originally Posted by pseudoswede
If you don't like it, then leave your laptop at home. I think any company wants to know where their assets (equipment, not people) are. If your business is only catering to American customers, and your laptop pings somewhere in southeast Asia, Infosec's first thought is that your laptop was stolen and being sold overseas. It's important for them to know that you are the one logging in outside the country. I make it known far and wide within my company when I work remotely overseas; that way, they know that they shouldn't try to get a hold of me late afternoon through evening (and I have a backup contact--and I reset my Outlook OOO daily to reflect that).

(My boss also yells at me if I reply to e-mails while on PTO, so I stopped doing that. It makes going on PTO so much more relaxing.)
I don't like it, but I can accept it now that I understand all the factors better via this thread.
As far as not doing any work during PTO, maybe that's possible for you and many others but that's never going to happen in my job... not if I want to do my job well and meet my employer's metrics.
I've never minded it either, until this issue came along.
yosithezet likes this.
evergrn is offline  
Old Dec 16, 2021, 7:54 pm
  #24  
 
Join Date: Dec 2009
Location: RDU
Programs: DL DM+(segs)/MM, UA Ag, Hilton DM, Marriott Ti (life Pt), TSA Opt-out Platinum
Posts: 3,227
We use MS’s MDM for iOS. Their privacy policy is clear about what it does and doesn’t collect. I was ok with their terms. Previously we used some crap called wireless watchdogs and their policy was extremely vague. So vague that a significant amount of users never bothered to install it and just used the web for email…

The first thing I do when I get a new company laptop is virtualize it and run it on my Mac. Second thing is to disable all the spyware/crapware they put on there (i.e. Zscaler, Altiris, etc.). Companies have gotten so cheap they just outsource their spyware to other companies. Might seem like a great cost/headcount reduction idea on paper, but as we’ve seen, it just makes those outsourcing companies giant targets for hackers. (Google: Exchange hack, Kaseya ransomware, etc.).

I’m sure I’m probably in violation of any number of IT policies, but they rely on me for a lot of whitehat hacking occasionally, so we’re cool like that. 😎. In fact, I just got them to buy me a new Surf Pro and not put any crapware on there (except for antivirus, which I have no issue with). I have another domain connected box if I need to get on VPN (which is becoming more rare with cloud tools).

Last edited by HDQDD; Dec 16, 2021 at 8:00 pm
HDQDD is offline  

