Endpoint management (Citrix, MobileIron) Privacy concerns - common corporate practice
#1
Original Poster
Join Date: Feb 2013
Location: Hilton, Hyatt House, Del Taco
Posts: 5,378
Endpoint management (Citrix, MobileIron) Privacy concerns - common corporate practice
Whenever I'm off work, including all vacations, I need to have work access through my phone and laptop.
Few years ago, my company started requiring that I have this MobileIron app on my phone in order to continue to use another work-related app. The MobileIron app must be set to allow my employer access to knowing my device location.
For work access through my laptop, I found out today the Citrix software (which grants me access to work) can only be enabled if I allow permission for it to monitor my physical location.
So at this point, I have no way to work during my time-off without my employer knowing where I am. I feel like I should be allowed to spend my vacation time without my job knowing whe
Is this becoming a common practice? If so, what is this driven by? Is this somehow important to enhancing IT security? Or is it data collection by employers? Do you think it could be used to monitor employee compliance with the company's Covid-related travel restrictions?
Few years ago, my company started requiring that I have this MobileIron app on my phone in order to continue to use another work-related app. The MobileIron app must be set to allow my employer access to knowing my device location.
For work access through my laptop, I found out today the Citrix software (which grants me access to work) can only be enabled if I allow permission for it to monitor my physical location.
So at this point, I have no way to work during my time-off without my employer knowing where I am. I feel like I should be allowed to spend my vacation time without my job knowing whe
Is this becoming a common practice? If so, what is this driven by? Is this somehow important to enhancing IT security? Or is it data collection by employers? Do you think it could be used to monitor employee compliance with the company's Covid-related travel restrictions?
#2
FlyerTalk Evangelist
Join Date: Apr 2009
Location: Bye Delta
Programs: AA EXP, HH Diamond, IHG Plat, Hyatt Plat, Marriott Plat, Nat'l Exec Elite, Avis Presidents Club
Posts: 16,277
Technical capabilities are one thing. What your company chooses to use them for is another.
MDM software is certainly capable of monitoring location. Some companies might use it to help track down a lost or stolen device, some might employ geofencing to take certain actions (or restrict access) if a device leaves authorized locations - for instance send alerts or even automatically wipe a device if it leaves a certain radius, or only allow you to log in from your mobile device while you are at a physical office location or your own registered home address (preventing someone who has stolen your device from accessing company systems elsewhere). Or they may simply log location along with IP address and other data as part of an audit trail never to be examined unless there is an issue.
Your only way of knowing what your company chooses to use location data for is to ask them.
If you’re violating company COVID travel rules (setting aside the question of whether such rules are reasonable), it would be a pretty bad idea to take your company devices along for the ride. They can know, the only question is will they notice, and you’re rolling the dice on that question.
MDM software is certainly capable of monitoring location. Some companies might use it to help track down a lost or stolen device, some might employ geofencing to take certain actions (or restrict access) if a device leaves authorized locations - for instance send alerts or even automatically wipe a device if it leaves a certain radius, or only allow you to log in from your mobile device while you are at a physical office location or your own registered home address (preventing someone who has stolen your device from accessing company systems elsewhere). Or they may simply log location along with IP address and other data as part of an audit trail never to be examined unless there is an issue.
Your only way of knowing what your company chooses to use location data for is to ask them.
If you’re violating company COVID travel rules (setting aside the question of whether such rules are reasonable), it would be a pretty bad idea to take your company devices along for the ride. They can know, the only question is will they notice, and you’re rolling the dice on that question.
Last edited by javabytes; Dec 8, 2021 at 1:41 am
#3
Join Date: Jan 2015
Posts: 2,918
Whenever I'm off work, including all vacations, I need to have work access through my phone and laptop.
Few years ago, my company started requiring that I have this MobileIron app on my phone in order to continue to use another work-related app. The MobileIron app must be set to allow my employer access to knowing my device location.
For work access through my laptop, I found out today the Citrix software (which grants me access to work) can only be enabled if I allow permission for it to monitor my physical location.
So at this point, I have no way to work during my time-off without my employer knowing where I am. I feel like I should be allowed to spend my vacation time without my job knowing whe
Is this becoming a common practice? If so, what is this driven by? Is this somehow important to enhancing IT security? Or is it data collection by employers? Do you think it could be used to monitor employee compliance with the company's Covid-related travel restrictions?
Few years ago, my company started requiring that I have this MobileIron app on my phone in order to continue to use another work-related app. The MobileIron app must be set to allow my employer access to knowing my device location.
For work access through my laptop, I found out today the Citrix software (which grants me access to work) can only be enabled if I allow permission for it to monitor my physical location.
So at this point, I have no way to work during my time-off without my employer knowing where I am. I feel like I should be allowed to spend my vacation time without my job knowing whe
Is this becoming a common practice? If so, what is this driven by? Is this somehow important to enhancing IT security? Or is it data collection by employers? Do you think it could be used to monitor employee compliance with the company's Covid-related travel restrictions?
Is this common? Increasingly yes. It really depends on your industry. In some cases, it is for the employee's physical safety... your employer likely doesn't care if you use your work laptop at the local Starbucks or other coffee shop as long as you follow the proper computer hygiene (eg, connect via VPN, use a screen protector, use data encryption, etc.). However there are several implications if you leave your "jurisdiction"...
- data security... I and others have discussed this multiple times... if you were to go to a country that is likely to surveil you (eg, China or Russia), your laptop/phone could become compromised or your connection might not be secure.
- tax issues... while unlikely, there might be tax implications for you or your employer if you work outside a zone you're not meant to (eg, your nominal workplace is in the US and you submit unexpected expenses for the UK... might raise concerns during an audit).
- data access laws... your company data might have "residency: requirements (common for sensitive data)... if you access it from outside the residence, you could be violating a law.
- physical safety... there are a few industries where your physical safety might be at risk. For the employee's benefit, the employer might need to know where you are or have the ability to locate you.
There are a few other scenarios (especially phone and physical location) that come to mind, but this should give you a good start. If you are concerned, I'd check with your IT or HR teams to see why this information is being required/collected (note this may be a sensitive topic to them but most good employers will explain their reasons).
#4
Join Date: Jul 2014
Posts: 1,132
Just a question: how does your laptop locate you? Is it Sim-enabled?
Simple solution… don’t work!
(Yeah, I completely screwed that up… thought I was editing the original post. )
(Yeah, I completely screwed that up… thought I was editing the original post. )
#5
Join Date: Oct 2019
Posts: 13
If your company is using office 365 exchange emails, they can already have most of the locations you are working from based on the IP addresses (each authentication is recorder with timestamp/location). Exchange can also automatically enroll devices to endpoint manager/defender based on the policies.
#6
FlyerTalk Evangelist
Join Date: Apr 2009
Location: Bye Delta
Programs: AA EXP, HH Diamond, IHG Plat, Hyatt Plat, Marriott Plat, Nat'l Exec Elite, Avis Presidents Club
Posts: 16,277
#7
FlyerTalk Evangelist
Join Date: Apr 2001
Location: Denver, CO
Programs: UA Silver, Bonvoy Gold, Hyatt Discoverist
Posts: 21,551
My company uses FortiClient, and they geo-restrict access to US IP addresses only. If you work outside the US, you need to get white-list approval from someone high up in the IT corporate security chain.
#8
Original Poster
Join Date: Feb 2013
Location: Hilton, Hyatt House, Del Taco
Posts: 5,378
MDM software is certainly capable of monitoring location. Some companies might use it to help track down a lost or stolen device, some might employ geofencing to take certain actions (or restrict access) if a device leaves authorized locations - for instance send alerts or even automatically wipe a device if it leaves a certain radius, or only allow you to log in from your mobile device while you are at a physical office location or your own registered home address (preventing someone who has stolen your device from accessing company systems elsewhere). Or they may simply log location along with IP address and other data as part of an audit trail never to be examined unless there is an issue.
Your only way of knowing what your company chooses to use location data for is to ask them.
Your only way of knowing what your company chooses to use location data for is to ask them.
I wonder if asking HR questions about what they do with any of these data might be dicey in and of itself, because the way it works at my company is that you have to submit a ticket via the Intranet to ask questions. No questions can be anonymous anymore. I don't know, maybe I'm worrying too much. They've converted everything to Sharepoint, Office 365, Onedrive, etc, about 6 months into pandemic. They've done away with in-house servers and I think they're trying to do away with phones.
- data security... I and others have discussed this multiple times... if you were to go to a country that is likely to surveil you (eg, China or Russia), your laptop/phone could become compromised or your connection might not be secure.
- tax issues... while unlikely, there might be tax implications for you or your employer if you work outside a zone you're not meant to (eg, your nominal workplace is in the US and you submit unexpected expenses for the UK... might raise concerns during an audit).
- data access laws... your company data might have "residency: requirements (common for sensitive data)... if you access it from outside the residence, you could be violating a law.
- physical safety... there are a few industries where your physical safety might be at risk. For the employee's benefit, the employer might need to know where you are or have the ability to locate you.
- tax issues... while unlikely, there might be tax implications for you or your employer if you work outside a zone you're not meant to (eg, your nominal workplace is in the US and you submit unexpected expenses for the UK... might raise concerns during an audit).
- data access laws... your company data might have "residency: requirements (common for sensitive data)... if you access it from outside the residence, you could be violating a law.
- physical safety... there are a few industries where your physical safety might be at risk. For the employee's benefit, the employer might need to know where you are or have the ability to locate you.
If your company is using office 365 exchange emails, they can already have most of the locations you are working from based on the IP addresses (each authentication is recorder with timestamp/location). Exchange can also automatically enroll devices to endpoint manager/defender based on the policies.
You would think that it should be getting easier and easier to work from anywhere in the world. Instead it's getting harder.
Should it be getting easier, or getting harder? I want it to get easier (with more security AND privacy). But I don't know what the right answer is.
Last edited by evergrn; Dec 9, 2021 at 12:14 am
#9
Join Date: Jun 2004
Location: Santa Monica, CA
Programs: AA EXP 1MM, UA Silver, HHDmd, MBvLTPLT, PCAmb/Dmd, HYT Dis
Posts: 1,579
I run this stuff for my company.
Generally enabling the location is for the machines on the backend to use - to improve security or performance. For example if they have moved to Citrix cloud the session is now being streamed from Citrix’s infrastructure and network vs. your company’s data center - and Citrix may have an ability to move the session closer to you network-wise for better performance (whereas your company would have just had a single point to stream it to you). Or there may now be some additional security features available in Citrix that require location as input.
That said, StuckinYYZ listed several areas where the machines may have rules that if violated/triggered alert humans because of a compliance reason. Most companies take their tax obligations pretty seriously so working out of your home country for a prolonged period of time might trigger something. The team running these tools might be asked for reports on staff after an earthquake or other natural disaster. But also most large companies will have lawyers involved in the process around employee data collection and some level of safeguards in place before anyone accesses individual employee data like the kind mobile device management tools collect. Even if legal signs off on the data being collected, it is likely to only be viewed in aggregated form unless there is an incident, and many jurisdictions like the EU have pretty stringent rules around it. Controls at small or mid sized companies may be more lax or not in place.
There should be a remote use policy or other information somewhere on your intranet that you can dig into some of the specifics around the data being collected. And I would not be afraid to ask IT or HR about it - we get asked for it by employees all the time.
Generally enabling the location is for the machines on the backend to use - to improve security or performance. For example if they have moved to Citrix cloud the session is now being streamed from Citrix’s infrastructure and network vs. your company’s data center - and Citrix may have an ability to move the session closer to you network-wise for better performance (whereas your company would have just had a single point to stream it to you). Or there may now be some additional security features available in Citrix that require location as input.
That said, StuckinYYZ listed several areas where the machines may have rules that if violated/triggered alert humans because of a compliance reason. Most companies take their tax obligations pretty seriously so working out of your home country for a prolonged period of time might trigger something. The team running these tools might be asked for reports on staff after an earthquake or other natural disaster. But also most large companies will have lawyers involved in the process around employee data collection and some level of safeguards in place before anyone accesses individual employee data like the kind mobile device management tools collect. Even if legal signs off on the data being collected, it is likely to only be viewed in aggregated form unless there is an incident, and many jurisdictions like the EU have pretty stringent rules around it. Controls at small or mid sized companies may be more lax or not in place.
There should be a remote use policy or other information somewhere on your intranet that you can dig into some of the specifics around the data being collected. And I would not be afraid to ask IT or HR about it - we get asked for it by employees all the time.
Last edited by dbuckho; Dec 9, 2021 at 12:48 am
#10
Join Date: Jan 2015
Posts: 2,918
To clarify, these are not company devices. These are my personal smartphone and laptop which I use to access work, so it's not like they're bound by authorized locations.
I wonder if asking HR questions about what they do with any of these data might be dicey in and of itself, because the way it works at my company is that you have to submit a ticket via the Intranet to ask questions. No questions can be anonymous anymore. I don't know, maybe I'm worrying too much. They've converted everything to Sharepoint, Office 365, Onedrive, etc, about 6 months into pandemic. They've done away with in-house servers and I think they're trying to do away with phones.
I wonder if asking HR questions about what they do with any of these data might be dicey in and of itself, because the way it works at my company is that you have to submit a ticket via the Intranet to ask questions. No questions can be anonymous anymore. I don't know, maybe I'm worrying too much. They've converted everything to Sharepoint, Office 365, Onedrive, etc, about 6 months into pandemic. They've done away with in-house servers and I think they're trying to do away with phones.
The 3rd item could still apply. That's the sensitive information category... often you're looking at regulated industries, although anything (eg corporate trade secrets) could also apply in this case). If you don't have employees outside Canada or the US, a good practice is to filter out traffic from outside Canada or the US. To base your filter solely on IP address (which isn't always up to date) could cause you issues so they might be using location services to verify.
Interesting. As I said above, my company also appeared to have installed geo-restrictions based on IP addresses a couple years ago.
You would think that it should be getting easier and easier to work from anywhere in the world. Instead it's getting harder.
Should it be getting easier, or getting harder? I want it to get easier (with more security AND privacy). But I don't know what the right answer is.
You would think that it should be getting easier and easier to work from anywhere in the world. Instead it's getting harder.
Should it be getting easier, or getting harder? I want it to get easier (with more security AND privacy). But I don't know what the right answer is.
#11
FlyerTalk Evangelist
Join Date: Apr 2001
Location: Denver, CO
Programs: UA Silver, Bonvoy Gold, Hyatt Discoverist
Posts: 21,551
Interesting. As I said above, my company also appeared to have installed geo-restrictions based on IP addresses a couple years ago.
You would think that it should be getting easier and easier to work from anywhere in the world. Instead it's getting harder.
Should it be getting easier, or getting harder? I want it to get easier (with more security AND privacy). But I don't know what the right answer is.
You would think that it should be getting easier and easier to work from anywhere in the world. Instead it's getting harder.
Should it be getting easier, or getting harder? I want it to get easier (with more security AND privacy). But I don't know what the right answer is.
#12
Original Poster
Join Date: Feb 2013
Location: Hilton, Hyatt House, Del Taco
Posts: 5,378
Thanks a lot for the additional valuable insight! I don't like the intrusion, but you guys are helping me understand that there are valid reasons for it.
dbuckho : Are things I'm describing in line with the setup at yours and many other companies? If this is standard, then I won't get worked up over it. I'm in heathcare btw. None of the work I do remotely is revenue-generating or billable.
dbuckho : Are things I'm describing in line with the setup at yours and many other companies? If this is standard, then I won't get worked up over it. I'm in heathcare btw. None of the work I do remotely is revenue-generating or billable.
#13
Join Date: Jan 2015
Posts: 2,918
For my company, I believe the geo-restrictions were put into place because my company got HITRUST certification (since we deal with PHI and HIPPA regulations). Because of that, I also no longer am allowed to have local admin rights to my work laptop, which is a MAJOR annoyance. I typically spend 4 weeks in Sweden every summer--working and taking PTO, often depending on the weather. The approval process is simply a formality (unless, I guess, if I was constantly violating security policies), and it's a small price to pay to be able to be able to work where I want.
#14
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Losing local admin is becoming more common as some forms of malware use local admin privileges to install or cause other issues. With ransomware and keyloggers growing, it's becoming more common to lock down the system as required. Increasingly software can only be installed using curated "app stores" to limit the damage. proxies and DNS filters are also being mixed in to limit liabilities (and to keep certain issues from occuring).
#15
Join Date: Jan 2015
Posts: 2,918
True, but it might not run properly. And if you need to make system-wide calls, it's better to have the permissions... Ransomware is a good example of this.