evergrn

Whenever I'm off work, including all vacations, I need to have work access through my phone and laptop.

Few years ago, my company started requiring that I have this MobileIron app on my phone in order to continue to use another work-related app. The MobileIron app must be set to allow my employer access to knowing my device location.

For work access through my laptop, I found out today the Citrix software (which grants me access to work) can only be enabled if I allow permission for it to monitor my physical location.

So at this point, I have no way to work during my time-off without my employer knowing where I am. I feel like I should be allowed to spend my vacation time without my job knowing whe

Is this becoming a common practice? If so, what is this driven by? Is this somehow important to enhancing IT security? Or is it data collection by employers? Do you think it could be used to monitor employee compliance with the company's Covid-related travel restrictions?

javabytes

Technical capabilities are one thing. What your company chooses to use them for is another.

MDM software is certainly capable of monitoring location. Some companies might use it to help track down a lost or stolen device, some might employ geofencing to take certain actions (or restrict access) if a device leaves authorized locations - for instance send alerts or even automatically wipe a device if it leaves a certain radius, or only allow you to log in from your mobile device while you are at a physical office location or your own registered home address (preventing someone who has stolen your device from accessing company systems elsewhere). Or they may simply log location along with IP address and other data as part of an audit trail never to be examined unless there is an issue.

Your only way of knowing what your company chooses to use location data for is to ask them.

If you’re violating company COVID travel rules (setting aside the question of whether such rules are reasonable), it would be a pretty bad idea to take your company devices along for the ride. They can know, the only question is will they notice, and you’re rolling the dice on that question.

StuckInYYZ

It depends on how granular the device location service is set to. Regardless, they would have at least some idea of where you are as IPs can be mapped to (at the very least) country or province/state (and in some cases, even down to the city). This is all done without accessing a GPS (although if the IP mapping isn't updated by the owners of the address, it can throw things off). Mobile Iron is a mobile device manager (MDM) which would likely have access to the GPS of your phone.

Is this common? Increasingly yes. It really depends on your industry. In some cases, it is for the employee's physical safety... your employer likely doesn't care if you use your work laptop at the local Starbucks or other coffee shop as long as you follow the proper computer hygiene (eg, connect via VPN, use a screen protector, use data encryption, etc.). However there are several implications if you leave your "jurisdiction"...

- data security... I and others have discussed this multiple times... if you were to go to a country that is likely to surveil you (eg, China or Russia), your laptop/phone could become compromised or your connection might not be secure.
- tax issues... while unlikely, there might be tax implications for you or your employer if you work outside a zone you're not meant to (eg, your nominal workplace is in the US and you submit unexpected expenses for the UK... might raise concerns during an audit).
- data access laws... your company data might have "residency: requirements (common for sensitive data)... if you access it from outside the residence, you could be violating a law.
- physical safety... there are a few industries where your physical safety might be at risk. For the employee's benefit, the employer might need to know where you are or have the ability to locate you.

There are a few other scenarios (especially phone and physical location) that come to mind, but this should give you a good start. If you are concerned, I'd check with your IT or HR teams to see why this information is being required/collected (note this may be a sensitive topic to them but most good employers will explain their reasons).

crackjack

Just a question: how does your laptop locate you? Is it Sim-enabled?

Simple solution… don’t work!

(Yeah, I completely screwed that up… thought I was editing the original post. )

MYSTERYouse

If your company is using office 365 exchange emails, they can already have most of the locations you are working from based on the IP addresses (each authentication is recorder with timestamp/location). Exchange can also automatically enroll devices to endpoint manager/defender based on the policies.

javabytes

Combination of IP address and Wi-Fi Positioning System even if it’s not enabled with its own GPS or cellular radio.

pseudoswede

My company uses FortiClient, and they geo-restrict access to US IP addresses only. If you work outside the US, you need to get white-list approval from someone high up in the IT corporate security chain.

evergrn

To clarify, these are not company devices. These are my personal smartphone and laptop which I use to access work, so it's not like they're bound by authorized locations.
I wonder if asking HR questions about what they do with any of these data might be dicey in and of itself, because the way it works at my company is that you have to submit a ticket via the Intranet to ask questions. No questions can be anonymous anymore. I don't know, maybe I'm worrying too much. They've converted everything to Sharepoint, Office 365, Onedrive, etc, about 6 months into pandemic. They've done away with in-house servers and I think they're trying to do away with phones.

All good insights. The 3rd item definitely doesn't apply to us, though, and it's hard to imagine the 4th being applicable either because most employees at my company do zero work outside of the workplace (my position is different and requires availability everyday).

We use Office 365 just for email. I remote into work desktop from my personal laptop via Citrix. I'm sure Citrix, like Office 365, is logging my IP address and applying barriers accordingly. In fact, as of 2-3 years ago I was no longer able to Citrix into work from Hong Kong where I used to go yearly with no issues up to that point. I'm still able to from Canada. And so if IP address is already being registered, then it begs the question as to why there's now the additional requirement of granting Citrix the permission to monitor my physical location.

Interesting. As I said above, my company also appeared to have installed geo-restrictions based on IP addresses a couple years ago.
You would think that it should be getting easier and easier to work from anywhere in the world. Instead it's getting harder.
Should it be getting easier, or getting harder? I want it to get easier (with more security AND privacy). But I don't know what the right answer is.

dbuckho

I run this stuff for my company.

Generally enabling the location is for the machines on the backend to use - to improve security or performance. For example if they have moved to Citrix cloud the session is now being streamed from Citrix’s infrastructure and network vs. your company’s data center - and Citrix may have an ability to move the session closer to you network-wise for better performance (whereas your company would have just had a single point to stream it to you). Or there may now be some additional security features available in Citrix that require location as input.

That said, StuckinYYZ listed several areas where the machines may have rules that if violated/triggered alert humans because of a compliance reason. Most companies take their tax obligations pretty seriously so working out of your home country for a prolonged period of time might trigger something. The team running these tools might be asked for reports on staff after an earthquake or other natural disaster. But also most large companies will have lawyers involved in the process around employee data collection and some level of safeguards in place before anyone accesses individual employee data like the kind mobile device management tools collect. Even if legal signs off on the data being collected, it is likely to only be viewed in aggregated form unless there is an incident, and many jurisdictions like the EU have pretty stringent rules around it. Controls at small or mid sized companies may be more lax or not in place.

There should be a remote use policy or other information somewhere on your intranet that you can dig into some of the specifics around the data being collected. And I would not be afraid to ask IT or HR about it - we get asked for it by employees all the time.

StuckInYYZ

It could be a sensitive topic to ask HR, but especially since they're your personal devices and they're using an MDM of some sort, there are boundaries and legal requirements. It will be up to you to decide how much personal risk you're willing to endure. Since you mention you have to citrix in (sounds like XenDesktop) it sounds like they're trying to reasonably manage data loss. There was a push towards the "work from home" strategy which means pushing data into the cloud which is what it appears your employers did.

Fair enough. I tried to mention what was off the top of my head. Not all of them would necessarily apply. #4 likely wouldn't apply but in several other segments (eg electrical line workers) it would be important.

The 3rd item could still apply. That's the sensitive information category... often you're looking at regulated industries, although anything (eg corporate trade secrets) could also apply in this case). If you don't have employees outside Canada or the US, a good practice is to filter out traffic from outside Canada or the US. To base your filter solely on IP address (which isn't always up to date) could cause you issues so they might be using location services to verify.

As mentioned above, your employer might have had issues where the address blocks in use might not have been updated with general location information (eg, the address block might say you're in mainland China instead of HK). Address blocks could have been incorrectly updated with incorrect information. I've seen some examples where the IP says they're in one part of Europe, but then after further investigation, the IP really pointed to the Middle East. It doesn't happen too often, but with IPv4 addresses hitting the capacity limit, it does happen.

It should be easier, but there are so many things in play and with security becoming more important as part of the requirements, it likely won't be getting any easier. It sounds like your employer is just implementing some operational security requirements. It might sound and feel like it is becoming a hassle, but if it's just geo-restrictions then it's not too bad. As mentioned in another thread, I've had to use "burner" laptops and phones going into China. Primarily because I wouldn't always have full control over my gear while there (eg, airport security control, if I happen to leave my hotel room to grab some food... )... even just accessing the internet while there could put you at risk. Now some of these might be extremes, but they're still valid. As the world is becoming more and more hostile, I'd say just roll with it. Eventually it might get easier as new methods to secure your computers and connections are developed.

pseudoswede

For my company, I believe the geo-restrictions were put into place because my company got HITRUST certification (since we deal with PHI and HIPPA regulations). Because of that, I also no longer am allowed to have local admin rights to my work laptop, which is a MAJOR annoyance. I typically spend 4 weeks in Sweden every summer--working and taking PTO, often depending on the weather. The approval process is simply a formality (unless, I guess, if I was constantly violating security policies), and it's a small price to pay to be able to be able to work where I want.

evergrn

Thanks a lot for the additional valuable insight! I don't like the intrusion, but you guys are helping me understand that there are valid reasons for it.

dbuckho : Are things I'm describing in line with the setup at yours and many other companies? If this is standard, then I won't get worked up over it. I'm in heathcare btw. None of the work I do remotely is revenue-generating or billable.

StuckInYYZ

Losing local admin is becoming more common as some forms of malware use local admin privileges to install or cause other issues. With ransomware and keyloggers growing, it's becoming more common to lock down the system as required. Increasingly software can only be installed using curated "app stores" to limit the damage. proxies and DNS filters are also being mixed in to limit liabilities (and to keep certain issues from occuring).

gfunkdave

Though I've also seen apps (and heard of malware) that installs in the user's local profile directory, which removes the need for admin rights to install. Spotify's Windows app is an example.

StuckInYYZ

True, but it might not run properly. And if you need to make system-wide calls, it's better to have the permissions... Ransomware is a good example of this.