this post was submitted on 07 Oct 2024
78 points (98.8% liked)

Asklemmy


I'm non-techy. I work for a public school district and visit with kids in about a dozen schools. I like having my work email on my phone so teachers can get in touch if they need me. For years we've just used the Outlook app with no real issues that I've noticed. We're seeing more and more micromanagement and it sucks. We recently got notice that we have to install Cisco Duo on our phones if we want to have our email on it. Should I do that? Or just say no and be OK with being out of contact?

[–] [email protected] 36 points 1 month ago

Main issue is that you have your work e-mail in your pocket, and can see it 24/7.

[–] [email protected] 28 points 1 month ago (2 children)

Don't.

Two reasons:

  1. Many employers require you to install phone-management software as part of the data loss mitigation/data exfiltration requirements - and those requirements might be set by their insurers.

This gives them the ability to remotely lock or wipe your phone at any time - useful to them because they can remove company data if you lose your phone, or you leave the company, or are suspended for any reason. Obviously that'll also lose any personal data on the phone, but that's your problem, not theirs. They can also monitor its location and similar things.

That's obviously a reason why you should never, ever, use a work-issued device for personal use - besides it being against their acceptable use policy. If your employer requires you to check email then they are required to issue you the means to do so. They cannot insist that you use any personal devices for that.

  2. It's bad for your mental health.

Keep work to work hours. Keep work devices for work. Keep personal hours and devices for your personal use.

This physical separation requires a little discipline but, having been on all sides of this barrier (employer, employee, suffering with poor mental health, and currently, in good mental health) - I know this to be the only way to achieve a healthy balance.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago) (1 children)

I'm forgetting the episode, but the Darknet Diaries podcast had one where a guy took revenge against a former employer and wiped out an entire school's email system and wiped all phones that had logged into the school email. This was done by compromising the school's Outlook admin account.

That was the first time I learned that logging into the employer email could give them that level of control over your device. Fortunately I never have done that, for the #2 reason.

[–] [email protected] 6 points 1 month ago (1 children)

This is great context, thanks.

A follow-up question, if you don't mind. I am running stock Android 14, which offers multiple users. My main user account is my personal (nothing work related), and a second user account is my work profile, complete with phone-management software. The two accounts are based upon different Google accounts.

If my work were to remote wipe, I have assumed that would only affect the (second) user profile which has those apps, and not the main user account.

Do you know if that is correct?

[–] [email protected] 7 points 1 month ago

> If my work were to remote wipe, I have assumed that would only affect the (second) user profile which has those apps, and not the main user account.

My understanding is that these tools offer a factory reset, so they would wipe everything. After all - if the phone is stolen, you wouldn't want to just wipe one profile and leave data within another.

[–] HobbitFoot 22 points 1 month ago (1 children)

Duo is Cisco's version of authentication. The only permission it has on my phone is notifications.

In its current form, it doesn't appear to let your company's IT department control your phone.

[–] [email protected] 5 points 1 month ago (4 children)

Do you have any concerns about having it? I mostly don't want my phone activities or location tracked.

[–] [email protected] 7 points 1 month ago (1 children)

How specific? Most companies can tell if you are connecting to the mail server from an IP in a different city without needing any app to do that.

[–] [email protected] 6 points 1 month ago (1 children)

Just within the city, doing paperwork from home instead of at a campus.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago) (1 children)

Your IP will be the easy giveaway if they care to audit. A possible solution is to VPN to the campus and NAT your traffic from a campus IP, but now we are getting into additional questionable action.

[–] [email protected] 3 points 1 month ago (1 children)

If they're on their phone they should just make sure they don't connect to their home WiFi or their campus WiFi on their phone during work hours. All anyone will see them connecting with then is their cell network IP, prolly just an IPv6 address, and there won't ever be an obvious tell that they are in a specific location in town.

[–] HobbitFoot 6 points 1 month ago

If you are accessing your work email through your phone, you're going to be pinging the server with your phone's IP address. Duo isn't adding any tracking beyond that.

[–] [email protected] 5 points 1 month ago (1 children)

Duo tracks your location. Not exact location but IP address and city.

[–] [email protected] 3 points 1 month ago

Only IP address. Location data from IP address is a guess at best.

[–] [email protected] 5 points 1 month ago

I've got Duo; we had to have it at my uni for 2FA for our school emails. As far as I can tell it really isn't very invasive. That said, I do think it tracks general location but I don't believe it goes further than that.

[–] [email protected] 19 points 1 month ago (2 children)

If you have an Android phone you can make a work and home profile so the two sessions are totally separate. It does mean swapping back and forth between profiles.

[–] [email protected] 11 points 1 month ago (1 children)

No more swapping on modern Android. The apps just run side-by-side.

[–] [email protected] 3 points 1 month ago (2 children)

I'm still having to swap User in the MultiUser profiles, if I want them sandboxed as separate. Do you have another method?

[–] [email protected] 2 points 1 month ago (2 children)

Yeah, I'm Android, so I'll look into that.

[–] [email protected] 14 points 1 month ago* (last edited 1 month ago) (1 children)

I work in IT and have implemented quite a few MDM systems. For Android, a work profile will be entirely isolated personal data wise. IT can't see anything beyond the work walls; however, there are a few shared things.

If work enforces a tougher screen lock setting, it'll take precedence over your regular lock screen setting. You might also have a few other things change while it's active, like display timeout (if work has a shorter setting).

We can also see certain shared info like device serial number, IMEI number, OS version, security update version etc. Depending on the configuration, GPS/location info can be obtained as well (via a force-installed policy app, for example).

You can pause the profile at any time, which suspends ALL work profile app activity (so if there was an app they install that they could get GPS info from, that app would no longer be functional until unpaused again; no, it can't "run in the background" and collect info in the background either, it's wholly suspended). The pause feature can be set on a schedule, so if you have a 9-5 you can set it to that and avoid the whole "always available" problem.

[–] [email protected] 5 points 1 month ago (2 children)

I wish work profiles were more separate. My company's work profile ended up locking me out of my phone (including the personal profile) and forced me to wipe and start over with it. They disabled fingerprint unlock and required my unlock password to change monthly, and I got the periodic "you have to change your password NOW" notice while plugged into my car with Android Auto. I couldn't enter a new password and the phone never unlocked again.

I know, probably a super rare set of circumstances, but I'm not going to allow my work to root my phone again. They can buy me a phone if they need so much control.

[–] [email protected] 6 points 1 month ago

Periodically rotating passwords is against NIST policy. Ask IT why they insist on using it when everyone, even the government, says it's insecure.

[–] [email protected] 6 points 1 month ago (4 children)

Well then, lemme give you something more specific to look into:

Most Android phones kinda hide the option to turn the Work Profile on. But it is implemented at the core of Android and should really be available on any Android device that's from the last 5 years.

Once you turn it on once, you will always be able to see it. And you will also get one of those buttons available in your notification center. Just like those that turn on and off your WiFi - this one will turn on your work profile. Or off - if Off, alllll the apps installed in the work profile will be disabled completely until you enable the work profile again.

Very handy for splitting private and work stuff - since you can just turn off the work profile when you walk out of the office and won't be bothered anymore.

Let's get to the turning-things-on part:

You simply need one app to activate the work profile.

"Shelter" --> this app is not on the Google Play Store.

This app is in the F-Droid Store. Since this is also a new thing, lemme explain this real quick. F-Droid is a store just like the Google Play Store. You can download and install apps from there. It comes as an app for your device, or you can just simply browse it in the web browser and download the apps you want from there. The F-Droid Store is well known in the Open Source community and is the go-to place if you want privacy-respecting apps. - I am saying this to make sure you can trust this new and, to you, unknown store.

Soooo. Back to the topic. Download either the complete F-Droid Store and in this app then search for the "Shelter" app - or simply download the Shelter app once from the website of F-Droid directly. Keep in mind if you go with the downloading-F-Droid route: on its first launch, F-Droid will take ~30 secs to update its repositories and you won't find any apps in the search menu. So let it stay put for a few secs before starting your search.

To make it as little of a hassle as possible I'll go forward and describe the route where we will install the app directly from the website.

  1. Go here: https://f-droid.org/packages/net.typeblog.shelter/
  2. Click download F-Droid (for the full F-Droid route)
  3. Or simply download "Shelter" directly by looking further down at the latest app versions. Scroll down one of the paragraphs until you see the linked text "Download APK" (or similar - I have the UI in German, so idk what exactly the text will be. Just look for "APK")
  4. Once it's downloading and you have made sure your browser actually downloads it (Chrome warns you about downloading APKs)
  5. Click the install/open button on the just downloaded APK.
  6. It will say that the setting for enabling app installation from untrusted sources is turned off right now - and that this is the reason why it cannot be installed.
  7. Go to your system settings and search for "sources" -- it should get you right to this exact setting. Turn it on/enable it.
  8. Go back to your browser and click install again. Then you will be prompted/asked if you want to allow your browser to install apps. Accept that -- later you can disable both of those settings again. On this path we only need them for the initial installation.
  9. The app should be installed now.
  10. Search for the "Shelter" app in your app menu and open it.
  11. It will prompt you with lots of stuff and explain many things. Read through them. It won't take long but will make you understand how it works better.
  12. Once set up - look for the Play Store app in the work profile. If you can't find it - use the Shelter app to clone apps from your personal profile to the work profile - such as the Play Store, or simply install the Cisco app once in the normal profile and clone it over to work. Then delete it again from the normal profile. Though I would prefer getting the Play Store and getting Cisco directly from there - since this way you will auto-receive updates and such.
  13. Learn to use work apps and how to disable them (look for the previously mentioned toggle in your notification center - you might have to edit this zone to find the button hidden under those not displayed by default)
  14. At this point you can install your apps for your work profile and disable your browser from being allowed to install apps, and disable the "apps from third party sources" option altogether. (Though this one only if you didn't choose the full F-Droid installation path. If you chose the full install path, this option will be necessary for F-Droid to install updates in the future.)

I hope this helps ya!

[–] [email protected] 14 points 1 month ago (1 children)

Please don't be a hero. Work your 40 hours and then stop. You didn't clarify, but I'm slightly worried that you want to be more connected which might lead you to increase your workload or working hours, and that will make your job less sustainable in the long run, and we really want people like you to stick around for many years to come.

[–] [email protected] 10 points 1 month ago (3 children)

Oh no, I'm definitely not looking to put in more than 40 hours. I spend most of my day driving from school to school and I just want my teachers to be able to reach me - without giving my cell to everyone. Also, I share a one-room office with 15 people, so I like to do meetings and paperwork from home even though I'm not supposed to. Thank you for your concern.

[–] [email protected] 13 points 1 month ago (3 children)

Ask for a physical device like a yubikey instead of the duo app.

Use the web browser to access email.

[–] [email protected] 23 points 1 month ago (1 children)

I have a 6-year-old work iPad and we buy our own toner cartridges for our office printer. They're not buying anything. They put millions into door-swiping, staff-tracking security but we have playgrounds that don't have fences. Public education is super fucked up.

[–] [email protected] 8 points 1 month ago

I think they cost $20. Either this, nothing, or give in and give them access.

[–] [email protected] 12 points 1 month ago (1 children)

+1 to being out of contact – It can honestly wait until the next time you're near a work computer. (I'm hoping a work laptop or something is involved here.)

[–] [email protected] 2 points 1 month ago (2 children)

Yeah, I have a work iPad with me most of the time, so it should ding if it's getting Wi-Fi, but it's usually in my backpack. Also, I know they can track the location of it so I sometimes leave it at home on purpose. Would forwarding my work emails to a Gmail or Proton account be an option?

[–] [email protected] 9 points 1 month ago

Forwarding your work email to a different service provider will probably violate PII and will also set off some flags.

[–] [email protected] 9 points 1 month ago

> Would forwarding my work emails to a gmail or proton account be an option?

I give it 100% chance of it being a problem.

[–] [email protected] 12 points 1 month ago

I've managed Duo installations. The administrator can see your phone number, your device OS and version, and history of authentication attempts.

[–] [email protected] 10 points 1 month ago* (last edited 1 month ago) (1 children)

People have already answered well enough, though many of them mention IP addresses and you said you were non-techy, so I wanted to add this:

Giving away your IP address is not that big a deal; you do it every time you visit a website without a VPN or connect to pretty much any web service.

(You still shouldn't post it publicly of course, but it's unlikely your employer is going to dox you, and if they do it's probably illegal.)

[–] [email protected] 10 points 1 month ago (1 children)

I would never mix private data with work-related data. You should get a second phone for work-related things. As pointed out by others, it may be technically possible to have both on the phone without interfering with each other (which also would be more convenient), but keeping things separated physically has another advantage: data you are handling/generating at work belongs to your employer. This means that he can demand (probably backed up by law) to search your phone when things should go south in the future. You don't want your employer to have a peek at your personal phone, do you? Also, your employer might want you to install tracking/logging software to make sure you really do the work. By having a dedicated phone for work-related stuff your private stuff is out of focus.

[–] [email protected] 7 points 1 month ago

> You should get a second phone for work related things

Slight correction: OP's employer should get him a second device if they require him to access work email away from his office during work hours.

[–] [email protected] 6 points 1 month ago (1 children)

You can always get a cheap prepaid burner

[–] [email protected] 9 points 1 month ago* (last edited 1 month ago) (1 children)

~~You~~ Your employer can always get a cheap prepaid burner

FTFY

[–] [email protected] 2 points 1 month ago

Ha! When I started here 20 years ago they had just gotten rid of pagers.

[–] [email protected] 5 points 1 month ago

It's a slippery slope. They may require your phone to have a password or Microsoft Intune. Plus, they will know you have it on your phone.

[–] [email protected] 4 points 1 month ago (1 children)

Duo is just a widely used third-party multifactor authentication app, which is useful for organizational cybersecurity.

I had it on my phone for years working at a hospital and really never had any privacy concerns with it the way I have with other apps. The convenience of being able to respond to work emails on your phone is totally worth it.

[–] [email protected] 4 points 1 month ago (1 children)

Duo does location tracking. It can also perform device attestation.

[–] [email protected] 2 points 1 month ago

Are you sure it has permission to track your location? I'm not seeing that one. Either way, they share nothing with your employer

[–] [email protected] 3 points 1 month ago

I use an S23 Ultra and have my work profile in a sandbox environment with Knox. I can also turn it off at the end of the day, and while normally work could have access to my personal data, Knox blocks that.

[–] [email protected] 3 points 1 month ago (3 children)

If it's Android, set up a work profile and put the VPN and email on that.
