• 520@kbin.social
    link
    fedilink
    arrow-up
    28
    arrow-down
    25
    ·
    11 months ago

    … actually they aren’t wrong. MDMs are given special permissions including but not limited to reading your SMSes and phone records, restricting and monitoring your installed apps and even wiping your device.

    • Eddie Trax@dmv.social
      link
      fedilink
      English
      arrow-up
      51
      arrow-down
      6
      ·
      edit-2
      11 months ago

      I’m not sure what MDM you’re subjected to but I’ve been an MDM engineer for 7 years using Intune and JAMF and no, no SMS or phone records. Even the phone # is blanked out minus the last 4 digits. Yes we can wipe the devices if it’s lost\compromised but personal versus corporate owned devices are limited. I can’t see what apps you have that were personally installed. And the only info I can get are the device stats (SN, IMEI, storage, battery, memory, etc).

    • LilB0kChoy@midwest.social
      link
      fedilink
      arrow-up
      41
      arrow-down
      5
      ·
      edit-2
      11 months ago

      Can you support your claims? I’ve worked with Intune, Jamf, MaaS360, Citrix, and Workspace ONE and none of them could read texts, emails or browser history.

      I’d be very interested to learn more about how they can access this information through MDM. We always did it through either the mobile carrier or the admin console for whatever the office/mail suite that was deployed.

        • LilB0kChoy@midwest.social
          link
          fedilink
          arrow-up
          6
          arrow-down
          2
          ·
          11 months ago

          I looked through your links. I don’t see anywhere that SMS can be read. The permission kind of makes sense as there is a security component to filter spam/phishing type texts. Sophos themselves claim they don’t store any of that data.

          I hadn’t ever seen the call log one and I’m not sure what that would even be used for. It was interesting though.

          App lists is common across all MDMs. It’s used to ensure apps are being updated and on fully owned corporate devices some apps will be blocked.

          It seems like many don’t really understand how this technology works. That said, it’s better to be overly careful and I agree with others in the comments. If you want me to use a mobile device for work you can provide it, I don’t put MDM on my personal device*.

          *the exception being our own MDM we have setup to manage our personal devices more easily.

          • 520@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            11 months ago

            I looked through your links. I don’t see anywhere that SMS can be read.

            From the link, emphasis mine. SMC is the MDM in question

            Read SMS or MMS
            Allows an application to read SMS messages stored on your device or SIM card.
            Malicious applications may read your confidential messages.
            SMC usage:

            1. Read the initial configuration and further server notifications.
              2. Read all SMS for Backup.
            • LilB0kChoy@midwest.social
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              11 months ago

              Yep, it’s part of their message filtering that I mentioned.

              This link provides more information and explicitly states the following:

              Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, or emails. Sophos Mobile does not access any data outside of the Sophos container.

              and

              Sophos Mobile does not track privacy data such as contacts, SMS and call history, browser history, bookmarks, emails, or data on the SD card.

              Sophos has a strong cybersecurity focus which, I’d imagine, is why they have the message filtering option that they do.

              • 520@kbin.social
                link
                fedilink
                arrow-up
                1
                ·
                11 months ago

                …why would they need to backup all SMS messages for a filtering option? That just plain does not compute.

                • LilB0kChoy@midwest.social
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  11 months ago

                  The short answer is to restore it:

                  1. Restore SMS backup

                  I’m not a Sophos admin, never have been, so I can only speculate but it might be to restore a message that was altered due to the filtering if captured incorrectly.

                  I’m also not sure why it specifies SMS but not RCS. I do know Sophos uses SMS to communicate between a device and Sophos Central.

                  Without more context and information it’s hard to say what exactly happening from the permissions KB.

                  I can’t definitively say it’s not possible but I’ve never heard of an MDM that allows an admin to read user texts. I appreciate the links, it helps to understand where you’re coming from.

                  I still remain skeptical but, like I said, better to be over cautious than under. I’d be leery of any company that tried requiring me to use my personal device with MDM.

                  Everywhere I’ve worked with BYOD it’s been optional to use your personal device. If you were in a role that required it you’d get a company provided device.

    • n1ckn4m3@kbin.social
      link
      fedilink
      arrow-up
      26
      arrow-down
      7
      ·
      edit-2
      11 months ago

      Please cite any one of your sources. I’ve managed MDM for over a decade and you’re spreading misinformation.

      Absolutely none of the MDM products on the market allow for the reading of personal e-mail, SMS, phone records, etc. On the contrary, almost every single one provides an information screen during the enrollment that makes it abundantly clear that they do not (and can not) access that data. Moreover, the “wipe” of data is the removal of company data. It doesn’t wipe your phone, it just removes the work profile (Android) or deprovisions the work profile and associated apps (Apple). All of your non-work-related data is untouched.

      Quick Sources for Intune and JAMF – do your own googling for others:
      https://learn.microsoft.com/en-us/mem/intune/protect/privacy-data-collect
      https://www.jamf.com/blog/apple-mobile-device-management-faq/