Anyone Have Advice How I Should Handle A Company That Wants MDM Software On My Phone, But Won't Pay For A Company Phone?
Posted by Double_N_Glenn@reddit | sysadmin | 89 comments
Hello everyone. I'm not a system admin, but I do have some basic knowledge and hope you could provide me with some advice. I finished my final interview for a new job (it's non-tech related), but during the meeting, the manager said that we're required to have Teams and Outlook on our phones since we travel a lot and they need to communicate with us while in the field. However, he said that they don't pay for a company phone, and their IT team needs to download software to our phones to prevent screenshots or copy & pasting text.
That sounded a lot like MDM or MAM software to me, so I'm a little hesitant to allow that on my personal phone. I emailed their HR department to pass on my question to their IT team, and this is how the email chain went (only including the important bits below):
ME -- "I was informed by the hiring manager that [-COMPANY-] does not provide company phones, but we are required to use our own phones for SMS, Teams, and Outlook. I just need further clarification if you monitor data and permissions through the apps themselves, or if you have a third-party monitoring software I'm required to install on my personal device. I use Outlook for personal emails as well, and want to ensure that there is 0 crossover between personal and company data."
THEM -- "Anyone that wants to have company apps on their phone will need to have ONLY our MDM called Intune Company Portal installed on their phone. If they already have an MDM on the phone, then they cannot have PD apps on that phone."
ME -- "Ok. Can you confirm if the only apps that are required on the device are Outlook and Teams? If so, I may just add an LTE tablet to my phone plan to use for work-related messaging apps."
I notice they avoided answering my question about 0 crossover. I also have a freelance side business in something unrelated to this job, but I still don't want MY customers' sensitive information compromised. My personal phone is an iPhone, but I would probably get either a cheap Android phone or tablet if I decided to accept this job.
Do you guys think a new phone or a tablet is the right choice, or am I worrying over nothing and Microsoft's Intune won't be an issue on my personal phone?
TLDR: Company I'm applying for won't pay for a phone but requires Outlook, Teams, and Intune MDM on my personal phone. Should I (a) get a second phone, (b) get an LTE tablet for messaging apps, or (c) just keep using my personal phone because I'm overthinking and stressing too much about invasive permissions?
Wildfire983@reddit
I like how OP started with "I'm not a system admin", and usually they'd just get a bunch of snarky replies saying this isn't r/helpdesk. But since they clearly researched this first, it shows r/sysadmin has a friendly side lol.
dustojnikhummer@reddit
I do think this belongs here IMO, even if only for the feedback from the sysadmin side. How would you respond to a user with these concerns, etc.?
Double_N_Glenn@reddit (OP)
Thanks. Also, I tried checking Reddit, but I didn’t really see anything that related to my specific case, where the employer didn’t offer some form of compensation. I wanted to make my request specific and provide as much detail as possible, so if someone else reads this in the future, it can hopefully help them understand their situation too.
dustojnikhummer@reddit
As some said, how much is the job paying? Can you get by by purchasing the cheapest possible phone, using it without a SIM card and only having authenticator + MDM on that? It would be a one time purchase.
Considering your pay bump is more than I make per year total (not US) I would say it's worth it.
Of course, I would also treat that as a red flag. If they don't offer any compensation, yet they also require a phone (what if you didn't have a compatible one? rooted, dumb phone etc.?), there might be some other internal fuckery. I wonder what their reaction would be to "I don't own a smartphone, I only got a Nokia 3310".
Double_N_Glenn@reddit (OP)
You guys are actually all great, and this is the most replies I've ever had to a post. I know a little bit about sysadmin work, since I currently work for a web design and IT company. The IT side has a physical office, so sometimes I used to bring my laptop in to get work done out of the house. We'd shoot the shit and talk about all the stupid tickets that would come in, like a client asking why they couldn't share files easily between non-Mac devices after switching their business storage from Dropbox to iCloud 🤦♂️
As the only marketing person in the company, I am in charge of taking care of all our clients' needs with social media, Google, and online listings. Maybe we're connected because we all share a hatred of Google, lol. Honestly, if you think reaching Google support for a job is bad, you should try Meta 🤬
rcp9ty@reddit
Just buy a separate work phone and call it done.
Seriously. It's a work phone; it doesn't need to be able to play Fortnite and work with a controller. Plus that way, if people try to call you on holidays, you can turn it off and leave it at home. You don't want work shit on your personal phone. Believe me, I wish I had said on day one "here's my cell phone number" and had a burner phone number. If a company lays me off unexpectedly, I want to just be able to throw the phone at the ground and say "bridge burned". I don't want them calling me 3 weeks later when their "intern" that took my job burned out and quit. If a company is trying to save money with BYOD and control it, make sure it's something you don't give a crap about.
Double_N_Glenn@reddit (OP)
I honestly think a Cat22 with a cheap prepaid plan would be fun. Haven't used a flip phone in forever, and would probably get some strange looks when I pull that bad boy out.
I could get a belt phone holster, ortho sneakers, and white crew socks to start looking like my dad, lol.
rcp9ty@reddit
Just remember that you probably need a screen for the authenticator app. And a camera to troubleshoot Teams issues sometimes. But you could get an iPhone SE to make their MDM fun lol... I hate putting MDM on iPhones...
Double_N_Glenn@reddit (OP)
I looked on those online refurbed stores and found I can get a used Samsung tablet or iPad with cellular for under $150. Fair condition is fine with me for this purpose and somehow cheaper than the CAT22 + cheap prepaid plan.
Sufficient-Class-321@reddit
1) Intune shouldn't be a problem as it only affects things within its 'scope', i.e. company data
2) It's one or the other: if you're REQUIRED to have those apps on your device, they should at least offer to provide one if you aren't comfortable having MDM on the device. It is your device after all, you literally own it.
Coupe368@reddit
When you install their Outlook you also give them the ability to remotely wipe your phone.
If your phone doesn't do Outlook there isn't anything they can do.
https://www.amazon.com/Nokia-Unlocked-Universally-Compatible-Carriers/dp/B0D3RWZ39S
Wildfire983@reddit
False. Only Intune device management can wipe phones. If they’re properly doing MAM they can only wipe the managed app data.
Coupe368@reddit
She says they are putting Intune MDM on her phone.
https://learn.microsoft.com/en-us/intune/configmgr/mdm/deploy-use/wipe-lock-reset-devices?utm_source=chatgpt.com
A full wipe is absolutely an option.
Wildfire983@reddit
Then change your comment to say "when you install Company Portal you also give them the ability to remotely wipe your phone".
Outlook does not require MDM, and Outlook does not allow them to wipe your phone.
Coupe368@reddit
That's not what she said they were doing. I don't think you read her post, you just jumped in to say how wrong I was. Typical internet troll.
Kuipyr@reddit
No it doesn't
Double_N_Glenn@reddit (OP)
Are there any learning resources where I can teach myself more about Microsoft's device management? I'm leaning towards a second device, but my ADHD-ass brain now wants to absorb information like a ShamWow in a hot tub.
Kuipyr@reddit
https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/deployment-guide-enrollment-android
https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/deployment-guide-enrollment-ios-ipados
"BYOD: Android Enterprise personally owned devices with a work profile" for Android and "BYOD: User and Device enrollment" for iOS likely pertain to your situation.
Double_N_Glenn@reddit (OP)
Ok. Sadly, I gathered that Outlook and Teams are required to maintain communication while out in the field. Looks like I'm either buying a new device or reconsidering taking the position.
Coupe368@reddit
They need to issue you a device. It's a major security hole to let end users use their own devices. Also, it's just stupid.
However, they can force you to do that if they are reimbursing you for the expense of the phone. Regardless, it's best practice to have a separate work-issued phone so you can turn it off and security can wipe the phone if it becomes lost.
I would avoid letting them have access to my device, but I work in security and we issue devices because that way we can control the security of the device.
Sounds like your employer is really cheap.
sup3rmark@reddit
reconsider the position. if they are this shady about this, there'll certainly be worse that you won't find out until it's too late.
GroundbreakingCrow80@reddit
It wipes the O365 data.
MaNoCooper@reddit
Only corporate 365 data. Not personal data.
Stonewalled9999@reddit
Not correct
angrydeuce@reddit
I'm a strong believer in two phones, mainly because it's the only way to enforce work/life balance in this day and age. My employer provides us phones, and when I'm not working or on call, said work phone is sitting on the charger and in general not being touched.
I would either buy the cheapest phone you can find that supports the work apps and have that be your work phone, or I would decline the offer. Even if my employer offered to pick up my personal phone plan, I would still use that money to purchase a secondary line and device.
I've also had my personal number for 20 years now and I'll be damned if I'll let it get polluted by ancient work contacts and out of date websites or email signatures still floating around out there. Two phones for life!
Double_N_Glenn@reddit (OP)
Everything you said is what I'm leaning towards. If I only need Outlook and Teams, then I think adding a tablet to my data plan may be cheaper than a second phone. The next step is finding out exactly how much the pay will be to let me know if I'm pulling the trigger.
angrydeuce@reddit
Yeah, I've never understood the reticence people seem to have to managing two devices. At my firm there are some people that choose to eschew their personal device in lieu of the work phone so they can cut down their own expenses, which is totally fine on the company's end since they have them secured, but then when they leave the company it's always such a pain in the ass to separate those two facets when moving to their own device again... and believe me, there are ex-coworkers of mine that ported their personal number in to use at work that get calls from clients out of the blue like 5+ years later, because the email that came up in the search was from 2017 and their email signature had their cell in it. Screw all that noise lol
Honestly, if all they want is video calling, then you probably could just skip a carrier entirely and get a wifi-only device, especially if you have unlimited data on your personal line. It might be even cheaper to just get hotspot functionality turned on for like whatever a month and piggyback the garbagio wifi-only tablet through that.
dustojnikhummer@reddit
I'm moving to my private phone (to save on LTE SIM card) but I'm also using https://play.google.com/store/apps/details?id=com.oasisfeng.island&hl=en&pli=1 for "work profile". No MDM. If I leave this job I just remove the second SIM from the tray.
narcissisadmin@reddit
Google Voice number
dustojnikhummer@reddit
As far as they are concerned you don't own a smartphone.
HellDuke@reddit
This will vary by country, but in some, that would be illegal. For example, if I want to use my personal phone for work I can, but the company has no say in the matter on how the phone is managed; they cannot dictate what software is on it, they can only forbid me from using it if they worry about data leaks. But then, if a phone is necessary, it's on them to provide one.
alpha417@reddit
Requires? A term of your employment requires this?
sup3rmark@reddit
This. A company can't require you to install software on (or even have) a personal device, at least in the US. There are laws (at least in some states) that prohibit employers from requiring employees to pay for uniforms; things like a cell phone could fall under that category.
narcissisadmin@reddit
Yes, but they can also fire you without cause.
Double_N_Glenn@reddit (OP)
I'll have to look into that. This is a global company from what I gathered in the interview, but I'm based in Delaware, US.
alpha417@reddit
This is an HR question, not a r/sysadmin question, honestly.
suspicion intensifies.
Double_N_Glenn@reddit (OP)
Yeah, you're right. I'll request more specifics from them next week when I hear back if I got the job offer or not.
alpha417@reddit
Wait, so do you have a job offer or not?
Either way, this sounds like you're all worked up and confused over a shitty job offer. Good luck.
Double_N_Glenn@reddit (OP)
Sorry, I'm tired and stressed. I had my 3rd round of interviews. I think I nailed it and would be surprised if they didn't extend the offer to me. Yesterday, in the final interview, the manager made the comments about the phone requirements. I emailed their HR department that night, and got an email back today. It was weighing on my mind, so I came to consult the wise counsel of my fellow Redditors.
alpha417@reddit
r/lostredditors welcomed all.
This is off topic for here.
Kuipyr@reddit
This is false, companies can require you to install software on personal devices, with only a handful of states requiring a stipend for doing so. Regardless, we are talking about the U.S., the country with non-existent worker's rights. Good luck proving you were fired for refusing to install software on your personal devices.
Math_comp-sci@reddit
Depending on the state you live in it is illegal to require that employees use their personal phone for work.
Double_N_Glenn@reddit (OP)
I checked. There are 9 states with laws addressing that, and my state is not one of them :(
GinAndKeystrokes@reddit
I know this sub has a feeling towards using a personal device for work. And I sympathize and empathize. But most companies I've worked for have given a stipend for this, and I've never seen a competent company let you get any meaningful data sent to your phone.
Using Intune/Company Portal (Azure), we've never wiped anyone's phone after a term, and even if they wiped mine, I have redundancy.
Double_N_Glenn@reddit (OP)
I'm not worried about the wiping per se, since I have iCloud backups. The thing I am worried about is what they can see or control on my phone. I have a personal Outlook email, and it's better using the Outlook app than Apple's shitty mail app that keeps forgetting your account login information. I don't want them to see or disrupt my personal emails if I can sign into both on the same app.
Sandfish0783@reddit
Either they pay for a company phone, they pay for your phone plan, or you don’t install the apps.
You don’t need or want them on your device. They do, and that’s not your problem. If they push it, “I don’t have a personal device anymore”
Valkeyere@reddit
I've used this one, though in unrelated context.
Salesman insisting on my mobile number to buy something.
Sorry, don't have a mobile, or landline at home either.
Double_N_Glenn@reddit (OP)
(248) 434-5508 is literally a Rick Roll number. Keep it on a business card in your wallet the next time someone asks, lol.
Any_Falcon_7647@reddit
This sub leans very strongly towards never using personal devices for work stuff. Just to get that out of the way.
Those two features can be done via MAM policies though it sounds like they may still require MDM? The company and/or IT department doesn’t sound very competent though. Personally I’m okay with MAM-WE and personal phones, but I wouldn’t do MDM on my device.
HR says “anyone that wants it.” So I guess it still isn’t confirmed if you can reject it?
Also, you can’t have two company enrollments in Outlook if they both use MDM or MAM. It conflicts and will force you to remove one. Company + personal account is fine.
How bad do you need this job and is it worth paying out of pocket for a phone + plan?
Double_N_Glenn@reddit (OP)
This job's listed pay is almost $10k a year more than what I'm making now. I'm underpaid and completely burnt out at my current job.
To be honest, I believe that based on my skills, I'm worth even more than what this job is offering, but it's the first prospect to respond to my applications in over 2 months, and I just really want to leave where I'm at.
Yeah, this new job may require me to buy an additional device, but at least they have boundaries on the time you are required to be available on call. I said to someone else that I don't get many messages from coworkers, but when I do, it's usually my boss calling my cell phone at odd hours asking if I saw an email a client sent about needing emergency help with their advertising campaigns, or fixing issues with their Google or Social Media listings.
BadgeOfDishonour@reddit
If you are buying a device for the sole purpose of work, you may be able to write some of that off on your taxes. Check with a tax expert to be certain.
Double_N_Glenn@reddit (OP)
Thanks for the great advice! I'll message my accountant tomorrow :)
wrt-wtf-@reddit
Basic principle is that if they need you to have a specific tool for the job and they have full control over said tool, they pay for it.
If you are desperate for the job, get a 2nd phone and track everything with that phone so that you can claim tax against it. As 100% use for work, that makes things really easy come tax time. Turn it off when you're not using it.
Double_N_Glenn@reddit (OP)
Oh shit, that's a good idea. Didn't even think about tax write-offs.
GCanuck@reddit
Unless this job pays you in blow jobs from the Swedish Bikini Team, I'd run. If they require you to have a phone, they should supply a phone. If they can't they're too cheap to be taken as a serious employer.
The simple answer is: No I will not permit company MDM on my personal phone.
Double_N_Glenn@reddit (OP)
I've never been to Sweden. Are they that good?
GCanuck@reddit
To be fair, they are/were not Swedish. They were a marketing stunt for an American beer company in the 90s.
https://en.wikipedia.org/wiki/Swedish_Bikini_Team
Double_N_Glenn@reddit (OP)
Omg, it's like when I was a kid I thought the GoDaddy commercials were advertising internet *corn sites.
BadSausageFactory@reddit
We use Intune and require it for personal mobile devices (which we do not provide), but it's also entirely voluntary and we provide a company laptop. Your idea of a separate tablet is the cleanest if you have the option. Not working there at all and telling them why would be the ideal, but we can't all have that. Good luck.
Double_N_Glenn@reddit (OP)
The funny thing is, my current job doesn't use any MDM or MAM, and I'm still free to sign in to my work account from my mobile Outlook app if I want. They control things from the 365 admin center, and block sharing company files on our SharePoint server with anyone outside the company that hasn't been approved.
Like, if they're that worried that I'm gonna copy & paste or screenshot something, what's stopping me from taking a photo of my phone with another device or just, I don't know, writing it down on paper??
Impossible_IT@reddit
Just buy a prepaid flip phone or smart phone.
brekfist@reddit
This is the answer. Buy a phone that can't do MDM. Many Androids lack the Google store.
cad908@reddit
My company gives a choice: they’ll provide a company phone (either Apple or Android, but an older model) or they’ll give an allowance ($60/mo) if you use your personal phone, but then you have to install their instance of the Google policy manager, and they can monitor and brick your phone.
I wouldn’t give the company access to your personal phone without compensation.
sryan2k1@reddit
Stop using personal devices for work.
Valkeyere@reddit
And stop using them at work! :P unless on the shitter.
Double_N_Glenn@reddit (OP)
Can I shit on my device so I don't have to use it anymore?
BadgeOfDishonour@reddit
It's your device, not theirs. You dictate its use. You can say "no". Or you could offer to rent them use of your phone, which they can put MDM software on - say $500/month? At that rate, you could buy a new phone and just have their crap on it.
JLVIT90@reddit
This happens way more than it should especially in SMB private environments. If they don’t have a BYOD policy enforcing this and/or it’s not required, then you are not obligated to do so. I also would not put work apps/email on your personal phone. Unless it’s policy and they reimburse you for data, then sure. Gotta stand your ground on this.
Quietech@reddit
You could take an old phone and set it up with an internet-only SMS option. Don't pay for a plan. Just have it on wifi for Teams and such. Your phone could hotspot if you really wanted to.
Yes, not taking the job is an option, but that's really up to you and your wallet.
Double_N_Glenn@reddit (OP)
I do have an old iPhone 7 lying around in great condition. However, I believe support just ended for that phone this year.
Majik_Sheff@reddit
If they want control of the device, they can provide the device.
This is a company concerned with being able to spy on/micromanage you but cheap enough to not properly invest in the security they profess to care about.
Priorities are skewed, and middle management is outsized.
Just walk away.
riegz@reddit
If it is Intune MAM policies, they will only have control over corporate data/apps/profiles. No crossover concerns. If it is MDM, then they can control the full device. Personally I'd use a different device and keep things separate.
Double_N_Glenn@reddit (OP)
Yeah. I specifically asked if it was MDM or MAM, and the HR person responded that it's MDM. That's what I was worried about.
MakeItJumboFrames@reddit
I don't know your company, but we are rolling out MAM and have users and leads mix the words up. If it's truly MDM, don't do it. If it's MAM, then iOS requires the MS Authenticator and not the Intune Company Portal (Company Portal for mobile is Android for MAM).
You could do what you said and buy a second device. I got a used Android off Amazon for 250 USD or so and use that for MAM to keep everything separate. Though I have wifi everywhere I go except the car, so I don't need to add an extra line.
If MDM as well, they should absolutely be giving you a company phone, as that's designed for company-owned phones.
Double_N_Glenn@reddit (OP)
Actually, I didn't think about that. I may not need a second phone plan or LTE tablet if I just hotspot my phone. I would probably need to be strategic about it though. Their policy is I get an email about a job, and then I need to be out the door in 15 minutes. They will apparently follow up with a phone call if I don't respond within 10 after sending me the message.
Not a problem if I'm at home, but I foresee it being an issue if on the road. I need to check if it's cheaper to just hotspot when I'm out, or add another line.
Valkeyere@reddit
My phone. Mine. They ain't installing shit.
If it's a requirement they can afford to buy me a company phone.
I'm okay with not accessing company data from my personal device, which is the only reason to want MDM on my personal device.
funky_bebop@reddit
Ask for a stipend then.
Smoking-Posing@reddit
It's simple: Hard NO. If they want all that, then they get you a company phone.
No company phone? No deal. Also, they can't fire or dismiss you for it either, not legally at least.
Eddit13@reddit
"No." is a complete sentence.
UNAHTMU@reddit
I would go to my junk drawer, find the first phone that turns on and give them that. It plays Snake, so not sure if their MDM app will run on that. I draw the line at them having my phone number for SMS OTP.
usa_reddit@reddit
Just get a second work phone and call it good. Keep your personal business and work business separate. When you leave for the day, leave your work phone at work.
Double_N_Glenn@reddit (OP)
Well, I'll probably need to turn it off, but I get what you're saying. I work from home full-time at my current job, but haven't had a performance review or raise in 3 years. It feels like they've forgotten I exist. I just do my tasks that get added to my list, log my time, and nobody really messages me anymore. It's honestly depressing and I want to move on.
This new job opportunity is full-time on call, and I travel from my home to the surrounding areas when a job comes in. However, they said because I'm on the road a lot, they need us to use our phones for messages since they don't expect us to haul a laptop and have Wi-Fi signal everywhere.
GroundbreakingCrow80@reddit
Use an old phone even. Especially if you're going to be around wifi
BarracudaDefiant4702@reddit
Tell them they need to bump your base pay by $1K to cover this unexpected requirement.
alivefromthedead@reddit
Run.
QuesoMeHungry@reddit
I’d buy an old unsupported iPhone and tell them it’s what you use and let them try to MDM ancient tech.
dmills_00@reddit
Not an iPhone, eBay Nokia 3310... Classic bit of kit.
Double_N_Glenn@reddit (OP)
I mean, I'm still rocking the iPhone 11, so won't be long till it's obsolete.
Wildfire983@reddit
On Intune, if you had an Android phone, Company Portal only needs to be installed to be an authentication broker for MAM to work. If you don’t enroll, Company Portal is harmless.
Since you have an iPhone, the authentication broker is Microsoft Authenticator and Company Portal isn’t required for MAM at all. If they’re requesting you enrol with Company Portal, that means they are managing your device, and thus can wipe it on you.
Personally I’d just get another phone for business and keep them separate.
We’re overhauling all this at my work right now. We tried to be super conservative on what we’re doing with BYOD and not requiring device management at all, but people are still freaked out that we’re doing this to spy on them. Worst part is if your role requires use of a phone, we give you one. Everyone using BYOD is choosing to for their own benefit. I’ve been telling people if they refuse to comply with the MAM requirements, then OWA in a browser is still available for them. /negotiations
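The thread keeps circling the same distinction: MAM app protection policies (which can block clipboard and, on Android, screenshots inside Outlook and Teams without enrolling the device) versus MDM enrollment through Company Portal (which gives the tenant control of the whole phone, including a full wipe). The script below is an added example for the admin side of that conversation, the "how would you respond to a user with these concerns" question raised earlier; it is not code from the thread or from Microsoft. It uses the Microsoft Graph PowerShell SDK's `Invoke-MgGraphRequest` against the documented v1.0 endpoints for app protection policies, MAM app registrations and MDM managed devices, and reports whether the copy/paste and screenshot controls are delivered by MAM alone or whether a policy also demands an MDM-compliant device. Tenant contents are whatever your tenant returns; the only assumption is that the account has the two read scopes named in the `Connect-MgGraph` call, and only the first page of each result is read.

```powershell
# Added example (not the thread's or Microsoft's code): show, from the Intune admin
# side, whether "no screenshots / no copy & paste" is enforced by MAM app protection
# policies alone, or whether device enrollment (MDM) is being required as well.
# Requires the Microsoft.Graph PowerShell SDK. Assumes the signed-in account holds
# the two read-only scopes below. Only the first page of each query is read.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All', 'DeviceManagementManagedDevices.Read.All'

$base = 'https://graph.microsoft.com/v1.0'

# 1) App protection (MAM) policies per platform. These apply inside the managed
#    apps only (Outlook, Teams, ...) and do not touch personal data on the device.
$policies = @()
foreach ($platform in 'androidManagedAppProtections', 'iosManagedAppProtections') {
    $resp = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceAppManagement/$platform"
    foreach ($p in $resp.value) {
        $policies += [pscustomobject]@{
            Platform = $platform -replace 'ManagedAppProtections', ''
            Name     = $p.displayName
            Assigned = $p.isAssigned
            # 'blocked' or 'managedApps' stops pasting corporate text into personal apps
            ClipboardOut = $p.allowedOutboundClipboardSharingLevel
            # Screen capture blocking is an Android-only MAM setting; iOS MAM has no equivalent
            ScreenCaptureBlocked = $(if ($platform -like 'android*') { $p.screenCaptureBlocked } else { 'n/a (iOS)' })
            # True means the policy insists on an MDM-compliant (enrolled) device, i.e. not MAM-only
            RequiresMdmCompliance = $p.deviceComplianceRequired
        }
    }
}
$policies | Format-Table -AutoSize

# 2) MAM-only registrations vs MDM-enrolled devices. A phone that merely signed into
#    Outlook/Teams under app protection appears as a managedAppRegistration and is NOT
#    a managedDevice, so it cannot be remotely wiped as a device.
$mam = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceAppManagement/managedAppRegistrations?`$select=deviceName,deviceType"
$mdm = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/managedDevices?`$select=deviceName,ownerType,managementAgent"

$personalMdm = @($mdm.value | Where-Object ownerType -eq 'personal').Count
"MAM-only app registrations: $(@($mam.value).Count)"
"MDM-enrolled devices:       $(@($mdm.value).Count) (marked personal-owned: $personalMdm)"
```

Reading the output the way the thread frames it: a policy row with `ClipboardOut` of `blocked` or `managedApps` and `RequiresMdmCompliance` of `False` is the MAM-only configuration several commenters say they are comfortable with on a personal phone; a `True` there, or a personal-owned phone showing up in the `managedDevices` count, is the MDM situation where the tenant can wipe the whole device. The `ScreenCaptureBlocked` column also makes concrete why the requirement as described (screenshot blocking on an iPhone) cannot be met by MAM on iOS at all.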