• ViatorOmnium@piefed.social
        ↑ 104 · ↓ 4 · 2 days ago

        Work stuff should be on a work phone.

        I don’t understand why either the worker or the company would ever allow the use of personal devices for work.

            • bonenode@piefed.social
              ↑ 14 · ↓ 4 · 2 days ago

              They can also just let you go for someone else who has no clue about this and gladly would use their private phone for work. Depends on the job and company, of course.

              • LemmyFeed@lemmy.dbzer0.com
                ↑ 6 · ↓ 2 · 1 day ago

                That’s dangerous thinking; “if I don’t then someone else will.” That’s a common excuse that thieves use. And it’s you doing the work of your oppressor.

                Standing up for what you believe in isn’t always easy, but it’s always the right choice.

        • KiwiTB
          ↑ 17 · ↓ 2 · 2 days ago

          Because they are cheap and their tech lead is probably incompetent.

          • Pope-King Joe
            ↑ 5 · 2 days ago

            This is Walmart in a nutshell. A majority of the work phones at my store (used for stuff like inventory management) are Samsung Galaxy XCover Pros from like 2016. They were trash the day they released and they’re especially trash now. The company is very slowly replacing them with Pixel 8s (like one every six months comes in). It is legitimately frustrating.

        • cole@lemdro.id
          ↑ 9 · 2 days ago

          my work pays my cell phone bill if I install Microsoft teams, and frankly that’s a pretty good deal

          • Railcar8095
            ↑ 8 · ↓ 1 · 2 days ago

            With that money, get a second one and use it only during work hours. Doesn’t even need connection, use WiFi or tethering.

            • cole@lemdro.id
              ↑ 2 · ↓ 1 · 1 day ago

              that sounds annoying. I’d rather just have it all on the same device. I can enable and disable work apps on a schedule if I’m bothered. I don’t want to deal with two devices really

              • Turret3857@infosec.pub
                ↑ 1 · 21 hours ago

                If you’re in the US and your company is paying your phone bill, they are legally allowed to access your location via cell towers at any given moment. That, in combination with the fact that they can also legally take the phone from you (you have company trade secrets on that device if you install their software), I don’t see the point in risking not having a 2nd device.

                • cole@lemdro.id
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  20 hours ago

                  you’re gonna have to cite some sources here because I don’t think there is actually a legal requirement for these things.

                  the work apps require Internet access to even open and the contents are encrypted. this has all been figured out

                  • Turret3857@infosec.pub
                    ↑ 1 · 18 hours ago

                    Legitimate Reasons for Employer Device Access

                    There are valid reasons why an employer might need to access an employee’s phone, regardless of ownership:

                    - Legal Compliance: To comply with legal requests such as subpoenas or investigations.
                    - Security Breaches: To investigate potential security breaches or data leaks.
                    - Violation of Company Policy: To investigate violations of company policies regarding acceptable use.
                    - Employee Termination: Upon termination, to retrieve company data and ensure a smooth transition.

                    https://www.aeanet.org/can-an-employer-take-your-phone/#Can_an_Employer_Take_Your_Phone_Exploring_Workplace_Device_Confiscation

                    Let’s be generous and say your employer considers your phone a personal device even though they pay for the service.

                    For an employer to legally track a personal phone’s location, they need explicit consent from the employee and must have narrowly defined policies.

                    https://legalclarity.org/can-my-employer-track-my-work-phone-location/

                    Is there anything stopping them from hiding a tracking policy in your contract? Did you fully read the contract to check? Would allowing them to pay for the service count as consent in court? IANAL, but why would you risk it, when you could just have a work phone you only use for work.

            • cole@lemdro.id
              ↑ 1 · 1 day ago

              yeah but you can disable most of its invasive permissions so I’m ok with it

          • ViatorOmnium@piefed.social
            ↑ 2 · ↓ 1 · 2 days ago

            What happens if the worker doesn’t have a smartphone, or has one, it breaks and they don’t have money to buy another for a while, or what if they install a random app that encrypts their mailbox?

            Even if you live in a 3rd world country where employers can force it, it’s a stupid decision for the business.

            • zelahdieliekeis@piefed.blahaj.zone
              ↑ 1 · 1 day ago

              I don’t understand your line of questioning. If a bad thing happens then a bad thing happens. Potential for bad things indeed makes companies likely to lock down devices if they provide them, hence the qualifier “not all works would allow it.” From an employee perspective, if you have the freedom to do it then more secure OS is more secure.

              • ViatorOmnium@piefed.social
                ↑ 1 · 16 hours ago

                I have a work phone.

                If I didn’t have a personal phone, it wouldn’t matter.

                If it breaks, they have insurance to replace it immediately.

                There’s no risk it will stop working because I didn’t pay the bill.

                And I can’t install random crap because it’s locked down.

                And they have options like remotely wipe the device, if they think something weird is happening.

                From my side. The phone is turned off the microsecond I clock out.

            • bajabound
              ↑ 3 · ↓ 1 · 1 day ago

              I can tell you what we do. Here’s your yubikey. Then most find a new phone after a couple weeks.

        • Ghoelian@piefed.social
          ↑ 24 · 2 days ago

          Not necessarily. Microsoft’s authenticator has an option where you have to tap a notification to approve, which isn’t a standard TOTP thing. If your company requires that version of MFA, you pretty much have to use Microsoft’s authenticator.

          • Lets_Disco@retrolemmy.com
            ↑ 5 · 2 days ago

            Aw shit, this sucks because my company uses this authentication method.

            I guess when the change finally happens I’ll just be saying ‘you owe me a phone for this’. Absolutely no way I am going back to Android just for this on my personal phone.

            One possible workaround is to add more options to your security info in your work account. For example, I added my number and also a specific password as an option last year when I moved onto Graphene and had to update that info. Would that be an option?

            Unsure if that would even work or if those options are more for account recovery (when no longer have access to a specific device)

              • Lets_Disco@retrolemmy.com
                ↑ 2 · 1 day ago

                Yeah, this is what might be the final outcome

                If I say give me a phone and they say “no, come into the office instead of working from home”, I will produce an old phone faster than ya could blink lol

      • Fmstrat
        ↑ 2 · 1 day ago

        Old phone with remote desktop.

        Works like a charm for many of these types of things. You can also forward notifications into NTFY or Matrix.

      • ItsMyVault101@piefed.social
        ↑ 7 · 2 days ago

        MS MFA allows you to use a different authenticator app. On the step called “Start by getting the app” you just need to press the blue text above the “next” button which spells “I want to use a different authenticator app”; there you can use whatever you prefer, even WinAuth works with this method.

      • KiwiTB
        ↑ 5 · 2 days ago

        So does mine, and Oracle… But that just means no slop installed

          • quick_snail@feddit.nl
            ↑ 1 · 1 day ago

            Is that money enough to buy a phone? If not, they’re not paying you enough for that.

            If so, then you should actually spend that money on what it’s meant for

        • Railcar8095
          ↑ 5 · 2 days ago

          Not sure about this one, but many don’t expose the key used to generate the codes, it’s linked to your user.

          So it’s not trivial/possible to use a FOSS alternative.

          This happens with okta too.

        • Auli@lemmy.ca
          ↑ 2 · 1 day ago

          No MS authenticator also requires internet and gives says is this you. Also requires a number.

      • excursion22@piefed.ca
        ↑ 2 · 1 day ago

        You can use a different authenticator with M$ accounts. Just choose to set up with a different app. Aegis is nice.

      • Honytawk@feddit.nl
        ↑ 1 · ↓ 1 · 1 day ago

        Great, so you have nothing to worry about, unless your Graphene phone is rooted. (Which would defeat the entire point)

        The article is shit. Microsoft is not blocking any GrapheneOS. It is only blocking rooted phones.

        • Stez@sh.itjust.works
          ↑ 3 · 24 hours ago

          “root detection” is not actually detecting root, as that is very difficult; it’s detecting an unlocked bootloader or modified software that didn’t come on your phone (like a custom ROM such as GrapheneOS)

      • IggyTheSmidge@lemmy.blahaj.zone
        ↑ 0 · 2 days ago

        Do they mandate the use of MS Authenticator specifically, though?

        The option to add that restriction is definitely there, but it’s worth checking your account settings to see if it’ll let you use a different MFA option.