Results of enabling it and using my phone as I normally would:
- Some websites don't display images. I've no idea what they encode to, but they won't display. Fine, don't care.
- Animated GIFs don't play in Messages when coming in via SMS (perhaps iMessage too, haven't tried). Annoying when people communicate in animated GIFs, but... people just expect my tech to be weirdly broken, so this doesn't actually impact things significantly.
And that's it. I couldn't tell you the performance delta in casual internet use, though I don't use my phone very heavily either.
Sorry, I'm not sure that I follow. Why would it be a bad idea if some IT departments enabled Lockdown Mode (LM) via MDM..?
The article says that in LM, you can't enrol the device in MDM -- I suppose that if you want LM functionalities, it makes some sense that you wouldn't want parts of your device to be remotely controllable by an enterprise (or your MDM profile overriding some of the Lockdown options..?)
But... I don't understand what you mean by it being a bad thing that IT admins would want Lockdown Mode for everyone. Thanks
There are a lot of cases where you have to be available on chat. Either sit at your desk and do nothing for 12 hours straight, or do anything you want and just have your phone on you. This could either be a slow day at work, or an actual off day like being on call on a Saturday. A lot of companies aren't going to buy you a separate work phone.
If there's a lazy security option that can be enabled, a lot of companies are just going to inappropriately turn it on because it doesn't bother them that your phone can't do anything fun. That doesn't cost them money. Even if you're a web designer for a small shoe store where obviously nuclear power plant level of security doesn't really make sense.
I remember Android phones like 10 years ago or so had some corporate policy option so any time the screen is locked, you need to enter a 20 character password that has uppers, lowers, capitals, symbols, and numbers.
Any patterns / words it decided were too easy to guess were rejected for a password. This wasn't a "Lock after an hour of inactivity." It was "Lock immediately, and set screen timeout to 30 seconds."
I feel very sad to hear people install their employer’s MDM on their personal phones.
It’s kind of like your employer wanting a key to your car when it’s in the company lot, or to check your coat pockets when you leave work, or requiring a vial of your blood.
Some would say that I am privileged to say “nope!” to all of the above, but tacitly requiring employees to bring their own devices and then controlling them with MDM is such an inappropriate use of power that we should be protected from it, by right.
Apple and Microsoft have done it where the MDM need not actually be the device so much as the data container for all things Office. Instead of Mobile Device Mgmt, it’s more Mobile Data Mgmt.
This allows the company to wipe data that actually belongs to them, but a policy doesn’t have to let them see your activity, mails, photos, or even what other apps you have.
If your employer is running policies for accessing your private stuff, send the right people some docs on how to protect company data w/o invading your privacy.
Just to add to this: Many IT Security departments reflexively enable the "most secure sounding" option, even if it makes no sense, stops people working, or conflicts with other requirements. Generally there can be no meaningful debate about these settings, because nobody wants to personally wear the risk of disabling a security setting that is already enabled.
In my career I've always tried to enforce only the seamless security that users don't even notice, the ones that "work in the background". Most SecOps people have the opposite notion of this, thinking that systems aren't really secure unless they're in-your-face to the point of being obnoxious and interfering with regular business activities.
It's not secure if it's not theatre.
A random example is the "usage terms" that large orgs make everyone click through when they log in. These do nothing. Some text has never in the history of the world stopped a hacker hacking into a system. Illegal access is illegal whether you tell users about it or not. Crimes are crimes even if you don't have the legal code printed out and visible wherever that crime may be committed. The only users who will actually see the text are staff with contracts, staff that have their details registered with HR, staff that can be conveniently arrested by the police if they break the law. You know who doesn't see that disclaimer? Hackers.
Why does this matter anyway, you ask? Why not just "click accept" and move on with your life? Well... because when you log onto a shit-slow corporate terminal services desktop, that's a process that takes 2-5 minutes on a good day. Roughly halfway through, the process will stop and wait for 30 seconds for that acceptance click. No click, and the whole thing is aborted. It's a test to see if you have the patience to sit there, wasting minutes of your precious life on Earth watching a screen change colours while the system loads, click, and only then have a brief moment of freedom to do other things while the loading continues.
I put up with this every day, because some dingbat in legal thought that crimes will occur if they don't force 15,000 employees to click 'Accept' on text none of them have ever read. Every day.
It's a thousand cuts like that that add up to corporate misery, to the point where big vendors are being irresponsible to the public by adding anti-human features like this.
I refuse to sign in to my work Gmail on my Android exactly for this reason. It basically wants to lock down my phone. It doesn’t do that for my iPhone though, but I’m not logged in there either, FWIW.
I refuse to use my personal devices for work, as a matter of principle. Need me to be on call? Flip phones are pretty darn cheap.
My work allows us to sign into Teams, Outlook, and Slack without installing MDM profiles which is very nice. I keep notifications off of course, but can access them if needed.
That's literally just a really shitty IT department poorly managing their MDM. And on Android at least the "work profile" is generally completely separate from your usual stuff and (if enrolled properly) the company cannot control major aspects of your phone (just the work profile). The company can remote wipe the work related sections, for example, but not your entire device.
There are settings though for passcode enforcement and whatnot.
> The article says that in LM, you can't enrol the device in MDM
My understanding is that you can't change the MDM settings/enrollment while in Lockdown, but you can enroll in it, and then enable Lockdown, and be fine.
Yes, because they require it for internal apps. But as "user enrollment" so they are very limited in what they can do. See the table at the bottom of this page[1].
For context this is relatively new and is different from the older way of doing things (device enrollment).
Does your employer provide a cell phone subsidy? That is how most places do it, they give you some amount of money every month and you sign something that they can enforce policy and seize your device as required.
This is the best news. Otherwise, you can bet your IT department would be throwing that switch on for everyone.