Needs an option for “my employer turned on shitty Microsoft ten-billion-factor auth settings”.
To log in to my work Microsoft account requires a passcode and then three face scans.
I had an employer want that too, but we protested. Basically making the case that they'd need to provide us with phones so that we don't have to install invasive apps on our personal devices. We ended up getting tiny hardware tokens that go on a key ring and couldn't access GPS, cameras, microphones, sensor data, network, etc. even if they wanted to.
This has always boggled my mind - If you don't trust me to pick a decent password and maintain my own machine, why in God's name would you trust me to write code or deploy/maintain company infrastructure?
1. Even if they trust you, they might not be willing to extend that trust to non-technical staff (or even non-infra staff) and having a global policy is the easiest. 2. Even if they trust you, your employer's customers definitely don't, and a lot of big contracts will have security exhibits that explicitly require MFA if you're handling their data.
They _don't_ trust you to do that stuff. Not unilaterally at least. In a healthy system you generally aren't able to change anything without sign off from multiple other people.
If I have a group of N people who I individually don't trust not to use mike1234 as a password, I wouldn't trust them as a collective either - at least until N gets impractically large.
Also the argument they make is, they don't trust every single component of your machine, and want to mitigate the damage caused by an attacker or malware breaking in and impersonating you.
Nah, it's not lack of trust, it's just compliance and plausible deniability.
But that's on your work phone, right? At least I hope you didn't agree to have it installed on your private phone. For a work phone I guess a good strategy is to avoid installing anything non-work related, so the temptation to use it for anything else is low.
Not GP, but I'm okay installing that stuff on my personal phone because it's isolated via Android Work Profile.
How is that keeping Microsoft from accessing your GPS, sensor data, wifi, camera/microphone etc? Sure, they can't get at SMS or your other apps and your work won't have access to your entire device but it means MS can still access your location (using GPS and nearby bluetooth/wifi), record audio/video, read/control sensors (accelerometer, proximity, gravity, temperature, pressure, magnetic field etc), have full network access, etc and can record and collect that data whenever they feel like it for the most part.
That's true with a separate work phone too right? And once I turn off the AWP for the day, all of that stops.
A work phone I could leave in a lead-lined box until I needed to log into the company network. My personal device is often carried with me and in use at other times. If your IT people let you pause your work profile indefinitely, that could help protect you though.
There are different kinds of Intune enrollment. Generally if it's not a company phone, they can only see your IMEI, last 4 of your phone number, OS version, etc. They'll be able to isolate and control the work apps but nothing else, because it's in a separate profile.
No way I'm doing anything work related on any of my personal devices. I have a separate work phone. I turn it off at the end of the work day, and leave it at work.
I used to answer emails from bosses and managers while at home (at a previous employer), but it gets out of hand quickly and then they expect you to do it. Never again. Set boundaries immediately. At 15:00 I'm gone.
Leaving it at work goes one step further than my flow. I have AWP configured to automatically turn off at the end of the workday, so I become unavailable after that. There's always the possibility I can turn it back on after hours, but that extra step works well enough as a deterrent for me :)
First thing I thought of, too. Why do I need to unlock my phone? Because I need yet another MFA code for yet another mundane part of my job.
You can usually do OTP from your PC directly; just install an OTP application on your PC, like KeePassXC.
Security dept. would like to have a word.
security theater dept. has entered the chat