What access does my company have to my personal iPhone?

[ghsDUDE]

I have a my own personal iPhone and I really don’t want another phone for work. My company says I can access Outlook and Teams from my personal iPhone, but I have to install Microsoft Intune Company Portal. I recently installed it on my iPhone 15 Pro Max and noticed it installed a Mobile Device Management Profile on my phone.

Below are a few screenshots of everything it’s showing me and I’m a little concerned about what it DOES and DOESN’T have access to.

1. Is this normal? My old company didn’t make us install this and we were still able to access our Outlook and Teams accounts.

2. What access to my iPhone does my company have with this installed? Can they see my iMessages, text messages, calls, photos, locations, Apps I’m using (can they see what I’m looking at on Reddit) and what my browsing history is on Safari? Can they also lock my phone, kick me off and delete everything?

3. This is a big reputable company and I don’t want to sound paranoid, I’m just wondering what it can and can’t see. Should I be concerned?

 

[Bigwaff]

Is this normal?

Very normal in corporate environments or any company w/ knowledgable IT and Security groups.

What access to my iPhone does my company have with this installed? Can they see my iMessages, text messages, calls, photos, locations, Apps I’m using (can they see what I’m looking at on Reddit) and what my browsing history is on Safari? Can they also lock my phone, kick me off and delete everything?

The answer is YES to all the above depending on your company's BYOD (Bring Your Own Device) policies. You agree to these policies by installing the MDM profiles on your device. If you have concerns, perhaps you should review your company policies instead of asking random forum users.

This is a big reputable company and I don’t want to sound paranoid, I’m just wondering what it can and can’t see. Should I be concerned?

Depends. What computing activities do you perform on your device? Activities you do not wish anyone to know about?

 

[now i see it]

Personally I wouldn’t trust any iPhone that had a MDM installed on it from any company. The phone is now there’s- so to speak.
We’ve been shown over and over and over and over and over again that tech companies for the most part can not be trusted.
How much convincing does a person need?

 

[BugeyeSTI]

I'd say if you have any concerns you should get a phone specifically for work and another that's your private device..

 

[Andeddu]

Always take the extra device for work. I have one and would never think of installing such apps on my personal issue belongings.

 

[mblm85]

No way in hell would I be allowing that on my personal phone.

If work want me to be contactable, they can provide me with a phone which would be switched off outside work hours (unless I did a job where I was paid to be on-call).

Better to keep work and personal life completely separate too.

 

[Bigwaff]

Personally I wouldn’t trust any iPhone that had a MDM installed on it from any company.

Well, some of us don't have a choice if your company provides the device... but I certainly would not use it for personal use for any reason. I won't install any corporate MDM profile on my personal device. If the company requires me to be accessible via phone, email, text, chat, etc when away from my company computer, the company can provide me a device and cellular service at company expense.

 

[splifingate]

Should I be concerned?

Personally, I would be "Heil Nah" on all of that; but--apart from that--my main concern would be not that they have access to the personals, but that they are ultimately able to decide (and act-on) what you may do with said device.

If they are so concerned with such things, it seems that they should provide a device to you.

Maybe ask them if they would do such a thing?

 

[eyoungren]

I have never had a job where a work phone was provided to me as my occupation doesn't involve making or receiving phone calls. I do get contacted, but that's through email or messaging and sometimes text message.

While I have my work Google account on my personal phone(s) and my work messaging app, I added those by choice. There is no MDM here and I know the passwords. I keep work email/messaging separate from personal and there is zero need to use work accounts for personal things or personal accounts for work things. I could choose to remove both the email and the messaging from my phone if I wanted to.

I'm more concerned about my work issued laptop. I asked about the policy when I got the first one and was given a blank stare (because they don't have one) and simply told "Well, don't load it up with porn. But you can use it however you want". I know for a fact there are no apps that are recording or analyzing what I do. It really isn't necessary given what I do. I operate in a world of deadlines and if X person does not have what they need by X time then questions start getting asked. So what matters is producing what's being asked for by the deadline.

No, what concerns me is the work VPN. Since I work from home, I use the work VPN. And since THAT is controlled by work, I must assume there are logs and that certain people are capable of reviewing those logs and understanding what they contain. Consequently, I'm not doing anything on my work Mac(s) that I couldn't defend when I have them on the VPN. No personal content is stored on these Macs and I don't have personal accounts on them either.

And that is one very big reason why I have a KVM switch. If I need to do something personal, I just switch back to my own Macs, take care of it and switch back.

Now, if I ever have a job where I'm given a choice, then they are going to give me a work issued phone and only that phone will have what I need for work. Sure, that might mean carrying around two phones, but I'm a person that used to lug two 17" PowerBook G4s into Starbucks and use both. Carrying two phones has never been an issue for me.

Gotta keep it separate.

 

[philstubbington]

No way in hell would I be allowing that on my personal phone.

If work want me to be contactable, they can provide me with a phone which would be switched off outside work hours (unless I did a job where I was paid to be on-call).

Better to keep work and personal life completely separate too.

Completely agree. If you need me to have a mobile for my job, then provide me with one. Also I wouldn’t want my mobile number associated with any employer.

 

[eyoungren]

Completely agree. If you need me to have a mobile for my job, then provide me with one. Also I wouldn’t want my mobile number associated with any employer.

I semi agree here. I need to be contactable outside work hours because my work schedule is non-standard and also because there are a few times where they need me. But if they were ever going to use MDM, then they'd be getting me a phone. As it is right now, I put my work accounts on my phone myself and it's still separate from my personal stuff. They can't see at all what's on my phone.

But I deal with the golf world and there are multi-millions involved with golf courses. Sometimes a customer needs scorecards or yardage books overnighted, but corrections need to be made. So, I have to be contactable outside work hours.

That said, it doesn't happen very often as work tries to build things in so emergencies aren't real full-blown emergencies.

 

[Apple_Robert]

I would remove that app and the associated MDM profile. It is a bad idea to give the company access on your private phone. If you want access to company information, get a company phone.

 

[jz0309]

I don't have an issue using my personal phone for phone calls, to and from employer, and that doesn't require MDM.

If my employer wants me to answer emails, Teams messaging 24x7 via the phone - provide me one.

I did this back 5 or 6 years ago when I was working for a large consulting firm, never again

 

[Ctrlos]

Don’t install InTune. I have a work iPad Pro and had to do a full reset to install it, at which point I can’t then restore the old device backup and get back all my app data. 3 years worth of stuff: gone. This is a work device and I was obliged to update it because, well it’s not mine!

If they install it on your personal iPhone you may well be in the same situation. It’s a load of gumph that you need MDM to get your work email on there. Anything Outlook based can be accessed from the web without any trouble.

 

[nathansz]

You have basically given them your phone

If they insist you need a managed device to do your job then they must provide one for you

 

[I7guy]

Hmmm. From the MDM profile the information that can be gathered and what can be seen is benign - to me. I have had an MDM on my device for years and have never had an issue. In fact my personal mobile phone is listing in the company directory. (And the company pays a good stipend for that which is almost as much as my phone bill). I don't care that a list of applications can be gathered. I have had almost no issues over the course of time an MDM was installed - which is many many years at this point. If I want I can sever the connection to the company by turning off the VPN. Given the importance of reachability in today's corporate environment it's in the company's best interests to make sure it's device holders have a smooth co-existence with corporate policies imo.

Now company's will have various management policies. The lockdown on my phone is quite minimal. One safari setting turned on for cross-site scripting. But other company's may have a disastrous, disorganized MDM policy. As always YMMV. But I'm glad I don't have to carry two phones.

 

[splifingate]

load of gumph

Thank you for this phrase

 

[Reverend Benny]

I have a my own personal iPhone and I really don’t want another phone for work. My company says I can access Outlook and Teams from my personal iPhone, but I have to install Microsoft Intune Company Portal. I recently installed it on my iPhone 15 Pro Max and noticed it installed a Mobile Device Management Profile on my phone.

Below are a few screenshots of everything it’s showing me and I’m a little concerned about what it DOES and DOESN’T have access to.

View attachment 2402887 View attachment 2402888 View attachment 2402892 View attachment 2402893 View attachment 2402894 View attachment 2402895 View attachment 2402896 View attachment 2402897

1. Is this normal? My old company didn’t make us install this and we were still able to access our Outlook and Teams accounts.

2. What access to my iPhone does my company have with this installed? Can they see my iMessages, text messages, calls, photos, locations, Apps I’m using (can they see what I’m looking at on Reddit) and what my browsing history is on Safari? Can they also lock my phone, kick me off and delete everything?

3. This is a big reputable company and I don’t want to sound paranoid, I’m just wondering what it can and can’t see. Should I be concerned?

I manage mobile devices using Intune at work....and here's my 5 cent.

1. Yes and no, it all depends on how they have set it up. If they are strict and want to make sure devices are compliant they might use this way of making sure of it. A more "lightweight" option is prob what you experiences in the past. Even if you dont onboard/enroll a private device you can set certain requirements such as iOS version, that no jailbroken devices can logon etc.

2. They can reset your phone, absolutely, its part of why they want you to do this. They will be able to see apps (and draw conclusions from what apps you have installed). If they require you to install Defender they can see most of the network activity that goes on on the phone too.

3. I don't think you should be concerned, but I always say, keep your company and private life separate. For many reasons. If you feel that you don't want to share your private life with your company, offboard your phone and ask your IT-dept to delete the profile and get a company phone.

 

[Bruh Bear]

That’s massively invasive. You should get a phone just for work.

 

[SuperCachetes]

I just disconnected my personal phone from work email and Teams for the first time in many years because the InTune MDM was rolled out to us. The straw that broke the camel's back, so to speak, was having to install the iOS version of Edge to open any links sent via work email. No sir, not on my phone.

Disconnecting has caused a few hardships here and there, mainly because I used work Outlook for my "everything" calendar. I have had to divest my personal appointments and put them into my personal Hotmail (aka Outlook) so I can see them on my phone - but ironically, you can sync personal Outlook calendars to your desktop (work) Outlook just fine. It is working okay for me. Anyone who really needs me has my mobile number (it is my only contact number, period) - and work email and all the BS "hey got a minute for a quick call?" Teams messages can wait.

To that last point, I admit that disconnecting is a luxury many don't have - but in my case, the work/life balance impact has been overwhelmingly positive.

 

[mattoruu]

When you say you “really don’t want another phone for work”, do you mean:

You don’t want another phone for work (even if the company provides it at no cost to you)?

If you only want to use a single phone for everything (personal and work) then you are probably stuck. If you want to use your own personal device for work, then this is likely what you need to deal with.

If that’s not what you mean, I would just get in contact with the relevant department at your company. If a phone is required for work, respectively inquire about having the company provide a phone.

If that’s not possible for whatever reason, I would look into buying a cheap, but decent-quality second-hand smartphone and make that your 100% work phone. And then (if you don’t want to pay for a second cellular line) use that phone on Wi-Fi or tether it to your main phone’s hotspot.

 

[winxmac]

I would never install anything work related on my personal phone nor anything personal on my work phone...

If you own the company or work independently that would be different...

 

[SteveJawbs]

I manage Intune for 20,000 iPhones. I can export all SMS, email, password key chains, browsing history, see your WeedMaps account, and have your location data, your pictures, screenshots, Bumble profile and texts. Pretty much everything. Take that Intune off your phone. Use a browser. Or live a good life without weed and internet chicks.

 

[TechnoMonk]

Last time I had intune, I told my client to give a device or I am not putting in an MDM. They will control the device, data and can monitor. It’s corporate security 101, and most places that uses MDM need ability to wipe out phone or data. If you leave the company, they will wipe your phone clean. Request a company device if you can’t get work done with out mobile access.

 

[12aklabs]

My work has that type of deal. I refuse to install any company software on my personal phone. If they require me to be reachable by phone (24/7 contact) then they can buy me a ”company” phone.