
TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,113
When you say you “really don’t want another phone for work”, do you mean:

You don’t want another phone for work (even if the company provides it at no cost to you)?

If you only want to use a single phone for everything (personal and work) then you are probably stuck. If you want to use your own personal device for work, then this is likely what you need to deal with.

If that’s not what you mean, I would just get in contact with the relevant department at your company. If a phone is required for work, respectively inquire about having the company provide a phone.

If that’s not possible for whatever reason, I would look into buying a cheap, but decent-quality second-hand smartphone and make that your 100% work phone. And then (if you don’t want to pay for a second cellular line) use that phone on Wi-Fi or tether it to your main phone’s hotspot.
Or buy a cheaper iPad to get access to the corporate network, tether from your phone or use Wi-Fi.
 

OldITPro2000

Contributor
May 17, 2024
5
16
Installing that profile allows your company to fully manage your device. That said, I’ve seen profiles that exert more control over what you can and can’t do; this profile looks more lightweight.

Regardless, I would never allow any of my personal devices to be enrolled on a corporate MDM. If this is a requirement, as others have suggested, get a separate iPhone with a separate Apple ID or have the company provide a phone they pay for.

In your particular case it was likely possible that your company could have gone the Mobile Application Management (MAM) route with Intune. Sometimes this is referred to as MAM-WE, where the WE means “without enrollment in MDM.” With that type of setup the company controls corporate data in applications like Outlook and Teams but nothing else. Remote wiping is limited to the corporate data, not the entire phone.

Source: I’m the Intune admin for my company and set this up for our end users last year, including myself. I can’t see anyone’s personal data, their device phone numbers, etc. I can’t locate their devices, I can’t wipe anything but our company data, I don’t know anyone’s Apple ID. And…I don’t want to. It’s creepy to allow company control over personal devices. Intune’s MAM is a good solution for BYOD.

Note: in Intune it’s possible to use MDM *with* MAM for more control over application permissions, but that’s not what we do.
 

Nermal

Moderator
Staff member
Dec 7, 2002
21,006
4,587
New Zealand
I'd avoid putting MDM on a personal phone.

A while ago we needed to do some testing on an iPad. We needed a "normal" iPad, the same sort of thing that our customers would use, so our team leader popped into town and bought one. All was well for a few years, until the "MDM guy" learned of its existence. Suddenly we were told that it must go into MDM. I protested, saying it's a test iPad and it's supposed to be as stock-standard as possible. Of course, being work-owned I had no right to block it, and it went into MDM with the promise that it would only be used for tracking/wiping if the iPad went missing.

They reneged on that promise within a week.
 

mattoruu

macrumors 6502
Oct 25, 2014
329
723
I'd avoid putting MDM on a personal phone.

A while ago we needed to do some testing on an iPad. We needed a "normal" iPad, the same sort of thing that our customers would use, so our team leader popped into town and bought one. All was well for a few years, until the "MDM guy" learned of its existence. Suddenly we were told that it must go into MDM. I protested, saying it's a test iPad and it's supposed to be as stock-standard as possible. Of course, being work-owned I had no right to block it, and it went into MDM with the promise that it would only be used for tracking/wiping if the iPad went missing.

They reneged on that promise within a week.
Oh, wait. Please continue the story. What else did they do with it (besides the ability to track/wipe)?
 

mattoruu

macrumors 6502
Oct 25, 2014
329
723
Regardless of all of our comments and opinions about MDM:

I think it might be best to just walk down the hallway (or wherever) and ask all these questions to the relevant person in charge. That’s their job and they would likely be happy to answer your questions. Genuinely. Just have a polite conversation and clear up all your concerns about MDM on your personal phone.
 

Reverend Benny

macrumors 65816
Apr 28, 2017
1,186
932
Europe
Regardless of all of our comments and opinions about MDM:

I think it might be best to just walk down the hallway (or wherever) and ask all these questions to the relevant person in charge. That’s their job and they would likely be happy to answer your questions. Genuinely. Just have a polite conversation and clear up all your concerns about MDM on your personal phone.
I agree with this suggestion, and from an IT-guy within a company perspective. Most companies don't want users to use their private devices within the company or to use company devices privately.
Sure, sometimes some random bean-counter within the company comes up with the idea of BYOD to save money and manages to get his idea implemented without understanding the risk, but I would say it's mostly staff that want this so they don't have to carry more than one phone around.
 

SamboSoul

macrumors member
Nov 4, 2020
88
108
Installing that profile allows your company to fully manage your device. That said, I’ve seen profiles that exert more control over what you can and can’t do; this profile looks more lightweight.

Regardless, I would never allow any of my personal devices to be enrolled on a corporate MDM. If this is a requirement, as others have suggested, get a separate iPhone with a separate Apple ID or have the company provide a phone they pay for.

In your particular case it was likely possible that your company could have gone the Mobile Application Management (MAM) route with Intune. Sometimes this is referred to as MAM-WE, where the WE means “without enrollment in MDM.” With that type of setup the company controls corporate data in applications like Outlook and Teams but nothing else. Remote wiping is limited to the corporate data, not the entire phone.

Source: I’m the Intune admin for my company and set this up for our end users last year, including myself. I can’t see anyone’s personal data, their device phone numbers, etc. I can’t locate their devices, I can’t wipe anything but our company data, I don’t know anyone’s Apple ID. And…I don’t want to. It’s creepy to allow company control over personal devices. Intune’s MAM is a good solution for BYOD.

Note: in Intune it’s possible to use MDM *with* MAM for more control over application permissions, but that’s not what we do.
I am in the exact same situation as OP, but on top of that, my company offers the MAM-WE where I don’t have to install Intune but can only access my e-Mails through the Outlook application (not Apple Mail) and MS Teams. I believe it’s fair to say that this MAM-WE solution is much less intrusive than a full-blown Intune onboarding?
 

Reverend Benny

macrumors 65816
Apr 28, 2017
1,186
932
Europe
I am in the exact same situation as OP, but on top of that, my company offers the MAM-WE where I don’t have to install Intune but can only access my e-Mails through the Outlook application (not Apple Mail) and MS Teams. I believe it’s fair to say that this MAM-WE solution is much less intrusive than a full-blown Intune onboarding?
You're correct, there are a few downsides to this solution but it keeps things simple for both the user and the IT-admin staff.
One downside could be that if the company has a tight policy that security updates should be applied ASAP and the end users are clueless and don't do this, they might be locked out until it's updated.
Managed devices can be automatically updated and get e-mails that they need to update before getting locked out.

But the above is no biggie really for iPhone devices. Update and you're free to logon again.
It's trickier when you have a number of Android users with a mixed bag of devices, trying to find a sweet spot of what security package to set as the lowest requirement.
 

laptech

macrumors 601
Apr 26, 2013
4,130
4,455
Earth
Listen to what all the others are saying: if your company requires you to use an MDM (management software) then do not, and I repeat DO NOT, install it on your personal mobile phone, because the MDM terms and conditions are a 'catch all', meaning it will have access to EVERYTHING you do on your personal phone. Your company will be able to see everything you do on your phone; it will have access to your personal emails, your photos, your videos, your text messaging, your browsing history.

For example, if you have a partner and you want to exchange sexy pictures/videos or text messages with one another, your company will have access to all of that. If you're single and use a dating app, your company will also have access to that. If your company pi$$es you off and you use the browser to search sites on employment law, your company will have access to that. If you're planning on looking for another job, your company will have access to that (your browsing history).

When you installed the MDM on your phone, that was you accepting the terms and conditions of the app. The MDM software will already be sending your company information from your phone now. Remove it immediately and request that the company give you a company phone, because from what you have posted about your company's MDM, it is an invasion of your privacy, and by the mere fact of installing the MDM software on your phone you just gave your company permission to invade your privacy.

When you confront your company over this explaining your concerns, they will more than likely say 'we would not do something like that', do not believe them. Get them to give you a company phone.
 

ninecows

macrumors 6502a
Apr 9, 2012
760
1,249
Very normal in corporate environments or any company w/ knowledgeable IT and Security groups.

The answer is YES to all the above depending on your company's BYOD (Bring Your Own Device) policies. You agree to these policies by installing the MDM profiles on your device. If you have concerns, perhaps you should review your company policies instead of asking random forum users.

Depends. What computing activities do you perform on your device? Activities you do not wish anyone to know about?
Ehm… so the statement about not being able to see browsing history in the screenshot the OP posted is just a lie?
 

bransoj

macrumors 68000
Jul 31, 2013
1,563
739
The college I work at, in the IT dept, does similar for personal devices to access college resources such as email, Teams, OneDrive for phones, tablets, personal laptops. All ours is used for is to make sure the device in question is up to date with updates and security updates and that it has a password\passcode to get into the device. I believe we do have the ability to wipe a device if it was lost\stolen but this is only done with the permission of the head of IT and the principal of the college.
 

laptech

macrumors 601
Apr 26, 2013
4,130
4,455
Earth
Put a background 'watcher' or 'sniffer', as some are called, on your personal phone and then see just exactly how much information is being sent back to your company. Then you will see if the T&Cs of the MDM are lying or not.
 

philstubbington

macrumors 6502a
I semi agree here. I need to be contactable outside work hours because my work schedule is non-standard and also because there are a few times where they need me. But if they were ever going to use MDM, then they'd be getting me a phone. As it is right now, I put my work accounts on my phone myself and it's still separate from my personal stuff. They can't see at all what's on my phone.

But I deal with the golf world and there are multi-millions involved with golf courses. Sometimes a customer needs scorecards or yardage books overnighted, but corrections need to be made. So, I have to be contactable outside work hours.

That said, it doesn't happen very often as work tries to build things in so emergencies aren't real full-blown emergencies.
Same here - I’ve had responsibilities across 70 countries so in theory an issue could be escalated to me 24/7/365. In reality it only happened once!
 

Reverend Benny

macrumors 65816
Apr 28, 2017
1,186
932
Europe
I would be interested in that too. Is this just a default statement and what the company can actually see might be completely different?
There are many ifs and buts to this; it all depends on how it's set up and if the company requires more things on the device to be able to access company services.

I would say that most companies don't want to gather more data than what's needed, and for companies, at least in the EU, you don't want to have people's private data within your company.
The same goes for people that use their company phones for private use, but people choose to ignore looking into why it's a bad idea.

If the OP's company had required the users to install MS Defender, then I would have said that sure, they will most likely be analyzing traffic. But even if that were the case, to dig into what people browse requires resources and there's generally no reason for doing so.

But....even if traffic isn't analyzed or the company is gathering info, there's still reason to think twice before installing private apps on a company phone or using a private phone the way the OP does.

Apps that are installed give a good idea of who you are: are you using Tinder or Grindr? Well then we know your sexual preference.
You installed an app to know when you are ovulating? Then you know that someone soon might have kids, etc.
 

bollman

macrumors 6502a
Sep 25, 2001
745
1,625
Lund, Sweden
Wow, it is quite obvious that no one here actually works with MDM. And what is even more interesting is that no one here trusts Apple!
MDM is developed by Apple, with privacy in mind. There is NO PERSONAL DATA that can be accessed via MDM. No way, won't happen, not a chance! By design!
What the organisation can see is exactly what is stated in the screenshots. And that data is not something Microsoft (or any other MDM solution) can change. That is exactly what Apple allows the owner of the MDM server to see, nothing more and there is NO WAY to access any other data.
And, to make it even better: your organisation has a proper BYOD configuration: on the screenshot of what they can see, the items marked "if configured by your organisation" are only applicable to devices installed via ADE, which is only devices bought by the organisation and installed via ADE.

Remember: this is NOT something your company can alter. You get what Apple decides is non-invasive.
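OldITPro2000's post earlier in the thread contrasts MAM-WE with full MDM enrollment, and the post above says the organisation gets exactly what the enrollment profile states. One thing a user can check before tapping Install is the profile itself: the com.apple.mdm payload inside a .mobileconfig carries an AccessRights bitmask that spells out which management rights the MDM server is asking the device to grant (device erase, passcode removal, queries for phone/SIM numbers, app inventory, and so on). The Python below is an added example written for this page, not code from the thread, from Apple or from Microsoft; it builds a constructed sample profile (the server URL, topic and payload identifiers are placeholders) and decodes the mask using the bit values documented in Apple's MDM protocol reference.

```python
"""Decode what an Apple MDM enrollment profile (.mobileconfig) asks for.

Added example for this thread. The AccessRights bit values are the ones
documented in Apple's MDM protocol reference for the com.apple.mdm
payload; the sample profile is constructed here and is not the one
posted in the thread.
"""
import plistlib

# Bit values from Apple's MDM protocol reference (com.apple.mdm payload,
# AccessRights key). A mask of 8191 grants every right listed here.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information (capacity, serial number)",
    32: "query network information (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample profile (placeholder identifiers, URL and topic).
# It requests a subset of rights rather than the full 8191.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.mdm.profile",            # placeholder
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "example.mdm.payload",           # placeholder
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
            "PayloadVersion": 1,
            "ServerURL": "https://mdm.example.invalid/checkin",  # placeholder
            "Topic": "com.apple.mgmt.External.example",          # placeholder
            "AccessRights": 1 | 2 | 4 | 8 | 16 | 256,
            "CheckOutWhenRemoved": True,
        }
    ],
})


def decode_access_rights(mask: int) -> list[str]:
    """Return the human-readable rights whose bits are set in the mask."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def mdm_payloads(profile_bytes: bytes) -> list[dict]:
    """Return the com.apple.mdm payloads in an unsigned XML .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.mdm"]


def summarize_profile(profile_bytes: bytes) -> dict:
    """Summarize what the first MDM payload would let the server do.

    Reports the server URL, the raw mask, the rights requested, the rights
    not requested, and two flags users tend to care about most.
    """
    payloads = mdm_payloads(profile_bytes)
    if not payloads:
        return {"mdm": False}
    mdm = payloads[0]
    mask = int(mdm.get("AccessRights", 0))
    granted = decode_access_rights(mask)
    withheld = [n for n in ACCESS_RIGHTS.values() if n not in granted]
    return {
        "mdm": True,
        "server_url": mdm.get("ServerURL"),
        "access_rights": mask,
        "granted": granted,
        "withheld": withheld,
        "can_erase": bool(mask & 8),
        "can_query_phone_numbers": bool(mask & 32),
    }


if __name__ == "__main__":
    summary = summarize_profile(SAMPLE_PROFILE)
    print(f"MDM server: {summary['server_url']}")
    print(f"AccessRights = {summary['access_rights']}")
    for right in summary["granted"]:
        print("  requested:", right)
    for right in summary["withheld"]:
        print("  not requested:", right)
```

Profiles handed out by real MDM vendors are usually CMS-signed rather than bare XML; `openssl smime -verify -inform DER -noverify -in profile.mobileconfig` strips the signature and leaves the plist this script reads. The mask only describes the MDM channel itself; anything an app-layer agent installed alongside it does is a separate question, which is the distinction the MAM-WE discussion above is drawing.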
 

laptech

macrumors 601
Apr 26, 2013
4,130
4,455
Earth
The thing is, we have learnt from many, many past instances of court cases or media exposure of companies writing/doing/saying one thing and completely doing the opposite. How many times have social media companies said 'we don't do this with users' data' and then been found out to be lying?

Do people honestly believe, if their company says 'we won't/don't do this', that the employee believes them? I know I don't. 'No no, we don't do this, will never do this', find out the company lies, take the matter to HR, 'oh yes, didn't you know, the company can actually do this because of A, B and C'.

NEVER EVER trust your employer regardless of how good they may seem.
 

Reverend Benny

macrumors 65816
Apr 28, 2017
1,186
932
Europe
The thing is, we have learnt from many, many past instances of court cases or media exposure of companies writing/doing/saying one thing and completely doing the opposite. How many times have social media companies said 'we don't do this with users' data' and then been found out to be lying?

Do people honestly believe, if their company says 'we won't/don't do this', that the employee believes them? I know I don't. 'No no, we don't do this, will never do this', find out the company lies, take the matter to HR, 'oh yes, didn't you know, the company can actually do this because of A, B and C'.

NEVER EVER trust your employer regardless of how good they may seem.
The experience I have is that it isn't the case that the company has to convince the end-user that they aren't going to gather data. Most companies don't want to gather data and if they have to, they are keeping it to a minimum. Also most companies do inform end users on what to do and not to do.

Not saying there are no evil companies, IT people that like to snoop around and so on, but still, it's usually the end users that want to use private devices or install private stuff on company devices (if they can).
 

Reverend Benny

macrumors 65816
Apr 28, 2017
1,186
932
Europe
Wow, it is quite obvious that no one here actually works with MDM. And what is even more interesting is that no one here trusts Apple!
MDM is developed by Apple, with privacy in mind. There is NO PERSONAL DATA that can be accessed via MDM. No way, won't happen, not a chance! By design!
What the organisation can see is exactly what is stated in the screenshots. And that data is not something Microsoft (or any other MDM solution) can change. That is exactly what Apple allows the owner of the MDM server to see, nothing more and there is NO WAY to access any other data.
And, to make it even better: your organisation has a proper BYOD configuration: on the screenshot of what they can see, the items marked "if configured by your organisation" are only applicable to devices installed via ADE, which is only devices bought by the organisation and installed via ADE.

Remember: this is NOT something your company can alter. You get what Apple decides is non-invasive.
You are correct, I was convinced I could see private apps installed on non-supervised, personal devices, but that isn't the case. Seems to apply on both Apple and Samsung devices. Only installed company apps are visible.
You learn new things everyday.
 

Shirasaki

macrumors P6
May 16, 2015
16,263
11,764
Well for me, I have Intune installed for my “company” (not a real one) MDM as part of my Office 365 Business account. Since I am the admin, I don’t mind what they can get, but they can get quite invasive.

I strongly support other people’s suggestions on hard separating work from personal. I would definitely do the same if I were you. In return, the hassle of carrying 2 phones doesn’t mean much tbh.
 

Shirasaki

macrumors P6
May 16, 2015
16,263
11,764
You are correct, I was convinced I could see private apps installed on non-supervised, personal devices, but that isn't the case. Seems to apply on both Apple and Samsung devices. Only installed company apps are visible.
You learn new things everyday.
But the threat that your device could be remotely wiped just to protect company data leak is scary enough already. I would not give the company such high privilege to my device. Also mix use like this can impact iCloud backup as well, as when you restore, you need to be re-enrolled.
 

Rkuda

macrumors regular
May 23, 2016
249
467
It looks fairly benign in what it is collecting. But basically when you install an MDM profile you might as well consider the phone the company's phone.

They could require an updated MDM profile that accesses more information, they could wipe your device either accidentally or maliciously - or if they get compromised a hacker could wipe all their connected devices.

Basically I would not accept this kind of thing on a personal device and require the company to provide me with a phone they own and only use it for official company business.

Also suggest cutting out Reddit since it's full of degenerates.
 