
Bearxor

macrumors 6502a
Jun 7, 2007
785
516
But seriously though OP - you should encourage your employer to implement Mobile Application Management via Intune instead of MDM if you’re actually that worried.

MAM only controls and manages the corporate data of an eligible app.

For example - Outlook. You have a personal account and a work account. Only the work account data inside Outlook is secured and wipeable remotely. This can be used in conjunction with EntraID Conditional Access so that only devices that are protected in this manner can access corporate data.

The wrinkle here is that a lot of iPhone users want to use the built-in Apple Mail and Calendar instead of having to use Outlook for those tasks and, in that case, MDM is required. It’s not really that invasive and if your company is doing things correctly the normal admins only have the rights to “retire” your device, not “wipe” it.

Retire just removes company data from the device, like apps installed from Intune, the corporate email profile, etc…
 

cyanite

macrumors 6502
Sep 28, 2015
358
472
Personally, I would be "Heil Nah" on all of that; but--apart from that--my main concern would be not that they have access to the personals, but that they are ultimately able to decide (and act-on) what you may do with said device.

If they are so concerned with such things, it seems that they should provide a device to you.

Maybe ask them if they would do such a thing?

This is completely normal mdm practice which isolates the company from the private part.

I would remove that app and the associated MDM profile. It is a bad idea to give the company access on your private phone. If you want access to company information, get a company phone.

Or use a private phone with mdm for the added convenience this gives. Why would it be a bad idea? The access is limited.

Don’t install InTune. I have a work iPad Pro and had to do a full reset to install it, at which point I can’t then restore the old device backup and get back all my app data. 3 years worth of stuff: gone. This is a work device and I was obliged to update it because, well it’s not mine!

That’s anecdotal and not normal. I had several MDM phones and have moved backups or transferred directly between them.

You have basically given them your phone

Nonsense FUD.

That’s massively invasive. You should get a phone just for work.

Nonsense FUD. This is at a fairly normal level.

I manage Intune for 20,000 iPhones. I can export all SMS, email, password key chains, browsing history, see your WeedMaps account, and have your location data, your pictures, screenshots, Bumble profile and texts. Pretty much everything. Take that Intune off your phone. Use a browser. Or live a good life without weed and internet chicks.

This is incorrect and FUD. It may be correct for your situation, but not for OP as seen on the screenshots.

Listen to what all the others are saying, if your company requires you to use a MDM (management software) then do not, and I repeat DO NOT install it on your personal mobile phone because the MDM terms and conditions is a 'catch all', meaning it will have access to EVERYTHING you do on your personal phone

This is incorrect and FUD.

Wow, it is quite obvious that no one here actually works with MDM. And what is even more interesting is that no one here trusts Apple!

It’s pretty typical of forums like this and similar places on Reddit. But the annoying part is all the emotional responses.

2. Is it possible my company got all the information off my phone in a day? I’m not sure if it starts tracking from the minute it’s installed or backdates everything so it has the entire phone history?

No. Read your own screenshots. Also, I am wondering why you are working there at all since you seem to distrust them so much.

But seriously though OP - you should encourage your employer to implement Mobile Application Management via Intune instead of MDM if you’re actually that worried.

They already have a limited access profile, as can be seen.
 

laptech

macrumors 601
Apr 26, 2013
4,130
4,455
Earth

Lot of fear-mongering in this thread.
I cannot remember the specifics but I remember MR doing an article where security researchers had found that a number of apps had been found to have a particular process modified that allowed it to run hidden in the background collecting users' data and sending it back to whoever made the app.

Apple has been caught illegally collecting users' data (this is just one example)


Google has also suffered the same.

Companies tell people one thing but do the opposite. People have very good reasons to be fearful of companies wanting to put MDMs on employees' phones. There is just far too much anecdotal evidence out there that shows companies do spy on their employees.
 

bollman

macrumors 6502a
Sep 25, 2001
745
1,625
Lund, Sweden
That has nothing to do with MDM.
MDM is what it is: a method to ensure compliance. It was not designed to, and cannot be modified to collect user data.
If it could be done via some shady software? Sure, but don’t install shady software then. Has nothing to do with MDM.
 
  • Like
  • Angry
Reactions: Shirasaki and chrfr

Ctrlos

macrumors 65816
Sep 19, 2022
1,377
2,901
[Attached images: content.png, content (1).png]

Just to douse the fire and misinformation a little bit, this is the exact wording from my InTune Company Portal. Yes, I was annoyed at having to wipe my work-provided iPad Pro to get it registered but if that's what it takes to keep hold, so be it.

I use it primarily for work but I also install other apps on there for blog posts and when I'm on the road I play games on it. I'm not stupid enough to browse anything dodgy on the internet on it nor would I ever install any emulator apps. But it's also not against company policy to edit my iCloud photos or play some Death Stranding on there.

I wouldn't want these terms on my personal phone though; if you need work email access out of hours they should offer it via an Outlook web portal without issue.
 
  • Like
Reactions: chrfr

bollman

macrumors 6502a
Sep 25, 2001
745
1,625
Lund, Sweden
Did you read what it says? Browsing history is not collected. And that is not due to some policy or goodwill. It is a technical limitation.
And, why did you have to wipe your iPad? User enrolled MDM is designed to be installed and uninstalled without disturbing your personal data.
 
  • Angry
Reactions: Shirasaki

Ctrlos

macrumors 65816
Sep 19, 2022
1,377
2,901
Did you read what it says? Browsing history is not collected. And that is not due to some policy or goodwill. It is a technical limitation.
And, why did you have to wipe your iPad? User enrolled MDM is designed to be installed and uninstalled without disturbing your personal data.
The old MDM wouldn't overwrite. The device profile just would not install. The instructions from IT were to set it up cold, register with authenticator and then InTune. And then log in with iCloud. I tried doing another reset and restoring from a backup but the backup contains the old profiles and won't accept the new ones. I'd like to think I know more about Apple devices than IT but in this case I could not circumvent their instructions.

It sucked to lose some data but then again what dev isn't using iCloud to store it all in this day and age?

I know browsing history isn't collected but I'm not going to take the chance! It's the same reason I keep social media well away as well.
 
  • Like
Reactions: Shirasaki

4sallypat

macrumors 601
Sep 16, 2016
4,034
3,782
So Calif
Where I work (government), we use an MDM to manage all our Apple devices that were purchased from Apple using their DEP.

I carry both: work MDM managed and my personal phone with me 5 days a week.

As IT, we are on call 24/7 and we had to take the work iPhone BUT we also had a choice to use dual eSIM or forwarding one to another to cut down the daily phone carry to 1.

I like to carry both iPhones with me as network speeds & service varies depending on location.

Also, helps me remember which is for work and which is for personal.
 
  • Like
Reactions: Shirasaki

I7guy

macrumors Nehalem
Nov 30, 2013
35,145
25,240
Gotta be in it to win it
[…]

Apple has been caught illegally collecting users' data (this is just one example)

[…]
Actually it’s just France and according to the article Apple is appealing. So it means they believe they didn’t do anything wrong. And that means they haven’t been caught, they’ve been accused.
 

ninecows

macrumors 6502a
Apr 9, 2012
760
1,249
Maybe just enroll your device and start surfing on “not-safe-for-work-places” in your free time. Wait a few weeks and report back here if you got fired or not. Scientific method: Poke it with a stick and see what happens 😅

Sorry… couldn’t resist, but looking at the replies here people have opinions, but no one will cover your a** if they are wrong. We can’t tell who’s right or wrong.
 

Ta_whirimatea

macrumors member
Aug 18, 2023
57
123
No way in hell would I be allowing that on my personal phone.

If work want me to be contactable, they can provide me with a phone which would be switched off outside work hours (unless I did a job where I was paid to be on-call).

Better to keep work and personal life completely separate too.
Absolutely 100%. Too many folk keep phone on contactable during a/l etc or out of hours. Work to live not live to work!!
 

Ta_whirimatea

macrumors member
Aug 18, 2023
57
123
Maybe just enroll your device and start surfing on “not-safe-for-work-places” in your free time. Wait a few weeks and report back here if you got fired or not. Scientific method: Poke it with a stick and see what happens 😅

Sorry… couldn’t resist, but looking at the replies here people have opinions, but no one will cover your a** if they are wrong. We can’t tell who’s right or wrong.
Yeah, go nuts & find the wildest **** you can find to surf & see what happens 👍🏻 !
 

bollman

macrumors 6502a
Sep 25, 2001
745
1,625
Lund, Sweden
The old MDM wouldn't overwrite. The device profile just would not install. The instructions from IT were to set it up cold, register with authenticator and then InTune. And then log in with iCloud. I tried doing another reset and restoring from a backup but the backup contains the old profiles and won't accept the new ones. I'd like to think I know more about Apple devices than IT but in this case I could not circumvent their instructions.

It sucked to lose some data but then again what dev isn't using iCloud to store it all in this day and age?

I know browsing history isn't collected but I'm not going to take the chance! It's the same reason I keep social media well away as well.
Well, obviously something wrong with your device then.
When it comes to browsing history, this is something Apple never, ever would enable. Heck, they even made it impossible to do on macOS (at least I haven't found a reliable way).
 

chrfr

macrumors G5
Jul 11, 2009
13,707
7,277
I manage Intune for 20,000 iPhones. I can export all SMS, email, password key chains, browsing history, see your WeedMaps account, and have your location data, your pictures, screenshots, Bumble profile and texts. Pretty much everything. Take that Intune off your phone. Use a browser. Or live a good life without weed and internet chicks.
This is only true for devices owned by your company and which have gone through Automated Device Enrollment. User-enrolled (BYOD) devices have significant barriers around what MDM can do. I suggest reading this Apple document about it: User Enrollment and MDM - Apple Support
With that said, as someone who works with MDM, I wouldn't enroll a personal device even knowing that the MDM cannot access my personal data. This is really because I want the freedom of using a device that's not attached to work in any way when I'm not at work more than anything else.
 
  • Like
Reactions: Shirasaki

bollman

macrumors 6502a
Sep 25, 2001
745
1,625
Lund, Sweden
I’d suggest reading this article:

That article is wildly wrong in some parts and grossly misleading in others.
Read the Apple article, that is what is true, not this random crap on the internet that obviously is spreading FUD and disinformation.
 
  • Like
  • Angry
Reactions: chrfr and Shirasaki

klky

macrumors 6502
Oct 30, 2015
487
890
In no universe would I allow my personal phone be used for work, especially if it meant installing various software, giving access etc. It's just a bad idea.
 
  • Like
Reactions: Shirasaki

bollman

macrumors 6502a
Sep 25, 2001
745
1,625
Lund, Sweden
MDM does not "give access" to anything more than to the separate partition only used for what is associated with your org.
Doesn't anyone think Apple thought this through? Sure, this did not get any "stage time" at a Keynote, but believe me, this has been a big thing in the corporate world for years.
 
  • Angry
Reactions: Shirasaki

krspkbl

macrumors 68020
Jul 20, 2012
2,449
5,883
I don't know what they can see but if you're concerned and if you NEED a phone for work then tell them to provide you with one. Not just the phone but network access too. They provide the phone and cover the costs of calls/messages/data. Let them install what they like on it and you only use it for work.

I got promoted earlier this year and was offered a work phone but it'd be too much hassle. Luckily though my work doesn't force any software or restrictions on my personal phone. The worst thing that has happened is that I signed up for WhatsApp because some people only use that. If my work ever asked to install software then I'd tell them to give me a phone.
 
  • Like
Reactions: Shirasaki

tekkierich

macrumors member
Apr 9, 2008
44
17
I manage Intune for 20,000 iPhones. I can export all SMS, email, password key chains, browsing history, see your WeedMaps account, and have your location data, your pictures, screenshots, Bumble profile and texts. Pretty much everything. Take that Intune off your phone. Use a browser. Or live a good life without weed and internet chicks.
Please do not spread FUD. There are things you can and cannot do with MDM. One of the things you cannot do is export SMS, among many of the other things you have listed.

To access the data you are suggesting would require the device in your possession and a local USB based connection.
 
  • Like
Reactions: chrfr

ghsDUDE

macrumors 68030
Original poster
May 25, 2010
2,948
763
The factory reset may have been overkill. Your company no longer has access to the device. The answer to your second question would depend on whether your company retains logs, and what their policies are for data deletion. Unless you're a suspicious employee (and in such case, why would they keep you if it's bad enough) I doubt your company was jumping at the sight of your device enrollment. It looks like you removed the screenshots from your original post. It's possible your company scraped all of the data present in those disclaimers, but it's unlikely. If anything, they received device identifiers, and saw your traffic from the day in question.

What you accepted according to your screenshots is now in the company MDM.
Incredible that people don’t trust Apple on this one. MDM is built from the ground up for just these BYOD situations. Actually, when you apply a BYOD MDM profile the phone is ”split in two” to make sure the ”company” has no access to the private parts.

It👏does👏not👏work👏that👏way👏! Stop spreading misinformation.

The ONLY way to gain "full access" (and even that is quite limited with regards to MDM) to an iPhone/iPad is via "Supervised mode".
And your employer CANNOT get your phone into supervised mode unless you hand them your phone and they enroll it in ADE and do a complete wipe/reinstall.

Just by enrolling in an MDM does NOT enable your employer to vacuum your phone for info. There is NO WAY to get any "data" (user data, that is) from an enrolled iPhone, not even in "supervised mode".
There is a clearly defined set of information that the phone can report back to the MDM. This is clearly published here:
The way MDM works is that the MDM queries one of the keys and gets a result back, if allowed (check the keys at GitHub; if it states: "supervised: true" then that info can only be retrieved from a phone in supervised mode). You cannot run scripts, you cannot run programs and get the output.

I would recommend asking the person in charge of this at your company. It’s perfectly-fine to have questions and to ask the relevant person at your company who has the answers.

The people you are asking now… we are just some random people on the internet. We could be giving you some good information. But we also could be giving you some bad misinformation.

The reason I deleted it is because my phone could be wiped remotely. I didn’t want to risk having my phone accidentally wiped.

Granted, I don’t believe they had access to my personal data…but the risk of an accidental wipe wasn’t sitting right with me.
 
  • Love
Reactions: Shirasaki