Don't use work laptops for personal stuff

Depending on the password manager your company uses (I hope they’re using a password manager), you can put your 2FA into the password manager, so no need to take out your phone for company 2FA any more.

It’s not just Fortune 500’s. I’ve consulted/worked at several places that man-in-the-middle all https traffic.

My solution - some years ago - was to park the unused, unactivated corp laptop in a drawer, and use my own Mac. I had to pay for it but I didn’t have IT hassling me.

A couple of years later new corp ownership brought in the goons - which fortunately was about the time I retired. Those folks had no clue - none. Sad.

In the “old days” usually we used stuff after there was a request from HR to “investigate” someone. Nobody cared about what you did or were doing until someone did.

Wait…so I shouldn’t be posting to BB from my work laptop?
Oh, damn…

I haven’t seen it mentioned above, and it may not be relevant anymore but…

In the old, old days, where my company email was my ONLY email, I’d use that as a login for some websites. Over the next (bla bla bla) years, I made my own email and used that, not really thinking about it.
Years later, after I’m gone, I tried to access some little used sites and realized that once the work email was deactivated, I couldn’t prove some of my accounts were my own by replying from it.

So, yes, having the email address for the login wasn’t the problem, but having to prove security without owning it anymore was a big one.
Also true for those who have moved to another internet provider, and they shut off the email they supplied. Ack!

So much older and wiser, now.

I never do personal activities on any machine that is not mine. For many years I travelled as a consultant for several of the big firms. I would have my company laptop, a client-issued laptop, and my personal laptop. These were a pain to lug around and it was always entertaining to go through airport security but it was worth it to me not to have either my company’s or my client’s IT group spying on me in my off hours.

Now I run my own consulting business so I can mix my personal and business activities on my laptop - because my business is my personal stuff and there is no IT department (or I am it). Still, clients prefer workers (permanent and contingent) to use company hardware. So on my desk now I have my machine and two client-laptops; I don’t do any personal activity on either client machine.

If I need to get on my laptop at a client site I only connect using my phone as a hotspot and use a VPN. Assume big brother is watching.

I only do Outlook and Teams on my work piece of crap - besides the corporate spyware, they’ve got Webroot antivirus, a travesty which makes compiles 10x slower because it thinks every single new .obj file is a possible virus.

So ironically, because their computer ‘security’ is such TSA security theater, I do all my actual work on my personal machines (and so do many of my co-workers) - which is probably not what the malicious little CFO who sets our ridiculously restrictive IT policies intended, but the hell with him.

I have a company phone, they pay the phone bill.
It’s supposed that clients, and co workers have to call me during work hours, and because, before COVID, sometimes I worked in office in Town A, sometimes in Town B and sometimes in a client’s site, having a work laptop and cellphone was understandable.
On that phone I’ve work contacts and very few extra apps If not required, like because I’m on-call, I turn off work phone after workdays.

Of course using a personal phone for work related things it’s a worse idea.

Honestly, that whole story is really disingenuous to me.

when Preston handed in his resignation, the choice came back to haunt him. His manager told him to return his work laptop, and — per Apple protocol — said he shouldn’t wipe the computer’s hard drive…Preston pushed back…He was told the policy wasn’t negotiable

So what? Wipe it. You’ve already resigned. What are they going to do?

Others have found that when testing new products like Apple’s Face ID, images are recorded every time they open their phones

Well, yah. That’s how stuff like that is tested. All the messages in the messaging app are logged, face ID photos will be logged, etc. That’s what debug tools of things like that have to do. That’s why you don’t use your personal accounts and devices.

Apple employees also can’t use their work email addresses to sign up for iCloud accounts, so many use their personal accounts.

Create a new gmail account for the purpose. That’s what we all do at work for every service. We need to test Facebook integrations too, and we sure as hell don’t use our actual personal FB accounts for that. We create dummy ones. Doing otherwise is just stupid.

Underpinning all of this is a stringent employment agreement that gives Apple the right to conduct extensive employee surveillance, including “physical, video, or electronic surveillance” as well as the ability to “search your workspace such as file cabinets, desks, and offices (even if locked), review phone records, or search any non-Apple property (such as backpacks, purses) on company premises.”

Again, so? This is every company I’ve ever worked for. I’ve never worked for Apple, but this is standard. Of course they can go through your desk if they want. Everything in the building belongs to the company. There is no expectation of privacy in that environment.

In software engineering, certain employees are expected to participate in a “live-on” program that puts out daily builds with bug fixes. “You can’t have a successful live-on program without people treating these devices exactly the same as a personal phone,” the source says. “So a work device or a work account just won’t cut it.”

This is just not true. We all use dummy accounts for all our continuous integration testing and it works just fine. I don’t understand what the reporter is talking about here.

Employees could pause during onboarding and say they want to create a new Apple ID specifically for work or use a different phone. But most do not

OF COURSE THEY SHOULD DO THAT. I have like, five Apple IDs for various work purposes. If people are using their own Apple IDs at work, then yah, all their personal stuff is going to get exposed to their employer. This is not Apple’s fault.

What’s more, most Apple devices don’t support using multiple Apple IDs.

That’s patently false. I switch Apple IDs on my many work devices (and sometimes my personal one) constantly.

I stopped reading shortly after that because this article is so full of falsehoods being used to paint a particular picture. This is trying to be some sort of hard-hitting piece, but all it does is show that Apple is exactly like every other company. They seem to be trying to draw some stark contrast that Apple cares about customers but not employees, which is ridiculous. Apple’s customer security is very good, and no company in history has ever cared about employee privacy. That’s a ridiculous standard to apply only to Apple.

The article is trying to shock and awe, but the only people shocked by that are maybe the ones who have never read their own employment contracts for the companies they work for.

Yep. I work at such a place, and it’s a huge hassle to do anything outside of your very specific job duties because of the segregation of access. I was so used to working places where I could access anything as an admin. It makes sense of course, but was frustrating for my first year.

Heck, at my current place of work I don’t even use the company wifi for my phone, plans have gotten cheap enough that I just stay on LTE and occasionally tether my personal iPad when in a lull and need a break.

It really, really helps to cut down on distraction to have options like that. No more “well, it’s just a quick check” on my work MacBook. It’s kind of like how legalizing cannabis cuts down on cannabis consumption. It’s no longer outlaw chic, ooh, I’m doing something shady so it feels cool to get away with it vibes to encourage addiction.

That said, I always insisted upon Macs for my dev environment precisely because the Windows certified IT department refused to support them and left me alone to manage it myself. It’s only recently that I’ve had to deal with device management ware, and since I now have enough personal devices I don’t feel the itch any more.

Just get a iPad with cellular data and use it at work. Never connect to the [strike]Honeypot[/strike] personal use network at work, never use the work PC, don’t log in to websites at work.

Frankly, if you work at a job where they give you a lap top, you can afford your own computer, so buy one. Never co-mingle. Better to do your own stuff on a Pi on your TV than to use a corporate laptop for anything personal…

It sounds like you are at an outfit that either has more demanding requirements, more mature monitoring systems, or both, than mine; but the point that IT monitoring is typically massively powerful; but something that IT has an interest in only because it’s architecturally necessary to meet various security requirements; not because the SoC(if there even is one that’s not just carved out of whatever free moments people with other responsibilities have) wants to see it; has absolutely been true anywhere I’ve worked. (edit: I assume that there are some people in IT who are power-tripping, trying at LOVEINT, or otherwise abusing their position. (A)fuck those guys; (B)given that IT, no matter how much you work on least-privilege, RBAC, privileged access logging, etc. tends to involve situations where you need to be an honest custodian of the power vested in you I’d hope that any responsible IT department would fire them into next week as being too unreliable for a position of trust; even if the company culture is too dysfunctional to consider their specific abuses to be of concern.)

I think the disconnect between user understanding and IT reality was most visible(sometimes amusing) when I worked for a public school department. Legally mandatory security stuff was relatively softcore compared to corporate; but the userbase was massively mischievous and knew that there was almost no chance of any real consequences for anything they tried, so they tried everything they could think of all the time.

We had a program where we would pick out the ‘troublemakers’ whose activities seemed most sophisticated but not malicious(eg. the kid who went to some lengths to set up accounts with our firewall/content inspection appliance vendor under the misapprehension that we were using their cloud auth rather than local auth for those devices; anyone who found a workaround to get programming tools into the environment to make study hall more interesting; but definitely not cyberbullies, hardware vandals; anyone who even tried to approach the student information system or the health records system that the school nurses used) and offered them summer jobs assisting the department(both because we needed the help, especially for new lab deployments, upgrading entire schools, etc. and to give them personal and financial ties to the department in order to help channel them into purely productive misbehavior).

Every time, without fail, those kids would come in with the impression that they’d been pulling one over on us left, right; and center; and relatively quickly discover that we were already casually joking about what they’d been doing(a handy icebreaker to start off department meetings was to do an informal comparison of the activities at the various schools; and which department member had the best haxxor kiddo story); but we were so swamped keeping a lot of endpoints running at the reliability level teachers needed to trust their lesson plans to them that playing cop for anything that didn’t either compromise our reliability objectives or threaten the security of data that actually mattered that we had neither the time nor the interest to play officer hardass for the little stuff(also, given that the official “Computer Class” curriculum was at the level of “How do I even press buttons in Word/What even is an Internet and Stranger Danger”, the IT department (purely unofficially of course) smiled on technically promising and ambitious students, so long as they weren’t assholes about it). I think it was a useful learning experience for them.

That said, I also agree 100% on not using work systems for personal stuff, or personal stuff for work(excepting things like keyboards and monitors; which are treated by all but the most paranoid environments(which have a point, most monitor vendors can barely get properly formed EDID out the door; but it would be trivial to drop in a much more capable device that speaks i2c on the DDC line, and I wouldn’t bet on the (huge, kernel mode, security critical) display driver necessarily resisting fuzzing on an input that is supposed to just read a tiny EDID blob off an i2c ROM; and USB-C monitors of course can basically do whatever they want in terms of presenting stuff to the host system’s USB bus) as basically passive; and there’s no reason to deny yourself your preferred monitor and keyboard if you happen to be working at home).

All that said, I’ve been astonished by the number of times(not high in absolute terms; but as a percentage it has been a surprise) where people not only do personal stuff on work equipment; but come to us to try to make arrangements to keep being able to use work equipment during things like leave(company policy is that people on leave get their credentials frozen, to prevent a culture of managerial or coworker hassling of people who aren’t supposed to be working to work ‘because it’s an emergency’ or ‘on just one thing’ by making it so that they can’t get in to work resources) because they have no other computer. And we aren’t talking the packaging temps or the production line workers here; we are talking relatively senior positions and sales guys who almost certainly take home handily more than most of IT does. I’m obviously coming from a position of atypical interest in computers; but I just can’t imagine it. You can get a nice new laptop for ~$1k, an adequate new or nice-but-slightly-old corporate off-lease for under $500; and in our specific case the company has a policy of raffling off our EOL hardware to employees for a pittance(accounting doesn’t want to touch us making any money on an asset that has been booked as fully depreciated; IT doesn’t want relatively expensive tech time wasted on becoming a small volume hardware refurbisher; so we just had our social committee people pick out a charity that people can make some relatively nominal donation to to ‘pay’ for computers we are retiring; program is open to anyone, we select randomly if there is more demand than supply).

I’m also amazed at how willing people are to do work stuff on personal devices; especially in contexts where SSL MiTM is in effect; or where there’s an MDM/conditional access setup such that letting your work account touch your personal computer or phone can mean granting substantial direct control over it. I’m also surprised at how open some IT departments are to it. I loath ‘BYOD’ scenarios with a fiery passion(sure, I’d love to be held to expectations of reliability and mostly-automatic configuration derived from fully managed environments on whatever motley crap you drag in and resent me for making any changes to…) and compared to the costs of breaches, discovery incidents that drag in endpoints you have no visibility of, and the like, providing someone a RDP or Citrix remote desktop; or a basic boring business laptop, really isn’t that high.

Add to this that work laptop and cell are discoverable in any lawsuit involving the employer. So, anything residing on it, even if it’s personal, is gonna come out.

Yup, I work for a university, and this was made very clear to us up front. Every paperclip and scrap of paper was their property and could be inspected at any time. No such thing as privacy, which is why I declined the company phone. There are some here who have both a personal and a company phone to keep things separate, but I know myself pretty well, and one or the other would start getting left home.

Just as a note, never use a work email to sign up for cloud services. If at some point, your company decides to ‘bless’ use of Dropbox, iCloud, Google, etc. and purchase the (freaky expensive) enterprise license that will meet single sign on (SSO) and other security requirements, the cloud company almost always requires that you execute a ‘domain takeover’.

This means that all existing accounts using email addresses from that domain are (usually) wiped and all data/access for them is lost. No options are provided for the company to avoid this. You can’t mix and match, you can’t migrate. If it were your iCloud account, you’d be completely locked out from all iCloud access and stored files immediately.

So if you’re using a cloud service with a corporate email account and it’s not an SSO account managed by the company, it is absolutetly in your best interest to migrate your stuff to a personal account. If your company is nice they’ll warn you this is going to happen, but I can tell you that the legal department will absolutely advise that the domain takeover happen without warning so that any work material at those cloud services can’t be moved onto personal accounts.

Consider the assurances we still get that government spooks don’t have the capacity to crack everyone’s encrypted web and vpn traffic, so our passwords and habits are safe. However, they DO have the ability to RECORD all of it. We know they have optical splitters in the major Internet junction points, and send a copy of EVERYTHING to remote server farms for deep packet inspection. Word is, they simply record everything coming down the fire-hose so they can comb through it at their leisure. And they WILL have the capacity to crack it some day. Then they’ll play back years of Internet activity through the decrypters to build up our dossiers as well as nice lists of thoughtcrime and real crimes to follow up on.

I’m saying that employers will have the capacity to store all of your activity and have bots comb through it for noncompliance. They don’t need secret spy rooms where skilled security personnel monitor everyone’s desktops 24/7. Haven’t you ever wondered why faecebook is jailing you for 24 hours because of something you posted 5 years ago lately? Bots following up.

That’s why it’s important for any encrypted service to use PFS (perfect forward secrecy).

It doesn’t make it impossible to crack, but makes the task much harder because you have to crack separate keys for every single session. So instead of getting access to years of data with a single key, you get access to a single exchange.

Yeah, this. And I know people who let their kids use their university-owned laptop. Insanity.