Can MDM software be used to spy on employees?
from BlueMagma@sh.itjust.works to cybersecurity@sh.itjust.works on 29 Oct 09:28
https://sh.itjust.works/post/27312015

My employer had us install a software called “fleet osquery”, they said it’s a first step toward inventory management of all the devices for IT. I guess it also adds a layer of safety by making sure nobody installs any dangerous software/malware on their work devices.

Looking at the docs, it looks like this can be used to remotely execute scripts on my laptop, should I be worried about my employer spying on me during work hours? Or logging information about what I’m doing?

#cybersecurity

alyx@reddthat.com on 29 Oct 09:43

yes you should be. that thing probably is literal malware. is it even legal (where you live) for your employer to force you to install such a thing on your laptop (i assume it’s a personal one)?

cron@feddit.org on 29 Oct 10:32

Fleet is an open source device management software. Calling it literal malware seems odd to me.

How would you manage hundreds or thousands of devices without Intune, SCCM, Ivanti, Ansible or whatever tool your org uses?

I would be more worried if the company had no means of controlling their devices, keeping them updated, secure and compliant.

When it comes to protecting the rights of the users, there are typically laws in place (at least where I live).

nick@midwest.social on 29 Oct 11:15

Incorrect.

huginn@feddit.it on 29 Oct 12:56

(it’s not his personal device - it’s a work owned device)

lemmyng@lemmy.ca on 29 Oct 09:51

Work laptop or personal laptop?

If it’s a work-supplied laptop then it’s their device, and you should not use it for personal stuff. Always assume that company-supplied devices are monitored. Having said that, IT won’t sit there watching your every move, but they will care if you watch porn or download torrents.

If it’s a personal laptop then they can go pound salt.

shaggy959500@lemmy.world on 29 Oct 10:11

As someone that has managed MDM platforms before, I absolutely agree with this. If it’s a work laptop, then yeah they have the right to install MDM on it. If it’s a personal laptop, I really wouldn’t recommend it.

MDM gives the admins full control over the device. They can run commands to wipe the device, install software, set policies, gather inventory data, or any custom action they want.

The MDM platforms I’ve used can’t be used to spy on people, but they absolutely have the power to install software or run scripts that can spy on you. IT probably doesn’t have time to actually watch individual employees, but anything they do likely has a built in report that can give data on who did what, prioritizing based on whatever the company is looking for.

Always assume that companies are monitoring everything going on with the computers and WiFi networks that they own. They likely are checking things out to make sure activity is safe and appropriate.

BlueMagma@sh.itjust.works on 29 Oct 11:20

Work laptop of course, if it was my personal device I wouldn’t even care what they say. I think I’m going to isolate my work laptop from my home network now though.

Bob_Robertson_IX@discuss.tchncs.de on 29 Oct 13:17

> I think I’m going to isolate my work laptop from my home network now though.

This is always a good idea. Your work IT department doesn’t trust you, and you shouldn’t trust them.

biscuitswalrus@aussie.zone on 29 Oct 21:48

Hey I don’t know your technical capability, but Steve Gibson pointed out the lowest knowledge way to get an isolated network just by buying two more cheap NAT routers. Your current router stays routing internet, but in LAN1 you plug in one of the new routers, let’s call it your home network, and LAN2 of your internet router plug in the other router and call it insecure. Plug in your WiFi access points into home and your devices. Plug in work laptop and other IoT to insecure. Home won’t be able to talk to insecure, and insecure can’t talk to home. This is all because of NAT. Just make sure the home network range is a different range to the insecure.

Otherwise it’s just a vlan on router and switches and access points with no firewall rules that allow INSECURE to HOME.

You might already know all this in which case never mind!

www.grc.com/nat/nat.htm
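
Added example, not part of biscuitswalrus's comment: a small Python check for the address plan described above (internet router LAN plus separate home and insecure routers). It goes slightly beyond the comment by also checking both inner ranges against the internet router's own LAN; the segment names and all address ranges are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def check_plan(plan):
    """Validate a {segment name: CIDR} plan for the layout in the comment.

    Returns a list of human-readable problems; an empty list means every
    segment has its own valid, private, non-overlapping range.
    """
    nets, problems = {}, []
    for name, cidr in plan.items():
        try:
            # strict=True rejects host addresses such as 192.168.1.1/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid range {cidr!r} ({exc})")
            continue
        if not net.is_private:
            problems.append(f"{name}: {net} is not a private range")
        nets[name] = net
    # Every pair of segments must use different, non-overlapping ranges.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


# Constructed sample plans (assumed values, not taken from the thread).
GOOD = {
    "internet-router LAN": "192.168.0.0/24",
    "home": "192.168.10.0/24",
    "insecure": "192.168.20.0/24",
}
# Both added routers left on the same range: the case the comment warns about.
BAD = {
    "internet-router LAN": "192.168.0.0/24",
    "home": "192.168.1.0/24",
    "insecure": "192.168.1.0/24",
}

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        issues = check_plan(plan)
        print(label, "ok" if not issues else issues)
```
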

Bob_Robertson_IX@discuss.tchncs.de on 30 Oct 00:35

Thanks, I did know that but I’m glad it is here for anyone else who may need to know.

ramble81@lemm.ee on 29 Oct 12:04

This is the correct answer. Assuming it’s a work owned device, the answer to “can they monitor me?” is always yes.

However, unless you’re constantly tripping their automated alarms, or management has come to them with a productivity issue about you, they’re not gonna do much.

lud@lemm.ee on 29 Oct 22:27

> but they will care if you watch porn or download torrents.

HR might care, IT probably not.

chatokun@lemmy.dbzer0.com on 29 Oct 22:38

In IT, and have been since 99. I cared more about porn (adware, viruses, etc. used to be more frequent on them) than other groups I expected to care sometimes. A regional manager's laptop was acting slow, so sent back to us. During cleanup I found porn among other issues, and reported it to their manager. The response was basically:

“How much longer before you can return the laptop to them?” They just wanted em up and running again. Now at an MSP, and we’ve found porn on fileservers, oftentimes by the owners of the company.

lud@lemm.ee on 29 Oct 23:02

Yeah it’s generally advised to avoid trying to solve an HR problem with technology or at least with anything complicated.