I’m non-techy. I work for a public school district and visit with kids in about a dozen schools. I like having my work email on my phone so teachers can get in touch if they need me. For years we’ve just used the outlook app with no real issues that I’ve noticed. We’re seeing more and more micromanagement and it sucks. We recently got notice that we have to install Cisco Duo on our phones if we want to have our email on it. Should i do that? Or just say no and be ok with being out of contact?
I’ve managed Duo installations. The administrator can see your phone number, your device os and version, history of authentication attempts.
Duo is just a widely used third party multifactor authentication app, which is useful for organizational cybersecurity.
I had it on my phone for years working at a hospital and really never had any privacy concerns with it the way I have with other apps. The convenience of being able to respond to work emails on your phone is totally worth it
Duo does location tracking. It also can perform device attestation
Are you sure it has permission to track your location? I’m not seeing that one. Either way, they share nothing with your employer
+1 to being out of contact – It can honestly wait until the next time you’re near a work computer. (I’m hoping a work laptop or something is involved here.)
Yeah, i have a work iPad with me most of the time, so it should ding if it’s getting Wi-Fi, but it’s usually in my backpack. Also, i know they can track the location of it so i sometimes leave it at home on purpose. Would forwarding my work emails to a gmail or proton account be an option?
Would forwarding my work emails to a gmail or proton account be an option?
I give it 100% chance of it being a problem.
Forwarding your work email to a different service provider will probably violate PII and will also set off some flags.
Please don’t be a hero. Work your 40 hours and then stop. You didn’t clarify, but I’m slightly worried that you want to be more connected which might lead you to increase your workload or working hours, and that will make your job less sustainable in the long run, and we really want people like you to stick around for many years to come.
After your comment, i removed the outlook widget from my phone. I left the app on it, but i look at it so much less in my off time now. Previously, I thought i was only mildly irritated by the emails i sent in outside hours. Until it was gone, I didn’t recognize the general anxiety i was having from just seeing it there. Thank you!!
Oh no, I’m definitely not looking to put in more than 40 hours. I spend most of my day driving from school to school and i just want my teachers to be able to reach me- without giving my cell to everyone. Also, i share a one-room office with 15 people, so i like to do meetings and paperwork from home even though I’m not supposed to. Thank you for your concern.
If the options are to give your cell number or hook email to your phone, I would take email every time. People do not respect your private number and it will be known by everyone at work. At least with email you can shut off work notifications. Also if you are already breaking the rules by going home you can cover yourself a little if someone is trying to find you at work and they can’t.
Can you ask for a work phone?
They world never ever cover that. The special Ed director built her own office, but we have a 15 year old printer in our office (a room that 17 people share) and we have to buy our own toner fo itr.
Too much. If your work needs you to have constant email access they should pay for you to have a second phone.
They didn’t say their employer needed them to do it, they said they wanted to
As others have pointed out duo seems to collect pretty minimal data
Don’t.
Two reasons:
Many employers require you to install phone-management software as part of the data loss mitigation/data exfiltration requirements - and those requirements might be set by their insurers.
This gives them the ability to remotely lock or wipe your phone at any time - useful to them because they remove company data if you lose your phone, or you leave the company, or are suspended for any reason. Obviously that’ll also lose any personal data on the phone, but that’s your problem, not theirs. They can also monitor its location and similar things.
That’s obviously a reason why you should never, ever, use a work-issued device for personal use - besides it being against their acceptable use policy. If your employer requires you to check email then they are required to issue you the means to do so. They cannot insist that you use any personal devices for that.
It’s bad for your mental health.
Keep work to work hours. Keep work devices for work. Keep personal hours and devices for your personal use.
This physical separation requires a little discipline but, having been on all sides of this barrier (employer, employee, suffering with poor mental health, and currently, in good mental health) - I know this to be the only way to achieve a health balance.
This is great context, thanks.
A followup question, if you don’t mind. I am running stock android 14, which offers multiple users. My main user account is my personal (nothing work related), and a second user account is my work profile, complete with phone-management software. The two accounts are based upon different Google accounts.
If my work were to remote wipe, I have assumed that would only affect the (second) user profile which has those apps, and not the main user account.
Do you know if that is correct?
If my work were to remote wipe, I have assumed that would only affect the (second) user profile which has those apps, and not the main user account.
My understanding is that these tools offer a factory reset, so they would wipe everything. After all - if the phone is stolen, you wouldn’t want to just wipe one profile and leave data within another.
I’m forgetting the episode but darknet diaries podcast had one where a guy took revenge against a former employer and wiped out an entire schools email system and wiped all phones that has logged into the school email. This was done from compromising the school’s outlook admin account.
That was the first time i learned that logging into the employer email could give them the level of control over your device. Fortunately i never have done that for the #2 reason.
There are usually a couple more steps beyond just signing in. Sometimes it will require an app or you get a big warning stating hey, the employer is going to gain a ton of access on here, do you agree?
I use a S23 Ultra and have my work profile on a sandbox environment with Knox, I can also turn it off at the end of the day and while normally work could have access to my personal data, knox blocks that.
If it’s Android, set up a work profile and put the VPN and email on that.
A followup question, if you don’t mind. I am running stock android 14 on a pixel 6. My main user account is my personal (nothing work related), and a second user account is my work profile, complete with phone-management software. The two accounts are based upon different Google accounts.
If my work were to remote wipe, I have assumed that would only affect the (second) user profile which has those apps, and not the main user account.
Do you know if that is correct?
Instead of adding an account to the device with all of the management software that goes with it, one could use a generic SMTP email client (K-9 Mail?) and still get the email, but not have to worry about the privacy and remote administration concerns.
Edit: nevermind, I skimmed the question at first, and didn’t see the duo limitation. This solution probably isn’t an option.
Appreciate the comment, unfortunately my employer has limited access to O365 apps. I have a slightly different use case than OP
It’s a slippery slope. They may require your phone to have password or Microsoft intune. Plus, they will know you have it on your phone.
Duo is Cisco’s version of authentication. The only permissions it has on my phone is notifications.
In its current form, it doesn’t appear to let your company’s IT department control your phone.
Do you have any concerns about having it? I mostly don’t want my phone activities or location tracked.
Duo tracks your location. Not exact location but IP address and city.
Only IP address. Location days from IP address is a guess at best
If you are accessing your work email through your phone, you’re going to be pinging the server with your phone’s IP address. Duo isn’t adding any tracking beyond that.
How specific? Most companies can tell if you are connecting to the mail server from an IP in a different city without needing any app to do that.
Just within the city, doing paperwork from home instead of at a campus.
your IP will be the easy give away if they care to audit. a possible solution is to VPN to the campus and nat your traffic from a campus IP, but now we are getting into additional questionable action.
If they’re on their phone they should just make sure they don’t connect to their home WiFi or their campus WiFi on their phone during work hours. All anyone will see them connecting with then is their cell network IP, prolly just an ipv6 address, and there won’t ever be an obvious tell that they are in a specific location in town.
agreed. as long as the administrative requirement is not “all work done from office desk”, and cellular carrier IP ranges are allowed for his specific services, a cellular connection from laptop (cuz tech reasons) works. OP just likely needs a reasonable cya excuse to make things smooth.
I’ve got duo; we had to have it at my uni for 2FA for our school emails. As far as I can tell it really isn’t very invasive. That said, I do think it tracks general location but I don’t believe it goes further than that.
I would never mix private data with work related data. You should get a second phone for work related things. As pointed out by others, it may be technically possible to have both on the phone without interfering with each other (which also would be more convenient), but keeping things separated physically has another advantage: Data you are handling/ generating at work belongs to your employer. This means that he can demand (problbly backed up by law) to search your phone when things should go south in the future. You don’t want your employer to have a peek at your personal phone, do you? Also, your employer might want you to install tracking/ logging software to make sure you really do the work. By having a dedicated phone for work related stuff your private stuff is out of focus.
You should get a second phone for work related things
Slight correction: OP’s employer should get him a second device if they require him to access work email away from his office during work hours.
Main issue is that you have your work e-mail on your pocket, and can see them 24/7
Ask for a physical device like a yubikey instead of the duo app.
Use the web browser to access email.
I’m a huge proponent of Yubikeys, and I use them every day. I use it for every account I have that supports non-resident FIDO2. I have my ssh keys set up on there so i can just sit down at any computer and ssh in to my remote servers without having to rely on being on a computer with its pub key already on the server. I use it for my pgp keys. I use it for TOTP on a few of my more sensitive accounts that don’t support anything better.
In addition to my regular w2 9-5 pen testing job I do pen testing as a contractor for a place like hacker one on steroids. I am forced to use Duo by them. Can’t use another TOTP app, can’t use a yubikey. While in most cases you can use another TOTP instead of duo, it is not always possible. That said, I highly doubt a school system has set up Duo in a way that prevents you from using alternate TOTP apps.
I had never heard of it. I’ll do some reading.
I have a 6 year old work ipad and we buy our own toner cartridges for our office printer. They’re not buying anything. They put millions into door-swiping, staff-tracking security but we have playgrounds that don’t have fences. Public education is super fucked up.
I think they cost $20. Either this, nothing, or give in and give them access.
You can always get a cheap prepaid burner
YouYour employer can always get a cheap prepaid burnerFTFY
Ha! When I started here 20 years ago they had just gotten rid of pagers.
People have already answered well enough though many of them mention IP addresses and you said you were non techy so wanted to add this
Giving away your IP address is not that big a deal, you do it every time you visit a website without a VPN or connect to pretty much any web service
(You still shouldn’t post it publicly of course but it’s unlikely your employer is going to dox you, and if they do it’s probably illegal)
Their employer don’t need their IP address to be able to dox their location. They likely have their physical address already. IP address locations are self-reported, unreliable and usually onyl point to a city or a wider area.
Not if you cross reference the IP with data leaks on the deep web, revealing way more or other personal info
They already know everything about me. I just want to be left alone to do my job without being tracked for how many minutes i spend working from home.
I don’t imagine the app can do that anyway unless you explicitly give it permission to run in background at all times
You know you don’t know what you’re talking about when you call it “deep web”.
you mean I should’ve called it the “dark web”? I just wanted to imply that “dark web” is a subset of “deep web” in the sense that it is not searchable by regular search engines, thereby including “dark web” to the “deep web” set. But regardless, leak dumps can be found in both places, right?
