At Bitglass, end-user privacy is always top of mind because security deployments that don't take employee habits and expectations into account are doomed to fail. The best example is mobile device management, a solution that has seen wide availability, but surprisingly low adoption with privacy often cited as the top concern.
We decided to look at just how invasive these device management tools could be in our 'MDMayhem' experiment, wherein we installed agents on several of our employees' devices with their permission. While our employees knew what they were getting into - knew the privacy they would be sacrificing by taking part in the experiment - most employees in other organizations readily follow IT's instructions and install device management software without a second thought.
Turns out, these tools can see more than they let on. Everything from location data to the apps you have installed on your phone. Our team configured the MDM software to route mobile data traffic through a corporate proxy and installed corporate-issued certificates on employee devices. What surprised us most is just how easy it was to push this dangerous cert to devices without notifying employees.
By capturing all packets, our team was able to see the contents of employees’ personal email inboxes and capture usernames and passwords, all transmitted in plain text via the always-on VPN we setup. Even third-party apps were susceptible to packet sniffing.
While most know to expect some loss of control and privacy over corporate data on a managed device, none realized the extent to which MDM could be used and abused to monitor personal data and activity. Fortunately agentless, data-centric alternatives to MDM, like the Bitglass mobile solution, are on the rise and provide IT with a BYOD solution that offers robust security on par with MDM while avoiding the potential for abuse we observed in our experiment.
download the report