Microsoft Intune

Old 11-01-2018, 12:37 PM
  #1  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default Microsoft Intune

After 2 years of the wild wild west, my company is finally rolling out a mobile device management plan and we are using InTune.

I'm probably going to find an old device and sanitize it, but don't want to deal with two devices.

These are personal devices, and will be set up in InTune as such, but I have a couple of questions for those in the know.

1. How do I know that the setup is done as Personal, not Corporate?
2. Can they change the admin type from personal to corporate without me knowing about it? The IT guys (who I know and like) said they can't change it from their end without wiping the phone. I had read the following article, which says the opposite. The article, however, is fairly old and may well have changed. https://practical365.com/clients/mob...obile-devices/
3. What other intelligent questions should I be asking?
MattGoose is offline  
Old 11-01-2018, 12:47 PM
  #2  
Senior Member
 
Join Date: Jun 2018
Location: Southeast Connecticut
Posts: 169
Default

I'm not aware of a way you can tell how they set your device (personal/corp)...from the "CompanyPortal" app that will be installed on your device. It's a very...bland/lacking MDM app.

Granted IT can flip the switch later, but by default devices are enrolled as personal, only auto flipping to corporate if the phone's identifier number matches a pre-loaded list of corp fleet phones.

The Intune Company Portal app hasn't changed much at all since that article above. Really not much IT can see. I use it basically for granular or full wipes of phones..and it barely works 50% of the time at that. Not a fan of it...and it's a heavy app in the background...adds a lot to battery drain.
YeOldeStonecat is offline  
Old 11-01-2018, 01:30 PM
  #3  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by YeOldeStonecat
I'm not aware of a way you can tell how they set your device (personal/corp)...from the "CompanyPortal" app that will be installed on your device. It's a very...bland/lacking MDM app.

Granted IT can flip the switch later, but by default devices are enrolled as personal, only auto flipping to corporate if the phone's identifier number matches a pre-loaded list of corp fleet phones.

The Intune Company Portal app hasn't changed much at all since that article above. Really not much IT can see. I use it basically for granular or full wipes of phones..and it barely works 50% of the time at that. Not a fan of it...and it's a heavy app in the background...adds a lot to battery drain.
Thank you.

Can IT manually flip the registration from Personal to Corp without my knowledge?

If it sucks through battery that's a whole other reason not to accept.
MattGoose is offline  
Old 11-01-2018, 01:35 PM
  #4  
Senior Member
 
Join Date: Jun 2018
Location: Southeast Connecticut
Posts: 169
Default

Originally Posted by MattGoose
Can IT manually flip the registration from Personal to Corp without my knowledge?
To the best of my knowledge, yes. I don't recall ever seeing or reading about a feature on the Company Portal app (the MDM software client that gets installed on your phone)...which gives you any status or notification. Pretty sure that toggle switch is just a control for how much "wiping" gets done when they go to wipe a phone. And..as you can see from the article you found, what they see. Which..isn't really much...it's a very bare-bones MDM.
YeOldeStonecat is offline  
Old 11-01-2018, 03:01 PM
  #5  
Senior MemberCaptains Club Member
 
Join Date: Feb 2002
Location: Saugus, Ma. USA
Posts: 11,005
Default

It's not as sexy as Airwatch, but still gets the job done. As long as the policy is set up to be fairly unobtrusive, it's not that big of a deal.

If you go into company portal / devices / <your phone>, scroll down to "ownership type" to see personal vs corporate.
jobowker is offline  
Old 11-01-2018, 03:41 PM
  #6  
Admirals Club Admiral's Club Member
 
Join Date: Aug 2013
Location: Mathews County, VA
Posts: 424
Default

Can't you just get 30,000 other phone owners to kick in $12 each to buy you a new phone so you don't have to worry about it?
RivaHaven is offline  
Old 11-02-2018, 05:24 AM
  #7  
Senior Member
 
Join Date: Jun 2018
Location: Southeast Connecticut
Posts: 169
Default

Originally Posted by jobowker
It's not as sexy as Airwatch, but still gets the job done. As long as the policy is set up to be fairly unobtrusive, it's not that big of a deal.

If you go into company portal / devices / <your phone>, scroll down to "ownership type" to see personal vs corporate.
What CompanyPortal version do you have? Looking on mine, I don't see it...just have my phone's name, "original name", OS, Device Settings Status. I'm on Android and I don't see any update for the app.
YeOldeStonecat is offline  
Old 11-02-2018, 05:30 AM
  #8  
Admirals Club Admiral's Club Member
 
Join Date: Jan 2007
Posts: 9,745
Default

What I'd pay attention to is what access is being granted to them. It can range from full device control to limited such as the ability to remotely wipe the device (if it's lost) or just set password/PIN requirements. You have to be willing to trust your employer quite a bit. Mistakes do happen, although rare; you don't want your device to be remotely wiped by mistake.
mystery is offline  
Old 11-02-2018, 07:16 AM
  #9  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by jobowker
It's not as sexy as Airwatch, but still gets the job done. As long as the policy is set up to be fairly unobtrusive, it's not that big of a deal.

If you go into company portal / devices / <your phone>, scroll down to "ownership type" to see personal vs corporate.
The actual written MDM policy is massively overreaching.... Badly so. But it wasn't written by the IT department, so I'm trying to understand what I'm actually signing up for with the InTune tool.

The policy doesn't align with the overall capabilities of InTune... In other words, the policy says the company can do a bunch of stuff that InTune won't let you do when the devices are registered as personal.

So if they can't change it from personal to corp without my knowledge, then I'm less worried. If they can, then it's a hard no.
MattGoose is offline  
Old 11-02-2018, 07:20 AM
  #10  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by mystery
What I'd pay attention to is what access is being granted to them. It can range from full device control to limited such as the ability to remotely wipe the device (if it's lost) or just set password/PIN requirements. You have to be willing to trust your employer quite a bit. Mistakes do happen, although rare; you don't want your device to be remotely wiped by mistake.
This is exactly the question. And it gets more complicated when you start talking Android permissions. InTune asks for password permission - to monitor the number of attempts to enter a PW. But that same permission lets you change passwords, even though InTune (allegedly) can't do that.

So the company policy is waaaaaaay overly broad, Android permissions aren't granular enough, and InTune might be able to be switched from personal to corp without my knowledge.
MattGoose is offline  
Old 11-02-2018, 07:21 AM
  #11  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by RivaHaven
Can't you just get 30,000 other phone owners to kick in $12 each to buy you a new phone so you don't have to worry about it?
Were you dropped on your head as a child?!
MattGoose is offline  
Old 11-02-2018, 07:21 AM
  #12  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by YeOldeStonecat
To the best of my knowledge, yes. I don't recall ever seeing or reading about a feature on the Company Portal app (the MDM software client that gets installed on your phone)...which gives you any status or notification. Pretty sure that toggle switch is just a control for how much "wiping" gets done when they go to wipe a phone. And..as you can see from the article you found, what they see. Which..isn't really much...it's a very bare-bones MDM.
The personal/corporate difference is a big one.

As a personal device, they can see a very limited number of things. As a corporate device, they have pretty much unfettered access.
MattGoose is offline  
Old 11-02-2018, 07:24 AM
  #13  
Admirals Club Admiral's Club Member
 
Join Date: Jan 2007
Posts: 9,745
Default

Originally Posted by MattGoose
This is exactly the question. And it gets more complicated when you start talking Android permissions. InTune asks for password permission - to monitor the number of attempts to enter a PW. But that same permission lets you change passwords, even though InTune (allegedly) can't do that.

So the company policy is waaaaaaay overly broad, Android permissions aren't granular enough, and InTune might be able to be switched from personal to corp without my knowledge.
It's been a while since I have seen Intune but what do you mean by switch from personal to corp?

If the company is doing things the right way, they should be making it very clear what it has access to do and what they will actually do. Either in a one-page memo, FAQ document, or policy.

I personally hate having to carry two phones but I will not grant a company access to my personal data or take control of my personal device. My favorite solution is GOOD believe it or not. All in its own sandbox doesn't need MDM to mess with the device.
mystery is offline  
Old 11-02-2018, 07:48 AM
  #14  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by mystery
It's been a while since I have seen Intune but what do you mean by switch from personal to corp?

If the company is doing things the right way, they should be making it very clear what it has access to do and what they will actually do. Either in a one-page memo, FAQ document, or policy.

I personally hate having to carry two phones but I will not grant a company access to my personal data or take control of my personal device. My favorite solution is GOOD believe it or not. All in its own sandbox doesn't need MDM to mess with the device.
When a device is registered with InTune it is identified as either a personal device or a corporate device, which determines how much the IT admin can see. Personal is fairly narrow, corporate is wide open.
MattGoose is offline  
Old 11-03-2018, 07:10 PM
  #15  
Senior MemberCaptains Club Member
 
Join Date: Feb 2002
Location: Saugus, Ma. USA
Posts: 11,005
Default

Originally Posted by YeOldeStonecat
What CompanyPortal version do you have? Looking on mine, I don't see it...just have my phone's name, "original name", OS, Device Settings Status. I'm on Android and I don't see any update for the app.
Version 5.0.4, on Android. On my main screen, there's 3 tabs for apps, devices, and contact. Don't go into settings.
jobowker is offline  
Old 11-06-2018, 08:18 AM
  #16  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Just an update...

Threw InTune and Outlook on an old tablet.

Got an app called Desktop Notifications which sends the Outlook notifications to my cell phone and I can go on the Outlook web access to see if I need to do anything.

Don't need to carry two devices anymore, just leave the tablet plugged in somewhere with internet access.
MattGoose is offline  
Old 11-06-2018, 08:28 AM
  #17  
Admirals Club Admiral's Club Member
 
Join Date: Jan 2007
Posts: 9,745
Default

Originally Posted by MattGoose
Just an update...

Threw InTune and Outlook on an old tablet.

Got an app called Desktop Notifications which sends the Outlook notifications to my cell phone and I can go on the Outlook web access to see if I need to do anything.

Don't need to carry two devices anymore, just leave the tablet plugged in somewhere with internet access.
Just be careful that you are not breaking/circumventing company policy by doing that, especially if any info is in those alerts.
mystery is offline  
Old 11-06-2018, 09:04 AM
  #18  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by mystery
Just be careful that you are not breaking/circumventing company policy by doing that, especially if any info is in those alerts.
Right now there is no company policy.... There was so much blowback on the one that was released it got retracted.

The web based access is new since this whole thing started, so accessing email from there is fine.

I got the idea for mirroring from the IT department.

This whole thing is just more complicated than it needs to be!
MattGoose is offline  
Old 11-06-2018, 09:21 AM
  #19  
Senior Member
 
Join Date: Sep 2010
Location: GA
Posts: 651
Default

I’m in the process of testing Intune before rolling it out company wide.

1) Your phone can be switched to Corp mode without you knowing.

2) Once Intune is on your device it is under complete control of the Intune Admin

3) Can other people see your stuff (text, pics, location, etc)?

- No, if you look at the Microsoft data.

- If you look at other research, it’s possible.
Redwine is offline  
Old 11-06-2018, 10:47 AM
  #20  
Senior Member
Thread Starter
 
Join Date: Oct 2012
Posts: 1,283
Default

Originally Posted by Redwine
I’m in the process of testing Intune before rolling it out company wide.

1) Your phone can be switched to Corp mode without you knowing.

2) Once Intune is on your device it is under complete control of the Intune Admin

3) Can other people see your stuff (text, pics, location, etc)?

- No, if you look at the Microsoft data.

- If you look at other research, it’s possible.
Yeah, I figured 1 and 2 to be true. There's no robust policy in place restricting IT access. The policy that was in place actually infinitely expanded IT access. No bueno.

This workaround, for now, is great. My "work" tablet has very minimal stuff on it, and nothing personal. Best part is that I don't actually need to carry two devices so long as the work one is powered up and online.
MattGoose is offline  
