Anyone here have any experience with the AirWatch app? Our IT dept sent out an email to all employees that have “work” phones to follow the steps provided to install it. By work phone I mean a personal phone that I get a monthly compensation in my check for towards the bill. Not fond of the idea, but at the same time I know pushback won’t look good to the execs either.
I have MobileIron plus an RSA key. No clue if AirWatch is similar, but if it is, it locks everything down. All email attachments are opened through MobileIron and all web traffic is monitored and logged.
AirWatch is an MDM solution. They’re owned by VMware.
AirWatch only has access to the APIs that Apple has built in for MDM. It’s not too intrusive. They can’t read texts or listen to your calls or anything. The intent of the software is to be able to enforce good security policies: encryption, strong PIN, no jailbreaking, etc. They can also push out your Exchange configs, wireless configs, and other apps. Overall, I wouldn’t be too worried about it. The ONLY thing to be wary of is the fact that they can remote-wipe your device. So I’d make sure that you keep good backups. They should only be doing that in the event that it gets lost, but hey, shit happens.
Oh, and all of the above assumes you have an iPhone. I DO believe that they have more control on an Android device.
--- Updated ---
I’m not sure what all MobileIron is configured to do on your device, but typically in order for “all web traffic to be monitored”, they would need to implement an always-on VPN to feed your traffic back to a web proxy on premises… unless they are using a web proxy in the cloud, which is also POSSIBLE but not something I usually see.
And yes, AirWatch is similar in that it’s an MDM solution, but again it depends on how it is configured and how your network is architected.
I believe it’s a VPN, as it’s always connected to the mothership,
but I also don’t know what the hell I’m talking about, so there’s that too.
Mine is a government phone.
Yeah you probably have always-on VPN then. OP’s situation is probably not that strict.
With all these MDMs, if you have Android you’re fucked; if you have Apple you’re really not that bad off.
My last employer tried that shit. I told them that they could keep their money and I would keep my phone. Oddly they agreed and still let me use my phone on their networks and have my email and such. I feel like it was a very odd decision.
I don’t like it, since it opens your device to the company. It installs a profile; they can see your photos, apps, and a bunch of info on your phone, and can even remote-wipe it, leaving you with no phone. They do have a new solution for email only called Boxer, which is just an email container that removes all the overreaching profile stuff and has been well received.
Chances are the “kid” who enrolls your phone with the MDM policy gives two shits about your photos, as you claim is a possibility. I just checked our MaaS360 and was unable to view any information pertaining to photos, downloads, etc. The weirdest thing I saw was the ability (which we don’t have enabled) to see browser history. I guess if you’re not sure if the company is monitoring your BYOD or company device, stay off meatspin.com… Even then, IT is too busy to rifle through your shit, unless they are requested to by HR. Also, the person looking through your shit could get fired.
IDK… If you’re not doing anything wrong, why worry?
Although, I can confirm there is an enterprise wipe to remove the corporate profile, and a full wipe, which we have only used per HR request.
Based on your statements being based on your own solution, I assume you didn’t set up your MDM system or understand how they work.
AirWatch (or any MDM system, since they all use the same interface Apple provides) can access damn near everything on a device, so MaaS360 can as well. Most companies with mature BYOD policies have a sign-off and some data collection/privacy policies that let you know what they can see and do on your device. Some that are newer, install some random setup and don’t have much management approval install the defaults and collect way more than they need to.
You can pull full hardware and software inventory on the phone, everything about the device such as model and versions, serial number, jailbreak status, IMEI numbers, GPS location, network IPs, Wi-Fi networks, whether a PIN is set, and force people to apply certain settings on it such as lock time and length. Apple does sandbox apps, so seeing document stores for apps is typically restricted, but native apps you can, such as photos and contacts; you can disable the camera, prevent apps from sharing data, and see what email servers are configured. You can trust and install your own certificates, break SSL by proxying web traffic through your own concentrator, connect to VPN at all times to enforce your own IPS/IDS network scans on traffic with web browsing logs, and a bunch more. Yes, this means intercepting traffic like iMessage, Snapchat, Facebook, Messenger, etc. From what I saw last, I think they can see your text contacts, but I don’t think we can see the content of them.
Basically you are trusting your device with someone else and them not being evil. Again, most companies with mature policies have tuned the policy to simple stuff like requiring a locking PIN, sending you a device certificate so you can connect to their VPN and Wi-Fi, and maybe proxying connections internally so you can access resources and web sites, and leave the device to be yours. These companies also have strict change controls so that someone can’t just change the policy without some major approval. Other companies I have seen just allow whatever and don’t have the time to really tune it to their needs.
You can see the profile settings if you go into Settings -> General -> Device Management.
When I was at Praxair, I had a Droid that had AirWatch installed on it. Never really gave a shit about it. I was more concerned whether they could tell I was out in the middle of Lake Erie when I was supposed to be “working”. But fuck them, they can take a long suck of my cock.
You’re spot on with my situation: I never originally configured the policy, or understood how MDM works from a security point of view… I was more involved with creating a private wireless network on which we can effectively enroll the device in the policy and successfully distribute a certificate to the device. Then, test device compliance as far as what the end-user experience is like when enrolling the device. So, I guess I’m the plumber with the infrastructure wrenches.
Taking a look at the policy, it’s as you said, basic to the point where we protect the user from leaking data that contains PHI. I guess we’re more concerned with protecting the privacy of the provider as well as the person who owns the device. Everything you mentioned in the first sentence of the 3rd paragraph is realistically what we can see too. Beyond that we seem not to care, nor do I, as I’m a “contractor” whose company just gives us a stipend amount for our phone use. All in all, I guess you can say the client I work for has a “mature” policy in place that is tuned to our needs.
At the end of the day, if we had the ability to see photos, it had better be a hot chick with some nudes. I’m not getting fired over some dick pics.
I admin an AirWatch server for about 450 employees.
We use it for controlling corporate apps and corporate email on corporate-owned devices. We are rolling it out to personal devices, but it has not happened yet.
Basically, from the admin panel I can clear the passcode on your phone, wipe all the corporate data from your phone remotely, or even wipe the phone completely, including all your personal data. I can push apps to your phone remotely. I can see a list of all apps installed on your phone, the battery life left, and other vitals.
There is a setting in there that we do not enable but another company may. It will track the location of the phone down to, I think, 10 feet. We messed around with it last year and it is very accurate.
This type of technology is typical for businesses that have fleet vehicles, or people out in the field that are not trustworthy.
AirWatch makes my life easy: I can create groups and push work-related apps to groups of phones or iPads from my desk, and not have to go around and do it manually.
And when someone gets shitcanned, we yank the data off the phone and deactivate it remotely.
For 99% of companies it’s two things: a compliance requirement, and the ability to wipe phones if they’re lost/stolen or someone gets fired.
For AirWatch, you can install it following the instructions and check what it’s controlling in the AirWatch settings. Since you install the app, you can also uninstall it just as easily yourself. It doesn’t lock itself down to your device if you install it from AWagent.com and follow the steps to enroll your device.
It can do several things. Email for BYOD seems to be the #1 item that companies utilize. Then, Content Locker, to access shared resources from your device remotely, resources being internal applications and repositories, etc. Then, if your company has its own applications, they can be added to the BYOD device as well.
Everything in AirWatch is pushed down by a policy. If you remove AirWatch, the policies are removed and the device returns to normal.
I’d go through with the company install and then check the AirWatch config on your device, to see what they’re adjusting/changing/controlling. It’s very easy to see… and feel free to post up a screenshot if you’d like help in deciphering it.
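Two replies above suggest checking what the installed profile actually grants (Settings -> General -> Device Management, or the AirWatch config). As an added example, not from any poster in this thread, here is a small Python script that decodes an exported iOS configuration profile (.mobileconfig plist): it expands the MDM payload's AccessRights bitmask (the bit values and payload type names follow Apple's MDM and configuration-profile references) and flags payload types such as a root CA or VPN that matter on a personal device. The sample profile is constructed for the demo.

```python
"""Decode what an iOS .mobileconfig profile lets the MDM server do.
Added example, not from the thread; AccessRights bits and payload type names
follow Apple's MDM / configuration-profile references. Sample is constructed."""
import plistlib
# MDM payload AccessRights bitmask (subset).
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "lock device and clear passcode",
    8: "erase device (full wipe)",
    16: "query device information (serial, capacity)",
    32: "query network information (phone number, MACs)",
    256: "inspect installed applications",
    1024: "security-related queries (jailbreak, encryption)",
    2048: "manipulate settings",
    4096: "manage apps",
}
# Payload types that deserve a second look on a personal device.
NOTABLE = {
    "com.apple.security.root": "installs a trusted root CA (enables TLS interception)",
    "com.apple.vpn.managed": "configures a VPN (traffic can be routed via employer)",
    "com.apple.webcontent-filter": "filters and can log web browsing",
    "com.apple.applicationaccess": "device restrictions (camera, sharing, ...)",
    "com.apple.mobiledevice.passwordpolicy": "passcode requirements",
}

def mdm_rights(profile_bytes: bytes) -> list[str]:
    """Names of the AccessRights granted by the profile's com.apple.mdm payloads."""
    rights = 0
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.mdm":
            rights |= p.get("AccessRights", 0)
    return [name for bit, name in ACCESS_RIGHTS.items() if rights & bit]

def summarise(profile_bytes: bytes) -> list[str]:
    """One 'type: note' line per non-MDM payload."""
    return [f"{p['PayloadType']}: {NOTABLE.get(p['PayloadType'], 'no note')}"
            for p in plistlib.loads(profile_bytes).get("PayloadContent", [])
            if p.get("PayloadType") != "com.apple.mdm"]

# Constructed sample: PIN policy, a root CA, and an MDM payload that may
# inspect, lock, wipe and inventory the device but not read network identifiers.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Corp BYOD (constructed)",
    "PayloadContent": [
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "minLength": 6},
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"cert-placeholder"},
        {"PayloadType": "com.apple.mdm", "AccessRights": 1 | 2 | 4 | 8 | 16 | 256},
    ],
})
```

Run `mdm_rights(open("profile.mobileconfig", "rb").read())` on a real exported profile to see whether full wipe or passcode clearing is among the rights, and `summarise(...)` to spot root-CA or VPN payloads.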