Recently my employer has pushed for Okta identity management. And somewhere in that plan they somehow thought appropriating employee personal phones was a good idea. Now we can't log in to certain internal apps without a mobile device because Okta needs a one-time password/accepting a push notification. And the OTP/push notification should necessarily happen on a mobile device. Given that the company hasn't provided any mobile devices to employees, everyone is forced to use their personal phones.
We use Okta where I work but we are allowed to install Okta Verify without installing the MDM profile.
If we want to do work email on our phone, we do have to submit to MDM. 99% of the employees I know refused to allow MDM on their personal phone, and the company was OK with that. They made a few managers carry work-issued 2nd phones.
We also use Slack and are allowed to use that without MDM so that works for a lot of us.
My wife has to carry a 2nd phone for work, she's got 2 iPhones and it's very annoying, but preserves the separation.
Any company that wants to put an MDM on my phone will have to buy me a second phone.
See, I'm the computer geek in the family, and that means that I'm the family MDM manager. Which means I already have an MDM on my phone, and since you can only ever have one MDM on a mobile device like that, well the conclusion is inevitable.
If they don't want to buy me a second phone, then they're going to have to decide which of those two policies they actually want to enforce.
I worked for a company that was forcing an MDM on employees a few years back. I went ahead and wiped it and installed CyanogenMod instead of the stock Android ROM. My phone was then incompatible with the MDM so I was no longer required to install it. I don't think it would have been able to do all that much even if it managed to install.
I ask for a phone if my duty requires it. If they won't provide it then they don't want the job done very badly and if they fire you then unemployment should cover it. Each granted claim increases their unemployment insurance premium if I understand correctly, so there is some disincentive to just fire you--it's probably cheaper to get the phone. (This is in California, SF Bay Area).
For this specific case, you can actually use other OTP apps such as Google Authenticator with Okta. See https://help.okta.com/en/prod/Content/Topics/Security/MFA.ht...
You'll also have to unselect push notifications somewhere, don't remember exactly where, but it was apparent in the UI.
My company recently required the use of a specific 2FA app that I didn't use in order to validate credentials on our laptops when accessing our VPN. I don't personally like having to put an app on my phone; however, using an app to validate identity and using an app to conduct business are two very different things. I'm still considering requesting a physical token though...
Can't you ask for a key fob OTP code generator device? Employees who work at sensitive client sites in many cases wouldn't be allowed to connect their phones to the Internet and may have restrictions placed on the usage of it. A separate hardware key generator (which is really a second factor) could possibly help (depending on the situation and need).
Maybe they don’t have great labor laws. Would your boss really believe you if you said you don’t have a cell phone? If you didn’t have legal protection (or a shit ton of other employment options) would you just tell him to fuck off?
No, we have great labour laws (employment protection, anti-discrimination, limits of business relationship well defined) but it is illegal to conceal identity in government and business matters (here in Turkey, you cannot avoid identifying yourself even while invoking the right against self-incrimination). Not like the UK or the US. An employer would think you are trying to conceal your essential contact info and will be able to refuse your contract.
In addition, all IMSIs and IMEIs are registered in a whitelist and tied to identity.
Any ideas on what happens in such cases?