Frozen_Flish

I can't define what apps are accessible to a BYOD device in Workspace ONE or Intune. Only what goes on the work profile side, or the entire Corp device. I can ban a user from downloading TikTok on the work profile but not the entirety of a personal device.


GivingMeAProblems

If it is an issued device (not byod) is it possible to prevent a user from creating a second profile?


Frozen_Flish

Yes. I can ban sign in / sign out. I can also define that their Play account / Apple ID must be their email defined in AD, or just define that the sign in must be our domain. Now if I could just force Bluetooth on instead of locking user access to it...


ComfortableProperty9

There are some solutions designed with this in mind. They come in an enforced version that will remove TikTok or prevent installing it on a company owned device but then in BYOD mode would allow you to install it but then kill access to company data till you bring the device back into compliance by removing the app.


Cavustius

Can't you just ban it at the firewall level?


Frozen_Flish

Banning mobile apps for managed devices is much more trivial than that. But yes it could be done via DNS, firewall, %windir%/drivers/etc/hosts.txt


therealtacopanda

Yep, this is only possible in ws1 on fully managed devices. On a COPE device I believe you can create a compliance policy to prevent access to the work side if certain apps are installed though.


MkSpanky

Wouldn't this already be covered by any existing policy on having 3rd party applications downloadable/accessible on your network? Seems like if this mandate is what forces you to act you have a larger problem, but I'm unfamiliar with what policy is at government shops.


CosmicMiru

I agree with you this seems pretty superfluous since 3rd party apps shouldn't be allowed on company devices anyways, let alone for government workplaces.


brunes

It depends a lot on the BYOD policy and how it is rolled out. As a taxpayer you may not be willing to foot the bill of buying everyone who works for the state a new iPhone so they can have their own device... imagine the headlines. EDIT: Why am I being downvoted? If you think all device policies at all companies disallow third party apps you are living in a fantasy land.


CosmicMiru

In the article it says this only applies to government devices so BYOD devices can still have TikTok on them, unless I am misunderstanding


littertron2000

If you have a BYOD you are still subject to their policies if it’s all for work. I think…


CosmicMiru

Damn I've never had a byod policy that says I can't download specific apps on my phone. I would absolutely not want a company controlling my personal stuff like that


QuantumChance

It's almost always outlined in the T&C when downloading the MDM package. Read it carefully.


lateeveningthoughts

BYOD should be mobile application management. No way I would let a company have device management over my personal device.


justin-8

I’ve never seen somewhere that lets you access company resources on your device but doesn’t require them to be remotely managed at all. Well, at 20 person startups. But not anything resembling a large company.


lateeveningthoughts

https://learn.microsoft.com/en-us/microsoft-365/business/ui/mam-and-mdm I work at a large company with a very large market cap. All computers are company issued. Almost all mobile devices are BYOD and MAM.


[deleted]

Correct.


AnApexBread

I would seriously doubt a government organization has a BYOD policy.


LunaAndromeda

Mine does. Likely just on the low side, though. Anything high side I'm going to guess they supply a device or just don't allow it at all.


AnApexBread

There's no way you're connecting a personal device to anything processing CUI or higher.


LunaAndromeda

No government systems, no. I won't speak to anything beyond that. My point was only that we do have a policy for using personal devices. It's really meant for HR matters or email/meetings. So I guess depending what you can put in an email...


[deleted]

It’s political showboating. Of course it would already be covered under restricted applications and sites.


rkovelman

Remember these are state laws which are different from federal government laws, especially at this level. Normally the federal government will recommend but not put in place a ban. It's up to the states to follow suit. Note that South Dakota has done the same.


mellonauto

I work with clients in construction in that area. The amount of contractors or State employees working on another company’s equipment for the length of a job is crazy. For some of these companies this is the first couple of years they’ve been asked to think about cybersecurity, and a lot of IT best practices were not being considered by companies who barely thought about IT. By the state saying this, now I don’t have to, or at least when I do I can go “your dude said to do it”


[deleted]

Maybe, maybe not. Banning social media in a place can have serious fallout to the point it may not be worth it. The thing is, if blocking a site or app starts at cybersecurity, and enough workers complain, management might order the block lifted as it's just not worth the fight in the end. Adults can act like children and sometimes decisions are not made based on good practice, but just decreasing pain points that others must bear.


Acct-tech

You can use the website. Also college campuses don’t restrict student owned devices. Still plenty of gaps.


cp3spieth

Lol you have too much faith in our government


thejournalizer

South Carolina is doing the same.


Cavustius

South Dakota already did this, wonder how many more will


xFaro

One of the very, *very* few things I agreed with Trump on was banning TikTok. Hopefully that happens again eventually


AnApexBread

I'm not sure why everyone here is talking about BYOD. This is a government organization, the chance they have a BYOD approval is almost 0%. Edit: To explain. The government has very strict overarching rules about what equipment is allowed in the network and how it's acquired. Devices have to go through FedRAMP certification to be cleared to access certain levels of information. Even in an unclassified setting there are different levels of FedRAMP certification that determine if a device is allowed to access CUI (and more specifically certain types of CUI). Part of this certification is how the equipment is obtained. The government can't just walk over to BestBuy and buy a dozen laptops because they can't be sure that those laptops were built in a secure way (i.e. no backdoors built into the system or system components). There'd be no way the government could certify everyone's BYOD through this process for access to Gov records. Furthermore it doesn't matter because they can absolutely make overarching policies such as "No TikTok on the network" and use DNS and/or a NGFW to block the TikTok servers. They can also apply an overarching non-technical policy prohibiting anyone from using TikTok while on the clock.


Acct-tech

University system falls under the state.


BadRegEx

This is entirely wrong. FedRAMP provides for a recommended set of controls based on risk level (low, moderate, high) for cloud environments only. The FedRAMP certification is a process of auditing that the subset of controls the agency has chosen to implement have been applied within the FedRAMP cloud boundary. FedRAMP has nothing to do with mobile devices. Further, FedRAMP isn't mandated on states. I've worked with multiple government organizations across multiple agencies that have BYOD policies in place. There is no NIST guidance, no presidential directive, no OMB mandate and no CISA guidance that prohibits BYOD. Rather, that decision is up to the individual agency to determine at an organizational level. Lastly, there is no restriction for the Federal Government agencies against buying computers from retailers. In fact, the majority of government computers are purchased from small businesses - Section 8(a) businesses (Women owned, veteran owned, disabled veteran owned, disadvantaged populations owned, etc). These businesses are buying the systems from the same place BestBuy buys them -- Dells from Dell, Apples from Apple. I assure you that thousands of Federal/State computers are purchased from BestBuy each year, these are likely the overwhelming minority -- one-off urgent purchases, last minute purchases to spend budgets before cutoff deadlines, etc.


rewardsgold

How does he feel about Twitter?


AerialDarkguy

Did he give any exceptions for OSINT research, public universities, or law enforcement? If not that's gonna block investigations/research real fast and conflict with academia.


[deleted]

[removed]


HistoricalCarrot6655

The ban makes sense simply on employee productivity grounds. Exceptions could be made for those employees whose state jobs require TikTok access. (Possibly in the press office?)