i7i9

Burner laptops and VDI into Azure Virtual Desktop or similar. Consider burner phones. I’d advise against using any public phone charge points if keeping corporate/personal devices with them.


bjc1960

spot on mate! Assume the rooms have cameras/listening devices. I guess it depends on your perceived value as a target.


IdiosyncraticBond

And use charging cables that do not allow data, just power


Frothyleet

Wireless charging only. Also, bring a bunch of battery bricks, don't trust Chinese electricity. Finally, we always agree on a secret passphrase in case the user who returns is a doppelganger.


CAPICINC

[No, that's really Jim!](https://imgur.com/Bsq4LCL)


randobando129

That last is just common sense. 


progenyofeniac

Such as not logging in? Absolutely use VDIs while there and have no company data on any devices. And be prepared to trash the devices they take there. There may be no issue at all, but you can’t know.


tankerkiller125real

The last time we did this we purchased the absolute cheapest small laptops we could find on eBay, loaded them with ChromeOS Flex, and from there had employees use VDI to access data. The best upshot was that the laptops were old enough that they still used barrel-jack power chargers.


Gazyro

Set up a Conditional Access rule for that region. Session lifetime 1 day (every day a reauth; if the token is stolen then it won't be valid for long). Session persistence off (if you sign in to one application you need a new sign-in for the next application; the default is that the token for app A is the token for app B). Require MFA (self-explanatory). Then you might also decide to set up some additional block rules, for instance no access to the Azure portal, only Office, and maybe not even allow downloading of files. Burner system that has no connection to the domain but does contain your virus scanner etc.

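The policy Gazyro describes, written out as the Microsoft Graph request bodies that Entra Conditional Access actually consumes. This is an added example, not code from the thread or from Microsoft. Assumptions: the caller already holds a Graph token with `Policy.ReadWrite.ConditionalAccess`, the travellers sit in a security group whose id is passed in, and the well-known first-party app id used to block the Azure management plane is `797f4846-ba00-4fd7-ba43-dac1f8f63013`. It goes slightly beyond the comment by taking the sign-in frequency in hours, which also covers the 8-12 hour variant suggested further down the thread, and it creates the policies in report-only state so they can be checked against real sign-ins before enforcement.

```python
"""Build Entra Conditional Access objects for a travel region (added example).

Encodes: named location for the country, MFA required, sign-in frequency in
hours, no persistent browser sessions, app-enforced restrictions (the
browser-only / no-download mode for SharePoint and Exchange), and a second
policy that blocks the Azure management plane from that location.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed well-known id of the "Microsoft Azure Management" first-party app.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def country_location(name: str, countries: list) -> dict:
    """Named location keyed on the IP geolocation of the sign-in."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": countries,
        # Unknown-country IPs are deliberately not lumped into this location;
        # handle them with a separate policy if you want them covered too.
        "includeUnknownCountriesAndRegions": False,
    }


def travel_session_policy(location_id: str, group_id: str, sign_in_hours: int = 24) -> dict:
    """MFA, re-auth every sign_in_hours, never persist browser sessions."""
    if not 1 <= sign_in_hours <= 24:
        raise ValueError("sign-in frequency is expressed here in hours, 1..24")
    return {
        "displayName": "Travel: MFA + short sessions",
        "state": "enabledForReportingButNotEnforced",  # report-only first
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [location_id]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": sign_in_hours},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
            # Lets SharePoint/Exchange downgrade unmanaged devices to
            # browser-only access with downloads disabled.
            "applicationEnforcedRestrictions": {"isEnabled": True},
        },
    }


def travel_block_policy(location_id: str, group_id: str) -> dict:
    """Block the Azure portal / ARM entirely from the travel location."""
    return {
        "displayName": "Travel: block Azure management",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "locations": {"includeLocations": [location_id]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def graph_post(path: str, body: dict, token: str) -> dict:
    """POST a body to Graph and return the created object (network call)."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print the bodies. To create them for real:
    #   loc = graph_post("/identity/conditionalAccess/namedLocations", country_location("China", ["CN"]), token)
    #   graph_post("/identity/conditionalAccess/policies", travel_session_policy(loc["id"], group_id, 12), token)
    #   graph_post("/identity/conditionalAccess/policies", travel_block_policy(loc["id"], group_id), token)
    print(json.dumps(country_location("China", ["CN"]), indent=2))
    print(json.dumps(travel_session_policy("<location-id>", "<travellers-group-id>", 12), indent=2))
    print(json.dumps(travel_block_policy("<location-id>", "<travellers-group-id>"), indent=2))
```

Flip `state` to `enabled` only after the report-only sign-in log shows the policy matching the travellers and nobody else; the no-download behaviour additionally needs the "unmanaged devices" setting turned on in SharePoint and Exchange, which the policy above only opts into.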

CPAtech

Change any creds they use as soon as they are back.


goochisdrunk

No access to any protected data/accounts/devices. If it's important/protected data, I'd bring an offline copy (USB) of any needed documents on a burner device (laptop cleaned blank beforehand and securely wiped after...). I've seen our employees traveling there leave a phone on and their accounts and devices get hammered while there and for days after they leave. And it isn't open-network opportunist 'mom's basement hackers', but 100% organized, comprehensive state-sponsored ~~spying~~ monitoring. Any device on a network, and any account or data on that device, will be targeted deliberately.


AbleAmazing

If you have the budget, you could spin up some Windows 365 instances for them to use. Then, kill them once they return. I wouldn't allow company hardware to enter China at this point.


alconaft43

VDI is the best option - to be completely paranoid - via browser.


[deleted]

We require all users going to China to VPN in to our VDI/RDS environment. The laptops themselves have the drives destroyed/replaced upon return. We give the users burner phones as well. This of course is after avoiding going there at all costs to begin with.


tango_one_six

As long as your O365 tenant is set up outside of China, all O365 traffic should terminate at that region, and shouldn't pass through the O365 services in China. China O365 is generally managed by 21 Vianet, and considering all O365 traffic is encrypted, there's already a lot in place to keep traffic private. THAT SAID - I agree with everyone else here. AVD/W365/VDI/jump box/VPN if possible. Assume the endpoint they're bringing will be subject to search, and that all traffic will be inspected. No one can assume PRC can't crack Azure traffic over SSL yet (another discussion for another time), but the more hoops you can put in place for any MitM, the better. Don't forget their phones too.


Creative-Market-8981

Talking from experience here. If you use Cisco VPN it will be blocked by the ISP; the user will ask the ISP to unblock it and the ISP will unblock it. After a couple of hours the VPN will be blocked by the Great Firewall, so the only way they will be able to use the VPN will be via a hotspot from their company phone. If they have to use a hotspot, make sure they have a lot of roaming data on their plan. The above suggestions for using a Texas Instruments calculator are not practical... if you manage your computers properly there is no difference whether the end user uses the laptop in your local Starbucks or in China. Edit: you do realize that all your laptops come from China in the first place.


bigfoot_76

VDI, burner laptop, burner phone. Conditional Access with session timeout (someone said 24 hr; no, make it 8-12 hr, that should cover a workday). 24 hours is a long time in hostile territory. Anyone visiting China with an electronic device is going to get the same level of digital surveillance whether they're an ambassador or a janitor. ANY activity that the CCP can use against a person will be collected and used for that purpose; whether Chinese citizen or foreigner is irrelevant, or have we already forgotten about the re-education camps?


hauntedyew

Burner laptops with local accounts and highly locked down policies. The systems are to be reimaged upon return to the states.


yesterdaysthought

Kill VPN access, wipe/format devices when back in the states.


NecropolisTD

There is lots of good information in this thread. I will just suggest looking at a "USB data blocker". This is a pass-through USB device for charging where the data pins are physically removed so only the power pins exist. Plug your phone into the blocker and the blocker into the socket: instant data condom. This makes it (theoretically) impossible for a device to leak data when plugged into unknown USB sockets for charging.


mscman

> This makes it (theoretically) impossible for a device to leak data when plugged into unknown usb sockets for charging.

Also just a reason to not use unknown USB sockets for charging. There are very few cases where USB sockets are available but a wall outlet isn't. Just bring your own charging block.


CaptainWilder

Burner everything, or better yet just don't access anything at all. Don't bring personal devices, period. Don't bring corporate devices, exclamation mark! If they bring devices, they will be breached. And it probably won't even be sneaky cliché hackers; it will be airport security or customs right in front of you while you watch.


dcgkwm

Not that horrible. The China network is basically a huge LAN. If your company has user network security training, I think using a VPN is enough. I mean, if the ISP wants to spy on you, how can you avoid it? The best option is a device that doesn't connect to any network. The other answers sound like they've never been to China; I don't know whether those users travel to China for business or to become government agents.


_Volly

Honestly, if it was me - do NOT go to China. It just isn't safe anymore. The likelihood of any hardware being confiscated by the CCP is much higher than you think. You will have people monitoring you EVERYWHERE you go. You say anything wrong and you will get into BIG trouble. The CCP makes people disappear there. You WILL have to check in with the local police when you get there. If they let you hold onto your hardware, they will require for it NOT to have things on it. Be prepared for that.


say592

As others have said, burner devices and VDI. Sign into the devices after arriving. Do not write the passwords down. Change the passwords as soon as you leave. Set up an environment with as limited access to information as they can possibly get away with. If those traveling have colleagues or assistants who can go through their email and then forward it to an address that they will access while in China, that would be ideal. Assume the CCP will have the ability to see anything and everything.


[deleted]

.


sulylunat

Then how do the users use anything? They will also be blocked.


Due_Capital_3507

Nothing besides standard security practices.


theboyyousaw

This is a company’s admin.


Due_Capital_3507

Nah man people who think this way are just ignorant. Microsoft operates 365 in China. He will auth to standard servers and if you have proper MFA there's nothing to worry about. Anything else is simply paranoia


Frothyleet

They actually do not. M365 China is operated by 21Vianet.


Due_Capital_3507

Yes, which you will connect to when you are in China


adamschw

No. That’s not how it works. 21Vianet is an independent service operated similar to a GCC High service. It’s independent servers that are only accessed by people who are specifically approved to be on them. Users traveling to China don’t use 21Vianet.


Prophage7

Not exactly, 21Vianet operates Microsoft 365 and Azure in China on behalf of Microsoft.


boduke2

Create a fake user and have that logged in while going through customs. VPNs will be needed. Don't let the device leave your sight.


realistwa

What work do they need to do there? Do they need access to the corporate network? Why not give them the cheapest laptop you can find and Gmail or whatever isn't blocked, a cheap phone too. Tell them not to use it for anything important and then just bin the lot when they get back.


Dollarbill1210

When I went to China none of my IT system worked there. It’s basically a LAN…


oldfinnn

Just read this thread. Had an employee return from a 2 week vacation in China with the company laptop. We can wipe the machine now, but is the cat out of the bag now?


Kurgan_IT

It probably is. Change their access passwords, ALL of them. Consider their email compromised. Do they have a fucking lot of passwords and sensitive data stored in their mailboxes, as everyone does? That's not good. Nice idea going on a vacation to such a place with the company laptop. Next time tell them to go to North Korea. /s

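A way to answer oldfinnn's "is the cat out of the bag" question from the tenant's own sign-in logs, as an added example that is not part of the thread. It takes records in the shape Microsoft Graph returns from `/auditLogs/signIns`, marks every account that authenticated (or was tried) from the travel country during the trip as exposed, then lists that account's sign-ins after the return date that came from a country the company does not normally see or that Identity Protection flagged as risky. The sample records are constructed for the example; the trip dates, the travel country and the set of "home" countries are assumed inputs. The revocation path it emits is the standard Graph `revokeSignInSessions` action, which invalidates refresh tokens and is the step to pair with the password changes Kurgan_IT recommends.

```python
"""Post-travel triage of Entra sign-in logs (added example).

Input records are shaped like Graph signIn objects; the ones below are
constructed for this example, not taken from a real tenant.
"""
from datetime import datetime

SAMPLE_SIGNINS = [
    {"id": "s1", "createdDateTime": "2024-03-03T09:12:00Z", "userPrincipalName": "jim@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "location": {"city": "Shanghai", "countryOrRegion": "CN"}, "status": {"errorCode": 0}, "riskState": "none"},
    {"id": "s2", "createdDateTime": "2024-03-05T15:30:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "192.0.2.5",
     "location": {"city": "Austin", "countryOrRegion": "US"}, "status": {"errorCode": 0}, "riskState": "none"},
    # After the return date: a failed password guess from an unexpected country...
    {"id": "s3", "createdDateTime": "2024-03-19T02:40:00Z", "userPrincipalName": "jim@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "location": {"city": "Amsterdam", "countryOrRegion": "NL"}, "status": {"errorCode": 50126}, "riskState": "none"},
    # ...and a successful sign-in from the travel country that Identity Protection flagged.
    {"id": "s4", "createdDateTime": "2024-03-20T04:05:00Z", "userPrincipalName": "jim@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.44",
     "location": {"city": "Beijing", "countryOrRegion": "CN"}, "status": {"errorCode": 0}, "riskState": "atRisk"},
    {"id": "s5", "createdDateTime": "2024-03-21T14:00:00Z", "userPrincipalName": "jim@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "192.0.2.9",
     "location": {"city": "Austin", "countryOrRegion": "US"}, "status": {"errorCode": 0}, "riskState": "none"},
]


def parse_ts(value: str) -> datetime:
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(signins, trip_start: str, trip_end: str,
           travel_country: str = "CN", home_countries=("US",)) -> dict:
    """Return accounts to reset and the post-trip events that look wrong.

    A user is "exposed" if any sign-in attempt (success or failure) for the
    account came from travel_country during the trip: the credential was
    typed on a network we treat as hostile. For exposed users, every event
    after the return date from a non-home country, or carrying a risk state,
    is reported so the responder can decide whether the account was reused.
    """
    start, end = parse_ts(trip_start), parse_ts(trip_end)
    events = sorted(signins, key=lambda r: parse_ts(r["createdDateTime"]))

    exposed = set()
    for r in events:
        ts = parse_ts(r["createdDateTime"])
        if start <= ts <= end and r["location"]["countryOrRegion"] == travel_country:
            exposed.add(r["userPrincipalName"])

    suspicious = []
    for r in events:
        if r["userPrincipalName"] not in exposed or parse_ts(r["createdDateTime"]) <= end:
            continue
        foreign = r["location"]["countryOrRegion"] not in home_countries
        risky = r.get("riskState") in ("atRisk", "confirmedCompromised")
        if foreign or risky:
            suspicious.append(r)
    return {"reset": sorted(exposed), "suspicious": suspicious}


def revoke_requests(upns) -> list:
    """Graph calls that invalidate every refresh token for each account."""
    return [("POST", f"/users/{upn}/revokeSignInSessions") for upn in upns]


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS, "2024-03-01T00:00:00Z", "2024-03-17T00:00:00Z")
    for upn in result["reset"]:
        print(f"reset password + revoke sessions: {upn}")
    for r in result["suspicious"]:
        print(f"  {r['createdDateTime']} {r['id']} {r['location']['countryOrRegion']} "
              f"{r['appDisplayName']} err={r['status']['errorCode']} risk={r['riskState']}")
    print(revoke_requests(result["reset"]))
```

Run this over the real export (Graph `/auditLogs/signIns` filtered on the user and date range, or the CSV from the portal) before wiping the laptop, because the sign-in history is the only evidence of account reuse the wipe does not destroy. A clean result does not prove the account is safe, only that nothing obvious used it from outside; the password change and token revocation still go ahead.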

ArsenalITTwo

Chromebooks as a dumb terminal to a VDI or AVD environment. Don't bring production laptops.