Company forcing me to Apple products

For mobile phones, containerization is the most typical solution. A real-world example: I work for a government agency that routinely processes sensitive unclassified information. I get my work email on my personal Nexus 6. That work email lives inside an encrypted container, and I cannot copy/paste data back and forth between the container and the rest of my phone. The government "owns", manages, monitors, and secures the container and the data within, and has the ability to perform multi-pass remote wipes of the container.

Thanks for the follow-up on my question. I guess I am missing something obvious - if you lose your phone and it is compromised, regardless of this container being set up, isn't the thief able to view/use your data? Once the company realizes that the device is lost, sure, they can remote wipe it (as can be done in any other case where there is no virtualization), but by then, the thief already has some (if not all) of your information.
 
Sure thing. The mobile email client from work is able to enforce device lock using the native Android capability (I use pattern lock anyway). So the thief would have to get my phone while it was still unlocked in order to get any of my data. Since my Nexus 6 uses native Android device encryption, it would be next to impossible to get any of my data -- even with special equipment -- if my phone were locked.

The rules of behavior in my user agreement for work stipulate that I must report a lost device to the help desk immediately. So, between my ability to use the native kill/wipe command from Google, my carrier's ability to issue a kill/wipe command, and my work email administrators' ability to issue a kill/wipe command for either the container or the whole device (the latter requires my approval), the risk of compromise of my personal data is mitigated to my satisfaction.
 
Thanks. So, having your work-related emails in a separate partition in itself doesn't offer any special safety net(?). If your device is out of your hands, the safety of data (personal and work-related) relies on your password/PIN, encryption, and you reaching out to your helpdesk ASAP to kill/wipe. The benefit that the work container provides is that your helpdesk may elect to wipe only the work-related data, instead of the entire device.

So, the goal is really securing the data, by securing the device. That makes sense. This is similar to the approach my employer has taken - except they don't have a separate container for work-related stuff. The entire device is wiped, which I agree with. If only the work-related container is wiped, the assumption is that all connection/credential information associated with the container (stored outside of the container) is also wiped. We know that a delete on solid state storage is never foolproof, so I think wiping of the entire device (and throwing away the encryption key) is probably a safer approach.

Thanks for the conversation.