landwomble t1_jc66wl7 wrote

Any corp that runs BYOD should be using Conditional Access / Intune or a 3rd party equivalent. You sign into mail/calendar etc and it enrolls your device, turns on and enforces strong PIN, encryption, remote wipe etc.

This is very much a Solved Problem.


landwomble t1_jc2ez3t wrote

BYOD is fine (although I'm fairly sure the civil service DOES supply work phones to most line of business staff who require one). However you should be enforcing Android Work Profile or the iOS equivalent when accessing corporate resources as part of a Conditional Access Policy. E.g. as soon as you sign into work email etc it enforces MDM before you get access. This will do stuff like insist on a secure PIN/password screen lock, control over application install under an allow/deny list, enforce device encryption as well as provision it with any certs needed to access company resources. Every company I can think of has been doing this for years and it's trivial and essential under a Zero Trust model for security.


landwomble t1_jc27qdz wrote

<shrugs> Pretty much every company does exactly that. It's neither hard nor expensive (and is probably a significant saver of money from not having to clear up after security incidents). UK Gov uses M365, they have access to Intune. Turn it on.

Personally I'd ban WhatsApp/Signal/Telegram from them as well to enforce integrity in communications via Teams (which they are also using and licensed for) to avoid the "oops I lost my phone, sorry" responses to FOIA requests.


landwomble t1_jc274xy wrote

UK Gov has M365. They have this already via Intune. Who on earth, outside of government, would think allowing users to install ANYTHING they like on a work device was a good idea, let alone users that are privy to very sensitive information. It's madness.


landwomble t1_j9o042e wrote

Sure, defrost/defog buttons get used, but summer or winter, with climate control you set a temp you want and the car sorts it out and maintains that temp. I guess with older style aircon with no temp sensing you might need to manually fiddle with it but on modern cars - I don't see the point. I don't want to be cold in summer, I want to be comfortable all year round...


landwomble t1_j0b3yuu wrote

Why aren't US gov owned devices subject to a device management policy? If they are Android or iOS, it's trivial to apply an MDM policy to them to control what can/can't be installed, to mandate being patched and up to date before accessing gov resources like email etc. If they're Windows or Mac, similar with Intune etc. How the hell aren't they already like this? Every large company I've worked with over the past decade has been doing this for years...!


landwomble t1_ixzsxd6 wrote

When mine does this I usually suck out all the water with a pump action plunger, tip a few pints of boiling water into the drain hole then carefully use the plunger on it until it unblocks. With hot water you can feel your drain pipe until you find the spot where it goes cold and that's your blockage point.