This is an automated archive.
The original was posted on /r/sysadmin by /u/hiddenbutts on 2023-10-24 20:56:41+00:00.
In light of a recent “rant” of questionable truthfulness, it may be time for a discussion on what options we have as sysadmins and why employees don’t want to connect personal devices to the company.
This is not a discussion about if MFA should be used or not, it’s a discussion about what options are currently available that would satisfy the company’s requirement for MFA/security and the employees’ right to privacy. Looking through the archive, there is nothing recent on this.
Installing an MFA token is not “just an application”. It is putting company data on an employee owned device, and the terms of service can change at any time. There are ways you can limit exposure, but in the end, it is making that personal device part of the company assets from a legal point of view.
There are many aspects to this, the biggest of which is legal in nature. Link below is a fantastic overview of the legal landscape involving BYOD and corporate legal issues.
Another aspect to acknowledge is the difference between required and optional. If an employee can opt-in to having email/company data on the phone so it is more convenient for them to work, that is very different than being required to have something on a personal phone to do their job.
There will be people you will run into in your career that have a hard no on mixing personal and work, and that should be respected. Firing someone because they refuse to put work information on a personal device will get you in legal trouble.
So what solutions do you have? Do you have a budget for company cell phones? Do you have YubiKeys or similar token generators? Do you have a soft token that is accessible after login to Windows? Maybe some other solution?
(Not a lawyer, but I have been around quite a few blocks and seen some shit. I have also read the ToS on many of these apps, and they can get updated at any time.)