|
Ranter posted: So no concerns if they're running a device that no longer receives security updates?

If they're using the native activesync connector you should be getting the android version running on the other end. Collect those logs, audit them once or twice a year, and cut off the most egregiously out of date devices and tell them to update or upgrade
|
# ? May 17, 2019 13:41 |
|
Jedi425 posted: If you're referring to the thing where the ASA will stop all traffic forwarding if it can't reach a syslog server over TCP, it's not a bug. In fact, that is Cisco Approved Default Behavior. You have to specifically configure the ASA not to become a brick if it can't send syslog data over TCP.

That's it. Thing is, other devices on their network were using tcp without a problem.
|
# ? May 17, 2019 14:35 |
|
BangersInMyKnickers posted: If they're using the native activesync connector you should be getting the android version running on the other end. Collect those logs, audit them once or twice a year, and cut off the most egregiously out of date devices and tell them to update or upgrade

Yes I have full insight, our mfa service requires a small app on their device so I know we have old android devices out there. If we cut them off because we require a minimum version of android, but we also explicitly won't reimburse them for a new phone or at least partially reimburse, that's a dick move, no? They can say "I can't afford a new phone but you require me to have it to log in to our systems. Either pay for a new phone for me, give me a phone, or disable the 2fa requirement when logging in to applications." I wonder what goons' opinion on this is, I feel like I need to have management change company policy to reimburse for phones since we currently require byod and 2fa leveraging the device they bring. Or just accept the risk and allow old android 6 or android 7 devices?
|
# ? May 17, 2019 19:24 |
|
Ranter posted: Yes I have full insight, our mfa service requires a small app on their device so I know we have old android devices out there. If we cut them off because we require a minimum version of android, but we also explicitly won't reimburse them for a new phone or at least partially reimburse, that's a dick move, no? They can say "I can't afford a new phone but you require me to have it to log in to our systems. Either pay for a new phone for me, give me a phone, or disable the 2fa requirement when logging in to applications."

In a lot of states, you can't legally tell someone to buy equipment for a job. Depending on the 2FA system, you can get like $20 dongles that do the same thing as the phone app, and can hand those out to people who refuse to update. But yeah, mandating people use their personal phone for business stuff, AND mandating they update it is kinda a dick move.
|
# ? May 17, 2019 19:36 |
|
We are BYOD and require an app for MFA, but we pay a stipend for employees that are using their phones for work. Up to $140/month depending on the situation.
The Fool fucked around with this message at 19:42 on May 17, 2019 |
# ? May 17, 2019 19:39 |
|
Ranter posted: Yes I have full insight, our mfa service requires a small app on their device so I know we have old android devices out there. If we cut them off because we require a minimum version of android, but we also explicitly won't reimburse them for a new phone or at least partially reimburse, that's a dick move, no? They can say "I can't afford a new phone but you require me to have it to log in to our systems. Either pay for a new phone for me, give me a phone, or disable the 2fa requirement when logging in to applications."

As the employee I would tell you to gently caress off. Edit: several years ago, I was a consultant on an email migration project and they just expected I had an iPhone and would use that for testing mobile email stuff. I laughed and said no, provide me an iDevice, and that's how I as a consultant had a company paid for iPhone in an organization with over 100k users and where very few people had company paid for iPhones. I'm going to be going through this again soon when my current physical RSA fob dies, they are pushing hard for soft token, but I need it for 2fa for an internal app, so an escalation up my org chart will be happening soon.
The Electronaut fucked around with this message at 19:48 on May 17, 2019 |
# ? May 17, 2019 19:45 |
|
Ranter posted: Yes I have full insight, our mfa service requires a small app on their device so I know we have old android devices out there. If we cut them off because we require a minimum version of android, but we also explicitly won't reimburse them for a new phone or at least partially reimburse, that's a dick move, no? They can say "I can't afford a new phone but you require me to have it to log in to our systems. Either pay for a new phone for me, give me a phone, or disable the 2fa requirement when logging in to applications."

My company is getting into the legal jungle of this right now. My company doesn't want to pay a stipend to its 10k employees. We will see how it shakes out.
|
# ? May 17, 2019 20:03 |
|
I'm not putting employer's poo poo on my phone period, especially stuff like Google's MDM app. One fatfinger and oops we wiped your device and I don't have time to deal with that no matter the resolution. Pick a solution that supports some other authentication method if you aren't providing employer-paid hardware tokens of some manner, be that employee badge, some yubikey thing, dongle, actual phone or whatever.
|
# ? May 17, 2019 20:03 |
|
With BYOD policies it's also worth thinking about your process, policies, and procedures you'll need to cover should you ever need to confiscate a personal device for forensic investigation in the event you suspect an employee of doing whatever deserves a forensic investigation of their device. I would also never let a device that isn't running a modern OS (one still receiving security patches) connect to my environment or resources in any fashion.
|
# ? May 17, 2019 20:07 |
|
In modern android, only the work stuff is wiped or controlled by the employer. https://support.google.com/work/android/answer/6191949?hl=en I can also turn off work mode while on vacation, all notifications and syncing are disabled.
|
# ? May 17, 2019 20:11 |
|
Guy Axlerod posted: In modern android, only the work stuff is wiped or controlled by the employer. https://support.google.com/work/android/answer/6191949?hl=en

Last I administered Google's MDM (two years ago) there was a link in the dashboard to wipe the device and there was no way to disable it on personal devices. If that changed at some point then great but considering how slow Google is at pushing useful updates within G Suite I kind of doubt it.
|
# ? May 17, 2019 20:20 |
|
Sheep posted: Last I administered Google's MDM (two years ago) there was a link in the dashboard to wipe the device and there was no way to disable it on personal devices. If that changed at some point then great but considering how slow Google is at pushing useful updates within G Suite I kind of doubt it.

Android for Work has been around since 2015 and allows work stuff to be isolated to its own area which can be wiped without affecting the entire device. https://arstechnica.com/information-technology/2015/03/a-review-of-android-for-work-dual-persona-support-comes-to-android/ They still also have fully managed options for company-owned devices, but this is the way BYOD should be handled. AFAIK at least initially some devices didn't support it, but I'd have to assume that it's become standard at some point in the four Android versions since.
|
# ? May 17, 2019 20:40 |
|
My phone is hosed up, good to see that they finally fixed that. My number one complaint when administering Google MDM was that I couldn't turn off that button to stop our people from accidentally (or not) wiping personal devices. Other than that it was the best free option by far.
Sheep fucked around with this message at 21:01 on May 17, 2019 |
# ? May 17, 2019 20:48 |
|
Diametunim posted: confiscate a personal device for forensic investigation in the event you suspect an employee of doing whatever deserves a forensic investigation of their device.

Uhhh, that's not a thing. You can always ask for it, but confiscation of personal property, regardless of what you think it may or may not contain, is a good way to get sued in a slam-dunk easy fat settlement. Do not do this.
|
# ? May 17, 2019 20:51 |
|
Ranter posted: Yes I have full insight, our mfa service requires a small app on their device so I know we have old android devices out there. If we cut them off because we require a minimum version of android, but we also explicitly won't reimburse them for a new phone or at least partially reimburse, that's a dick move, no? They can say "I can't afford a new phone but you require me to have it to log in to our systems. Either pay for a new phone for me, give me a phone, or disable the 2fa requirement when logging in to applications."

Diametunim posted: should you ever need to confiscate a personal device for forensic investigation in the event you suspect an employee

Sheep posted: I just reenrolled my personal device, used a work profile, and confirmed that administrators can still wipe the entire device. I'll post screenshots when I get home and can edit out my email.
evil_bunnY fucked around with this message at 21:01 on May 17, 2019 |
# ? May 17, 2019 20:56 |
|
AlternateAccount posted: Uhhh, that's not a thing. You can always ask for it, but confiscation of personal property, regardless of what you think it may or may not contain, is a good way to get sued in a slam-dunk easy fat settlement. Do not do this.

I find it disturbing that someone even assumes they can take an employee's personal property.
|
# ? May 17, 2019 20:59 |
|
Sickening posted: I find it disturbing that someone even assumes they can take an employee's personal property.
|
# ? May 17, 2019 21:02 |
|
evil_bunnY posted: I mean this is 2019 my dude. We're past the gently caress-you event horizon

i have enough old android phones that if they do try to do it, i'll say try your best with this samsung s3. oh, shame it won't work. here's a htc thunderbolt. that should work right?
|
# ? May 17, 2019 21:04 |
|
We pay a $75 a month stipend for cell phones but we don't reimburse for buying a whole new device.
|
# ? May 17, 2019 21:12 |
|
Here's a screenshot from the Admin dashboard on my newly enrolled Android 9.0 personal device using a work profile. You still have the option at least to ( Edit: just to win an internet argument I unregistered the profile and hit 'wipe device'. If you want proof that I set up a work profile then I got that too. If anyone wants to reproduce this then this is a friendly reminder that Google will provide you a free trial Admin domain for testing and you can try this yourself, you don't have to take my word for it. Sheep fucked around with this message at 21:49 on May 17, 2019 |
# ? May 17, 2019 21:21 |
|
Sheep posted:Here's a screenshot from the Admin dashboard on my newly enrolled Android 9.0 personal device using a work profile. You still have the option at least to (
|
# ? May 17, 2019 22:07 |
|
apseudonym posted: Did you push the button? Should just nuke the profile, if not that's a problem.

I did, as you can see in the bottom of the second screenshot - where it explicitly states that corporate and personal data will be erased. I had already unregistered the profile on my phone so it wasn't able to do anything if it had tried (and I'm not going to find out). Edit: deleting the profile is an entirely separate button (wipe account). Anyways, I'm fully willing to admit that this is all probably just terrible design on Google's part and that it probably/hopefully doesn't actually wipe personal devices. I'd just like to point out that my original statement was only that there's no way to disable that 'wipe device' button even when personal devices are pulled up, which at this point has been pretty conclusively proven. I still like Google MDM from an administrative standpoint despite this bullshit. It's pretty straightforward, just works, and you can just swipe a slider to disable it when you go on vacation.
Sheep fucked around with this message at 22:57 on May 17, 2019 |
# ? May 17, 2019 22:30 |
|
Sheep posted: I did, as you can see in the bottom of the second screenshot - where it explicitly states that corporate and personal data will be erased. I had already unregistered the profile on my phone so it wasn't able to do anything if it had tried (and I'm not going to find out).

I've got nothing in this internet fight, I just want to make sure that it doesn't wipe the full device, but I'll go look into it.
|
# ? May 17, 2019 22:55 |
|
Ranter posted: We pay a $75 a month stipend for cell phones but we don't reimburse for buying a whole new device.

My last company provided the choice, last-gen Galaxy or $65/mo stipend, and they also offered $200 every two years towards getting a new smartphone. Apparently barely anyone knew about it though, so when I filed the expense report I made sure to cite the page and paragraph of the benefits guide that mentioned it. Got an iPhone SE 32GB for basically $20, just paid tax and for the SIM card. And then $15 for a couple of Otterboxes and a belt clip from Craigslist. Still going about two years later, although the battery life is going downhill. Might get a new phone at some point in the next year, idk. Now that Google has their Android One program that guarantees longer update life that's one of Apple's big advantages gone. The current company doesn't give a stipend or company phones, but the extent of what we're expected to use them for is calling your manager if you're going to be late. Did anything ever happen with that Librem phone? I liked the idea because I'm not a huge fan of the idea of giving Google all of my data again (rather than just the 75% they get because I'm too lazy to migrate off of Gmail) and Apple is really only better about that until they get a financial incentive to start stealing your data.
|
# ? May 18, 2019 21:50 |
|
Please don’t put a belt clip on a phone.
|
# ? May 19, 2019 00:58 |
|
Sickening posted: Please don’t put a belt clip on a phone.

Actually, it's called a magazine.
|
# ? May 19, 2019 01:01 |
|
I only used it when mowing the lawn and listening to music on it. And a couple times at the gym, because the gym shorts I used to use had pockets that would let everything out as soon as you laid down on the bench.
|
# ? May 19, 2019 01:02 |
|
22 Eargesplitten posted: Did anything ever happen with that Librem phone? I liked the idea because I'm not a huge fan of the idea of giving Google all of my data again (rather than just the 75% they get because I'm too lazy to migrate off of Gmail) and Apple is really only better about that until they get a financial incentive to start stealing your data.

They currently claim it will launch in Q3, though based on the history of delays the project has seen I wouldn't put much stock in that. PINE64, who make a bunch of ARM SBCs and the $99 PineBook laptop, are also planning to release their own Linuxphone at a much lower cost than the Librem ($150 vs $650) and they're also planning to launch by the end of the year.
|
# ? May 19, 2019 01:05 |
|
Salesforce probably nobody will leave salesforce over this
|
# ? May 19, 2019 05:05 |
|
Potato Salad posted: Salesforce

Take a look at Pipedrive. Salesforce sucks.
|
# ? May 19, 2019 15:25 |
|
Lain Iwakura posted: I’m about to evaluate it.

by any chance, do you have first impressions?
|
# ? May 20, 2019 12:40 |
|
Lucid Nonsense posted: I've seen some fun stuff like that. One customer made a config change on an ASA and it started generating over 1k error messages per second for several hours afterward. Just a routine change, not a mistake. Cisco bug.

https://www.curvature.com/resources/blog/how-a-bug-ridden-35-million-it-investment-led-to-bankruptcy/ The unnamed OEM was Cisco, and the bug was completely reproducible. The switches stopped passing traffic when mem usage hit ~79%
|
# ? May 21, 2019 12:44 |
|
Potato Salad posted: by any chance, do you have first impressions?

None. I'll have none until August or September when I'll be able to do so.
|
# ? May 21, 2019 15:09 |
|
The MFA FUD train keeps rolling: Google accidentally mass alerted users of a false new device login to their accounts. Mistakes happen, yes, but if it keeps happening people are eventually going to ignore it when an actual wolf shows up.
|
# ? May 21, 2019 15:33 |
|
And in smartphone news, every single high-end smartphone (iPhone and Android) with movement sensors has been found vulnerable to a persistent cross-browser fingerprinting attack.
|
# ? May 23, 2019 17:08 |
|
I've seen some rumblings of proof of concept vulnerabilities out there for the big ol' RDP bug that was patched recently, anyone seen anything public?
|
# ? May 23, 2019 17:09 |
|
Maneki Neko posted: I've seen some rumblings of proof of concept vulnerabilities out there for the big ol' RDP bug that was patched recently, anyone seen anything public?

Symantec released an IPS sig for it yesterday. I assumed it was from MS reaching out to partners to help them develop sigs for this activity on the wire but maybe the juice is loose
|
# ? May 23, 2019 17:21 |
|
Maneki Neko posted: I've seen some rumblings of proof of concept vulnerabilities out there for the big ol' RDP bug that was patched recently, anyone seen anything public?

I thought I saw something about McAfee Research managing to successfully exploit it either late yesterday or early this AM. E: Here it is https://arstechnica.com/information-technology/2019/05/why-a-windows-flaw-patched-nine-days-ago-is-still-spooking-the-internet/

quote: Until recently, researchers had to take Microsoft's word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.
|
# ? May 23, 2019 17:28 |
|
Maneki Neko posted: I've seen some rumblings of proof of concept vulnerabilities out there for the big ol' RDP bug that was patched recently, anyone seen anything public?

zerosum dropped a scanner yesterday: https://github.com/zerosum0x0/CVE-2019-0708 other than that it's a thousand fakes and the companies trying to avoid putting a one-click solution out
|
# ? May 23, 2019 17:31 |
|
https://twitter.com/campuscodi/status/1131604111730839554?s=21
|
# ? May 23, 2019 20:32 |