My company is implementing device management and I'm unsure of how to proceed

Another vote for keeping things absolutely separate. Two jobs ago I was in a situation where I had two iPhones and two 15" MacBook Pros to keep work and personal separate.

On the phone side I was very happy to be able to leave my work phone with someone else at the office when going on leave and to be able to put it on silent during evenings / weekends.

With the Macs, even I think I was silly at first, but over time the company computer became more strictly controlled and even had to travel to the IT department (a thousand miles away) several times; there were even some data loss events caused by ill-considered infrastructure changes. Eventually I was very happy with my choice to keep things totally separate, protecting my personal data. When I left I could just hand them back their Mac: easy and simple.

4 Likes

I understand. But as a former one of “those people” I know that they don’t always get to make the rules. For example, in the US, if you want to accept credit cards you must meet the standards set by the Payment Card Industry.

Their “Quick” Reference Guide is 39 pages long.

3 Likes

The thing with those rules to change a password every x months is that those rules do not exist any longer:

When we are auditing a company (in Germany, under German guidelines) and still find policies in place that request a password change every x months, we take this as a hint that the company may have issues keeping their IT department and policies up to date and in compliance with current guidelines, which can be a potential security risk in itself.

5 Likes

I’m retired and haven’t been keeping up, apologies. It does appear that PCI is changing that requirement:

"Changing a system account every 90 days is difficult for most organizations and creates a significant risk for a system outage. Starting on April 1, 2025, organizations will need to perform a targeted risk analysis to determine password length and change frequencies and then implement processes to ensure passwords are changed. At a minimum passwords for application accounts will need to meet the 12-character length standard with 15 characters being stated as a “good practice”."

PCI DSS Password Requirements (intersecworldwide.com)

4 Likes

I actually had a really interesting experience the last time I had to do a forced password change on my work machine. When I was typing a new password in, it let me know that the time until the next expiration was dependent on the strength of the password. So, if I put in a B$ password like password1234 it would expire in 3 months. Adding additional characters pushed it to six months. I made it a five-word passphrase and it told me I wouldn’t need to reset it for two years! That is honestly a pretty smart way to get people to choose stronger passwords - the joy of not having to reset it again for two years.

8 Likes

The company I work for also implemented MDM recently. The most annoying thing for me is that I cannot combine my work and private calendars anymore on my personal devices, because I do not want my private devices in MDM. I decided to get a MacBook Pro for personal use.

I do use iCloud on my work device which is enrolled in MDM using Intune and I sometimes use the work MacBook for personal use. Mainly because of the size: my work machine is a 14" MBP M1 and my personal is a 16" MBP M1. (14" is a bit less bulky when sitting on the couch :wink: )

Until now device management is limited on my work machine and my company cannot see my personal data. At this moment my employer is working on implementing Microsoft Defender, and this could mean that they will also log locations where the MacBook is used and browser history. If this is pushed through I probably will not use the work MacBook Pro for personal use anymore.

If you want to know what your company can do with the managed device you can check the installed profiles, in my case:

Also it is important to know if the device is categorised as Personal or Business. If the machine is marked Business in the Company Portal then your employer might be able to do much more; in most cases it is marked as Personal, at least in the Netherlands (or the EU in general), because of legal limitations on what an employer is allowed to do even on a company device.

4 Likes
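The post above suggests checking the installed profiles to see what the company can do with a managed Mac. The script below is an added example, not the poster's, that turns that check into a short report: it parses the property list that macOS's `profiles` tool emits and annotates the payload types that matter for privacy and control (MDM enrolment, content filtering, a trusted corporate root CA, pre-approved system extensions such as an EDR agent). It assumes, without the page confirming it, that `sudo profiles show -type configuration -output stdout-xml` produces a plist whose top-level dict is keyed by scope (`_computerlevel` or a username), each holding an array of profile dicts with `ProfileDisplayName`, `ProfileIdentifier` and `ProfileItems`, where each item carries a `PayloadType`. The embedded sample plist is constructed and the identifiers in it are invented.

```python
"""List the configuration profiles on a Mac and what each one permits.
Added example; the plist layout and the `profiles` invocation are assumptions."""
import plistlib
import subprocess
import sys

# Payload types worth a second look, with a one-line summary of what each lets
# the organisation do. Summaries are this example's reading of Apple's
# configuration-profile documentation, not text from the original post.
NOTABLE_PAYLOADS = {
    "com.apple.mdm": "MDM enrolment: server can push profiles and apps, lock or wipe, query installed apps",
    "com.apple.applicationaccess": "Restrictions: OS features or apps can be disabled",
    "com.apple.webcontent-filter": "Content filter: web traffic can be filtered or inspected",
    "com.apple.security.root": "Corporate root CA trusted: TLS interception becomes possible",
    "com.apple.system-extension-policy": "System extensions pre-approved, e.g. an EDR agent",
    "com.apple.TCC.configuration-profile-policy": "Privacy (PPPC) grants, e.g. Full Disk Access for an agent",
    "com.apple.vpn.managed": "Managed VPN: traffic may be routed through the company",
}

# Constructed sample of what the tool's XML output is assumed to look like.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileDisplayName</key><string>Management Profile</string>
      <key>ProfileIdentifier</key><string>example.corp.mdm</string>
      <key>ProfileItems</key>
      <array>
        <dict><key>PayloadType</key><string>com.apple.mdm</string></dict>
        <dict><key>PayloadType</key><string>com.apple.security.root</string></dict>
      </array>
    </dict>
  </array>
  <key>alice</key>
  <array>
    <dict>
      <key>ProfileDisplayName</key><string>Calendar Account</string>
      <key>ProfileIdentifier</key><string>example.corp.caldav</string>
      <key>ProfileItems</key>
      <array>
        <dict><key>PayloadType</key><string>com.apple.caldav.account</string></dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def summarize_profiles(plist_bytes: bytes) -> list:
    """Flatten the plist into one dict per profile with its notable payloads."""
    data = plistlib.loads(plist_bytes)
    profiles = []
    for scope, entries in data.items():
        for entry in entries:
            types = [item.get("PayloadType", "?") for item in entry.get("ProfileItems", [])]
            profiles.append({
                "scope": scope,
                "name": entry.get("ProfileDisplayName", "(unnamed)"),
                "identifier": entry.get("ProfileIdentifier", "?"),
                "payload_types": types,
                "notes": [NOTABLE_PAYLOADS[t] for t in types if t in NOTABLE_PAYLOADS],
            })
    return profiles


def is_mdm_enrolled(profiles: list) -> bool:
    """True if any installed profile carries an MDM payload."""
    return any("com.apple.mdm" in p["payload_types"] for p in profiles)


def read_live_profiles() -> bytes:
    """macOS only; computer-level profiles need sudo. Command is an assumption."""
    cmd = ["profiles", "show", "-type", "configuration", "-output", "stdout-xml"]
    return subprocess.run(cmd, check=True, capture_output=True).stdout


if __name__ == "__main__":
    raw = read_live_profiles() if "--live" in sys.argv else SAMPLE_PLIST
    profiles = summarize_profiles(raw)
    print("MDM enrolled:", is_mdm_enrolled(profiles))
    for p in profiles:
        print(f"[{p['scope']}] {p['name']} ({p['identifier']})")
        for t in p["payload_types"]:
            print("   payload:", t)
        for note in p["notes"]:
            print("   note:", note)
```

Run without arguments it reports on the constructed sample; with `--live` on a Mac it reads the real profile list. A trusted corporate root CA or a content-filter payload is the signal to look for if, as in the post, the worry is whether browsing on the work machine is visible to the employer.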

This was super helpful front-line advice and insight :slight_smile: The thing about mixed calendars is exactly the type of minor annoyance I am the most worried about adding up to real pain.

I highly recommend the two Mac lifestyle. The company I work for manages work machines very tightly. I had an open-source app I installed for work purposes, long before they tightly managed everything on the machines, but it got deleted by a policy. That was it for me.

The company also supports BYOD, so I keep my calendar in my work Outlook and get to it from personal devices, and use other work stuff. They control web access when on VPN but don’t try to manage personal Macs. Personal phones get more management but also get corporate apps.

1 Like

We’re about to go down the same path. I’m currently using a BYOD machine and told them to budget for a new machine for me and the other person not using a work-supplied device. Has to be two machines in my view. The risk of being locked out of personal data is too great.

What I’m unsure about is the wealth of reference information I have in tools like DEVONthink and Obsidian. I’m not sure yet if I’ll try to separate work related stuff into a separate bucket or sync everything but store it in some kind of encrypted mechanism that only I can access.

We’ve put the question of phones in the too-hard basket for now but I suspect Apple will be getting a large order from us in the next 12 months.

We all have one life with multiple facets and sometimes you need to cross the streams (like checking personal email / calendars / messages on a work device or vice versa). I’m still not sure how this is going to work out in this situation yet.

1 Like

With regard to mobile phones, has anyone used, or is anyone using, a dual SIM phone to separate work and personal, but still only have one device?

My old colleague did that. Worked perfectly. Apparently you can turn one off, or the other, and pair contacts with different cards, etc. etc.

2 Likes

Apple provides instructions on their Support web site how to do this.

1 Like

But all the challenges from MDM would still apply, correct? I.e. the company can’t install a configuration profile that only applies to part of your phone.

1 Like

Probably depends on local lockdown rules. Local IT can advise (if they feel like it).

Good point!

(…)

1 Like

If you just want the work number on a dual sim phone, and you possess the work phone and the work sim, you can pull that off without involving MDM.

You can get more without MDM but the methods are naughty.

1 Like

In my case we can also opt for MAM (Mobile Application Management): only the apps connected to the corporate systems are managed (in our case Microsoft apps: Outlook, Teams, To Do, etc.). This is a good way to still have some separation. If MDM were forced by the company I would definitely choose a separate personal phone.

1 Like