We use Office 365 at work and this comes with iPad versions of Office that I can authorize. I’m not a fan of MS Office, but I am forced to use it.
However, they set restrictions such that I can’t cut-and-paste things from one document to any non-MS document. So pasting something in an email doesn’t work.
In order to fix it, they’re asking for my iPad’s serial number. This is an iPad I bought, not supplied by work, so I’m reluctant to give it to them. What sort of ruckus can they cause if they had this?
Is this iPad already enrolled in something like Intune? There’s a setting in there to disable the clipboard restrictions for a device they already manage. They can’t forcibly enroll your personal device with only the serial number.
Sounds like they are asking for the serial in order to white-list your device for Copy/Paste. Guess that is the mechanism used in the Intune (or similar) device management tool. I can’t think of anything nefarious they could do given only this extra piece of information.
I find it very handy to have Office on the iPad - checking the calendar before going to bed, just to be sure I didn’t forget something or taking a boring Teams meeting using AirPods at the kitchen table while tidying up - or whatever…
I can’t Copy/Paste though - disabled by policy
Your iPad being under MDM is way worse than them just knowing your serial number.
With MDM they have the power to remotely erase your iPad…
Is there a special reason you use your private equipment for work-related matters?
No, this is my iPad and it has nothing like Intune on it.
I mean I get they don’t want us stealing “company secrets” but if you don’t trust us not to do that, then you probably shouldn’t be giving us company secrets.
I do not want them to be able to do that. A few years ago they “tricked” everyone into installing this profile on everyone’s personal devices and it led to all sorts of problems. I just ignored that email, luckily.
Yes, I want to be able to use the program I want to use to get work done, not the ones sanctioned by people who have no idea what I need to do. Plus I don’t want two devices. My life is a mix of work and personal so why not my iPad?
Okay, then I’ll reluctantly give it to them.
This happened to a colleague of mine a couple years ago. He wanted to use his iPhone for work stuff, to avoid the work Android phone. IT decided after he had mislaid his phone to remotely erase it. He only ‘lost’ the phone for a short time - but you know IT…
I would never put a personal phone/tablet under the control of an IT department.
I get it but maybe buy a cheap used iPad just for them?
I had the impression, from your first post, that you are not a fan of using MS Office, and also kind of afraid of using your private equipment. So it was my impression that you asked therefore.
And in that case I would say that, if a company wants its employees to use a specific software, on a specific system, to do their job, the company has to supply the equipment!
That is why I asked.
But with your long actual post it seems that my impression was not true, so if you want to do it this way, it seems you have to submit the number.
BTW, I personally would never use personal equipment for work I would do for a company.
There are just way too many risks related to that…!
That’s fine if you own the company. It’s most definitely NOT fine if you are an employee.
If you leave the company or are fired or the company is bought or for whatever other reasons, they can and will want to wipe your device entirely.
Again, it depends on the policy set for the device. I enrolled my personal iPad and that gives the company control over only the MS Office-suite of apps and anything in the corporate OneDrive. Certain other apps are also under the “managed” umbrella, so I keep personal stuff out of there.
They specifically can’t wipe my device or even see any of my personal data - only the “work related” parts of it. This is neatly cordoned off and controlled by the Microsoft Intune policies and accounts. Of course, they DO also enforce the password policy and auto-lock timeout settings, which I find reasonable.
I’m assuming your company has a “Bring Your Own Device” policy? I’d go through this in detail and check. If they don’t have a policy—they should have and I’d be extremely cautious.
In the end it’s the policy that counts.
Speaking as someone who both sits on the “other side” of the sentiment being expressed here, and who also wants to be able to use my own devices for some work related things: It’s not just a matter of trusting people with “company secrets”; there is also the (disturbingly common) problem of lost or stolen devices that contain sensitive information. Once a device is permitted to contain corporate information the information security folks become (at least partly) accountable for how that device is handled and for how that information is secured.
Answering your original question: I agree with the others that a serial number alone isn’t a risk, otherwise every second-hand iDevice would be at risk from its previous owner(s).
So the serial number probably allows their system to check which device is trying to cut and paste and gives me permission to do so. Fair.
Oddly, on laptops this cut and paste restriction doesn’t exist.
Simple rule of thumb. My personal device, my rules. If company wants me to be mobile then company provides device. I will NEVER install any profile nor give them any serial number. What if I lose the phone and some hacker steals company info, while I provide the serial number to company?
BTW, it seems to me to be rather stupid, to prevent Copy-Paste on an iPad as a security measure!
As long as it is still possible to take a screenshot (or a photo) the security value runs against zero…
I disagree with this. Of course it’s not possible to completely prevent exfiltration of textual data once you have sent it to be displayed on a screen (taking a photo, as you point out), but disabling a mechanism like copy-paste has a couple of important effects:
It prevents the inadvertent transfer of information via copy-paste out of ignorance, or misunderstanding.
It creates a situation in which copying the information can only happen as a deliberate and intentional act of non-compliance or malice. Dealing with non-compliance/malice is a different problem and requires different controls.
In theory at least, this can help an organization demonstrate that it has exercised due care in the handling of information with which it’s been entrusted. It may be a necessary control, if not a completely sufficient one.
Sorry, but I can’t see the differences!
Copy and Paste needs at least two active actions to be taken!
So it is not possible to do this “out of ignorance, or misunderstanding”.
If you are not allowed to pass information on, then it doesn’t matter if you are taking a Screenshot/Photo of the Screen, or use Copy-and-Paste, to steal the information.
I can’t see under which circumstances this could be a sufficient kind of control for the care of information by an organisation?
I agree. I would like to see how many IT and/or security professionals would be amused if copy/paste was prohibited by policy on their laptops… (the answer is: they would probably exclude themselves from that policy very fast).
I can understand that copy/paste is something you would like to prevent in certain cases, but it should be tied to information and not to a device. I can totally understand that certain information, labeled classified, has copy/paste restrictions, but blocking it on a device is just stupid in my opinion.
For example someone sends me a text which needs to be added to an e-mail for a client through Teams chat… when I’m not at my desk and only have my phone with me, I can only type it over in the email (or other document). Would I have been behind my desk it would be easy to copy/paste it.
It’s similar to the use of a non-disclosure agreement (NDA): a control places a limitation (legal in this case, rather than technical in the case of copy-paste) on how information can be further shared. An NDA places explicit limitations on the further disclosure of information, but has no mechanism to prevent disclosure by someone for whom legal restrictions are unimportant (someone acting with malice or engaging in espionage, for example).
I’ll agree with you that the inconvenience of non-targeted disabling of copy-paste on a device probably outweighs the benefits in most cases, but that’s not the same thing as asserting that a security control has no value if it’s not 100% effective.
Edit to add: Another example would be a railroad crossing that has bells and lights but no gate (common in parts of North America). There is nothing that physically bars a driver from crossing, but the bells and lights make it clear that there are likely consequences for doing so. They’re far from useless.