Just to add to this: Many IT Security departments reflexively enable the "most secure sounding" option, even if it makes no sense, stops people working, or conflicts with other requirements. Generally there can be no meaningful debate about these settings, because nobody wants to personally wear the risk of disabling a security setting that is already enabled.
In my career I've always tried to enforce only the seamless security that users don't even notice, the kind that "works in the background". Most SecOps people have the opposite notion of this, thinking that systems aren't really secure unless they're in-your-face to the point of being obnoxious and interfering with regular business activities.
It's not secure if it's not theatre.
A random example is the "usage terms" that large orgs make everyone click through when they log in. These do nothing. Some text has never in the history of the world stopped a hacker hacking into a system. Illegal access is illegal whether you tell users about it or not. Crimes are crimes even if you don't have the legal code printed out and visible wherever that crime may be committed. The only users who will actually see the text are staff with contracts, staff that have their details registered with HR, staff that can be conveniently arrested by the police if they break the law. You know who doesn't see that disclaimer? Hackers.
Why does this matter anyway, you ask? Why not just "click accept" and move on with your life? Well... because when you log onto a shit-slow corporate terminal services desktop, that's a process that takes 2-5 minutes on a good day. Roughly halfway through, the process will stop and wait for 30 seconds for that acceptance click. No click, and the whole thing is aborted. It's a test to see if you have the patience to sit there, wasting minutes of your precious life on Earth watching a screen change colours while the system loads, click, and only then have a brief moment of freedom to do other things while the loading continues.
I put up with this every day, because some dingbat in legal thought that crimes will occur if they don't force 15,000 employees to click 'Accept' on text none of them have ever read. Every day.
It's a thousand cuts like that which add up to corporate misery, to the point where big vendors are being irresponsible to the public by adding anti-human features like this.