Writing

Software, technology, sysadmin war stories, and more.

Friday, August 20, 2021

Your devices and your employer

I wrote the other day about how I went out and bought a second cell phone just because I wanted it to take the burden of all of the crap my new employer was about to throw at me. I didn't get into the reasoning behind this, or some of my experiences, and figured it's probably worth some explanation.

Let me back up in my career a few years. First there was the big G. This was before the days of smartphones as we know them today, and I was a pager monkey, so a pager I did receive. It was a giant bulky thing that could actually do two-way communications (sometimes). This meant that you could get a page and acknowledge it from that device - as long as you weren't eating lunch in Charlie's, where the two-way part didn't work. I also was given an ExpressCard (see, I told you this was a long time ago) cellular device which would let me get online with the company laptop from anywhere it had service.

This was far enough back in time to where we all still had desk phones, and assigned numbers that would ring in straight from the outside world, if you can believe it. Mine never got any use, but it was definitely there for the first couple of years.

When I got out of the pager monkey job, I returned both the pager and the cellular data gizmo, and felt an immense weight lifted. I spent the rest of my days there relatively unattached, or basically, like most people at the company. Only a relatively small group had to carry pagers and cellular data devices around, and I had left it behind.

In those times, things were relatively simple. The most mixing of work and personal stuff you could do was using your work laptop for other stuff. I did this, and I know now that it was stupid, but I will now explain how it came to be for the sake of others reading about it.

When the first iPhone came out, I saw how well the maps interface worked and decided to buy one right away. Those phones were sold and set up in an interesting way: the ATT store was the only place to get them, and they handed it to you in a sealed (!) bag. You had to take it home and hook it to a Mac running iTunes in order to set it up.

At that point in time, the only Mac I had was the one from work. I was familiar with iTunes on it because I had used it to rip a bunch of my CDs so I could listen to my music on it at work. Honestly, that's most of what that machine did while at the office, but I digress. Anyway, I used it to set up my phone, and so now I had yet another dependency on their laptop.

I eventually bought myself a clue by getting my own Mac laptop a couple of years later, and moved all of the "phone sync" stuff over to it. Then I cleaned that stuff off the work laptop, and that was that.

The story doesn't end there with this particular company. Since smartphones were becoming a thing, it was becoming kind of expected that you would sign into your "corp" gmail to keep tabs on things. I certainly had done that, and I'd use my phone to see if anything was going on.

Around 2009 or 2010, the company decided to try to pull a fast one on some of us. They said that our original NDA somehow hadn't gotten signed (what?), and that we needed to re-sign it. I asked the HR weenies for a copy of the original one from back when I started, so I could visually 'diff' them and see what had changed. I credit one of my coworkers for suggesting they might be changing the story on us - I wasn't appropriately wary at this point in my life.

Sure enough, they delivered, and sent me the original NDA. Note: they didn't send me *AN* original NDA they were using circa 2006 when I started. They sent me *THE* original NDA, complete with my signature from the day I started! Yes!

So then I started reading along, doing my best to do a 'diff' in wetware, and found that they had actually added some clauses. One of them amounted to 'taint' for your personal devices. Basically, if you signed in to your corp gmail from a device, they claimed the right to audit it at any point in the future.

My immediate response was to stop checking mail (or really, doing anything else work-related) from my personal devices. My iPhone, my personal machine's web browser, all of that stuff? I just let it go. Whatever it was could wait until the next day at the office.

I should point out that I did eventually sign this new thing, even though it was a crock of shit and I knew it. I did this because at that time, I still wasn't fully "over it", and figured it was worth staying there and continuing to work. Also, my direct manager had started making requests for me to sign it, because I guess HR was leaning on him?

This last one probably pushed my button of "do not make life unnecessarily interesting for other people if you can help it", and that guilted me into signing it. Then they went away and left me alone, but of course, I never touched "corp" stuff from any of my devices again.

I later found out that other people had this same thing happen to them: same lie about "not being signed", same change in the wording, and same pressure put on them by their immediate management chain.

...

So then you jump forward a couple of years and come to FB. They made this easy, if you took the right steps. On your first or second day of work, you get a laptop and a phone. I decided on the spot to make up a fresh set of accounts, and so created another e-mail alias on one of my domains, then used it to make a fresh iCloud account that was used on the corporate iPhone and corporate Mac.

I managed to go that entire span without ever loading or accessing any of that stuff from my personal phone. Even now, if I go to the app store, the little icon for FB and their many other apps still says [GET] instead of the little cloud download thingy that means "you had this already".

Some people chose to port their existing phone numbers (!!!) to the corp phone and then retired their personal phone. This was a very bad idea. I am glad I didn't do this, and I will advise anyone against doing it.

Basically, when you quit, you have to go through this process of getting your number released from their mega-account with ATT or whatever, and that's just one more bit of turmoil in a time when you just want to be done with it.

By way of comparison, since all of my stuff was separate, I just logged out of iCloud on the devices (at their request), left 'em on the conference room table, and headed for the door. Easy!

...

Then, more recently, we come to Lyft. They didn't issue phones, but did expect you to load on LastPass, LastPass authenticator, Duo, Slack, Atlassian stuff for Jira and whatnot, various Google apps for twofac, sheets, docs, calendars, mail and so on, TestFlight, Slido, PagerDuty, FB Workplace (!), plus the "alpha" build of the actual passenger app, and a bunch more stuff. I found out about this the day before I started, and so picked up a new phone to keep it all walled off. It, too, got a new iCloud account, even though it was still a personal device.

When I left, I just deleted all of their crap from the phone. If they had tried to encumber that device, I would have become the biggest Karen you can imagine and blown it up all over every outlet I could find. Fortunately, they never tried it, and so it ended quietly.

...

There is one thing I need to mention for anyone going the separate iCloud account route on corp devices: you *probably* should make sure you have it logged in from a personal Mac or something like that, or some other place where you can have passcodes sent. The reason is that if you should quit, you lose access to the authorized devices (phone, laptop) which will receive auth codes.

Why does this matter? Well, if you end up using any amount of storage (like backing up the device), they are going to want you to pay for it. You'll probably end up typing in a credit card number and all of that stuff.

Assuming you ever want to turn that off, you're going to need some way into the account. If you don't have a way to approve the login and provide the passcode, fixing that is going to be rather difficult.

For this reason, you'll probably want to go create a separate non-admin account on your Mac, then associate it with that "burner" iCloud account, and just let it sit there. Don't use that account on the machine for anything else. Then, if you ever need to get back in and shut things down to stop the autopay stuff, you'll have a way.

Been there, done that.

...

Final thoughts: I realize that many people do not have the option to just go and drop a couple hundred bucks on an additional phone and then add another $100/mo to their budget for the service. I did, and consider myself immensely lucky that this point of my life allowed me to do that. I, too, did not always have this option.

If you're like the younger version of me and can't afford to pick up another phone just to keep your work and personal lives separate, you may have to make some compromises in the name of not rocking the boat with your employer. If this happens, don't feel too bad about it. Every day, people have to suck it up and deal with relatively sketchy treatment from their employers, and can't speak up without fear of reprisal.

Anyone who would think less of you for doing what you had to do to keep a roof over your head and food in the mouths of you and your family is not someone worth listening to. I hope you won't take my advice to "split things up" as an ironclad requirement. It is simply a bunch of stuff that I hope people would try to do, but I also totally understand if you cannot for whatever reason.

Accordingly, if I missed anything else in this post that seems simple to me but is actually perilous for other people, I hope you won't respond too harshly.