Remix.run Logo
trollbridge 5 hours ago

I once worked at a cybersecurity firm and they had a particularly botched rollout of MDM to Macs (which would regularly put the machine into an undesirable mode of 100% CPU usage plus max out upload bandwidth repeatedly trying and failing to backup the machine to some online backup service). I had work to do, so I simply disabled the MDM profile for the machine, installed an OS to my liking, and restored the apps I wanted to use, and went about things.

A year or so later the company hit hard times and we had a large layoff that affected me, and at the end of the video call, the directory of my department mentioned that they needed to wipe my laptops but it "wasn't showing up in MDM". I said I'd be glad to jump on a call with IT to fix that, but then he mentioned the IT staff were laid off too.

I then suggested I did get hired for my cybersecurity expertise, that I do take my obligations seriously, and he could just ask me to do whatever they were planning to do from the MDM console, and it would get done. He insisted that wouldn't be necessary since in his worldview the MDM was unbreakable and he just needed to reconnect to Wi-Fi or something.

Very amusing worldview. In the real world, where I live, I would assume a highly competent employee could exfiltrate trade secrets without me being able to catch them via standard / automated means. This particular Apple former employee got caught because he bragged about it, not because of technical means to catch him. As I've pointed out to a number of people, the very best DLP solution can be completely obviated by someone aiming a camera at their company-issue workstation's monitor.

justusthane 4 hours ago | parent [-]

> then suggested I did get hired for my cybersecurity expertise, that I do take my obligations seriously, and he could just ask me to do whatever they were planning to do from the MDM console, and it would get done. He insisted that wouldn't be necessary since in his worldview the MDM was unbreakable and he just needed to reconnect to Wi-Fi or something.

> Very amusing worldview.

It’s ironic that you’re displaying the exact behavior pointed out by the GP:

> This is how you behave when you think you're so much smarter than everyone around you that consequences don't apply to you.

MDM is implemented to protect company assets regardless of the actions of the users. It would not be due diligence on the part of the director to trust you to wipe your own device.

It’s not clear to me what the point of your comment is other than illustrating that you’re smarter than your director.

trollbridge 2 hours ago | parent | next [-]

I don't think I'm smarter than everyone else, but instead attribute this to organisational dysfunction. The problem (that went on for weeks) of the default MDM deployed software making some computers unusable was one everyone who got afflicted by it just found workarounds for, and in particular, our incentives were to get our jobs done, not to make sure we continued to allow the MDM deployed stuff to do whatever it wanted that was actively harmful to the company's best interests.

Considering the MDM was not implemented properly (particularly in an environment where one hires cybersecurity professionals, who are more likely than most to be able to figure out workarounds to it), it would actually be much more prudent to hire trustworthy staff who can be trusted not to steal company assets, trade secrets, and so on versus thinking you can conduct a zoom call on said company asset and then fire off a command via the MDM to wipe the laptop when the call is over.

I actually think the director was pretty smart, since he managed to avoid having an extended conversation about the lack of working MDM and ability to follow the procedure in front of the other person on the zoom call. Sometimes it's very important to be able to read between the lines of what someone is telling you.

Relying on remote wipes to secure company data is not a particularly strong plan, either (as this Apple saga should make clear); a determined person would simply be either constantly exfiltrating data, disconnect a machine from the network before it can be wiped, or other various plans (and do so without detection). I should know, since my job duties there were to advise customers on how to move towards a zero trust environment.

Barbing 3 hours ago | parent | prev [-]

Sounds like the boss's response was not to insist the proper procedure be followed, but to assert that the technology had to work as intended, and as soon as he figured out the issue on _his side_ the standard operating procedure could be followed.