I'm trying to understand how my employer can access my HTTPS traffic on my personal devices. Here are the scenarios I'm considering:
A) My personal computer or phone has Mobile Device Management (MDM) but no root certificate installed.
B) My personal computer or phone has a root certificate but no MDM.
C) My personal computer or phone has both MDM and a root certificate.
D) I have neither MDM nor a root certificate on my personal devices.
Additionally, I assume all of these setups would be ineffective if there isn't some kind of legal man-in-the-middle arrangement via a next-generation firewall (NGFW) or proxy. Can anyone provide insights on which scenarios might allow employer access? Thanks!
5 Answers
Just assume that your employer can see pretty much all activity on their devices and networks. If you want privacy, don’t use work devices for personal things at all.
In scenarios B and C, your employer could potentially decrypt your HTTPS traffic thanks to the root certificate. It effectively allows a man-in-the-middle setup where your data is unwrapped and inspected. A is a bit gray, as MDM could lead to certificate installation, but it's not straightforward. D is your safest bet since that means no employer control at all.
Just to add on, you should keep in mind that even without full packet decryption, employers can still track where you’re going online, including DNS lookups and IP addresses.
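To make the previous point concrete: even when the employer has no root certificate and cannot decrypt anything, the hostname you are connecting to travels in the clear inside the TLS ClientHello (the Server Name Indication extension), in TLS 1.2 and in TLS 1.3 alike unless Encrypted Client Hello is in use. The script below is an added example, not code from any answer here. It builds a constructed ClientHello record (not a capture from a real browser) and then parses the SNI out of it the way a network monitor on the employer's side could, returning None for anything that is not a well-formed ClientHello.

```python
import os
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal ClientHello record carrying an SNI extension.

    Constructed sample input for extract_sni(); the cipher suite and random
    bytes are placeholders, not a capture from a real client.
    """
    name = hostname.encode("ascii")
    # server_name extension (type 0): list length, name type 0 (host_name), name length, name
    server_name_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(server_name_entry)) + server_name_entry
    extensions = struct.pack("!HH", 0, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                            # client_version
        + os.urandom(32)                       # random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None.

    Only the unencrypted handshake header is read; nothing is decrypted.
    Truncated or non-ClientHello input yields None instead of an exception.
    """
    try:
        if record[0] != 0x16:                  # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                      # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                        # truncated capture
        pos = 2 + 32                           # skip client_version and random
        pos += 1 + body[pos]                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                   # compression_methods
        if pos + 2 > len(body):
            return None                        # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                  # 0 = server_name
                continue
            list_end = 2 + struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com")
    print("hostname visible without decryption:", extract_sni(hello))
```

The parser walks the handshake with explicit length fields rather than searching for the hostname string, so it also shows why this is reliable for an observer: the destination name sits at a fixed, well-defined place in every standard ClientHello. DNS queries expose the same name unless DNS is encrypted.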
D is definitely the safest option here; it basically means your devices are non-work related. But remember, if you’ve logged into any work service, like Office 365, you might have accepted some terms that grant them access in some way.
What do you mean by accepted terms? Are you talking about something like agreeing to a hidden cert?
If your device has a root certificate, an employer could impersonate any HTTPS site easily. They might use a proxy or NGFW to intercept traffic without users even realizing it. There are tools out there that automate this process for monitoring as well.
Could you explain if a man-in-the-middle setup always requires a next-gen firewall?
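The practical check for scenarios B and C, from the device owner's side, is whether a root that was not there before now sits in the trust store. The script below is an added example and not code from any answer on this page. It takes a snapshot of the roots Python's ssl module can see in the platform store and compares it against an earlier baseline; the baseline and "after enrollment" lists are constructed sample data in the shape `SSLContext.get_ca_certs()` returns, with placeholder serial numbers, not real certificates.

```python
import ssl


def cert_key(cert: dict) -> tuple:
    """Stable identity for a cert dict as returned by SSLContext.get_ca_certs()."""
    return (cert.get("subject", ()), cert.get("serialNumber", ""))


def subject_cn(cert: dict) -> str:
    """Pull the commonName out of the nested subject tuple, if there is one."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<no commonName>"


def is_self_signed(cert: dict) -> bool:
    """Root CAs are self-signed: subject and issuer are the same name."""
    return cert.get("subject") == cert.get("issuer")


def snapshot_system_roots() -> list:
    """Return the roots the platform store currently exposes to Python.

    Platform-dependent: on Windows this enumerates the system ROOT/CA stores;
    on macOS, Python builds that ship their own CA bundle will not show the
    Keychain, so the OS tools remain the authoritative view there.
    """
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs()


def roots_added_since(baseline: list, current: list) -> list:
    """commonNames of roots present in `current` but absent from `baseline`."""
    known = {cert_key(c) for c in baseline}
    return sorted(subject_cn(c) for c in current if cert_key(c) not in known)


# --- constructed sample data (not real certificates) -------------------------
def _sample_root(org: str, cn: str, serial: str) -> dict:
    name = ((("organizationName", org),), (("commonName", cn),))
    return {"subject": name, "issuer": name, "serialNumber": serial,
            "notAfter": "Jan  1 00:00:00 2040 GMT"}


BASELINE = [
    _sample_root("Public CA One", "Public Root CA 1", "SERIAL-PLACEHOLDER-1"),
    _sample_root("Public CA Two", "Public Root CA 2", "SERIAL-PLACEHOLDER-2"),
]
# Same store after a hypothetical enrollment that pushed one extra root.
AFTER_ENROLLMENT = BASELINE + [
    _sample_root("Example Corp", "Example Corp Inspection Root CA", "SERIAL-PLACEHOLDER-3"),
]


if __name__ == "__main__":
    print("added in sample data:", roots_added_since(BASELINE, AFTER_ENROLLMENT))
    live = snapshot_system_roots()
    print(f"{len(live)} roots visible to Python on this machine;",
          f"{sum(is_self_signed(c) for c in live)} are self-signed")
```

Used for real, the baseline would be a snapshot saved before MDM enrollment (or before any employer profile was accepted) and the comparison run afterwards; a root that appears only after enrollment and whose organizationName is the employer is the signal that answers B and C describe. The check says nothing about scenario A, where an MDM agent could install a root later, so it is worth repeating after every profile update.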
Honestly, my knowledge on this is pretty limited. I’m curious just like you! But it does seem like employers can potentially access more than we might think, especially with the right tools.
Most folks here know their stuff, so don't worry! You came to the right place for answers.
Could you go into more specifics regarding my situation?