Hey everyone! I'm diving into the world of self-learning and I have a question about my personal devices and employer monitoring. If I own a personal computer or phone, under which of these scenarios could my employer decrypt and see my HTTPS internet traffic? Here are the options:

A) I have Mobile Device Management (MDM) on my devices but no root certificate installed.
B) I have a root certificate on my devices but no MDM.
C) Both MDM and a root certificate are on my devices.
D) Neither MDM nor a root certificate is on my devices.

Also, I assume all of this would fall apart if there's no legal man-in-the-middle setup via a next-generation firewall or proxy in place, right? Thanks in advance!
2 Answers
D is the safest option since it means you’re using personal devices without any work oversight. However, if you've logged into your work account, like O365, there could still be some level of access due to the permissions you accepted when signing in.
For options B and C, having a root certificate allows for man-in-the-middle attacks, meaning the employer can decrypt your traffic. Option A is a bit of a gray area; even with MDM, there's potential for certificate installation, but typically this wouldn't impact your personal activities much. Just remember, even without decrypting, employers can still see IPs and DNS lookups, so they could know you're using Instagram without knowing what you're doing there.
Wait, what do you mean by "accepting permissions"? Are you saying there's a hidden certificate involved?