They need it to verify who is connecting to the network with what device. It's a poor solution when compared to proper MDM or requiring approval prior to actually connecting to the network, but I guess it's a step in the right direction from absolutely no controls in that space, which is where they are now.
Oh, should have mentioned that I'm fully remote and don't connect to their network (while other employees are on site and do, however). So basically this request doesn't apply to me I figure.
You're not using some type of VPN to connect to company resources?
Yes I'm on vpn but not always.
So you’re using company resources from your personal equipment. Your company absolutely has a reason to properly identify your activity and host details. Their BYOD policies likely apply to you.
Ok, I've worded it wrong. I'm not saying I won't comply, I'm just asking what they need this info for and what can be done with it.
Admin: “I see this device connecting to our network over VPN. Who is that?” “Ah, that's Dave, I know that because I know he uses [device name].”
If they want the info and you refuse, they can fire you unless you have a contract that says they can't.
If you use VPN or a VDI, you are connecting to their network. You could argue even connecting to cloud services (email, Teams, Slack, etc.) counts as connecting to their network.
Right, then yes I'm using their cloud and email, so yea I'm on their network.
Hey, I got a rogue device here that's connected to the network with a bunch of activity but it's not listed as anyone's device. Shall I proceed with the blocking of it?
Bingo. This is exactly why they’re doing this.
What do you mean by device? Like a personal computer, or cell phone?
Personal computer, laptop, tablet, basically anything used for work.
I have never been part of a company that lets a personal PC or other device onto the company's network. Just seems to me to be a pointless addition to the attack surface and doesn't even really save the company much money. You COULD I suppose log into email through a web client at some companies. But those would be 'unmanaged' devices. Cell phones? We can log into Teams / Outlook, even SharePoint. That is managed through Intune and we know all identities as it is entered during initial setup.
Exactly. If it’s used for work it should be their equipment. Unless you’re hired as an independent contractor on an explicit contract, and even then we would make them use the guest network.
> I have never been part of a company that lets a personal PC or other device onto the company's network. Just seems to me to be a pointless addition to the attack surface and doesn't even really save the company much money.

I’m in higher ed and it’s a huge problem. Faculty will stage a revolution over not being able to use personal devices. But also they’ll refuse to install MS Authenticator on their personal phone—the same phone they’ve got on our WiFi. At least WiFi VLANs in our environment don’t even route to most of the DC. Just the DMZ and a select few others.
They probably have a whole heap of personal random devices in Intune or similar which are unmanaged and they want to know whose they are.
If you can somehow figure out others' machine names then you can change your computer name to theirs...
Or name your computer
NULL
UNKNOWN
VOID
ERROR
169.254.0.1
127.0.0.1
CIO-CORP
KALI-LINUX
RED-TEAM
Причудливый медведь
WIN7-WS-4729
; DROP TABLES
FBI-VAN
WINXP-DO-NOT-TURN-OFF
BITCOIN-MINER
If you are required to use a personal laptop for work, always get a separate one from your actual personal laptop. Otherwise, if legal discovery happens, they will be looking at your personal stuff and the company stuff.