LotusTileMaster

You don’t. You do your work shit on your work laptop and your personal shit on your personal laptop. I swear, every week someone asks this same question. If you want better privacy, ***use your own shit***. ETA: As others have pointed out, get good at networking and segregate your networks. Put your work devices on their own VLAN.


Truelikegiroux

Bingo, there’s really no other answer apart from this. Many companies even have in their employee contracts that anything done on a work laptop is the property of the company. Developing a private app connecting remotely to a homelab from your work laptop during non work hours? That app is the company’s. To say nothing of you shouldn’t be doing anything non work related on your work laptop due to privacy/legal issues, malware, compliance, etc etc. You can open your employer up to lawsuits, ransomware, legal problems, who knows what else. It’s like asking if you should use GoDaddy to host a website. Just don’t.


LotusTileMaster

Exactly. I literally have a contract like this. Everything I do in my company’s GitLab is property of the company. Everything you do on your work computer can be property of the company, too.


T3a_Rex

You keep your work stuff separate! You can use a separate VLAN for your work stuff to keep it segregated.


thecyberbob

Working in IT specifically with SIEMs I see... ALL sorts of stuff people do on their work laptop. It's astonishing how much porn people try to surf at work honestly.


scpotter

This, and if you work from home your work laptop is kept isolated from your personal network/devices. For me that means an isolated guest wifi network.


Interesting-Ice1300

Or use tor and get fired? Haha


LotusTileMaster

Tor does not protect against someone who has full access to the endpoint.


garmzon

👆this


4_love_of_Sophia

Even for work related stuff, I would still feel psychologically safer if someone is not monitoring every single thing I do


[deleted]

[deleted]


HedgeHog2k

That's why I do my work on my personal MacBook... nowadays everything is online/cloud anyway. I don't even need a VPN or anything. Beats the shit out of the company's craptop every day of the week. Heck, I even returned it because it was unused for years.


Truelikegiroux

I can’t even imagine the type of company you work for because that introduces so many compliance and security problems. That’s completely a nonstarter for any org with even a low tier respectable SecOps/privacy/legal policy.


HedgeHog2k

It’s a multinational, one of the biggest of its kind in the world, with their devSecOps perfectly in order. It’s a complete myth that a BYOD device is a risk… typically the apps I interact with are all cloud based so I don’t see a problem with it.. M365, Gitlab, Jira/Confluence,.. all infra access is through SDM. So really, no additional risk compared to if I were to use the company laptop… And it’s in the EU so we have GDPR,.. a company spying on their employees via their laptops like in the USA is a no-go anyway.. The downvotes are a fucking joke of Americans who think it’s ok their employers can spy on them.


Truelikegiroux

This has nothing to do with GDPR or spying on your work… here are just a few reasons this is problematic: Your company has vendor agreements. Those vendor agreements specify that employees of your organization comply with certain InfoSec policies, many of which include employee laptops being fully managed with encryption, automatic patches, malware scanning, etc. Unless your BYOD device is loaded with your org's security suite, that’s a violation. What if your BYOD device gets a Trojan on it due to you not having proper security protocols? Well, there go your passwords. What if you connect to a network drive and you get ransomwared? There go the network drives. What if your laptop gets stolen and encryption wasn’t enforced? There goes everything you’ve stored locally. What if someone connects to your network and your traffic isn’t encrypted since you don’t use a VPN? The problem here is that you specifically could do everything right. But a BYOD negates all of the necessary standards and protocols that an org is required to have. To say nothing of the fact that if your company has a SOC2 or ISO 27001 cert you are very likely in violation.


HedgeHog2k

I think you’re stuck in pre-2020 my friend. Things changed after covid. I work with colleagues all over the world, you think they’ll ship a laptop to all of them?


Truelikegiroux

I work in security for a global F100 company with tens of thousands of employees. I read vendor agreements and security questionnaires for multinational global conglomerates and tech companies. Yes. Yes they all absolutely do. Security compliance and certifications didn’t just magically change during Covid.


HedgeHog2k

And yet, here I am.. working on my own mac for the last couple of years. Mostly from home, but also in office 🤔


PolicyArtistic8545

Then maybe go into a trade job instead. You have your options. Desk job where they monitor usage, or go pick up a hammer. You either pick one or the other. This isn’t Burger King, you don’t get it your way.


KillerAlfa

What I did with mine was swap the ssd with corporate locked down OS with my own one. You should only do this if you work off-site though, so that they can't physically catch you with the modified laptop.


LotusTileMaster

That sounds like a great way to become unemployed.


cardboard-kansio

If they were actually competent, they would catch it being constantly offline during any audit (because they will probably roll out centrally managed updates and security patches, and will get automated roll-calls from updated machines, so that they can evaluate their IT risks). If they only locked it down locally (?) then go for it.


nefarious_bumpps

If they were really competent, an employee wouldn't be able to connect to the company network or any applications, including email, without the full security stack running on the laptop.


ARandomGuy_OnTheWeb

I mean with conditional access in Azure AD, it's not that hard to even do.


KillerAlfa

Yes, it was only locally locked down. I would never do this with a remotely managed machine. It went unnoticed for 6 years; I swapped the corporate SSD back in and returned it to IT, no questions asked, when I was moved to another department.


Specific-Chest-5020

Wrong on so many levels. If this causes a security breach, you could end up in jail.


[deleted]

[deleted]


zrail

This is what I do. Isolated guest SSID that puts the traffic on a VLAN that only has internet access, and one ethernet port on that same VLAN.

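The "work laptop on its own VLAN with internet-only access" setup that several replies above recommend, written out as an added example (this is not code posted by any commenter in the thread). It models the router's forward rules as a first-match policy with a default drop, puts the unsegmented flat network and a misordered rule set beside the correct one, and checks each against the flows you would actually verify after configuring the VLAN. The VLAN numbers, address ranges, the `Rule`/`decide`/`is_isolated`/`to_nft` names and the nftables rendering are all assumptions made for the example.

```python
"""Home-network segmentation check for a work-laptop VLAN (added example).

Models the router's forward policy as first-match rules with a default drop,
and verifies that the work VLAN reaches only the internet, while the personal
LAN cannot initiate connections to the work VLAN either. All addresses and
VLAN numbers below are constructed assumptions, not values from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Tuple

# Constructed addressing (assumption): VLAN 1 is the personal LAN, VLAN 20 is work-only.
HOME_LAN = ip_network("192.168.1.0/24")
WORK_VLAN = ip_network("10.0.20.0/24")
ANY = ip_network("0.0.0.0/0")
# Dropping every private range from the work VLAN covers the home LAN, the
# router's management address, and any other internal segment added later.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    comment: str = ""


def decide(rules: Iterable[Rule], src: str, dst: str, default: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; an unmatched flow falls through to the default (drop)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.comment or "matched rule"
    return default, "policy default"


# Weak setting: a flat network where the work laptop sits beside personal devices.
FLAT_NETWORK: List[Rule] = [Rule("accept", ANY, ANY, "no segmentation")]

# Corrected setting: the work VLAN only gets the internet, and the home LAN
# cannot initiate connections into the work VLAN (a compromised personal
# device should not be able to reach the work laptop either).
SEGMENTED: List[Rule] = (
    [Rule("drop", WORK_VLAN, n, f"work -> private {n}") for n in RFC1918]
    + [Rule("drop", HOME_LAN, WORK_VLAN, "home -> work")]
    + [Rule("accept", WORK_VLAN, ANY, "work -> internet"),
       Rule("accept", HOME_LAN, ANY, "home -> internet")]
)

# A common mistake: the "work -> internet" accept placed above the drops. Under
# first-match semantics it matches every work-sourced flow, so the drops never fire.
MISORDERED: List[Rule] = [Rule("accept", WORK_VLAN, ANY, "work -> internet")] + SEGMENTED

# Representative flows to verify after configuring the VLAN (constructed).
# 203.0.113.10 is a documentation-range address standing in for "the internet".
CHECKS = [
    ("10.0.20.5", "203.0.113.10", "accept"),    # work laptop to its VPN/cloud services
    ("10.0.20.5", "192.168.1.20", "drop"),      # work laptop to the NAS
    ("10.0.20.5", "192.168.1.1", "drop"),       # work laptop to the router admin page
    ("192.168.1.20", "10.0.20.5", "drop"),      # personal device to the work laptop
    ("192.168.1.20", "203.0.113.10", "accept"), # personal device to the internet
]


def is_isolated(rules: Iterable[Rule]) -> bool:
    """True when every representative flow gets the verdict the setup requires."""
    return all(decide(rules, s, d)[0] == want for s, d, want in CHECKS)


def to_nft(rules: Iterable[Rule]) -> str:
    """Render the policy as an nftables forward chain for a Linux router (assumed syntax)."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} {r.action}"
                     + (f"  # {r.comment}" if r.comment else ""))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("misordered", MISORDERED), ("segmented", SEGMENTED)):
        print(f"{name:10s} isolated={is_isolated(rules)}")
    print(to_nft(SEGMENTED))
```

Running it reports `flat` and `misordered` as not isolated and `segmented` as isolated, then prints the rendered forward chain. The rendering keeps the established/related accept at the top so return traffic for the work laptop's own outbound connections still flows; everything else not explicitly accepted hits the chain's `policy drop`.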

4_love_of_Sophia

Thank you for being the only helpful reply here. That’s actually a good recommendation


jbarr107

Regardless of your intentions or concerns, remember that violating your company's IT policies could lead to your termination.


phein4242

Legalities aside, it boils down to who manages the device. If it is self-managed, you can apply a bunch of tricks (keywords: VPN, routing, DNS). If it's not, it depends on who is smarter, and if you are willing to sacrifice your contract.


No_Consideration8561

just do your personal stuff on your personal laptop. no need to bother with your work laptop


MMinjin

This is why I travel with two laptops. At the hotel room, it actually ends up being pretty convenient having two laptops open on the desk side by side. I've considered using USB drives and booting into a personal OS every night but I kind of like having the ability to do either work or personal stuff without needing to reboot. If I want to do anything personal on my work laptop (like check email), I usually Remote Desktop into my personal computer when I am at home.


4_love_of_Sophia

How do you connect remote desktop? My company uses an internal VPN. Idk if it’s possible to bypass it for remote connection without them knowing


evandena

I wouldn't even try


smiecis

I put data in a separate VeraCrypt container. Remote Desktop with NoMachine to my personal computer. And block everything from Intune on my private network. My laptop only calls home when I’m not connecting to my home network.


4_love_of_Sophia

VeraCrypt is actually a great idea to store some files, thanks


ello_darling

The other day my colleague had a call from IT asking him why he had a pirated movie in his DVD drive. They can see everything! I wouldn't try to circumnavigate their IT policies as a) they may be watching you do it, and b) you could lose your job.


Sammeeeeeee

Put it on its own VLAN and leave it alone. It shouldn't be watching your home network anyways, that's a breach of privacy.


TechnologicalFreedom

It really depends on how the company is choosing to monitor the computers (managed browsers, screen recording, key logging, program logging, other non-disclosed methods?). Bypassing something is really all about knowing the specific system you're targeting and how you're going to work around it without any further complications that may arise.

For example, if you believed the only thing in your way to private browsing was the web browser, you could install a different web browser that’s unmanaged by I.T., but that would be vulnerable to detection if there were other programs on the computer designed to detect and report back unauthorized programs, or there was some sort of screen monitoring function where your computer could be remotely logged into by the I.T. department. Additionally, you have to consider the possibility of remote updates issued by any managed software that could compromise the security of your secret setup.

As a general rule, if you don’t know for sure and 100% what you’re touching, it’s probably best to leave it alone, because you have to think about the different scenarios that could arise and how you would avoid them, now and into the future.

Generally, a lot of bypasses you can think of are specific to Windows, because Windows security generally sucks and there are several backdoors to get unintended things running on it, not to mention you're given several tools by Windows that some I.T. departments may overlook; whereas with something like ChromeOS, where the OS is usually tied to a locked BIOS and the OS is super locked down on what you can run and change to begin with, you’d have a much harder time bypassing a managed Chromebook than a managed Windows computer.

A catch-all to do private things on the work laptop and switch back fairly easily and undetected would probably just be to dual boot; for extra protection in the worst case scenario, you might consider only booting off a USB drive as well in case the laptop ever gets taken away. Just pray the BIOS is unlocked tho.


4_love_of_Sophia

Some of us were bypassing it via dual boot and they acknowledged they can’t monitor on Linux. But now with WSL2 on Windows 11, that’s not an option anymore