Sprint Faces Backlash For Adding MDM Software To Devices

itwbennett writes: On Wednesday, Sprint customer Johnny Kim discovered an in-store technician adding MDM software to his personal iPhone 6 without prior notice or permission. Kim took to Twitter with his complaint, sparking a heated conversation about privacy and protection. One expert who commented on the issue told CSO's Steve Ragan that 'it's possible Sprint sees the installation of MDM software as an additional security offering, or perhaps as a means to enable phone location services to the consumer.' But, as Ragan points out, 'even if that were true, it's against [Sprint's] written policy and such offerings are offered at the cost of privacy and control over the user's own devices.' (MDM here means "Mobile Device Management.")

Nice summary!

[Just+Some+Guy]

Credit where it's due: adding the definition of "MDM" at the end was a nice touch for those not already in the know.

Re:Nice summary!

[HiThere]

Extremely helpful. I kept reading it as a misspelled Man (in) The Middle...and kept wondering what the D could actually stand for.

Sounds like I got the meaning correct, though.

Re:Nice summary!

Credit where it's due: adding the definition of "MDM" at the end was a nice touch for those not already in the know.

Perhaps, but going the extra step to define it for this audience is like having to spell out STD in a porn workers forum.

Re:Nice summary!

[Sowelu]

I think you've forgotten how multidisciplinary Slashdot is. Hell if I've ever seen that acronym before.

Re:Nice summary!

[zlives]

Man in Da Middle

Re:Nice summary!

[mitgib]

Credit where it's due: adding the definition of "MDM" at the end was a nice touch for those not already in the know.

Perhaps, but going the extra step to define it for this audience is like having to spell out STD in a porn workers forum.

Isn't it proper journalism practice to define acronyms on their first use, then continue on using the acronym through the remainder of the story? Doing it at the end does make it seems as I am splitting hairs, which I am not, as long as the acronym was defined, I understand it.

Re:Nice summary!

[Just+Some+Guy]

I only knew what it was because a previous employer's IT department kept wanting to infect my phone with it.

Re:Nice summary!

[__aaclcg7560]

If you think Slashdot is journalism, you got issues to work out.

Re:Nice summary!

adding the definition of "MDM" at the end was a nice touch for those not already in the know.

Better late than never, but it would have been nice to have it defined at the start. I read through wondering WTF they were talking about. The acronym was too wrong to be a typo of MITM and made no sense as a typo of MDMA.

Re: Nice summary!

Agree, and also they really should spell out the acronym on the first use (not at the end) -- though that is just a minor nitpick.

Re:Nice summary!

[Darinbob]

Huh? I still don't know what MDM is without following that link. We're a bunch of engineers and high tech people, here, unused to the low tech social media smart phone culture.

Re:Nice summary!

[bhcompy]

Yes, we're all mobile device acronym experts here.

Re:Nice summary!

[Opportunist]

To be fair, it's not far from what is considered journalism today.

I mean, the difference between copy/pasting from other places to aggregate stories isn't that far from copy/pasting press agency reports and cutting it so the ad fits on the page.

Re: Nice summary!

[SQLGuru]

Yeah....as I was reading the summary, I actually opened the link to the article (in a new tab) so that I could get a definition.......being as this is Slashdot, I was very surprised to see the definition of the term at the end of the summary (which is why I had opened the link).

Re:Nice summary!

[rsclient]

It's only common within a subset of the community.

I've been a Slashdot reader forever; I own a smartphone; I have been a professional programmer since before they even had smartphones. But until I joined a group that actually had to interact with MDM software (I do email sync; we need to interact with policy managers to support Exchange ActiveSync policies), I had never heard of MDM as an acronym.

Re:Nice summary!

[CanadianMacFan]

Proper writing period, not just journalism. When you introduce acronyms in technical manuals, letters, newspaper articles, or even webpages then the correct usage is to write out the term on the first usage followed by the acronym in parentheses immediately after. From then on one can use the acronym.

While it was nice to have the acronym defined it was weird to do so at the end because it would have made the summary easier to read instead of having the uncertainty while reading the summary and then finding it out.

As to not having to define it for this audience I would say that it's not common enough to warrant one. I'm fairly knowledgeable about the acronyms and didn't know what it was. I would say things such as MS (Microsoft) or IP (as in IP address) wouldn't need definitions but once you start going into a specific domain then it would be polite to add it even if it may be common to you.

Re: Nice summary!

What is "IT"?

Re: Nice summary!

That's something they teach in Editing 101, which you have to fail before becoming a Slashdot editor.

Re:Nice summary!

MDM/ Mobile device management is how corporate environments connect moble devices into central managment systems. Apple basically invented the system with profiles and Apple configuration app. Admins can create a profile the tells the phone about a long list of things. From certificates to install/trust, apps to install, apps to block, what server to respond to wipe/reset. How to report location data for tracking, If a passcode is required. VPN configurations... on and on.

MDM is for companies not personal phones and phone providers.

Re:Nice summary!

[mwehle]

I have been a professional programmer since before they even had smartphones.

Too funny! Now get off my lawn...

Re: Nice summary!

A book (and movie) by Stephen King.

Re:Nice summary!

Apple basically invented it? Please. How about a citation for that? Apple hasn't invented anything. (Hint: Look at BlackBerry then apologize to the class for being disruptive.)

Re:Nice summary!

[shri]

And I thought it was some sort of MoDeM software which would enable you to use your phone as a modem. :)

Re:Nice summary!

[sumdumass]

Would that be std in, std out, or std err?

I mean i view a lot of porn so I should be qualified to understand but damned if I do.

Re:Nice summary!

I was amazed frankly....

Re: Nice summary!

I think either use of stdin or stdout in this context is an stderr.

Re: Nice summary!

[NoZart]

According to my universities "Women in IT" Group, it stands for "internet technologies" XD

Re:Nice summary!

[eionmac]

Concur.

Re:Nice summary!

Yeah it's a Chicagoan MIM attack used by da Bears (Ditka).

LOL

Man is Sprint retarded. SoftBank should have bought T-Mobil instead...

I don't care how Sprint "sees it"

[U2xhc2hkb3QgU3Vja3M]

It's not their devices and they should not be installing software without the express permission of their owners.

Fight for your bitcoins!

Re:I don't care how Sprint "sees it"

If the phone is part of a contract, you're wrong. If the phone was bought outright, you're STILL wrong, as once you agree to (insert mobile service provider) terms, it becomes their stuff.

Re:I don't care how Sprint "sees it"

[PmanAce]

If it was your device, why can't you root it legally?

Re:I don't care how Sprint "sees it"

[Holi]

Which is their stated policy. Personally I see this as some dissatisfied tech who planned on trying to access the phones later for pics and credit card numbers.

Re:I don't care how Sprint "sees it"

When you help fix someone's PC, do you ever install any software on it - Virus Removal software included?
If I ran a multi-billion dollar company that repaired "computers" you can bet the first thing all Techs would do would be to run a standard tool that would look for the most common problems, saving my company millions in labor costs.

Re:I don't care how Sprint "sees it"

Because that would allow you to violate the rights of copyight owners.

Re:I don't care how Sprint "sees it"

wrong

Re:I don't care how Sprint "sees it"

[PmanAce]

And why is it legal for some Android phones to be rooted then?

Re:I don't care how Sprint "sees it"

[__aaclcg7560]

I had a job interview at a multi-billion-dollar company a few years ago. The IT department wasn't allowed to license anti-virus or anti-spyware utilities because the software companies weren't in the multi-billion-dollar league, as any purchase from a smaller company would be seen as an "endorsement" by the larger company. (The hiring manager made it sound like the Prime Directive from Star Trek.) The IT techs spent all their time manually removing spyware and viruses from laptops. Unless the laptop got hosed, they weren't allowed to reimage the laptop. I turned down the job offer.

Re:I don't care how Sprint "sees it"

[Calydor]

Are you installing a program on another person's computer, without his knowledge and consent, that will allow you to at any time take control of that computer again without his knowledge and consent?

That is not legal. That is how botnets work.

Re:I don't care how Sprint "sees it"

[Darinbob]

If it's Sprint's phone, then Sprint should be the one paying for it.

Re:I don't care how Sprint "sees it"

[Opportunist]

The times of "I pay for it so I own it" are gone. Today you gotta be happy if only your device is owned by some corporation and you still may decide what you do with your body.

Just wait 'til implanted technology becomes available, then this is gone too.

Re:I don't care how Sprint "sees it"

[Opportunist]

Indeed, why can't you?

Re:I don't care how Sprint "sees it"

[Opportunist]

Sorry, but if you install software on my computer that allows you access to it without my explicit prior consent to this, rest assured that whether I just discontinue business with you or send my legal department after you depends only on whether or not you have a bigger legal department than me.

One thing is certain: You will not have me as a customer anymore.

Re:I don't care how Sprint "sees it"

[CanadianMacFan]

If the phone is part of a contract you are paying for the phone over a number of installments. Paying for a car by using a loan doesn't make it bank's.

The provider's terms don't make the phone theirs either. Just like signing up to an ISP doesn't make your computer belong to that ISP or by getting a license for your car doesn't make it belong to the government.

Re:I don't care how Sprint "sees it"

Actually, you are completely wrong.

If Sprint is adding mandatory MDM, then the device is enrolled in Apple's DEP program. That is an enterprise-only plan, and can only be used on devices directly ordered and owned by the enterprise. Basically, agreeing to the terms of service for a plan ABSOLUTELY CANNOT get around the fact that Sprint does not own the devices.

If this has happened on a Sprint enterprise deployment account, Apple should revoke all of Sprint's enterprise accounts.

Re:I don't care how Sprint "sees it"

The firmware and software on the phone is not yours; you only license the use of it. Also you agreed to the EULA by using it.

You also agreed to the Spring T&C when you purchased the contract for their service.

Re:I don't care how Sprint "sees it"

Because Apple is more interested in protecting copyright holders so copyright holders are more inclined to use Apple's platform. Take Netflix for example, available on iOS long before Android (and even when it was on Android it was limited to certain devices) because of its protection of the rights of copyright holders.

I understand a lot of people dont agree with that and that's fine. Some people feel these restrictions infringe upon their rights, so they have the right to choose not to use a platform with those restrictions. However this can also mean you are locked out of content.

Re:I don't care how Sprint "sees it"

[PmanAce]

I never said it was legal on all Android devices.

Re:I don't care how Sprint "sees it"

But it's possible on pretty much all Android devices, it just depends on how (and if) they are secured.

Re:I don't care how Sprint "sees it"

Wrong. Rooting a phone you own does not violate copyright. It may make piracy easier, in that you're now free to install pirated stuff. On the other hand, sw publishers are free to refuse to operate on such a phone.

Re:I don't care how Sprint "sees it"

Well, there is no need to "install" a fixup tool. Run it from an usb stick instead. Faster, and don't inconvenience the owner with extra sw. And no problems if the disk is completely full either.

Re:I don't care how Sprint "sees it"

You include in the contract that your company name/log etc cannot be used for advertising or marketing purposes. Probably cost legal 1 week extra in staffing costs to save how much wasted rework by IT ?!?

Re:I don't care how Sprint "sees it"

[sumdumass]

Its not really the act of rooting that is the problem. It is the dmca anti circumvention law that makes circumvention as well as most collaboration and dissemination the problem.

Re:I don't care how Sprint "sees it"

[GerbilKor]

Personal (non DEP) devices can have Mobile Device Management installed on them. It is common for companies who let employees bring their own devices. The only difference is that DEP devices can do it automatically over the air rather than needing to go to a website or sign into an account to set it up. https://www.apple.com/business/dep/

Re:I don't care how Sprint "sees it"

[the_B0fh]

Who says you can't? Whether you have the technical means to do it or not is a different matter, but legality? No problems there.

Everyone is blaming Sprint

[Holi]

When Sprint has policies in place that actually forbid that action without a customer request. Isn't it more likely you have an unethical tech who is looking for future access to phones?

Re:Everyone is blaming Sprint

[Archangel+Michael]

Except, it is a Sprint owned MDM and domain.

Any sufficient level of incompetence is indistinguishable from Malice. Which is the more likely scenario, Incompetence or Malice? Knowing Sprint Techs, Incompetence is my initial guess.

Now, if it was something out of Corporate, I would assume Malice. Just because it usually takes evil to get to the top of such organizations.

Re:Everyone is blaming Sprint

[Holi]

I was claiming malice on the part of the tech hence the term unethical.

Re:Everyone is blaming Sprint

[gstoddart]

Here's the alternative: the technicians are so incompetent they don't know the meaning of individual steps and just do them by wrote, have no idea what the policy says, and don't give a fuck about your phone.

Essentially a malicious level of incompetence.

Re:Everyone is blaming Sprint

[sherr]

"Rote".

Sorry if I'm being a Nazi, I never know if someone just typo'd something or acutely used the wrong word, and if so if they would appreciate knowing the correct one or not.

Re:Everyone is blaming Sprint

Not necessarily.

Some people are just proactive in their debugging. This might be a tech that heard once that "installing blah-grot app means you can fix it over the phone next time". It might run contrary to policy but very few people perform their duties by first questioning every word handed to them by their manager. You're not expected to double-check your manager follows the corporate guidelines. Line staff follow the orders you give them.

We've all been in that position where we hand our laptop to someone to browse the internet and the first thing they do is install a search bar. They do it because it's familiar to them. They don't realize what they're doing is bad in any way. They also don't believe that installing an application on someone else's computer violates any sort of etiquette (hint: it does). Some of these people don't even understand what software installation does, nor do they care much for configuration management.

It's not necessarily malice. It could be simple ignorance.

Re: Everyone is blaming Sprint

That's why Macs have a self destructing guest account. You hand your computer to someone , they run in an unprivilded environment and all changes are deleted on log out, the account is destroyed, and rebuilt next time it's used.

It's won't stop someone who really knows what they are doing and has malicious intent, but it nukes virtually all bad etiquette behavior

Re:Everyone is blaming Sprint

[gstoddart]

Sir, I would love to commend you on reaching level 7 in your quest to be a full-fledged pedant.

And while your goal of offering enlightenment to others is commendable, I must caution you that pedantic behavior is, ultimately, a reward only to the one opting the exhibit the pedantry.

But, with great haste and alacrity I will endeavor to send my endorsement letter to the Counsel of Tedious Grammatical Endeavors. ;-)

Re:Everyone is blaming Sprint

Correcting the use of the WRONG WORD is not being pedantic. He was even fairly polite in his correction. You seem like you just need to learn to take criticism.

Re:Everyone is blaming Sprint

[gstoddart]

You seem like you just need to learn to take criticism.

You seem like you just need to learn to spot humor.

Not according to TFA

[tomhath]

Isn't it more likely you have an unethical tech who is looking for future access to phones?

Reading the article (yea, I know) it seems Sprint gave him several different reasons why it was installed. None of which included rogue technician.

Re:Not according to TFA

[Holi]

Sprint support staff gave him several reasons. I took that to mean the call center jockeys. It does not seem like it was Sprint Corporate telling him that, it was more like barely trained support staff who probably don't even know what MDM is. We also know it was a tech who manually installed it so the whole pre-installed claptrap was obviously pulled out of someones ass. I would not be surprised if some tech was installing it on many phones knowing it would give him access at a later point. And no Sprint is not going to admit that until they absolutely have to.

Additional "features"

On a side note, after using androids exclusively I was finally talked into getting an iphone when it was time to upgrade. So far I don't have any problems with the phone itself... but one BIG noticeable difference is every few weeks after using my new phone I get random calls from phone scammers/telemarketers. That's after I took the time to harden my phone as much as possible without jailbreaking it. Never once had this issue with the Andriod and the same friend who talked me into it finally mentioned that in the fine fine print apple blatantly says they sell your info to third parties which explains the calls.... so this will be the last apple product for me.

Re:Additional "features"

[unimacs]

The only calls I've gotten on my personal iPhone that weren't from people I gave my number to were wrong numbers.

Re:Additional "features"

Bunch of lies troll!

Re:Additional "features"

Well I've had the same number since 2001, and used an android for the past 6 years. Never once use to get wrong numbers or telemarketers until I switched to an iphone this fall. Now I get every few weeks and they're those "you have won a free trip" automated recordings. It also reset my choice to limit ad tracking under settings/advertising the past two ios updates which wasn't cool of them either.

Re: Additional "features"

Correlation is not causation.

At least when I worked there, Apple does not sell customer information to third parties and they were extremely strict about what they disclosed to partners (eg companies delivering on site service for AppleCare)

I doubt very much that they have suddenly started doing it

Re:Additional "features"

[andymadigan]

I just got a new iPhone (in September) with a new number. No telemarketing calls at all. Of course, I bought the phone at the Apple store and use it on T-Mo. If you're getting calls, I'll bet it's not Apple that gave out the number.

Re:Additional "features"

I bought mine sealed new in box and took it to a local corporate verizon store to get activated. Same number I've had since 2001. The employee never installed anything, and the phone didn't leave my hands for more than a minute. There's no trolling or malice involved here despite apple fanboys having modded it down. I'm just recalling my own recent issues with phone quirks and the negative experience has led me to not want another apple phone after 14 years of peaceful bliss.

Re:Additional "features"

[ShaunC]

I was finally talked into getting an iphone when it was time to upgrade. So far I don't have any problems with the phone itself... but one BIG noticeable difference is every few weeks after using my new phone I get random calls from phone scammers/telemarketers.

Did you install the LinkedIn app on that phone?

Re:Additional "features"

[andymadigan]

You're absolutely certain it was a Verizon store and not a "premium reseller" (which often use the Verizon branding)? And you're sure Verizon themselves don't sell your information?

Practically any company you've given your number to in the past 14 years might have decided to sell it to some scummy company, but it's extremely unlikely that it was Apple.

The various Apple license agreements are at http://www.apple.com/legal/ , I'd be interested to see what clause you think Apple has that would allow them to sell your phone number.

Re:Additional "features"

[the_B0fh]

Wow. To make up such nonsense. No wonder you had to post a AC.

Dumbphone FTW

Every time I want to upgrade to a smart phone I think back to the 1990s when I didn't have a cell phone. Then about issues like this.

Having a tiny portable phone in my pocket: $20.
Not having to treat it like a crotchety piece of IT equipment: priceless.

Great sentence structure, SprintCare!

[wardrich86]

"Did you not want to installed it? Let us know!"

Also - clearly he didn't fucking want it installed... Is it a new rule now that Customer Service just not read messages at all?

Re:Great sentence structure, SprintCare!

[Opportunist]

*after bashing techs head in*

Didn't want to get beaten up? Let me know!

Re:Great sentence structure, SprintCare!

[CanadianMacFan]

When did they start reading messages?

How to tell if you may have MDM

[plover]

On your iPhone, go into Settings / General, select Profile, then look at the profiles that have been added. A stock iPhone has none. If you have an ISP who adds a cert that allows you to connect to their hotspots, you may see that here. If you have installed your company's MDM, perhaps a product like AirWatch, that will show up here. If you see something you don't recognize, that's when you need to do some research.

Inside the profile you can view the certs it installed. A WiFi cert will list what it can do: be wary if it includes a proxy.

Re: How to tell if you may have MDM

I see no profile option under settings/general

Re: How to tell if you may have MDM

[thoromyr]

Nor do I. The iPhone settings has a search feature. Doing this finds it, which is under settings/general -- but it is still not there. I'm not sure if it is hidden due to a snafu or malicious intent...

Re: How to tell if you may have MDM

[Kozar_The_Malignant]

It's only visible if a profile has been installed.

Re: How to tell if you may have MDM

I know of no means by which MDM profiles can be hidden on iOS (Note: i have significant experience here as I work for one of the major MDM vendors.)
Apple's MDM implementation does not allow any MDM to block removal of the MDM profile. The owner/operator of the device has complete control and can manually remove the profile and any client apps at any time.

Sprint clarifies the confusion

[zlives]

The technician misheard the customer, the customer said " i do NOT want to be ass fucked". the tech didn't hear the NOT.

Re:Sprint clarifies the confusion

The customer said "I DO NOT want that." The technician heard "I DONUT want that." Donuts are fucking tasty and hell yes everyone wants a donut, so of course he installed it.

I don't understand ...

[gstoddart]

At what point was the technician handling his phone, and what was he doing with it?

Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going become unreasonable quite fast.

I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.

Surely he didn't walk into a Sprint store and hand the technician his phone, did he?

Re:I don't understand ...

[The-Ixian]

Don't you have to enter an iTunes password every time you go to install an app on an iPhone?

If so, then why would the user allow this app to be installed in the first place?

Re: I don't understand ...

It's not an App.

Apple builds the MDM agent in to the operating system, so you just need the devices passcode.

They have the simplest setup assistant imaginable , there is no reason why a third party needs to be physically handling your unlocked phone to set it up. In fact if the phone is not in the original shrink wrap when they bring it to you, or there is any evidence of tampering, I'd ask for another one.

Re:I don't understand ...

[jittles]

At what point was the technician handling his phone, and what was he doing with it?

Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going become unreasonable quite fast.

I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.

Surely he didn't walk into a Sprint store and hand the technician his phone, did he?

Every time I've bought a device from the network provider, I make them hand me the box, still shrink wrapped. I can insert the SIM, if it doesn't come with one, tyvm. They never hesitate to just give me the box. Sometimes they need to scan barcodes off the back, but that's about the extent of it. Of course, certain devices come with vendor spyware already installed at the factory.

Re: I don't understand ...

[The-Ixian]

This show how much I know about iPhones.

Thanks for the explanation.

Re:I don't understand ...

[akgooseman]

I make them hand me the box, still shrink wrapped.

Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.

Re:I don't understand ...

[GerbilKor]

That is correct for Apps. But a configuration profile can be downloaded from a website or sent by a mail server when you try to log in to it. The user would need to accept it and enter the devices passcode, but no Apple ID is needed. iPhone User Guide: iPhone in Business

Re:I don't understand ...

[jittles]

I make them hand me the box, still shrink wrapped.

Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.

Yes but you can tell if it has been factory reset when you turn the iPhone on.

I'm pretty sure that's not the case

[Dunbal]

without prior notice or permission

I'm pretty sure it says they can do that in your contract. You remember your contract right? The one you signed to get service? What do you mean nobody reads those? You didn't read the contract you signed???

While I agree that pulling shenanigans like this is not something I want from the people who I hired to give me phone service, I'm willing to bet they are not acting outside the law.

Re:I'm pretty sure that's not the case

[gstoddart]

That's OK, I have an EULA on my phone which says you will not install any software without directly getting written permission, or I will give you an epic smackdown right there in the store.

I'm not acting outside the law either now.

Sorry, but this is stalling software which give them remote control of your phone without consulting you.

How's "computer fraud and abuse act" sound?

Re:I'm pretty sure that's not the case

[Opportunist]

This is why I love my country's consumer protection laws. Bits in consumer contracts that are "unusual" are not going to stick unless you explicitly point them out AND have the consumer sign that you did point out exactly this passage that is unusual.

And our judges tend to consider anything "unusual" that they're not used to. In other words ... well, you know how tech savvy the average judge is.

Re:I'm pretty sure that's not the case

[Dunbal]

The problem with your argument is that your EULA is imaginary, while their contract is real.

Re:I'm pretty sure that's not the case

Except if you read the article you'd see they quoted the part of the contract where Sprint specifically says they will NOT add MDM without permission from the user.

Re: I'm pretty sure that's not the case

[MorphOSX]

Actually, that's wrong. I work for a company that develops MDM software, and what you can do to a smartphone is incredibly limited, especially non-Samsung devices and iPhones.

Firstly, the iPhone can never be touched or targeted directly by an MDM server, it can only relay information through apple's Push Notification Services servers.

Secondly, Apple explicitly blocks any tool sets of access to contents of the device, including personal information. It is literally impossible to read that data on an iOS device. We never could. I can at most see a list of apps on the device and hardware details like Serial Numbers or IMEI data.

Thirdly, Apple explicitly blocks MDM software from leveraging Geolocation except under very specific circumstances. The only way to do this is by building an iOS app and registering it through Apple's Enterprise iOS developer program, which then generates private provisioning profiles and code-signs the apps to be trusted on the iOS device. No apps in the App Store are allowed to provide geolocation to third-party services without express end-user consent. Our product does offer the functionality, but in order to use it even under these circumstances, there has to be a signed app installed and opened on the device to authorize it. I cannot force it to be authorized.

Fourthly, on the android side, an app has to be installed, and configured and authorized on the device in order to bring the device into management. Geolocation is limited here, too.

Fifth, unless the device is registered to a company and enrolled in Apple's Device Enrollment Program, or is manually configured on a Mac using apple's configurator software, the level of restrictions and control is limited. Only corporate owned devices enrolled through those methods can be made to be "supervised" in order to allow additional restrictive features.

Sixth, there is no means in any current MDM to enable or perform any type of screen sharing or access anything like cameras or other electronics.

Bottom line, MDMs are quite limited in their ability to do any snooping of any user data. The worst that can happen is someone issuing a remote erase command or device lock command. Nothing more invasive can be done.

Re:I'm pretty sure that's not the case

[david_thornley]

I had a friend who, when he bought software, paid with a check that had a note on the back saying that endorsing the check means a warranty of (IIRC) 100 hours mean time to failure. He always made it clear that the check said that, and never had a problem. Not that he had the money to sue anyone....

Re: I'm pretty sure that's not the case

[bhiestand]

Sixth, there is no means in any current MDM to enable or perform any type of screen sharing or access anything like cameras or other electronics.

Bottom line, MDMs are quite limited in their ability to do any snooping of any user data. The worst that can happen is someone issuing a remote erase command or device lock command. Nothing more invasive can be done.

How does TeamViewer's mobile app fit in with that? I'm guessing different because the user has to agree to some sort of pop-up?

Just curious. I know they advertise some of that functionality, but I never got around to demoing it.

How to Check?

So, how can I check my Sprint iPhone 6s for such software?

Re:How to Check?

[sims+2]

How to tell if an iPhone, iPad, or iPod touch is supervised
https://support.apple.com/en-u...

Trespass to chattels

Sounds like a pretty straightforward case of Tresspass to chattels.
Time to hire a lawyer.

It's Sprint's Now

Sprint recently changed to a "iPhone forever" lease plan where you lease the phone for $5 per month, plus additional undisclosed add-ons that make it actually $10 per month. But, you're leasing the phone. You don't ever own it.

They still offer you the option of buying the phone outright for ~$700 and no subsidy, if you want to "avoid paying them" the monthly lease rate.

Apple add's NSA reporter at the baseband level

Apple add's NSA reporter at the baseband level anyways

It is amazing.

I'm amazed every day I wake up and Sprint is still in business. It is a testament to the apathy of the average consumer.

Who Says It's A Sprint-Owned Domain?

[Dredd13]

I'm going to go ahead and throw up a red flag. I don't think this is a Sprint owned domain. I think it's meant to LOOK like one, but I don't think it IS one.

$ dig +short sprint.net ns
ns1-auth.sprintlink.net.
ns2-auth.sprintlink.net.
ns3-auth.sprintlink.net.
$ dig +short sprint.com ns
reston-ns1.telemail.net.
ns2-auth.sprintlink.net.
reston-ns3.telemail.net.
reston-ns2.telemail.net.
ns1-auth.sprintlink.net.
ns3-auth.sprintlink.net.

The places Sprint hosts their "well-known" domains looks remarkably like it's a legitimate place. "wabaw.net", however?

$ dig +short wabaw.net ns
ns6.domainmonger.com.
ns5.domainmonger.com.
ns7.domainmonger.com.
ns8.domainmonger.com.

I'm going to propose a theory that the WHOIS data shows Sprint so that - if someone gets caught and folks go looking for someone to vilify, Sprint is the unwitting victim. But - in reality - it's sitting in some domain-registration that nobody official at Sprint has ever heard of, and someone's been building a network of phones that they control via MDM.

Re:Who Says It's A Sprint-Owned Domain?

So, it means they already had a customer for the data. What's your point?

Re:Who Says It's A Sprint-Owned Domain?

[BitZtream]

Then why have several sprint tech support personal been 'aware' of the software that is installed?

Do you freak out when you see the domain names that Google uses for lots of stuff that in no way look like 'google' domains, but are for a fact Google domains? Trace route to www.google.com ... I think you'll lose your shit based on this post.

Just because you don't understand the shitty logic they used to pick a domain name doesn't mean it was't them, or an outsourced service they use.

Re:Who Says It's A Sprint-Owned Domain?

[Dredd13]

That's not what I said. But you've constructed a wonderful strawman for yourself to knock down.

I said, let's recap:

- The domain servers they're using are not their normal domain servers and look nothing like them
- The domain registrar used for the MDM is not their normal registrar (and corporations don't generally have a bunch of parallel accounts for such things, they centralize)
- The service isn't hosted in their copious capacity but in a pair of anonymous AWS instances

As has been noted elsewhere in this thread, the tech support people in question are low-paid script-monkeys and probably don't even fully understand what the person is talking about.

Slashdot != Journalism

[sjbe]

Isn't it proper journalism practice to define acronyms on their first use, then continue on using the acronym through the remainder of the story?

Slashdot isn't journalism. Slashdot is a debate forum that is kinda sorta vaguely topical. Nobody comes to slashdot for breaking news. They come to debate things and occasionally be informed with a viewpoint they might not have considered previously.

The MDM server is in Austria!

[Chmarr]

You have a good point:

$ host leon.webaw.net
leon.webaw.net has address 62.99.250.53

$ whois 62.99.250.53 ... snip...
netname: Schneid-GmbH
descr:
descr: Schneid GmbH
descr: Herbert Schneid
descr: PIRKA
descr: IPs statically assigned
country: AT

maxmind corroborates the information.

So... Sprint are putting control of your phone into the hands of someone in Austria. Nice going, guys!

Re:The MDM server is in Austria!

[Chmarr]

Oh dammit. Ignore. I typo'd the host name :(

Re:The MDM server is in Austria!

[Dredd13]

even worse. It's just a bunch of AWS servers....

$ host leon.wabaw.net
leon.wabaw.net is an alias for awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com.
awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.213.59.154
awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.191.121.98

Bets on if the account info for that AWS account is fake?

Buying direct?

[FrozenGeek]

Sounds like buying your mobile device directly from the manufacturer, such as Apple, might be preferable to buying it from the service provider (albeit having to front the full cost of the device). I'll have to consider that if/when I upgrade from my 4S.

So? You can't do jack sh*t about it. (Arbitration)

[Fencepost]

It doesn't matter whether it goes against Sprint's published policies - there is precisely nothing that you can viably do about this kind of situation these days thanks to arbitration clauses.

You can't sue. You certainly can't start a class action suit based on all the customers this was done to. You can elect to go to arbitration over it, however if the arbitrator rules against you you're likely going to have to pay for all of Sprint's costs related to the arbitration - including whatever price tag they put on their lawyers' (yes, plural) time for responding to the case. And of course, if you win, you can probably get them to uninstall the software or perhaps let you out of your contract with no termination fee.

Meh

Ppl who are Windows users, run as admin, and have their automatic updates "turned on" just wave their hands at this. Meh.

I don't see what the problem is...

Considering the phone cannot escape the manufacturing company, what's the big deal?

There's a big MDM wrapped around the device to begin with. They can uninstall all the software they want, know what versions of software you have, forced so there's only one real browser engine, one store to get apps, one payment method only... etc. They've also proven they can add content (music) to your devices too without prior consent.

If you buy a device and you're okay with all of those previously used "MDM" permissions, who cares if there's another layer from a "big" and "trusted" company?