At this point I just deleted the work apps and went back to the drawing board. Maybe what I’ll do is just use the Outlook web app and set a reminder to check my email once after hours to catch anything urgent that may have come through. I may just ask my boss to text my personal number if they need me and leave it at that.
But to expand on this point, what kind of access to work data is fine to access from a personal device without risking confiscation for legal reasons? If I download Outlook then some email is on my phone, but if I log into the web app I’m accessing the same email. At that point would using the web app get me in the same boat?
Wow, so this applies even if you’re just logging into Outlook on a personal device? I wouldn’t have thought that it would go that far. I guess weighing that risk is something for me to think about, as well as how often I realistically have to be reachable. This is very inconvenient if this is the best advice for even basic threat models.
If your employer is ever subpoenaed for access to your devices, there will be one simple question: “Is there work stuff on it?”
You want to be armed with the answer “no, that’s my personal device I don’t use for work”. Anything more complicated will result in the device having to be turned over. In any case, if your employer is subpoenaed you want to be able to remain contactable; having a personal computer, phone, etc. is crucial for this.
I think it’s also quite healthy to be able to turn those devices off when you’re not on the clock.
What about using the Microsoft Authenticator app, or using any authenticator app for 2FA for a work account? I guess that’s something I could quickly qualify if asked, but I can also see some lawyer not understanding what 2FA is and wanting to take my phone anyway. But in that case I’m in a pickle once more because I’m actually required to have 2FA for work now. I wanted to be better by using an authenticator app, but I do have the option of doing SMS 2FA.