Submitted by jillianpikora t3_11dn123 in Pennsylvania
Comments
drewbaccaAWD t1_jabjew3 wrote
And considering there's a federal ban doing the same, I can't really blame them for following the lead. If it was some rogue action, I'd roll my eyes, but this hardly seems newsworthy at the county level.
dirtyoldman20 t1_jaer0q0 wrote
This is the Pennsylvania sub.
drewbaccaAWD t1_jaerd3j wrote
Shoo, troll. Don't bother me.
HomicidalHushPuppy t1_ja9mvwi wrote
Why are government employees putting apps like this on government phones in the first place???
No-Setting9690 t1_ja9q8fe wrote
Real question is, wtf is it not locked down by IT? If a user can do that, so can a malicious hacker. Seems like zero security is in place.
ItsjustJim621 t1_jaa9gcy wrote
I’m one of 7 IT people in my company... if someone wants to even download something as mundane as MS Paint, they need us to remote in and temporarily give them privileges to do so.
Zenith2017 t1_jad3agv wrote
Your question is on point and well directed. The county should have more controls in place to begin with, 100%. But security always has an inherent trade-off.
My only answer is that it takes a lot of manpower, money, and red tape to effectively control devices like that. Remember, while Lancaster County IT and security folks are taking directives passed by CISA as well as the state, they're pretty much on their own for actually implementing and controlling stuff like that. It's not like they get some PA- or fed-sponsored software that does what they need; as I understand it, it's on the county to contract with vendors and implement their tech.
Yes, it's very simple and not too staggeringly expensive to lock down these devices with JAMF or whichever solution. But, that also comes with a ton of downside. You now have tickets and calls and ornery users and delays resulting from needing your help desk folks to go resolve app install requests. You're worried about where these packages are sourced from, so you're either maintaining your own repos which is a ton of work, or trusting the app store. You might be manually maintaining a whitelist of apps users can install without further authorization, and you still need to have a mechanism to actually stop them from breaking the rules.
Security comes from a simple idea, but the reality of making it happen is WAY more complex, especially in a government environment where change will take years or decades. I mean, look at the timing of this announcement, versus the exposés published ages ago showing how TikTok aggressively harvests metadata and could previously even see the contents of your clipboard. It took all that time for a decision to be made and a control to be implemented.
No-Setting9690 t1_jad4y2j wrote
Been in IT almost 30 years. Locking down a cell phone is quite easily managed with the correct software. What you stated is correct on why they usually don't do it, but it's not an excuse they should ever make.
It's not an if, but a when they will be hit. It only takes one user to make you have a very bad day.
Zenith2017 t1_jad7wmq wrote
Oh I'm painfully aware of that last part...
No-Setting9690 t1_jad8ng1 wrote
Same here. Way too many 8-second calls that should have happened turn into an IT nightmare.
Zenith2017 t1_jad9y77 wrote
I toil day after day to make and implement effective security detections, and then customer gets pwned because a fricken domain admin just says yeah whatever go ahead to getting spammed with 100 MFA pushes they didn't initiate. 😭🙃🥺🫠
No-Setting9690 t1_jadaj1z wrote
That's very sad and funny at the same time. Quality of admins today is not the same. Too much Googling, not enough effective knowledge.
xeio87 t1_jaayb4u wrote
So the one reason I could see is social media outreach. Many agencies keep a Facebook/Twitter/etc profile for announcements and other stuff. That's about it.
Jiveturkwy158 t1_jadgz6o wrote
They don’t have to have the capability to do so for the legal team of the county to make a specific rule to make it abundantly clear that in case a piece of tech can download (somehow got a permission missed by IT setup) that doesn’t imply the user has permission to.
This is a CYA by the legal team, not a directive from IT.
[deleted] t1_jad3q4o wrote
This really isn’t anything new. Social media sites have been blocked for a long time on government devices.
SunOutrageous6098 t1_ja9vu1z wrote
“The policy is applicable to all County issued devices, including desktops, laptops, servers, tablets, cellular phones, or any other information processing asset— including any and all devices connected to the County of Lancaster network for the purpose of accessing County of Lancaster data or services.”
So that also means employees who use their personal phones to receive email during off hours or any employee who connects their phone to Wi-Fi.
If there’s two-factor authentication in place it’s virtually impossible not to use your cell phone.
I would expect them to provide cell phones to every employee who needs to use their phone for 2FA or access information outside of standard working hours.
Blexcr0id t1_jac3b21 wrote
I stopped using my personal devices to access my state email and OneDrive / VPN after a co-worker was asked to provide their personal phone records during discovery. Total shit show. Also, frig that, I don't work in my off hours.
hippata2023 t1_jaagmpp wrote
> “The policy is applicable to all County issued devices, including desktops, laptops, servers, tablets, cellular phones, or any other information processing asset— including any and all devices connected to the County of Lancaster network for the purpose of accessing County of Lancaster data or services.”
You're reading that too broadly. So long as the device itself doesn't connect to the County's network, it's not subject to this rule. So yes, you can still check email on your personal device and not worry about running afoul of this policy, so long as it's not connected to the network.
obsolete-man t1_jaalswe wrote
Why are they allowed to install any software on their government owned computers?
PsychoCelloChica t1_jab6qbo wrote
This isn’t targeting personal accounts. Civil employees are usually barred from using government equipment for personal use like that. This is to prohibit official use like your county government or health department having an account. Or maybe even your local library having one.
Because the flip side of not allowing personal use of a public device is often that you can’t use an official login on your personal private device either.
BluCurry8 t1_jacdo3m wrote
🤣🤣🤣🤣
hippata2023 t1_jaaezka wrote
Still waiting for the Facebook ban anytime now....
FB is more of a danger than TikTok, and it's not even close.
drewbaccaAWD t1_jabjl7j wrote
Facebook is a danger insomuch as it propagates nonsense to gullible people who use the platform as a source of news.
TikTok is a danger in that it's a backdoor to hack government devices and computers.
Both are a danger, but in very different ways.
BluCurry8 t1_jace7o3 wrote
Hahaha. Sorry, but Facebook has the same dangers. It is only speculation that TikTok is a conduit for spyware and/or viruses. I would scrutinize the more mundane programs like games before TikTok. This is just racist propaganda for the purpose of political gain.
drewbaccaAWD t1_jaet3s2 wrote
I can use Facebook through a browser.
The apps are where the danger lies. And while a Facebook app certainly could be abused, the threat doesn't come from foreign nationals.
I had a secret clearance in the Navy, and I fully support US government devices being blocked from apps from hostile countries. There's nothing racist about it as it's well known that China actively collects information about our military. Are they actively using TikTok to do so? That's speculative (and/or confirmed but not to the general population). Given the way the government runs over there, they certainly can if they aren't doing so at the moment.
I'm not a fan of how the far-right pulls all the red scare BS with China or how Trump and co. turned Covid into some bizarre xenophobic nonsense. But on this particular topic, the decision appears to be objectively made, not for political gain and propaganda as you propose.
I doubt that I'll convince you otherwise, but I wanted to be clear that my own support of this move is not based on racism or any dislike of the Chinese people more generally. I do not consider the current Chinese government trustworthy, and that's different from not trusting the people/ethnicity more broadly.
South_Divide_4329 t1_jaav0s2 wrote
Can’t believe they gave these dudes a minimum wage of $15/hr but the private sector gets rammed by corporations looking to keep the market low for profit margins.
LibrarianLoves t1_ja9lsdg wrote
They're only banning TikTok on devices owned by the county, not anyone's private devices.