blocking access to personal email on a mobile device at work

Clone CLONE
March 20, 2014 at 12:57:07
Specs: Windows 7 64, P4- 2.8 ghz 22 gb
Many of our staff are using their personal mobile phones to access their personal email addresses throughout the day.

Is there a way to use the wireless access point to block access to a personal email service??

We can't turn wireless off in the building and it is probably impractical to add the MAC of each personal mobile device to a filter on the wireless access point.

We are using Sonicwall firewalls... is there something I can do in the Sonicwall configuration to block access to personal email providers??



#1
March 20, 2014 at 13:25:33
As you already clearly know - every wifi device has MAC (Media Access Control)

http://en.wikipedia.org/wiki/MAC_ad...

It is "unique" to that device.

It's related/tied to the wifi adapter that every wifi device has built-in.

Your wifi access point will (or ought to) have an option to restrict who can connect to it - even if they know the SSID and password for your access point.

It's called (usually) MAC filtering. Allows either "only these" MAC addresses to connect; or blocks "these" MAC addresses from connecting - depending on which option you choose.

You enter the actual MAC address for each device (that's found in the phone's setup section) - if using the "block" these devices option. If using "allow only these devices" then enter any/all those devices you are happy to allow to use the wifi, and not the rest... This is likely the easier option; although it will take a wee bit of time/effort to build that list...

Likewise you can do it via another option - which is to change the password which allows access to your wifi and then do not allow it to be known...; and ideally also hide the SSID (and ideally change it) too. But all legit devices will of course have to be reconnected with the "new/hidden" password (and SSID if changed). And that is a point of weakness as someone more than likely will "share it with a friend..." while setting it up?

Equally you could simply change and hide the SSID (change it as the staff will likely know the current one); and that "might" be sufficient. Which having said I'm pretty sure someone would soon find out what it is - from the legitimate wifi access kit?

All of this is accessed via the usual web-page style Management function; in the wifi setup section.

I'd be much inclined to use the MAC filtering path/option - "allow only these to connect". And ensure the password to access the access-point setup is seriously restricted access too; not shared about...

message edited by trvlr



#2
March 20, 2014 at 13:34:13
Stopping smartphones from connecting to your wireless network and through it, their personal email will not stop employees from checking their personal email at work. They'll just have to use their device's 3/4g connection is all.

I doubt you can legally block them during breaks and/or lunch.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#3
March 20, 2014 at 13:34:23
I appreciate this response and yes, we have thought of mac filtering.
The problem is, we either have to enter 100 or so mac to not allow or 100 or so mac to allow.

And I doubt the person would freely give up the mac on their personal phone... so then we could need to canvass all of our work computers and get the mac off of them and input them to the firewall to allow.... and if we get a guest in the building, we would have to configure the mac filtering to all the guest mac. It doesn't seem overly practical.

We will do it, just was hoping for an easier answer.

Thank you though... good thought



#4
March 20, 2014 at 13:39:22
We do not intend to stop them from accessing their personal email during a legitimate break. They in fact could use their computer and network to access their personal email while on break.

I do realize that they can access their personal email through 3g / 4g but am hoping most of them do not want to incur the cost of doing that.

Thanks for your answers. I feel like I was on track with my thoughts.

Have a great day everyone.



#5
March 20, 2014 at 14:02:35
I don't see that any employer has an obligation to provide email access for its staff from their phone - via company wifi...; nor to actually provide that facility via any kind of web/internet access... Likewise free 3g/4g phone access?

That many do allow - within reason (and that's very hard to define) - to connect to the internet over the company connection (for not only emails), is fine; but often it's seriously over-used and often abused... Typically it is of course from a PC - whichever style; and now with smart phones from those too...

You're on a domain system I suspect? Do your staff need to access/use the internet itself for their job? If not then you can either setup time restrictions on all computers to prevent (any computer not requiring it for the job) accessing it completely; or perhaps allowing during lunch break only.

For guests... you might do what we did in a broadcast environment I worked in... IT set up two wifi access points; one locked down and used the MAC "allow only" option; the second one required the use of a separate SSID and password (kept hidden/restricted respectively - and on occasion changed...); and was for guests to use. This second access point was in time abused... Which led to this routine:

(This became the norm after a short while.) When a guest arrived his/her MAC details were included (for his/her visit only) in the "allow only" list - on the "second" access point - and removed later... That was very little trouble to arrange... and usually quite effective. SSID and password were not made known to guests...

message edited by trvlr



#6
March 20, 2014 at 14:03:47
It seems like the best plan would be to handle this through policy. Just write up or fire people that don't follow the policy.

::mike



#7
March 20, 2014 at 14:15:04
While I can see the idea of a "policy...", in most environments these days the appeals process (and in the UK at least they are lengthy) can make this a long drawn-out event...; and any employee would know this...

The only time I have seen an employee dismissed was when he (in this case) was actually surfing porn and dating sites during office hours... He was observed by a colleague (several in fact) and had already been warned about his excessive "surfing" in general. The porn etc. was the nail in his coffin - and he was out the door immediately. No appeal, no redress etc...

Proving someone was using their phone would be much harder?



#8
March 20, 2014 at 16:12:15
I work in a state that's at will, so I can be fired whenever, as long as it's for no reason. :)

::mike



#9
March 20, 2014 at 16:20:49
mmm - which one is that...?


#10
March 20, 2014 at 17:08:36
"mmm - which one is that...?"

Pretty much any state that is a "right-to-work" state:

http://en.wikipedia.org/wiki/Right-...

"Channeling the spirit of jboy..."



#11
March 20, 2014 at 17:40:12
Even allowing for, and recognising there is (by some) abuse of the system (work environment and labour laws/agreements) the way things are in other parts of the USA, and outside it too... is perhaps to be preferred?

I have seen flagrant abuse of both systems in my professional life; and history is strewn with some very nasty events/accounts too - on both sides...

But no doubt there are many (on both sides) who will disagree...; and we can leave it at that - agree to disagree... Rather than go down another long debate similar to another recent one...?

The example I mentioned earlier was one of just deserts. As the individual had been warned about excessive surfing, and the porn etc. was sheer stupidity and really left the company with no options (nor had he a valid case to argue).



#12
March 21, 2014 at 07:07:27
"And I doubt the person would freely give up the mac on their personal phone..."

On our wireless network I can actually login to the controller and see who's connected and each connected device's MAC address. In most cases, it's quite easy to tell a smartphone from say, a laptop or iPad. That being said, with our equipment, I click on "block" beside the connection and that device will not be allowed to reconnect.

I don't know what equipment you're using, but even SOHO level equipment will show connected devices but you may have to look at each AP individually to see who's connected to it if you don't have a central controller for your wifi network. If you look through the list(s) I'm sure you'll be able to figure out which are smartphones and which aren't and I'm sure enough would be obvious to reduce the number you'd actually have to research significantly.

We don't bother blocking though because it's a total waste of time. I'd like to, but then when one of the bigwigs in the company wants to use his/her phone or pad, well, I'm sure you understand how that works........lol..........so just leave it with everybody able to use it on their phones and pads, it's less administrative work for us.

"I do realize that they can access their personal email through 3g / 4g but am hoping most of them do not want to incur the cost of doing that."

That was my point......there will be a cost involved so most of them won't bother.

Good luck and maybe write back here and let us know what you end up doing to resolve your issue. I'm kind of curious now. :)

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***
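
The workflow discussed in #3 and #12 (build an allow list from the work computers, then read the access point's connected-client list to pick out everything else), as an added example that is not from any poster or vendor. The inventory and client-list formats, the hostnames and every address below are constructed assumptions.

```python
import re

# Constructed sample: inventory of company-owned adapters, in mixed MAC notations.
INVENTORY = """\
00-1A-2B-3C-4D-5E  FRONTDESK-PC
001a.2b3c.4d5f     ACCOUNTING-LT
00:1a:2b:3c:4d:60  WAREHOUSE-PC
"""

# Constructed sample: "MAC,hostname" rows copied from an AP's connected-client page.
AP_CLIENTS = """\
00:1A:2B:3C:4D:5E,FRONTDESK-PC
00:1A:2B:3C:4D:5F,ACCOUNTING-LT
3C:22:FB:10:20:30,Janes-phone
DA:A1:19:0B:0C:0D,android-7f3e
"""

def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (software-assigned address)."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def load_allowlist(inventory_text):
    """First whitespace-separated field of each non-empty line is the MAC."""
    return {normalize(l.split()[0]) for l in inventory_text.splitlines() if l.strip()}

def triage(clients_text, allowlist):
    """Label each connected client: company, unknown, or unknown-randomized."""
    rows = []
    for line in clients_text.splitlines():
        if not line.strip():
            continue
        mac, host = line.split(",", 1)
        mac = normalize(mac)
        if mac in allowlist:
            verdict = "company"
        elif is_locally_administered(mac):
            verdict = "unknown-randomized"
        else:
            verdict = "unknown"
        rows.append((mac, host.strip(), verdict))
    return rows

if __name__ == "__main__":
    for mac, host, verdict in triage(AP_CLIENTS, load_allowlist(INVENTORY)):
        print(f"{mac}  {host:<15} {verdict}")
```

A client flagged `unknown-randomized` is presenting a software-assigned address, as phones using private Wi-Fi addresses do, so a per-MAC block or allow entry made for it may not stay valid.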

