We do not allow BYOD, and recently noticed our new phones come with dual SIM. We are worried people are going to start inserting their private SIM cards to use in the company devices. I wanted to ask if anyone knows of any major risks posed by that set-up. We are using AirWatch from an MDM perspective, so we have visibility and granular control on the device, but for some reason it doesn't pick up the presence of the second SIM.
"for some reason it doesn't pick up the presence of the second SIM"
Maybe that's baked into your MDM...?
What specific risk are you worried about or what would they be able to do with a second line and carrier added to the phone?
Some interesting trends I've noticed with different generations at my company. Most millennials and Gen X are perfectly fine with getting a work phone, using it as a COPE (company owned, personally enabled) device and canceling their own phone plan. It saves them money in the long run by not paying for their own plan. But with Gen Z, I've noticed they would rather do BYOD or get a work laptop they can use as needed. They don't want anything to do with a company phone. I say all of this to point out that, at least in my area, the dual SIM card risk would be very low to our org because they don't want the phone to begin with and prefer to use their own.
You could get ahead of the situation and get two different carriers set up for redundancy.
It depends on the device. From my experience iPhones are locked down much better than Android devices. Android devices allow for sandboxing so that MDM solutions can only access certain parts of the phone's dataset. I personally experimented with a dual SIM Android phone to be able to consolidate devices and have a work number and a personal number. I've been carrying 2 phones for almost a decade. After my security assessment I returned the dual SIM phone and went back to my 2-phone usage. Most of the dual SIM phones are not really active/active, and so are not fully baked yet for personal and corporate use.
...Android devices allow for sandboxing so that MDM solutions can only access certain parts of the phone's dataset....
In my (devil's advocate) mind, Android seems more secure. If MDM is unable to access "parts of the dataset", they would also be protected from malicious actors/apps.
This is what risk management is all about. One needs to identify just exactly what they are concerned about (analysis) and decide if they can live with it (accept) or need to do something to fix it (mitigate).
So, you may be more interested in limiting what your users can install/do, in which case an iPhone might be better. On the other hand, I may be more interested in limiting the impact of a bad actor/app, making Android the better choice. Neither position is more correct; our risk tolerances are just different.
We were exploring the use of dual SIM phones recently. We found out that the US phone versions, at least the Samsung Galaxy we tested, had the second SIM slot disabled. Most international dual SIM phones have both slots operational; not the case in the US. Also, new phones don't come with dual physical SIM capabilities, but you can add an eSIM + the physical SIM.
I don't see the immediate threat of using a second SIM/data plan. With the MDM you have as much control as the OS allows you to have. I only see the risk argument of an untrusted network being used, but the same mitigating controls should already apply to the first mobile network enabled and to traffic over home wireless networks and hotel networks. But maybe I am missing something here?