How did IT team know that I am out of California?
My job requires me to stay in California while I work from home. I connected the TinyPilot to my work laptop (which is the target PC) from June to Aug 10th, and accessed it using my personal laptop. My work laptop stayed at my home located in CA, and my personal laptop traveled with me within CA during this time. I used Tailscale, and everything worked perfectly.
On Aug 11th, I flew to another place outside CA with my personal laptop connecting to my work laptop (which is still at my home). From 8:00AM to 11:00AM I worked as usual, and then my supervisor called me saying that the IT team detected that I am not in CA.
My understanding of the TinyPilot is that it appears to be a generic monitor + USB keyboard + USB mouse + USB storage drive, as given in https://tinypilotkvm.com/faq/target-detect-tinypilot. None of these should contain IP information. I wonder how IT knew that I am not in CA?
- Michael Lynch @michael 2023-08-23 20:09:45.907Z 2023-08-23 20:26:07.294Z
Thanks for reporting this! I hope your TinyPilot hasn't gotten you into trouble at work.
This is a tough one. This is the first report we've ever received of a third party potentially identifying remote access to a TinyPilot.
You're right that there's no network connection between the TinyPilot and the work computer, so I don't see a way that software on the work computer would be able to infer details about the network connection between your personal laptop and the TinyPilot device.
I initially thought perhaps your employer saw TinyPilot attached to your work computer (which they can do), but you mentioned that the TinyPilot has been connected since June. And your supervisor called you immediately after you accessed your TinyPilot from outside of CA, so it seems like just having a TinyPilot connected isn't what's making them think you left CA.
Is it possible that they detected your location through some other means? Here are a few possibilities I can think of:
- Do you run software provided by your employer on your personal devices (e.g., a work app on your personal phone)?
- Do any of your personal devices talk to servers that your employer operates (e.g., work email on your personal phone, work Slack on your personal phone, personal phone synced with work calendar)?
- Did you bring any other hardware provided by your employer with you when you traveled outside of CA?
Thank you for your reply.
I did not bring any company hardware with me. Yet I did bring my personal iPhone, which used Outlook and Teams to receive company emails and messages. However, before I traveled outside CA, I uninstalled them. Is it possible that my company made some settings on my iPhone (possibly when I initially installed the Outlook and Teams) that could track my location and I am not aware of?
- Michael Lynch @michael 2023-08-24 12:26:00.559Z
"Is it possible that my company made some settings on my iPhone (possibly when I initially installed the Outlook and Teams) that could track my location and I am not aware of?"
It's hard to say without knowing the processes at your employer.
If at any point IT enrolled your personal device in mobile device management (MDM), it's possible that IT retained some insight into your device even after you uninstalled Outlook and Teams. iPhone MDM apparently doesn't share location data, but it's possible they still have access to IP address information or other signals that could allow IT to approximate your location.
@charles also pointed out to me that some MFA solutions collect location information. Microsoft Authenticator, for example, collects location data:
"Authenticator collects your GPS information to determine what country you are located in. The country name and location coordinates are sent back to the system to determine if you are allowed to access the protected resource. The country name is stored and reported back to your IT admin, but your actual coordinates are never saved or stored on Microsoft servers."
This is very helpful information. My iPhone does have an authenticator app, and I think it might be the one that made IT aware of my location, because this is the only hardware that is "related" to my company.
Do you know if there is a way to check the permissions my authenticator app has on my iPhone that can lead to location information?
- Michael Lynch @michael 2023-08-25 14:39:52.821Z
I don't use an iPhone and we're getting a bit too far outside the scope of TinyPilot support, but you should be able to find permissions by following Apple's instructions.
- In reply to sfan: Santosh Krishnan @Zantosh
If you have a company Teams account on your phone, then they probably installed a device management app that doesn't get deleted just because you removed Teams and Outlook. I always use VPN to put me in my home area for this reason.
Thank you for your reply. I think it is probably because of my phone. I remember I installed something (although I can't find it on my phone at this moment) when I was hired by the company. I am going to test it by asking my friend to bring my phone to China :)
I wonder if you happen to use TinyPilot on your device and work remotely?
- Santosh Krishnan @Zantosh
Yes. Lots of very solid experience. I love TinyPilot. Helps me be a better dad and a better consultant. Can't live without it. I've cleared out my office and do all my work on my Google Pixel Fold phone. Better than sliced bread that I don't eat bread anymore. Lol
Hi Santosh @Zantosh , could you please check if I understand your setup about VPN correctly?
For example, the company wants me to work in California. My understanding is that the target PC is connected to TinyPilot. Then a personal laptop is connected to TinyPilot over the internet using, e.g., Tailscale. Then I need to set up VPN on the personal laptop to route to California, even if the personal laptop is physically in Canada? i.e.
target PC <--> TinyPilot <--> Tailscale <--> VPN (route to CA) <--> personal laptop
Thank you for helping.
- Santosh Krishnan @Zantosh
Hi @sfan,
the company want me to work at California ==> Your company laptop stays in California
Company laptop is connected to TinyPilot, which is also in California.
Now you have two approaches, up to you and mileage may vary.
Approach 1 - Find an old laptop and set it up for Windows RDP in California on the same network as your TinyPilot. Set up Tailscale on this laptop. This is all now in your California location on the same LAN. Next, when you are far away, from your tablet, phone or other laptop, do a Windows RDP to the laptop that you have in your California location. From that laptop, you can connect locally to your TinyPilot and do your job.
Approach 2 - Set up Tailscale on TinyPilot. When you are far away, from your tablet, phone or other laptop, open your browser and connect to your TinyPilot box that is in your California location and do your job. Problem with this approach is that TinyPilot has not been designed to stream video so you will have drops. Windows RDP is designed to stream the video so you will only have a degradation in quality, but it won't drop.
- In reply to sfan: Santosh Krishnan @Zantosh
Don't send your phone to China. That's a terrible idea.
Instead load a VPN software like NordVPN and have it always on. Route your data through whichever state you need to be in and set it up to route all traffic via the VPN and if the connection drops then to kill your network. Works best.
- In reply to michael:
Hi Michael,
Can you please explain how the IP works when Tailscale is used to connect to the TinyPilot?
When people connect to TinyPilot via Tailscale in Canada (for example), does TinyPilot receive any IP information (or any other location information) from Canada?
- Charles Hague @cghague 2023-10-24 02:11:16.386Z
Hi @sfan, thanks for your question about using Tailscale with TinyPilot.
When you join a TinyPilot device to a Tailscale network, the TinyPilot device will be able to see information about the local network you have connected to (whether wired or wireless) and the Tailscale network. Other devices on these networks may be able to see that the TinyPilot device is on the same network.
Thank you for your reply.
Is it true that my company (which is not connected to my local network) will not see that the Tailscale is connected to the target PC (i.e. work PC) via TinyPilot?
- Charles Hague @cghague 2023-10-24 21:30:49.777Z
Your TinyPilot device doesn't expose any information to the target computer about the network and services to which you have connected your TinyPilot device. Our article on whether anyone can detect TinyPilot contains more details that may be helpful.
- In reply to sfan: Martin Goudreau @MartyG
Could it be that you are connecting to your office laptop via VPN?
Office laptop does connect to the server via VPN, but I am not bringing my office laptop with me. The office laptop stays at home.
- Martin Goudreau @MartyG
hmmm... how do you connect to your office laptop? using some 3rd party remote software?
I'm just asking as that may be the way they "see" you connecting...
- In reply to sfan: Martin Goudreau @MartyG
Nevermind... my bad...
You are connecting to a TinyP...
- In reply to sfan: @Bobbyricky
Do you have a 2-step authorization to log in? Usually all companies have authorization software, and if you're using your phone in California to do two-step authorization it logs where the phone was via GPS and network.
- In reply to sfan: a7673 @a7673
@Zantosh @MartyG @sfan Hope you are doing well. I am reaching out to you since I am in the same boat as the OP's question (@sfan).
Do you have any workaround figured out for this situation? Asking since it seems like you've been working with the TP device for many years. If you can shed some light on a solution, that would be helpful to the community.
On another note, I was thinking about virtualizing phones (iOS or Android) / using a KVM with mobile phones and having them stationed in the work country and using the 2-factor authentication apps remotely. I am not sure if this will work. I haven't found any solution yet to this. Also, most of the authorization apps are only supporting in-app authorizations but not OTP over SMS or vice versa.