How Much Can Your Company Really See on Your Computer?

TL;DR #
This article does not discuss the value judgment of “whether companies should monitor employees,” nor does it encourage circumventing company security policies. We aim only to clarify the technical mechanisms: what companies can see, how they do it, where the boundaries lie, and how ordinary employees should understand their digital boundaries.

What a company can see is not a simple “yes” or “no” answer.
More precisely, it depends on three layers:
- Network Layer: The company network is like a “main gate,” primarily seeing where you connect, which domains you visit, and roughly how much traffic you generate.
- Endpoint Layer: The company computer is like a “room.” If enterprise security software is installed, it might record application usage, file operations, external device copying, screenshots, clipboard content, and even partial window content.
- Behavioral Layer: Company accounts, internal systems, DLP, MDM, and watermarking systems act like “action recorders,” auditing what you access, download, export, and whether you’ve interacted with sensitive data.
This article aims to establish a clear framework for understanding, not to create anxiety.
Please remember these three points:
Company equipment is not private space. Company accounts are not private identities. Company networks are not private networks.
Understanding these three points will make you neither naive nor overly stressed.
Conclusion First: What Companies Most Easily See Are “Traces,” Not “Content” #

Regarding company monitoring, many people have a common misconception:
As long as I clear my browser history, the company won’t know my browsing records.
This thought is natural, but inaccurate.
Browser history is merely a local record on your computer. What companies truly rely on is often not this history, but rather more system-level logs:
- Whether there are access records at the network egress;
- Whether there are proxy logs on the company gateway;
- Whether there is security software on the computer endpoint;
- Whether there are access audits for company accounts;
- Whether files have been copied, uploaded, or exported;
- Whether security systems have triggered alerts.
In other words, many actions are not limited to your browser but may also exist within the company’s network, accounts, endpoints, and security systems.
Deleting browser history, at most, only erases a small portion of traces on your own computer. But if the network, accounts, endpoints, and file systems all retain records, it’s like wiping away footprints but forgetting about access control records, surveillance footage, and courier delivery receipts.
Therefore, the first basic judgment is:
What companies most easily see may not be specifically what you said, but rather when, using what device, where you accessed, and what actions you performed.
Core Model: Network Layer, Endpoint Layer, and Behavioral Layer #

When discussing corporate monitoring, many people directly ask:
- Can the company see my chat history?
- Can the company know what web pages I browsed?
- Can the company see what files I copied?
These are all realistic questions, but directly asking “can it” is often not accurate enough.
A better way to ask is:
- Are you using a company computer or a personal computer?
- Are you connected to a company network or a personal network?
- Have you installed company certificates, MDM, VPN, EDR, or DLP software?
- Are you logged into a company account?
- Are you accessing an internal company system or an external website?
- Has the company clearly communicated its device and network usage policies?
From an enterprise IT security architecture perspective, the visibility of employee digital behavior can be broken down into three layers:
| Layer | Analogy | Primary Monitoring Object | Typical Technologies |
|---|---|---|---|
| Network Layer | Main Gate | Where you went | DNS, SNI, Proxy logs, TLS Inspection, Firewall |
| Endpoint Layer | Room | What you did on the device | EDR, DLP, File system filtering, Screenshots, Clipboard audits |
| Behavioral Layer | Action Recorder | What you accessed, downloaded, exported, shared with what identity | MDM, Account audits, Permission logs, Data watermarking, Internal system logs |
These three layers combined constitute the true security visibility of an enterprise.
Therefore, “what a company can see” is not a single technical issue, but an architectural one.
Network Layer: The Company Might Know Where You Went #
Many people assume that as long as a website uses HTTPS, the company won’t see anything.
This understanding is only half true.
HTTPS does encrypt webpage content, login passwords, form data, and transmitted data. Under normal circumstances, ordinary routers cannot directly read what you type into a webpage.
However, network devices can still see a lot of metadata, such as:
- Which device initiated the connection;
- When the connection occurred;
- Which IP was accessed;
- Which domain was accessed;
- How large the traffic was;
- How long the connection lasted;
- Whether video, gaming, cloud storage, social media, recruitment websites, code platforms, or AI tools were accessed.
Here’s a crucial technical point: SNI.
SNI stands for Server Name Indication. Its purpose is to tell the server which domain the browser intends to access, before the encrypted connection is established.
You can think of it as:
Before the webpage content even starts encrypted transmission, the browser first says at the doorstep, “I want to go to example.com.”
In traditional TLS connections, SNI is usually transmitted in plain text. Enterprise firewalls, security gateways, and proxy servers can use this to record which websites you visited.
Therefore, even if the company cannot see what you specifically typed on a webpage, it might know if you visited:
- YouTube;
- GitHub;
- ChatGPT;
- Recruitment websites;
- Personal cloud storage;
- A specific SaaS platform;
- A specific internal or external API service.
Of course, technology continues to evolve. ECH, or Encrypted Client Hello, has emerged, which can be understood as an anti-eavesdropping mechanism that encrypts handshake information, including SNI.
This means that in the future, the ability of enterprise network devices to determine visited domains solely based on clear-text SNI might be weakened.
However, in most current enterprise network environments, ECH has not yet become widespread. Companies can still classify and audit network access through SNI, DNS, proxy logs, IP reputation databases, and traffic pattern analysis.
The most accurate conclusion for this layer is:
The company may not know what you said on a webpage, but it very likely knows where you went.
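To make the SNI point concrete, here is an added example (not code from the original article) that builds a constructed ClientHello, reads the host name out of it exactly as a gateway would, and produces the kind of metadata-only log entry described above; the category list and device name are assumptions invented for the example.

```python
import struct

# Hypothetical gateway category list, constructed for this example.
CATEGORIES = {
    "youtube.com": "video",
    "github.com": "code platform",
    "drive.google.com": "personal cloud storage",
    "chatgpt.com": "AI tool",
}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying a server_name (SNI) extension.

    Constructed sample input: a real browser ClientHello carries many more
    extensions, but the SNI layout from RFC 6066 is the same."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry        # ServerNameList length
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # extension type 0 = server_name
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"     # supported_versions; parser skips it
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                    # legacy client_version (TLS 1.2)
        + bytes(32)                                    # random (zeros in the sample)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # two cipher suites
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(record: bytes):
    """Return the host_name from a plaintext ClientHello's SNI extension, or None.

    Nothing here is decryption: the bytes are read exactly as they cross the wire.
    With ECH the real ClientHello is encrypted, so a parser like this sees at most
    the outer public name, which is the weakening the article describes."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                        # skip client_version and random
    i += 1 + p[i]                                     # session_id
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]       # cipher_suites
    i += 1 + p[i]                                     # compression_methods
    if i + 2 > len(p):
        return None                                   # legacy hello without extensions
    end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        data = p[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype != 0x0000:
            continue
        j = 2                                         # skip ServerNameList length
        while j + 3 <= len(data):
            ntype, nlen = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]
            j += 3
            if ntype == 0:
                return data[j:j + nlen].decode("ascii", errors="replace")
            j += nlen
    return None


def classify(host: str) -> str:
    """Suffix-match a host against the category list, as a gateway policy would."""
    for suffix, category in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "uncategorised"


def gateway_log_entry(device: str, seen_at: str, record: bytes) -> dict:
    """What a network-layer log can hold for one connection: who, when, where, what kind.
    It never contains request content, only the metadata the article lists."""
    host = extract_sni(record)
    return {
        "device": device,
        "time": seen_at,
        "host": host,
        "category": classify(host) if host else "unknown (no plaintext SNI)",
    }


if __name__ == "__main__":
    hello = build_client_hello("www.youtube.com")
    print(gateway_log_entry("laptop-0417", "2024-05-01T09:30:00Z", hello))
```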
TLS Inspection: Can Companies Decrypt HTTPS Traffic? #

The answer is: under specific conditions, yes.
This type of technology is commonly referred to as TLS Inspection, SSL Inspection, or corporate proxy decryption. It’s not something an ordinary home router can easily achieve, but rather a component of enterprise-grade security gateways, firewalls, zero-trust proxies, cloud security gateways, or DLP systems.
It usually requires three prerequisites:
- Controlled Endpoint: The device is managed by the company;
- Trusted Certificate: The device has a company-controlled root or intermediate certificate installed;
- Traffic Through Enterprise Gateway: Network access passes through a company proxy, VPN, firewall, or zero-trust gateway.
These three conditions are indispensable.
If the conditions are met, the enterprise security gateway can stand in the middle, establishing two separate encrypted connections: one with your browser and one with the target website:
- Your browser thinks it’s communicating with the target website;
- The target website thinks it’s communicating with your device;
- In reality, the enterprise security gateway in the middle can decrypt, inspect, record, and then re-encrypt and forward the traffic.
This mechanism sounds very much like a “man-in-the-middle attack.” However, in enterprise security scenarios, it can be part of a compliant deployment, typically aiming to check for malware, sensitive data exfiltration, unauthorized SaaS usage, and other risks.
It can help companies check:
- Whether high-risk websites are accessed;
- Whether malicious files are downloaded;
- Whether company secrets are uploaded;
- Whether customer data is sent to personal email;
- Whether internal documents are uploaded to personal cloud storage;
- Whether unauthorized SaaS or AI tools are accessed.
However, TLS Inspection does not have unlimited capabilities.
Firstly, TLS Inspection is very computationally intensive and can increase network latency.
Secondly, sensitive websites like banks, healthcare, payment systems, and personal email are usually excluded from decryption.
Thirdly, some apps use certificate pinning, a mechanism that only trusts a specific certificate chain, meaning the enterprise gateway may not be able to decrypt them successfully.
Fourthly, modern zero-trust architectures do not necessarily aim for “decrypting everything”; often, they focus more on identity, device posture, access policies, risk scores, and least privilege.
Therefore, a more accurate statement is:
Under the conditions of “controlled endpoint + trusted certificate + traffic through enterprise gateway,” enterprises possess the ability to decrypt some HTTPS traffic. However, the existence of this capability does not mean all companies will fully enable it.
Endpoint Layer: Security Agents on Your Computer Are Key #

Company Wi-Fi primarily sees network connections. Company computers are entirely different.
If you are using a company computer and enterprise security software is installed on it, the company’s visibility into that device will significantly increase.
Common enterprise endpoint security components include:
- EDR: Endpoint Detection and Response;
- DLP: Data Loss Prevention;
- MDM: Mobile Device Management;
- Asset management software;
- Patch management software;
- Antivirus software;
- Zero-trust client;
- Host auditing software;
- Remote assistance tools;
- Enterprise browser or browser security plugins.
These software solutions are not necessarily intended for “spying on employees.” Their legitimate goals typically include:
- Ransomware prevention;
- Trojan prevention;
- Data leakage prevention;
- Source code exfiltration prevention;
- Customer information leakage prevention;
- System patch management;
- Peripheral device access control;
- Meeting compliance audit requirements.
However, from a technical capability perspective, once an endpoint agent has sufficiently high system privileges, the information it can collect far exceeds that of the network layer.
It might record:
- What software was opened;
- What processes were run;
- What websites were visited;
- What USB drives were inserted;
- What files were copied, modified, or deleted;
- What attachments were uploaded or downloaded;
- Whether sensitive documents were opened;
- Whether suspicious commands were executed;
- Whether unauthorized software was installed;
- Whether security rules were triggered.
It’s important to emphasize that different vendors and deployment strategies vary greatly. Not all enterprise endpoint software possesses all the above capabilities, nor do all companies enable all features.
Therefore, endpoint monitoring is better understood as a “capability set” rather than a fixed answer.
Chat History: The Problem Lies in “Plain Text on the Endpoint” #

A common concern for many is:
If I log into WeChat, Slack, Feishu, or Teams on my company computer, can the company see my chat content?
The answer depends on the layer.
From the network layer, many chat applications have their own encryption protocols. The company may not be able to directly decrypt chat content on a router or firewall.
However, from the endpoint layer, the situation is more complex.
Chat content must ultimately be displayed on your screen.
As long as the content is displayed, it must at some point become plain text and reside somewhere in the endpoint environment, for example:
- Application process memory;
- Local cache;
- Notification center;
- Clipboard;
- Input method candidate area;
- Screenshot buffer;
- Screen rendering layer;
- Log or database files.
Therefore, given specific permissions and product capabilities, endpoint security software might capture some content through the following methods:
- Screenshots;
- Screen recording;
- Clipboard monitoring;
- Input behavior auditing;
- Window content capture;
- Screen OCR;
- Local cache scanning;
- Process memory reading;
- Hooking certain application interfaces.
The key here is not “breaking the chat software’s encryption protocol,” but rather capturing content from the endpoint side that has already been decrypted, displayed, copied, or entered.
You can understand it this way:
Encryption protects the transmission process, but once the content reaches your device, is opened, displayed, copied, or entered by you, it enters the endpoint environment.
In short:
What the network layer cannot see, the endpoint layer may well be able to see.
However, these capabilities also have clear limitations.
Firstly, they usually rely on high system privileges.
Secondly, systems like macOS and iOS have stricter sandboxing, permission prompts, and security mechanisms.
Thirdly, some apps use anti-hook, secure input, end-to-end encryption, cache protection, or hardened rendering policies.
Fourthly, many companies, even if technically capable, may not enable deep content capture due to compliance, cost, and employee relations considerations.
Therefore, a more accurate conclusion is:
The company may not be able to directly read your chat content from the network. However, if you open a chat window on a controlled work computer, endpoint security software, under specific permissions and policies, can indeed capture some visible content.
This is also why company computers are not suitable for highly personal matters.
Files and DLP: Data Exfiltration Is a Major Pain Point for Enterprises #

Many people interpret enterprise monitoring as “the boss wants to catch me slacking off.”
While that might exist, from a security engineering perspective, what companies are usually more concerned about is whether company data is leaking.
Truly high-value data often resides in files:
- Client lists;
- Financial reports;
- Contracts;
- Source code;
- Design drawings;
- Training data;
- Internal pricing strategies;
- Employee and user privacy data;
- Model configurations;
- Trade secrets.
Therefore, many enterprises deploy DLP, or Data Loss Prevention systems.
DLP can set checkpoints at multiple locations:
- Local file systems;
- USB drive copying;
- Email attachments;
- Web uploads;
- Cloud storage synchronization;
- Printing;
- Screenshots;
- Code repositories;
- Instant messaging attachments;
- Database exports.
Underlying technologies may include:
- File system filter drivers;
- Content scanning;
- Sensitive keyword rules;
- Regular expressions;
- Data fingerprinting;
- File hashing;
- Permission tagging;
- Document classification;
- Watermarking;
- Machine learning classifiers.
For example, when an employee attempts to upload a file containing customer ID numbers, bank card numbers, contract numbers, source code snippets, or internal pricing strategies to personal cloud storage, the DLP system might block, record, or alert.
In the eyes of enterprise security systems:
- Watching videos for ten minutes might be an efficiency issue;
- Transferring customer data to personal cloud storage is a security incident.
Therefore, file operations are a class of objects with extremely high priority in enterprise security monitoring.
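The following added example (not code from the original article) shows in miniature how three of the DLP techniques listed above combine on one outbound payload: a regular expression plus Luhn check for card numbers, keyword rules, and sentence-level data fingerprinting; the protected document, upload text and rule set are constructed for the example.

```python
import hashlib
import re

# Toy rule set constructed for this example; real DLP products ship far larger libraries.
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
KEYWORDS = ("internal pricing", "confidential", "customer list")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint_sentences(text: str) -> set:
    """Data fingerprinting: hash each normalised sentence of a protected document.
    The engine keeps only the hashes, never the document itself."""
    out = set()
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        norm = " ".join(sentence.lower().split())
        if len(norm) >= 20:              # ignore fragments too short to identify a document
            out.add(hashlib.sha256(norm.encode()).hexdigest())
    return out


def scan(text: str, fingerprints: set) -> list:
    """Run the three rule families over one outbound payload.
    Returns (rule, evidence) pairs; card numbers are masked in the evidence."""
    findings = []
    for m in CARD_LIKE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("bank_card", "*" * (len(digits) - 4) + digits[-4:]))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    for h in sorted(fingerprint_sentences(text)):
        if h in fingerprints:
            findings.append(("fingerprint", h[:12]))
    return findings


def decide(findings: list) -> str:
    """Map findings to the actions the article names: block, alert, or allow."""
    rules = {rule for rule, _ in findings}
    if rules & {"bank_card", "fingerprint"}:
        return "block"
    if "keyword" in rules:
        return "alert"
    return "allow"


# Constructed protected document and two constructed upload attempts.
PROTECTED_DOC = (
    "Internal pricing strategy for FY25. Enterprise tier discount is 35% for contracts "
    "above 1,000 seats. Do not share outside the sales organisation."
)
FINGERPRINTS = fingerprint_sentences(PROTECTED_DOC)

UPLOAD_LEAK = (
    "Pasting the notes here so I can read them at home. Enterprise tier discount is 35% "
    "for contracts above 1,000 seats. Card on file: 4111 1111 1111 1111. Treat as confidential."
)
UPLOAD_CLEAN = "Team lunch is at 12:30. Reference number 1234 5678 1234 5678 is the ticket id."


if __name__ == "__main__":
    for label, payload in (("leak", UPLOAD_LEAK), ("clean", UPLOAD_CLEAN)):
        findings = scan(payload, FINGERPRINTS)
        print(label, decide(findings), findings)
```

The clean upload contains a 16-digit number that fails the Luhn check, which is why it is allowed rather than flagged.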
Screenshots, Screen Recording, and Remote Viewing: Technology Exists, Boundaries Are More Important #

Some enterprise endpoint software indeed possesses screenshot, screen recording, or remote viewing capabilities.
These capabilities can be used for:
- Remote IT support;
- Malware forensics;
- Security incident investigation;
- High-risk operation auditing;
- Traceability for internal system access;
- Data leakage incident tracing.
Trigger methods may include:
- Screenshots at fixed intervals;
- Screenshots when sensitive systems are opened;
- Screenshots when DLP rules are triggered;
- Screenshots when high-risk websites are accessed;
- Screenshots when external devices are inserted;
- Screenshots when sensitive files are uploaded;
- Remote viewing initiated by an administrator.
However, these capabilities are also the most prone to controversy, because they move from “recording behavioral metadata” into the realm of “observing the workplace.” Without clear notification, strict permissions, auditing processes, and reasonable boundaries, they can easily slide from security management into excessive surveillance.
Mature enterprises should typically achieve the following:
- Clearly inform about the scope of monitoring;
- Restrict accessible personnel;
- Retain administrator operation logs;
- Only trigger in security incidents or high-risk scenarios;
- Set data retention periods;
- Avoid collecting private content unrelated to work.
Just because it’s technically possible to see doesn’t mean it should be casually seen from a management perspective.
This is a very important boundary in enterprise security governance.
Mobile Phone Monitoring: Management Differences Between Android and iOS #

Mobile phones also need to be considered differently.
9.1 Android: Higher Openness, Stronger Enterprise Control #
The Android system has a higher degree of openness, and thus offers more in-depth control methods in enterprise management scenarios.
If a phone is under enterprise management, especially in Device Owner mode, with an enterprise ROM, OEM management solution, or strong MDM control, the company might manage:
- Application installation;
- Network proxy;
- VPN;
- Certificates;
- Screenshot policies;
- Data copying;
- Work profile area;
- Remote wipe;
- Compliance status;
- Peripheral and debugging permissions;
- Some system behaviors.
Additionally, Android’s Accessibility Service, originally designed for accessibility features, if misused or granted high permissions, can indeed read screen content, perceive UI changes, assist with clicks, or obtain input paths.
Therefore, on an Android work device, especially a company-fully-managed device, it’s best to assume that work-related actions may be audited by default.
9.2 iOS: Stronger Sandbox, More Focused on Device and Application Management #
iOS has stricter permission restrictions for third-party apps. It’s difficult for ordinary apps to directly read screen content of other apps or break through the system sandbox as easily as on Android.
However, if an iPhone has a company MDM Profile or Configuration Profile installed, the company can still manage:
- Enterprise apps;
- Managed app data;
- VPN;
- Wi-Fi;
- Certificates;
- Device compliance status;
- Remote lock;
- Remote wipe;
- Work account access;
- Data flow between managed and unmanaged apps.
Therefore, enterprise visibility on iOS typically leans more towards “device management + work data boundaries + network path control,” rather than directly reading all app content.
In short:
Android offers more room for deep control, while iOS is stronger in sandbox isolation. But as long as it’s an enterprise-managed device, it should not be treated as a completely private device.
Invisible Watermarks: A Potent Tool for Tracing Leak Sources #

Many large enterprises that handle sensitive data incorporate watermarking mechanisms into their internal systems.
Watermarks can be divided into two categories:
- Visible watermarks: Directly display name, employee ID, department, time, IP;
- Invisible watermarks: Not obvious to the naked eye, but identifiable through algorithms.
Watermarks may contain:
- Employee ID;
- Login account;
- Device number;
- IP;
- Timestamp;
- Page number;
- Session information.
Their purpose is usually not to monitor you in real-time, but to trace the source after a screenshot, screen capture (by phone camera), or document external transfer.
This is important.
Watermarking technology conveys an auditing capability: if sensitive information is leaked, the company can use the watermark to pinpoint the leakage path.
It’s not foolproof, and not every company has a mature implementation. However, in finance, large internet companies, government and enterprises, R&D, risk control, data platforms, and customer service systems, this type of technology is not uncommon.
Therefore, don’t assume that “not using system screenshots, only taking photos with a phone” necessarily prevents traceability.
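As an added example (not code from the original article), here is one simple invisible-watermark technique for text: identifying data is encoded as zero-width Unicode characters that do not change what the reader sees but can be recovered by an algorithm after a copy-and-paste leak; the employee and session values are constructed. Marks like these are stripped by plain-text normalisation and do not survive a phone photo of the screen, so tracing camera captures relies on pixel-level watermarks in the rendered output instead.

```python
ZW0, ZW1 = "\u200b", "\u200c"   # zero-width space encodes 0, zero-width non-joiner encodes 1
MARKS = (ZW0, ZW1)
MAGIC = "WM1:"                   # header so random zero-width characters are not mistaken for a mark


def embed_watermark(carrier: str, payload: str) -> str:
    """Hide `payload` in `carrier` by placing one zero-width character after each space.
    Bits left over after the last space are appended at the end, so any carrier length works."""
    bits = "".join(f"{b:08b}" for b in (MAGIC + payload).encode("utf-8"))
    marks = [MARKS[int(bit)] for bit in bits]
    out, k = [], 0
    for ch in carrier:
        out.append(ch)
        if ch == " " and k < len(marks):
            out.append(marks[k])
            k += 1
    out.extend(marks[k:])
    return "".join(out)


def extract_watermark(text: str):
    """Recover the payload from leaked text, or None when no valid mark is present.
    Only the order of the zero-width characters matters, not where they sit."""
    bits = "".join("0" if ch == ZW0 else "1" for ch in text if ch in MARKS)
    usable = len(bits) - len(bits) % 8
    decoded = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode("utf-8", errors="replace")
    if not decoded.startswith(MAGIC):
        return None
    return decoded[len(MAGIC):]


def strip_watermark(text: str) -> str:
    """What a sanitising export filter does; also shows the visible text is unchanged."""
    return "".join(ch for ch in text if ch not in MARKS)


if __name__ == "__main__":
    # Constructed identifying data of the kind the article lists: employee ID, session, timestamp.
    page = "The quarterly customer list is attached for review."
    marked = embed_watermark(page, "emp=10427;sess=7f3a;t=2024-05-01T09:30Z")
    print(repr(marked))                  # zero-width characters are visible only in repr()
    print(extract_watermark(marked))     # emp=10427;sess=7f3a;t=2024-05-01T09:30Z
```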
Summary: Company Visibility Matrix Quick Reference #

What a company can see depends on device ownership, network path, and endpoint control.
The table below can serve as a quick judgment model:
| Scenario Conditions | Network Monitoring Visibility Scope | Endpoint Monitoring Visibility Scope |
|---|---|---|
| Personal device + Personal network | Extremely difficult to obtain information | Extremely difficult to obtain information |
| Personal device + Company network | May see device ID, connection time, visited domains, traffic size, some app connection behaviors | Difficult to directly monitor unless root certificates, MDM, NAC software, or enterprise VPN are required |
| Company device + Personal network | Depends on whether company VPN, proxy, or zero-trust gateway is mandatory | High, may record app usage, file operations, peripherals, clipboard, screenshots, and some local behaviors |
| Company device + Company network | High, may include domain auditing, proxy logs, TLS Inspection, deep traffic auditing | High, may include file-system level, endpoint log level, app behavior level, and some screen content auditing |
The core logic behind this table is:
- Company networks enhance network visibility;
- Company devices enhance endpoint visibility;
- Company accounts enhance behavioral traceability;
- Enterprise certificates, MDM, DLP, and EDR further expand visibility.
Therefore, don’t simply ask “can the company see?”
A better question is:
- Whose device am I currently using?
- Whose network am I using?
- Whose account am I logged into?
- Whose management software is installed on the device?
How to Simply Self-Check: Is Your Device Managed by the Company? #

The following methods are not intended to circumvent company security policies but to help you understand your device boundaries.
The purpose of self-checking is not to “fight the company,” but to clarify:
- Is my device managed?
- What is the approximate scope of management?
- Which actions are best avoided on this device?
12.1 Check if the computer has enterprise root certificates installed #
If a company performs TLS Inspection, it usually needs the device to trust an enterprise root certificate or intermediate certificate.
macOS #
You can open:
Keychain Access → System → Certificates
Pay special attention to whether there are:
- Root certificates related to the company name;
- Enterprise security gateway certificates;
- Proxy software certificates;
- Certificates related to security products such as Zscaler, Netskope, Palo Alto, Cisco, Fortinet, or Cloudflare.
You can also check in System Settings for installed configuration profiles:
System Settings → General → Device Management
If a company profile exists here, it indicates that this Mac may be managed by the enterprise.
Windows #
You can open:
certmgr.msc
Then check:
Trusted Root Certification Authorities → Certificates
Look for certificates related to the company or enterprise security products.
You can also check:
Settings → Accounts → Access work or school
If the device is connected to a company organizational account, it may be subject to enterprise policy management.
12.2 Check if the phone has MDM or a configuration profile installed #
iPhone #
You can check:
Settings → General → VPN & Device Management
If a company profile, MDM Profile, enterprise VPN, or certificate configuration exists here, it indicates that the device may be included in company management.
Android #
The path varies slightly by brand, but generally you can check:
Settings → Security → Device admin apps
Or:
Settings → Passwords & accounts / Work profile
If the device has a Work Profile, Device Policy, company management app, or is marked as an enterprise device, it means it may be subject to MDM management.
12.3 Check if company VPN or proxy is mandatory #
You can check network settings for the presence of:
- Always-on VPN;
- Enterprise proxy;
- PAC file;
- Zero-trust client;
- Security browser plugin;
- Company’s unified traffic forwarding policy.
If all network access is forced back to the company gateway, then even if you are working from home, some traffic may fall within the company’s audit scope.
12.4 Look at company policies, not just technology #
The most important step is actually not to check certificates, but to review company IT policies.
Relevant content typically appears in:
- Employee Handbook;
- Acceptable Use Policy;
- IT Security Policy;
- BYOD Policy;
- Privacy Notice;
- Workplace Surveillance Notice;
- Device Management Agreement.
These documents usually state:
- Whether the company monitors devices;
- What types of data are monitored;
- Whether personal use is allowed;
- Whether network access is recorded;
- Whether remote wiping is possible;
- Whether location, screen, file, or application information is collected;
- How long data is retained;
- Who can access audit data.
This is more reliable than guessing.
Legal and Compliance: Technical Capability Does Not Equal Unlimited Power #

Technical discussions can easily lead to a misconception:
As long as the company can technically do it, it can monitor endlessly.
This is not the reality.
In most jurisdictions, employee monitoring is subject to privacy, labor relations, data protection, communications regulations, and internal policy constraints.
In Australia, for example, companies handling personal information typically need to consider the Privacy Act, Australian Privacy Principles, and specific industry regulatory requirements. Different states and territories may also have additional regulations on workplace surveillance.
More broadly, reasonable enterprise monitoring should at least meet the following principles:
- Clear notification;
- Legitimate purpose;
- Reasonable scope;
- Minimum necessary;
- Controlled permissions;
- Auditable logs;
- Data retention period;
- No abuse of private information unrelated to work.
Therefore, we need to distinguish between two statements:
- Is it technically possible?
- Should it be done from a management perspective?
These two statements are not the same thing.
If a company views security tools as a means of prying, it ultimately harms not only employee privacy but also organizational trust.
This article is not legal advice. For specific countries, industries, or company scenarios, local regulations, contract terms, employee handbooks, and formal company policies should still be consulted.
Digital Boundary Guide for Ordinary Employees #

No need to panic, and no need to confront the company.
The most practical approach is to establish three boundary principles.
14.1 Device Ownership Principle: Company Equipment Is Not Private Space #
If a device belongs to the company, or is uniformly managed by the company, it’s best to treat it as a work space by default.
A safer approach is to treat company devices as work spaces and reserve personal matters for personal devices and personal networks.
Try to avoid handling on a company computer:
- Personal banking;
- Personal medical information;
- Private emails;
- Personal cloud storage;
- Private chats;
- Investment accounts;
- Highly private searches;
- Sensitive matters unrelated to work.
This is not about being guilty, but basic digital hygiene.
14.2 Identity Boundary Principle: Company Accounts Are Not Private Identities #
As long as you use a company account to log into a system, your operations may be recorded.
Including:
- Which documents were accessed;
- What files were downloaded;
- What data was queried;
- What records were modified;
- What reports were exported;
- What SaaS features were used;
- What APIs were called.
Company accounts are inherently subjects for audit.
Therefore, do not use company accounts for personal matters, and do not use personal accounts for company data.
Keep identities separate.
14.3 Network Path Principle: Company Networks Are Not Private Networks #
As long as traffic passes through company Wi-Fi, VPN, proxy, firewall, or zero-trust gateway, network logs may be left behind.
Even if content is encrypted, the connection behavior itself may be recorded.
Therefore, for truly sensitive private matters, it’s best to use:
- Personal devices;
- Personal networks;
- Personal accounts.
This both protects personal boundaries and reduces the company’s compliance risk.
Conclusion: Don’t Be Naive, Don’t Be Anxious #

Regarding company monitoring, there are two worst types of understanding.
One is the naive approach:
I cleared my browser history, so I’m fine.
The other is the panic approach:
The company can see everything; I have no privacy at all.
Both understandings are inaccurate.
The more realistic situation is:
- Companies have many technical means to gain security visibility;
- Different layers see different things;
- The network layer primarily sees connections, domains, and traffic paths;
- The endpoint layer may see files, software, peripherals, clipboards, and some local behaviors;
- Company accounts and internal systems naturally have audit logs;
- Deep monitoring requires permissions, deployment, policies, and a compliance basis;
- Technical capability does not equal unlimited power.
This article aims to inform, not to propagate “companies are scary” or “employees should fight against companies.”
More accurately, digital boundaries in the modern workplace have become crucial. Companies need to protect customer data, trade secrets, and internal systems, and employees also need to understand which spaces belong to work and which should be reserved for personal use.
The best state is not mutual suspicion, but clear boundaries:
- Companies know what they should and should not look at;
- Employees also know which devices, accounts, and networks are not suitable for personal matters;
- Security tools are for governing risks, not for creating fear.
Therefore, the last three statements remain:
Company equipment is not private space. Company accounts are not private identities. Company networks are not private networks.
Understand these three points, and you will not be naive, nor will you have to be anxious.
Security in the digital workplace comes not from luck, nor from panic, but from clear technical common sense and well-defined institutional boundaries.
References and Further Reading #

16.1 Network Layer, SNI, TLS, and ECH #
- IETF. RFC 6066: Transport Layer Security (TLS) Extensions. This document defines TLS extensions, including Server Name Indication (SNI), and is foundational for understanding how SNI works.
- Cloudflare. Encrypted Client Hello (ECH): the last puzzle piece to privacy. Introduces how ECH encrypts the Client Hello and why it impacts SNI-based domain visibility in traditional enterprise networks.
- Cloudflare Learning Center. What is encrypted SNI? How ESNI works. Suitable as introductory material for general readers to understand the evolution of SNI, ESNI, and ECH.
16.2 TLS Inspection and Enterprise Traffic Visibility #
- NIST / NCCoE. SP 1800-16: Securing Web Transactions — Appendix A: Passive Inspection. Discusses the security, privacy, and visibility trade-offs enterprises face when inspecting encrypted TLS traffic.
- NIST. Addressing Visibility Challenges with TLS 1.3 within the Enterprise. Discusses the impact of TLS 1.3 on enterprise network visibility and the new challenges enterprises face in security monitoring.
- Louis Waked, Mohammad Mannan, Amr Youssef. The Sorry State of TLS Security in Enterprise Interception Appliances. Researches the potential security risks introduced by enterprise TLS interception devices, reminding readers that TLS Inspection itself needs to be securely implemented and governed.
16.3 Endpoint Security, DLP, EDR, and Enterprise Security Software #
- Jonah Stegman, Patrick J. Trottier, Caroline Hillier, Hassan Khan, Mohammad Mannan. “My Privacy for their Security”: Employees’ Privacy Perspectives and Expectations when using Enterprise Security Software. Researches employees’ understanding, misconceptions, and privacy expectations regarding data collection by enterprise security software, suitable for supplementing this article’s discussion on “technical capabilities and organizational trust.”
- Microsoft. Mobile device management documentation. Introduces how enterprises can manage mobile devices through Microsoft Intune and related tools, useful for understanding the basic positioning of MDM in an enterprise environment.
16.4 Android, iOS, and Mobile Device Management #
- Android Open Source Project. Device management overview. Introduces concepts such as Profile Owner, Device Owner, and Work Profile in Android device management, helping to understand the differences between enterprise-managed devices and BYOD.
- Google Android Management API. Enroll and provision a device. Explains the relationship between Android device enrollment, configuration, device ownership, and management modes, suitable for understanding how enterprises differentiate between personally-owned and company-owned devices.
- Apple. Intro to device management profiles. Introduces how Configuration Profiles in Apple devices configure settings, accounts, restrictions, and credentials, serving as official documentation for understanding iOS/macOS device management.
- Apple Developer Documentation. Install Profile Command. Explains the command mechanism for installing configuration profiles in Apple device management to developers, suitable as technical background material for MDM Profile.
16.5 Australian Privacy, Workplace Monitoring, and Compliance Boundaries #
- Office of the Australian Information Commissioner. Workplace monitoring and surveillance. Introduces the relationship between workplace monitoring and privacy rights in Australia, and explains when relevant privacy principles may apply when employers retain monitoring records.
- Office of the Australian Information Commissioner. Australian Privacy Principles. Introduces the basic framework of the Australian Privacy Principles, useful for understanding the principles enterprises must adhere to when handling personal information.
- Office of the Australian Information Commissioner. Employment. Explains the basic boundaries of the employee records exemption under the Australian Privacy Act, helping to understand the difference between employee records and general personal information processing.
- NSW Legislation. Workplace Surveillance Act 2005 No 47. The core legal text concerning workplace surveillance in New South Wales, including requirements such as written notice before employee monitoring. Although laws vary by state, this act serves as an important reference for understanding the compliance boundaries of workplace monitoring in Australia.
16.6 Keywords for Further Research #
If you wish to further research enterprise monitoring and employee privacy, you can continue to search for the following keywords:
- SNI
- Encrypted Client Hello
- TLS Inspection
- Certificate Pinning
- Endpoint Detection and Response
- Data Loss Prevention
- Mobile Device Management
- Work Profile
- Device Owner
- Workplace Surveillance
- Employee Monitoring
- Australian Privacy Principles
- Workplace Surveillance Act