FWIW, this isn’t to do with me personally at all, I’m not looking to do anything dodgy here, but this came up as a theoretical question about remote work and geographical security, and I realised I didn’t know enough about this (as an infosec noob)
Presuming:
- an employer provides the employee with their laptop
- with security software installed that enables snooping and wiping etc and,
- said employer does not want their employee to work remotely from within some undesirable geographical locations
How hard would it be for the employee to fool their employer and work from an undesirable location?
I personally figured that it’s rather plausible. Use a personal VPN configured on a personal router and then manually switch off wifi, bluetooth and automatic time zone detection. I’d presume latency analysis could be used to some extent?? But also figure two VPNs, where the second one is that provided by/for the employer, would disrupt that enough depending on the geographies involved?
What else could be done on the laptop itself? Surreptitiously turn on wiki and scan? Can there be secret GPSs? Genuinely curious!
Most places will use IP based location services so if you use a router based VPN to appear in another place it will hide you well enough for the initial glance.
Conditional access policies may out you though. Several places will deny known VPN endpoints from logging in. But if you get a VPS hosting server and run your own endpoint you will be less likely to get nabbed by that one.
GPS in laptops is almost unheard of. Sure there are specific models built for specific use cases that have them but a regular corporate laptop is not.
AGPS probably does work though for location. Many work laptops have sim cards for 5g, and that means connectivity permanence and assisted gps from cell tower triangulation.
However I know from testing things like m365 login just accepts the ip location of vpn endpoint.
My advice is it depends: and it mostly depends on the effort of the sysadmin and the level of logs they look into. The timing of the log from your vpn connection and your location. If they own the networks you did connect to, those networks will know where you are.
Use your personal device for personal things. End of story.
Oh one different situation: because I’ve been on the side of supplying logs to cyber forensic analysts as part of cyber insurance post breach, the level of scrutiny will matter. If they find you’re doing something they don’t want on work equipment near or around a cyber incident you’ll be part of the post breach recommendations. As in, what to remediate.