[p2detar]

An MDM orga cannot install a trusted CA on non-supervised (company owned) devices. By default on BYOD these are untrusted and require manual trust. It also cannot see everything on your device - certainly not your email, notes or files, or app data.

[somebudyelse]

As someone who has an MDM-managed device, I beg to differ. Although, this one uses newer style android MDM, which involves factory resetting and doing special things during OOBE. Even if it used the older style, nothing's stopping the app for requesting file access, notification access, etc. and not working until you grant the permissions.

[Melatonic]

Android has multiple options for MDM - the mess invasive one has a completely separate work profile that should not give the org that kind of access.

[p2detar]

Nothing is stopping any app from the Play store to request any particular permission, not just MDM apps, right? And yet, no app can read arbitrary filesystem data including random app data without your device being rooted first.

If anything, one of many MDM purposes is to prevent orgas from enrolling rooted devices in their fleet.

[layer8]

If it is untrusted, you also won’t have a TLS connection be established based on that CA.