🫧 Location Bubble Part 2 of 2

The Location Bubble — Going Fully Undetected

You've locked your app settings. Now here's the complete system — every layer from your network to your device, and the honest answer on what MDM can and can't see through all of it.

Series: Part 1 explained what your apps send and what you can change at the app level. This guide covers the complete picture — what a fully built location bubble looks like, layer by layer, and where the real boundaries are. Including the honest answer on MDM, which most guides skip.
The core idea

What a Location Bubble Actually Is

A location bubble is not about hiding. It's about reconstructing home. Every signal that identifies your location — your IP address, your timezone, your device metadata, your activity patterns — gets replaced with a version that says "home." Not fake-home. Actual home. Your real home IP, your real home timezone, your real home network. You just happen to be accessing it from somewhere else.

🏠 The right way to think about it
It's not a disguise. It's a remote control for your home.
When you use a TV remote, the TV has no idea you're sitting on the couch or standing across the room. The signal is the same. A location bubble works the same way — your company's systems see the same signals they've always seen from you, because those signals are genuinely coming from your home. You're just operating the remote from further away.

The Location Bubble — Layer by Layer

Layer 1 — Network: Home residential IP via hardware tunnel
Layer 2 — OS & Browser: Timezone locked to home, auto-update off
Layer 3 — Device: Location services off, WiFi scanning blocked via Ethernet
Layer 4 — Apps: Slack, Teams, Google, Zoom all set to home timezone
✓ You — digitally at home

Each layer handles a different category of signal. Miss one and that signal leaks through. Build all four and your digital footprint is genuinely indistinguishable from working from your home network — because in every way that matters to the detection systems, you are.

Layer 1 — The most important one

The Network Layer — Your IP Address

This is the foundation everything else rests on. If your IP address says Bangkok, no amount of app settings will fix the metadata. The network layer has to come first.

The goal is simple: all your internet traffic exits through your home router, using your home residential IP. Not a VPN data center. Not a foreign hotel IP. Your actual home connection — the same one your company's systems have been seeing for months or years.

Option A

Hardware Tunnel — The Most Complete Solution

A travel router at your physical location connects to the local WiFi (hotel, Airbnb, café). All your devices connect to the travel router. All traffic goes through an encrypted WireGuard tunnel back to a home router sitting on your home network. Traffic exits the internet through your home IP.

  1. Home router — plugged into your home internet. Acts as the exit point. Never moves.
  2. Travel router — goes in your bag. Connects to local WiFi wherever you are. Creates your bubble.
  3. Kill switch — if the tunnel drops for any reason, all traffic stops. No real IP leakage even for a second.
  4. Every device connected to the travel router is automatically inside the bubble — laptop, phone, tablet, no per-device setup.

💡 Why hardware beats software VPNs for this: Software VPNs protect one device at a time, require installation on each device (which EDR can see), use data center IPs that are on corporate blocklists, and drop and reconnect in ways that create impossible travel log events. A hardware tunnel at the router level covers all devices, uses your residential IP, and handles reconnection invisibly at the network level.

This is what HomeLink does
HomeLink ships two pre-configured GL.iNet routers — one for home, one for travel. The tunnel is set up, the kill switch is hardcoded at the firmware level so a firmware update can't reset it, and the relay server means it works even on Starlink or T-Mobile 5G where port forwarding isn't possible. Your IP is your actual home IP. Setup is plug in and go.

Option B

DIY WireGuard — If You Want to Build It

If you own a GL.iNet router and want to set this up yourself, the implementation guide covers the full process. The main limitations to be aware of:

  1. CGNAT: T-Mobile 5G, Starlink, and some fiber providers use shared IPs that make port forwarding impossible. The DIY method won't work without a relay server workaround.
  2. Kill switch: The GL.iNet software kill switch can be reset by firmware updates. You have to check it manually after every update.
  3. DDNS lag: When your home ISP rotates your IP, DDNS can lag by minutes — causing tunnel drops during that window.

Read the full implementation guide →

Layer 2

The OS & Browser Layer — Lock Your Timezone

With the network layer in place, your IP is home. Now your OS and browser timezone need to match. If they auto-update to local time, the timezone mismatch between your IP (home) and your device metadata (Bangkok) creates a new flag.
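
From the monitoring side, the two flags named so far (a client timezone that disagrees with the sign-in IP's location, and impossible travel after a VPN drop) reduce to simple checks over sign-in logs. This is an added example, not part of the original guide or of any product's code; the record layout, the 900 km/h threshold, the 50 km floor and the sample events are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900  # assumed threshold, roughly airliner cruising speed

# Constructed sign-in records in a hypothetical schema:
# (user, UTC time, IP-geolocated lat, lon, UTC offset in minutes implied by
#  the IP's location, UTC offset in minutes reported by the client device)
EVENTS = [
    ("alice", "2024-03-04T14:00:00", 41.88, -87.63, -360, -360),
    ("alice", "2024-03-04T15:00:00", 13.75, 100.50, 420, 420),
    ("bob", "2024-03-04T09:00:00", 41.88, -87.63, -360, 420),
    ("bob", "2024-03-05T09:00:00", 41.88, -87.63, -360, -360),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review_signins(events, max_kmh=MAX_KMH):
    """Return (user, timestamp, reason) findings for a list of sign-ins."""
    findings, last_seen = [], {}
    for user, ts, lat, lon, ip_off, client_off in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        # Device clock zone disagrees with where the IP geolocates.
        if ip_off != client_off:
            findings.append((user, ts, "timezone_mismatch"))
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Simultaneous sign-ins from distant places count as impossible too.
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                findings.append((user, ts, "impossible_travel"))
        last_seen[user] = (when, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in review_signins(EVENTS):
        print(finding)
```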

Mac

macOS — Lock the Timezone

  1. Open System Settings → General → Date & Time
  2. Turn off "Set time zone automatically using your current location"
  3. Manually select your home timezone from the dropdown
  4. Do this before you travel — not after you land

⚠️ macOS sometimes re-enables automatic timezone after OS updates. Add a check to your pre-travel routine.

Windows

Windows — Lock the Timezone

  1. Open Settings → Time & Language → Date & Time
  2. Turn off "Set time zone automatically"
  3. Select your home timezone from the dropdown

💡 Browser timezone follows the OS timezone automatically on Windows. No separate browser setting needed.

Layer 3

The Device Layer — Kill Location Services

Even with your IP and timezone locked to home, your device can still betray you through GPS and WiFi triangulation if location services are on. This layer shuts that down.

Mac

macOS — Disable Location Services

  1. System Settings → Privacy & Security → Location Services
  2. Either turn off Location Services entirely, or scroll down and disable it for every work application — Slack, Teams, Chrome, Safari, Zoom
  3. Scroll to System Services at the bottom → turn off "Significant Locations" and "Location-Based Suggestions"

Windows

Windows — Disable Location Services

  1. Settings → Privacy & Security → Location
  2. Turn off "Location services" entirely, or toggle off individual apps
  3. Scroll down and disable location access for any work apps listed

The Ethernet trick for WiFi triangulation

Even with location services off, your laptop's WiFi radio is still scanning for networks in the background. Those network names can be cross-referenced to physical locations. The cleanest way to stop this entirely: connect your laptop to the travel router via Ethernet cable and disable your WiFi entirely. No WiFi radio, no visible networks, no triangulation possible.

This isn't always practical in a hotel room — but for high-stakes work from sensitive locations, it's the most complete option.

Layer 4

The App Layer — Lock Your Profile Settings

With the first three layers in place, app settings are the final polish. They handle the human-visible signals — what your colleagues see when they look at your profile or status. See Part 1 of this series for the full per-app breakdown. The summary:

  1. Slack: Profile → Edit Profile → Time Zone → set to home
  2. Google Calendar: Settings → Time Zone → Primary → set to home (this propagates to all Google apps)
  3. Zoom: zoom.us → Profile → Edit → Time Zone → set to home
  4. Teams: Settings → General → Language and region → set to home
  5. Slack Do Not Disturb: Set DND to hours that match your home working schedule so your active/inactive status looks normal

The honest exception

MDM — What It Is, How to Check, and What It Changes

MDM stands for Mobile Device Management. It's software your company installs on work laptops to enforce security policies and sometimes collect telemetry. It's the one part of this picture that the bubble doesn't fully contain — but the risk depends entirely on what your specific MDM setup is configured to do.

🔭 Simple version
It's like a landlord who has a key to your apartment
The bubble is your apartment. You control everything inside it. But if your company installed MDM on your work laptop, they have a key — and that key works regardless of what network you're on. They might never use it. They might use it only for security enforcement. Or they might use it to check your location. The question is: do they have the key, and what are they doing with it?

Step 1 — Check if MDM is installed on your device

How to check for MDM on your device

Mac
Go to System Settings → Privacy & Security → Profiles
If you see any profiles listed that you didn't install yourself, MDM is present.
Also check: Apple menu → About This Mac → System Report → Software → Managed Client — if this section exists and has content, your device is managed.

Windows
Go to Settings → Accounts → Access work or school
If your work account is listed with an organization name and "Managed by [Company]," MDM is enrolled.
Also check: Settings → Privacy & Security → Windows Security → Device Security — corporate MDM often appears here.

The telling signs regardless of OS
Settings that are grayed out or locked. A timezone you can't change. Location services you can't turn off. A VPN that starts automatically. These are MDM policies enforcing configuration — and they mean the MDM can likely also read from those same systems.

Step 2 — Understand what MDM can do if present

Not all MDM deployments are equal. MDM is a platform — what it actually does depends on what policies your IT team configured. Here's what's possible vs. what's common:

| MDM capability | Technically possible | Common in practice |
| --- | --- | --- |
| Enforce security policies (encryption, password requirements) | Yes | Very common |
| Report device IP address | Yes | Common |
| Report installed applications | Yes | Common |
| Force location services on | Yes | Less common |
| Report GPS coordinates actively | Yes | Less common — mainly larger enterprises |
| Report WiFi networks nearby | Yes | Less common |
| Bypass your network routing (VPN bypass) | Yes | Varies — some MDM agents do this |

⚠️ The key question: If MDM is present and your location services are truly off — not grayed out, genuinely off — the MDM loses its GPS/WiFi triangulation feed. It can still report your IP (which the bubble handles) and device telemetry, but not your physical coordinates. If location services appear grayed out or locked, MDM policy is forcing them on and the bubble has a gap at the device layer.

Step 3 — The practical answer for most people

If you work at a small to medium company, use a personal device for travel where possible, and your company hasn't explicitly told you the laptop is managed — MDM is unlikely to be running aggressive location collection. The bubble covers you for the detection scenarios that actually affect most remote workers.

If you work in finance, healthcare, defense contracting, or a large enterprise, assume more aggressive MDM. In that case, use a personal device connected to the travel router for any work that matters for location privacy. Your personal device isn't enrolled in your company's MDM. The bubble around it is complete.

✓ The personal device solution is clean: Connect your personal laptop to the HomeLink travel router. Your traffic exits your home IP. Your personal device has no MDM. Location services are under your full control. The bubble is complete with no exceptions.

Before every trip

The Pre-Travel Checklist

🫧 Complete Location Bubble Checklist

Layer 1 — Network
✓ Home router plugged in and connected to home internet
✓ Travel router packed in carry-on (never checked luggage)
✓ Verified kill switch is active
✓ Pre-flight test passed — whatismyip.com shows home IP from external network

Layer 2 — OS & Browser
✓ Automatic timezone disabled on Mac/Windows
✓ Timezone manually set to home timezone
✓ Verify setting hasn't been reset by a recent OS update

Layer 3 — Device
✓ Location services off for all work applications
✓ "Significant Locations" disabled (Mac)
~ If available: connect via Ethernet to travel router, disable WiFi entirely
~ Check for MDM — if grayed-out settings exist, use personal device instead

Layer 4 — Apps
✓ Slack timezone → home
✓ Google Calendar timezone → home (propagates to all Google apps)
✓ Zoom timezone → home
✓ Teams/Outlook timezone → home
✓ Slack Do Not Disturb hours match home working schedule

Ongoing — Every New Location
✓ Run whatismyip.com before opening any work app — confirm home IP
✓ If IP doesn't match home: stop, don't open work apps until tunnel is confirmed
✓ After any firmware update: recheck kill switch and timezone settings

The honest ceiling

What the Bubble Covers — and What It Doesn't

| Detection scenario | Bubble coverage |
| --- | --- |
| IP-based geolocation and country detection | ✓ Fully covered |
| Impossible travel from VPN drop | ✓ Covered by kill switch |
| Risky IP / VPN IP blocklists | ✓ Covered — residential IP |
| Timezone metadata mismatch | ✓ Covered by OS lock + app settings |
| GPS location data | ✓ Covered if location services off |
| WiFi triangulation | ✓ Covered via Ethernet + location services off |
| App-level timezone display signals | ✓ Covered by app settings |
| MDM GPS reporting (if location services forced on) | ✗ Not covered — use personal device |
| MDM device telemetry on enrolled work laptop | ~ Partial — IP covered, other telemetry varies |
| Human observation (colleagues noticing your hours) | ~ Partial — covered by DND/status settings |

A complete bubble on a personal device with no MDM covers everything in this table. The only gap that matters in practice is MDM-enrolled company laptops with active location telemetry — and the solution for that is using a personal device connected to the travel router, which closes the gap entirely.


The network layer, handled.

HomeLink takes care of Layer 1 — the hardest one. Pre-configured, residential IP, hardcoded kill switch, works on any ISP. You handle the other three layers in about 15 minutes.