Mobile Device Management (MDM) FAQs

What is Mobile Device Management (MDM)?

The Mobile Device Management (MDM) service provides device management capabilities, including centrally pushed configuration, self-service tools, and enhanced protection. It also keeps your device aligned with common-sense privacy and security measures.

MDM enables you to connect securely to internal networks without needing to configure the settings one-by-one on your own.

What’s in it for me?

MDM gives you free tools so you can protect your privacy and manage your device even when it is not with you. It applies configuration profiles that:

  • Add a passcode and automatic screen lock to your device to keep intruders out.
  • Encrypt the contents of your device so they are protected should it be lost or stolen.
  • Remotely lock your device if you lose it.
  • Enable you to wipe data from your device if it's lost or stolen.
  • Configure ActiveSync email, contacts, and calendar on your device.
  • Detect whether a device has been jailbroken or rooted, since a jailbroken or rooted device has lost the operating-system protections that keep malware out. (Detection is best-effort: a determined user can sometimes hide a jailbreak from it.)
  • Lock out anyone who enters more than 10 failed passcode attempts on an iOS device. (Note: iOS imposes increasing delays after repeated failures, so reaching the 10th attempt takes about two hours.)
  • Configure SLAC secure WiFi.
  • Configure eduroam secure WiFi, the roaming wireless service at participating educational and research institutions.

MDM also gives you easy access to apps that provide enhanced productivity here at SLAC.

Why do we need MDM?

MDM enforces device encryption so that if a device is lost or stolen, a third party cannot access protected information, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), that may be stored on it.

Stanford University has learned that a stolen device may be determined after the fact to have held PII/PHI even when the user believed there was none. Given this, the University and SLAC require all mobile devices used for business purposes to be enrolled in MDM.

Who may enroll in MDM?

Anyone with a SLAC Windows account and one or more eligible devices may enroll in MDM.

Who is required to enroll in MDM?

Anyone who uses a mobile device for SLAC business is required to enroll that device in MDM. These include persons who:

  • use SLAC-owned eligible mobile devices,
  • receive a stipend compensating them for the use of their personal mobile device,
  • for their own convenience elect to use their personal device to:
    • access SLAC networks other than the visitor network,
    • access SLAC email via client software that stores message content on the device, or
    • otherwise have the ability to access PII or PHI.

How does MDM work with mobile devices?

Will MDM back up the data on my mobile device?

No, you are responsible for backing up your mobile device. If your device is an Apple iPhone or iPad, though, MDM does configure it so that backups are automatically encrypted.

Will using MDM slow down my mobile device?

No, there should be no performance impact once you have completed enrollment in the mobile device management program.

Will using MDM reduce the battery life on my mobile device?

No. In general, MDM only “checks in” once a day, and a check-in uses less power than sending a single text message.

What devices can enroll in MDM?

Our MDM service protects smartphones, tablets, and iPod touch devices. Windows and Macintosh laptops are protected via other SLAC IT services.

Apple iOS devices:

  • With iOS 12.0 or later

Android devices:

  • With Android 8.0 or later
  • Mainstream smartphones and tablets from Google (Nexus), Motorola, Samsung, and HTC have the highest degree of success. Amazon-branded and lesser-known devices are less successful.
  • Chromebooks (ChromeOS) are not eligible for enrollment in MDM.
  • Android devices manufactured by Huawei or ZTE are not eligible for enrollment in MDM.

No support for Windows Mobile, BlackBerry, or Symbian devices is planned. Support for Windows Phone is deprecated and no longer available.

What if my mobile device doesn’t meet the requirements to enroll?

Devices that are not able to enroll in MDM can continue to use the SLAC visitor WiFi network and access email via the web interface (also known as Outlook Web Access – OWA).

What if I choose not to enroll my personally-owned mobile device?

If you choose not to enroll in MDM, you can continue to use the SLAC visitor WiFi network and access email via the web interface (also known as Outlook Web Access – OWA).

How do I enroll my device in MDM?

Please see the Jamf MDM for iDevices or Intune for Android articles for instructions on how to set up your device(s).

What data on my device does MDM access or store?

For each mobile device, SLAC stores the following:

  • UDID
  • Phone Number
  • Platform
  • OS Version
  • WiFi MAC Address
  • Bluetooth MAC Address
  • Serial Number
  • Most recent check-in time
  • Jailbroken/Rooted status
  • Storage Capacity
  • Physical Memory Size
  • “Find My iPhone” enrollment status
  • Activation Lock status
  • Time of most recent iCloud backup
  • Encryption Status
  • Roaming Status
  • Personal HotSpot Status
  • SIM Card Status
  • IP Address
  • IMEI
  • SIM Number
  • Cellular Radio Status
  • Total number of active apps (but not the names of the personally owned apps)
  • Names, Versions, and Usage Information for MDM-managed apps
  • Metadata for installed encryption and identity certificates
  • Passcode Status
  • Time of Enrollment

(Not every parameter listed above is applicable to every device. Some are iOS- or Android-specific; some apply only to cellular-enabled devices and not to WiFi-only devices.)

Who has access to the data stored in MDM?

Access to data in MDM is limited to the minimum necessary, and all access is logged.

For example, SLAC reporting users and other Stanford-affiliated staff have access only to basic enrollment and compliance information.

Help desk staff have access to most technical details for each device as they require that information to troubleshoot user and device problems.

MDM application administrators have access to all data contained in the system. There are currently only three MDM application administrators at SLAC.

Access to data held by the MDM system is considered to be privileged access and is governed by SLAC’s policies for System Administrative Accounts.

What actions can SLAC perform on a managed device via MDM?

MDM help desk and admin staff can:

  • Query the device to update the data items listed above
  • Lock the device
  • Clear the passcode from the device
  • Enterprise wipe the device
  • Send messages to the device via the device’s native notification service
  • Publish new profiles to the device
  • Refresh existing profiles on the device
  • Publish web clippings and applications to the device

Not all capabilities are available to all IT administrator roles.

Can SLAC use MDM to track me via my mobile device?

No. If we find it necessary to enable this feature in the future, we will notify all MDM users.

We do not currently track shared devices (for example, devices used at a kiosk to fill out forms, or by shift personnel while they are at their workstations) but we reserve the right to do so in the future.

SLAC encourages device owners to enroll their devices in third-party services such as Find My iPhone or Android Device Manager (now called Find My Device) so that they can locate their devices themselves should the need arise.

I’ve heard that under certain circumstances SLAC can make a copy of everything on my device.

  • Why would that be done?

If a legitimate business need arises such as responding to internal investigations, security incidents, or discovery requests arising from administrative, civil, or criminal legal proceedings, the Laboratory may be required to inventory or copy content from the device. By enrolling in the MDM service you are explicitly granting your permission for this access should the need arise.

  • Who would have to approve it?

Such copies must be approved by SLAC Human Resources, which also manages the copying process.

  • How would it be done?

Once the access is authorized, the user of the device would make it available to investigators for copying, typically by means of commercial or open-source forensic tools.

  • Who would be able to see that data?

The data would be exposed to the smallest group of individuals possible, and only within the scope of the matter at hand.

  • Is this true for personally-owned devices as well as SLAC-owned devices?

Yes. See in particular paragraph 2d of the Stanford University Administrative Guide Memo 6.2.1, Computer and Network Use Policy.

Personally Owned Resources

Stanford does not require personnel to use their personally owned resources to conduct University business. Individual units within the University may permit such use, and users may choose to use their own resources accordingly. Any personally owned resources used for University business are subject to this policy and must comply with all Stanford requirements pertaining to that type of resource and to the type of data involved. The resources must also comply with any additional requirements (including security controls for encryption, patching and backup) specific to the particular University functions for which they are used.

  • What happens if I refuse to allow the copy to be made?

Failure to cooperate may result in loss of system access, administrative disciplinary action up to and including termination, and/or civil or criminal penalties.

Can SLAC wipe my whole device, including my personal information?

The capability exists, but it is our policy never to wipe someone’s whole device.

Note that any mobile device that receives email from our Exchange server via ActiveSync can be completely wiped by the Exchange administrators, even if it is not enrolled in MDM. This is a feature of the Exchange ActiveSync protocol itself, not of MDM. SLAC has never used this feature.

That said, mobile devices are often lost, stolen, or damaged. Prudent users will back up the personal information on their mobile devices and will enroll in third-party services like Find My iPhone or Android Device Manager (now Find My Device) so that they can wipe the personal data from their devices themselves if they deem it necessary.

Can SLAC wipe just the SLAC-managed information from my devices?

Yes. This is called an “enterprise wipe.”

The most common reason that SLAC data would be removed from a personal device is when the device is removed from the MDM system, either because the owner is replacing it with a new device, or because the owner is leaving SLAC employment.

Enterprise wipes are also performed under certain circumstances when a device is reported as lost or stolen.

Finally, device owners can perform enterprise wipes themselves through the MDM Self Service Portal at https://mm.stanford.edu/mydevice

Log in with the group set to "SLAC" and your SLAC Windows AD username and password.