Mobile Device Management Enrollment & Restrictions
Mobile device management enrollment and restrictions by platform
Pursuant to HOP 5.8.12, all mobile devices which utilize University resources must be enrolled with the UT Health San Antonio Mobile Device Management service.
To prevent data loss through uncontrolled connectivity, MDM establishes the following restrictions on University-owned devices.
Apple Platform Restrictions (for University-owned devices only)
Disallow opening managed app documents in unmanaged apps. When the University begins developing its own applications, MDM will ensure only those applications can open data specific to the apps; other apps will not be able to do so.
Disallow manual profile installation. The security settings on the smartphone or tablet are set in the device’s MDM profile. Allowing any other profiles to be installed would compromise the security of the device.
Disallow AirDrop. AirDrop allows files of many types to be transferred to other Apple products that have AirDrop enabled. Disabling AirDrop prevents data loss using an unmanaged application.
Disallow iCloud backup. Backing up an iOS device to iCloud is designed to prevent loss of personal information and pictures. iCloud, though, is not a managed product and is outside the control of the Health Science Center, so University information will not be backed up in this fashion.
Disallow document sync. Document sync in iTunes allows data files to be associated with specific apps on the iOS device. Document sync is disabled to keep University data from being opened on an application not managed by MDM.
Disallow Photo Stream. Photo Stream allows pictures on your iOS device to be shared with other iOS devices signed in with the same Apple ID. Since pictures on University-owned phones and tablets may be sensitive, Photo Stream is disabled.
Disallow Shared Photo Stream. Shared Photo Stream builds on Photo Stream by letting the iOS user choose which photos are shared and with whom. Since pictures on University-owned phones and tablets may be sensitive, Shared Photo Stream is disabled as well.
Disallow diagnostic data to be sent to Apple. When errors occur on iOS devices, the tablet or smartphone collects diagnostic information related to the error or crash. This information includes the type of device, its operating system, applications installed, and possibly data in use at the time. Because this information can include sensitive University data, error and crash data are not sent to Apple for analysis.
Accept cookies from visited sites only. Browser cookies contain information about websites visited, dates and times of visits, and other details of the browsing session. Malicious sites can set cookies that let them track users across websites. MDM restricts Safari to cookies from sites the user actually visits and blocks these "third-party" cookies.
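The Apple restrictions above are delivered to a device as a Restrictions payload inside a configuration profile (.mobileconfig). The following Python example, added here and not code from UT Health San Antonio or its MDM vendor, builds such a profile for the listed restrictions and then audits an arbitrary profile against the same list, reporting which restrictions are not enforced. The payload key names are those of Apple's Restrictions payload (PayloadType com.apple.applicationaccess); mapping each of the page's restriction names to a key is this example's assumption, and the payload identifiers are constructed placeholders. It also shows a weakened profile to illustrate what the audit catches.

```python
"""Build and audit an Apple Restrictions payload for the University-owned iOS policy."""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type

# (policy restriction name from the page, Apple restriction key, value the profile must carry).
# Mapping the page's wording to these keys is an assumption of this example, not the page's.
# safariAcceptCookies: 0 = never, 1 = current website only, 1.5 = websites I visit, 2 = always.
POLICY = [
    ("Disallow opening managed app documents in unmanaged apps", "allowOpenFromManagedToUnmanaged", False),
    ("Disallow manual profile installation", "allowUIConfigurationProfileInstallation", False),
    ("Disallow AirDrop", "allowAirDrop", False),
    ("Disallow iCloud backup", "allowCloudBackup", False),
    ("Disallow document sync", "allowCloudDocumentSync", False),
    ("Disallow Photo Stream", "allowPhotoStream", False),
    ("Disallow Shared Photo Stream", "allowSharedStream", False),
    ("Disallow diagnostic data to be sent to Apple", "allowDiagnosticSubmission", False),
    ("Accept cookies from visited sites only", "safariAcceptCookies", 1.5),
]


def build_restrictions_payload():
    """Return the Restrictions payload dictionary that enforces every entry in POLICY."""
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.university.restrictions",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "University-owned iOS device restrictions",
    }
    for _name, key, value in POLICY:
        payload[key] = value
    return payload


def build_profile():
    """Wrap the Restrictions payload in a top-level configuration profile structure."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.university.profile",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example MDM restrictions profile",
        "PayloadContent": [build_restrictions_payload()],
    }


def weakened_profile():
    """A constructed 'before' profile: AirDrop allowed, backup key missing, all cookies accepted."""
    profile = build_profile()
    payload = profile["PayloadContent"][0]
    payload["allowAirDrop"] = True
    del payload["allowCloudBackup"]       # an absent key falls back to Apple's default (allowed)
    payload["safariAcceptCookies"] = 2    # "Always": third-party cookies accepted
    return profile


def to_mobileconfig(profile):
    """Serialise the profile as XML plist bytes, the on-disk .mobileconfig form."""
    return plistlib.dumps(profile)


def audit(profile_bytes):
    """Parse a .mobileconfig and return the policy restrictions it fails to enforce, in POLICY order."""
    profile = plistlib.loads(profile_bytes)
    restrictions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PAYLOAD_TYPE:
            restrictions.update(payload)
    failures = []
    for name, key, required in POLICY:
        actual = restrictions.get(key)   # None when the key is missing: treated as non-compliant
        if key == "safariAcceptCookies":
            ok = actual is not None and actual < 2   # anything below "Always" blocks third-party cookies
        else:
            ok = actual == required
        if not ok:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("compliant profile gaps:", audit(to_mobileconfig(build_profile())))
    print("weakened profile gaps: ", audit(to_mobileconfig(weakened_profile())))
```

Two points the audit makes visible: a restriction key that is simply absent is not a denial, because the device then applies Apple's default (allowed), so the checker treats missing keys as failures; and on real devices some keys, allowAirDrop among them, only take effect on supervised devices, which is why the page limits these restrictions to University-owned hardware.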
Android Platform Restrictions (for University-owned devices only)
Disallow near field communication (NFC). NFC allows two or more similarly equipped devices to establish a short-range communication channel for sharing data such as pictures and documents. Malicious NFC channels can be used to steal data from nearby devices. All data exchanges must go through MDM-approved applications, so NFC is disabled, along with Android Beam and S Beam where present.
Disallow Google backup. Backing up an Android product to the Google cloud is designed for preventing loss of personal information and pictures. Google’s backup, though, is not a managed product and is outside the control of the Health Science Center, so University information will not be backed up in this fashion.
Disallow developer options. The open nature of the Android operating system and platforms allows for a great deal of customization. This customization, however, can make the device less secure and more vulnerable to compromise, so Developer Options have been disabled.
Disallow non-market app installation. Applications which have not been reviewed and approved for the Google Marketplace can contain malware and other malicious code that could lead to the compromise of the University device and data. No third-party applications obtained outside the Google Marketplace will be installed.
Disallow Google crash report. When errors occur on Android devices, the tablet or smartphone collects diagnostic information related to the error or crash. This information includes the type of device, its operating system, applications installed, and possibly data in use at the time. Because this information can include sensitive University data, error and crash data are not sent to Google for analysis.
Disable Android Beam. Android Beam allows the rapid short-range exchange of web bookmarks, contact info, directions, YouTube videos, and other data through NFC. Since this can be used to cause data leaks, it is disabled with NFC.
Disable S Beam. Android S Beam (Samsung devices) allows the rapid short-range exchange of web bookmarks, contact info, directions, YouTube videos, and other data through NFC on Samsung devices. Since this can be used to cause data leaks, it is disabled with NFC.
Apple iOS MDM Enrollment Process
The following steps are necessary to register and enroll an Apple iOS device with the University's Mobile Device Management system. Should you have any questions or experience issues following these steps, please contact the Service Desk at 210-567-7777.
Corporate-Dedicated: This device was purchased and is owned by the University. The device is used exclusively for UT Health business. The University can control the entire device.
Employee Owned: This device was purchased and is owned by you. The device is primarily used for your personal business, but will occasionally be used for University business. The University can only control the University’s installed apps and email. Personal apps and data are not controlled by the University.
Instructions for Microsoft Intune Mobile Device Management for Apple iOS devices
Android MDM Enrollment Process
The following steps are necessary to register and enroll an Android device with the University's Mobile Device Management system. If you have any questions or experience issues while following the instructions in this document, please contact the IMS Service Desk at 210-567-7777.
Corporate-Dedicated: This device was purchased and is owned by the University. The device is used exclusively for Health Science Center business. The University can control the entire device.
Employee Owned: This device was purchased and is owned by you. The device is primarily used for your personal business, but will occasionally be used for University business. The University can only control the University’s installed apps and email. Personal apps and data are not controlled by the University.
Instructions for Microsoft Intune Mobile Device Management for Android devices