---
name: mobile-device-management
description: Manage corporate and BYOD mobile devices including iOS, Android, and tablets through centralized MDM solutions. Use when enrolling devices, enforcing security policies, deploying applications remotely, managing device configurations, handling device loss/theft, implementing containerization, managing BYOD programs, or tracking device compliance. Triggers on phrases like "MDM", "mobile device management", "BYOD", "device enrollment", "device policy", "app deployment", "kiosk mode", "device wiping", "Apple Business Manager", "Android Enterprise", "device compliance".
---

# Mobile Device Management (MDM)

Centralized management and security of corporate and employee-owned mobile devices across iOS, Android, and tablet platforms.

## Workflow

1. Select MDM platform based on OS support, feature set, scalability, and budget (e.g., VMware Workspace ONE, Jamf Pro, Microsoft Intune, Cisco Meraki Systems Manager, Hexnode).
2. Define enrollment strategy: supervised/enhanced (corporate-owned) vs. standard (BYOD), ABM/EMM integration for zero-touch enrollment.
3. Establish device compliance policies: OS minimum versions, passcode requirements, encryption, jailbreak/root detection, app allow/block lists.
4. Configure device profiles and configurations: Wi-Fi, VPN, email, certificates, restrictions.
5. Deploy required applications: MAM (Mobile Application Management) for corporate apps, VPP for iOS app distribution.
6. Monitor device fleet: compliance status, battery health, storage, OS updates, security alerts.
7. Respond to incidents: lost/stolen device wipe, selective wipe (corporate data only), policy violations.
8. Maintain application catalog and automate app updates.
9. Review and audit policies quarterly; update compliance thresholds.
10. Conduct annual BYOD program review and policy updates.

## Device Enrollment Strategies

```
ENROLLMENT METHODS BY DEVICE TYPE
===================================

iOS / iPadOS (Corporate-Owned, Dedicated):
  → Supervised mode via Apple Business Manager (ABM)
  → Automated Device Enrollment (ADE, formerly DEP)
  → Zero-touch: device activated → auto-enrolled in MDM
  → Full device control, kiosk mode, app pre-staging
  → Ideal for: shared devices, kiosks, frontline worker devices

iOS / iPadOS (BYOD):
  → User-enrolled, non-supervised
  → Managed app wrapper for corporate apps (containerization)
  → Limited device control: can enforce app-level policies only
  → Selective wipe: remove only managed apps and data
  → Ideal for: employees using personal iPhones/iPads

Android (Corporate-Owned, Fully Managed):
  → Android Enterprise fully managed mode
  → Zero-touch enrollment via the Android zero-touch portal; Android Device Policy app as the device policy controller
  → Full device control, dedicated device mode (kiosk)
  → Work profile can be hidden, device locked to org
  → Ideal for: frontline workers, shared devices, retail

Android (BYOD - Personal Use with Work Profile):
  → Android Enterprise work profile mode (a COPE hybrid uses the same work profile on company-owned devices)
  → Work profile separates corporate and personal data
  → Corporate policies enforced only in work profile
  → Apps installed in work profile are managed
  → Ideal for: employees using personal Android devices

Cross-Platform Considerations:
  → Choose MDM supporting both iOS and Android for mixed fleets
  → Microsoft Intune: strong cross-platform, Office 365 integration
  → Jamf Pro: iOS/Mac only; needs additional solution for Android
  → Workspace ONE: comprehensive cross-platform with UEM capabilities
  → Cisco Meraki: strong cross-platform with network integration
```

## Device Compliance Policies

```
DEVICE COMPLIANCE POLICY MATRIX
================================

MINIMUM REQUIREMENTS (ALL DEVICES):

  Passcode / PIN:
    → Required: Yes
    → Minimum length: 6 characters (numeric) or 8 characters (alphanumeric)
    → Complexity: Require alphanumeric for corporate-owned devices
    → Inactivity lock: 15 minutes
    → Failed attempt limit: 10 attempts before wipe (corporate-owned)
    → Simple PIN prevention: Yes (no "123456", "000000")

  Encryption:
    → iOS: Data protection enabled (default since iOS 8+)
    → Android: Full disk encryption or file-based encryption (default since Android 6+)
    → Enforcement: MDM verifies encryption status; non-compliant devices flagged

  OS Version:
    → iOS: Current version minus 2 (e.g., if iOS 18 is latest, minimum iOS 16)
    → Android: Current version minus 1 minimum; security patch within 90 days
    → Action on non-compliance: Block corporate email, alert user, escalate to IT

  Jailbreak / Root Detection:
    → Detection: MDM checks jailbreak/root status
    → Action: Block corporate apps, restrict email, alert security team
    → Logging: Timestamp, device ID, user, action taken

  Security Applications:
    → Required: Antivirus/anti-malware on Android (iOS less critical)
    → Optional: VPN app for remote access
    → EDR/EDR-lite: Endpoint detection for corporate-owned devices

ADDITIONAL POLICIES BY RISK LEVEL:

  Low Risk (General Employees):
    → Standard compliance policies above
    → Allowed to install personal apps
    → Camera and clipboard access: permitted

  Medium Risk (Access to Customer Data):
    → All above + screen capture prevention (iOS: restrict screenshots)
    → Clipboard monitoring: prevent copying corporate data to unmanaged apps
    → Camera: disabled in managed apps
    → Email: managed email app only

  High Risk (Executive, Finance, Engineering):
    → All above + VPN required at all times
    → Application allowlist: only approved apps permitted
    → Location tracking enabled (corporate-owned only)
    → Weekly compliance audit report
    → Biometric authentication required (Face ID, fingerprint)
```
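Added example (not part of this skill's original content): a Python compliance evaluator that encodes the thresholds of the matrix above (passcode length and type, encryption, OS version lag, 90-day Android patch age, jailbreak/root, high-risk extras) and maps the result to the matrix's non-compliance action. The `Device` record, its field names and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
# Thresholds from the compliance matrix above.
PIN_MIN = {"numeric": 6, "alphanumeric": 8}
VERSION_LAG = {"ios": 2, "android": 1}   # minimum OS = latest major minus lag
PATCH_MAX_AGE_DAYS = 90

@dataclass
class Device:
    platform: str            # "ios" or "android"
    corporate_owned: bool
    risk_tier: str           # "low", "medium" or "high"
    os_major: int
    encrypted: bool
    passcode_type: str       # "none", "numeric" or "alphanumeric"
    passcode_length: int
    jailbroken: bool
    security_patch: date = date.min   # Android only; date.min = unknown (treated as stale)
    vpn_always_on: bool = False
    biometric_enabled: bool = False

def evaluate(dev: Device, latest: dict, today: date) -> list:
    """Return the policy violations for one device (empty list = compliant)."""
    v = []
    if dev.passcode_type == "none":
        v.append("passcode: none set")
    elif dev.passcode_length < PIN_MIN[dev.passcode_type]:
        v.append(f"passcode: {dev.passcode_type} length {dev.passcode_length} below {PIN_MIN[dev.passcode_type]}")
    if dev.corporate_owned and dev.passcode_type != "alphanumeric":
        v.append("passcode: alphanumeric required on corporate-owned device")
    if not dev.encrypted:
        v.append("encryption: not enabled")
    minimum = latest[dev.platform] - VERSION_LAG[dev.platform]
    if dev.os_major < minimum:
        v.append(f"os: {dev.platform} {dev.os_major} below minimum {minimum}")
    if dev.platform == "android" and (today - dev.security_patch).days > PATCH_MAX_AGE_DAYS:
        v.append("os: security patch older than 90 days")
    if dev.jailbroken:
        v.append("integrity: jailbreak/root detected")
    if dev.risk_tier == "high" and not dev.vpn_always_on:
        v.append("high-risk: VPN not always-on")
    if dev.risk_tier == "high" and not dev.biometric_enabled:
        v.append("high-risk: biometric authentication not enabled")
    return v

def action(violations: list) -> str:
    """Non-compliance action from the matrix; jailbreak/root is the most severe case."""
    if any(x.startswith("integrity") for x in violations):
        return "block corporate apps, restrict email, alert security team"
    return "block corporate email, alert user, escalate to IT" if violations else "none"
```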

## Application Deployment & Management

```
APPLICATION DEPLOYMENT FRAMEWORK
==================================

DEPLOYMENT METHODS:

  iOS:
    → Volume Purchase Program (VPP, now Apps and Books in ABM): Bulk app licensing via ABM
    → Managed App Configuration: Silent config push (e.g., VPN settings, SSO)
    → In-App Purchase: Require managed Apple ID for IAP in managed apps
    → Custom Apps: Wrap enterprise apps with MDM payload and distribute
    → Web Clips: Bookmark web apps as home screen icons

  Android:
    → Managed Google Play (formerly Google Play for Work): Admin-managed app catalog from Play Store
    → Internal App Sharing (Google Play Console): Enterprise-only distribution
    → Custom Apps: Package enterprise APK/AAB with MDM distribution
    → Managed Configuration: Pass settings to managed apps

DEPLOYMENT STRATEGIES:

  Required Apps (Enforced):
    → Company VPN, email client, MFA authenticator, security apps
    → Auto-installed on enrollment
    → Removal prevented on corporate-owned devices
    → User notified of app purpose and necessity

  Available Apps (Optional):
    → Productivity tools, collaboration apps, reference materials
    → Listed in company app catalog
    → User selects and installs at will
    → Managed configuration applied automatically

  Blocked Apps (Restricted):
    → Known insecure apps, unencrypted messaging, data-exfil risks
    → Examples: Telegram (not end-to-end encrypted by default), file-sharing apps without DLP
    → Policy blocks installation; alert if already installed
    → Review block list quarterly

APPLICATION UPDATE MANAGEMENT:
    → Auto-update: Enable for security patches and critical updates
    → Staged rollout: Push updates to 10% → 50% → 100% over 2 weeks
    → Testing: Verify app compatibility in staging group before wide rollout
    → Rollback: Maintain previous version availability for 30 days
    → Budget: Track VPP/Google Play licensing costs; audit unused licenses

APPLICATION CATALOG BEST PRACTICES:
    → Categories: Productivity, Communication, Security, Travel, HR
    → Descriptions: Clear purpose, data handling disclosure
    → Ratings/Reviews: Allow user feedback to guide catalog decisions
    → Usage analytics: Track which apps are used; remove unused apps annually
```

## BYOD Program Design

```
BYOD PROGRAM POLICY FRAMEWORK
===============================

PROGRAM STRUCTURE:

  Eligibility:
    → All FTE employees eligible (excludes contractors unless approved)
    → Device must meet minimum specs: iOS 14+ / Android 10+, 2GB+ RAM
    → Employee responsible for device purchase, maintenance, carrier plan

  Corporate Compensation:
    → Monthly device stipend: $15–$25/month (taxable benefit)
    → Data plan subsidy: Up to $25/month for corporate use
    → Repair/replacement: NOT covered by company (personal device)
    → Stipend paid via payroll or expense reimbursement

  Data Separation:
    → Containerization: Managed work profile (Android) or managed apps (iOS)
    → Corporate data stored only in managed containers
    → No corporate data in personal email, notes, files
    → DLP policies prevent copying data between managed and personal apps

  Privacy Protections:
    → Company CANNOT: Access personal emails, photos, contacts, location
    → Company CAN: Enforce passcode on device, manage corporate apps
    → Company CAN: Perform selective wipe of corporate data only
    → Employee MUST: Acknowledge and sign BYOD agreement before enrollment

  Termination / Offboarding:
    → Employee retains device and all personal data
    → Corporate data and managed apps wiped remotely
    → Selective wipe triggered within 24 hours of termination
    → Employee confirms wipe completion within 48 hours
    → Outstanding stipends stop immediately

BYOD AGREEMENT KEY CLAUSES:
    → Device ownership: Employee owns device; company owns corporate data
    → Monitoring disclosure: What data company can see (managed apps only)
    → Loss/theft: Employee notifies IT within 24 hours; company performs remote wipe
    → Compliance: Device must maintain compliance; repeated violations = program removal
    → Indemnification: Employee responsible for device damage/loss; company not liable
    → Duration: Agreement valid through employment; terminates upon separation

COMPLIANCE TRACKING:
    → Monthly compliance report: % enrolled, % compliant, violations
    → Quarterly policy review: Update minimum OS, app lists, stipend amounts
    → Annual program survey: Employee satisfaction, feedback, improvement areas
    → Audit trail: Enrollment date, policy acknowledgments, wipe confirmations
```

## Incident Response for Mobile Devices

```
MOBILE DEVICE INCIDENT RESPONSE PLAYBOOK
==========================================

SCENARIO 1: LOST OR STOLEN DEVICE

  Immediate Actions (within 1 hour):
    1. Employee reports loss to IT/security via helpdesk or phone
    2. IT verifies device identity (serial number, employee confirmation)
    3. Device locked remotely via MDM ("lost mode" with recovery message)
    4. If corporate-owned: full remote wipe initiated
    5. If BYOD: selective wipe of corporate data/container
    6. User's MFA tokens revoked; re-enrollment required
    7. Carrier notified to blocklist IMEI (corporate-owned devices)
    8. Security team assesses data exposure risk

  Post-Incident:
    → Device flagged in MDM; cannot re-enroll without IT approval
    → Security assessment: what corporate data was accessible?
    → Breach notification if sensitive data exposed (per policy/law)
    → Replacement device provisioned (corporate-owned)
    → Employee completes incident report

SCENARIO 2: JAILBREAK / ROOT DETECTED

  Automated Response:
    1. MDM detects jailbreak/root status change
    2. Managed apps disabled; email access blocked
    3. Alert sent to employee: "Device no longer compliant"
    4. 48-hour window to restore compliance (remove jailbreak/root)
    5. If not resolved: escalated to manager + IT
    6. If BYOD: employee must enroll compliant device or lose access
    7. If corporate-owned: device wiped and re-enrolled

SCENARIO 3: MALWARE / COMPROMISED DEVICE

  Response Steps:
    1. EDR/antivirus detects malware; alerts MDM and security team
    2. Device quarantined: network access restricted via NAC
    3. Forensic data collected (app list, network connections, file changes)
    4. Full remote wipe initiated
    5. User credentials reset; session tokens invalidated
    6. Incident investigation: malware source, data accessed, scope
    7. Clean device provisioned with updated security policies
    8. Security awareness training for affected user

SCENARIO 4: POLICY VIOLATION (REPEATED)

  Escalation Process:
    1. First violation: automated warning to employee
    2. Second violation: IT contact; required remediation within 7 days
    3. Third violation: manager notification; formal written warning
    4. Continued violations: BYOD program removal; corporate device required
    5. HR involvement if violations involve data policy or acceptable use
```
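Added example (not part of this skill's original content): a Python playbook dispatcher that turns MDM events, in the shape an MDM might forward to a SIEM, into the ordered response steps of the scenarios above, choosing full versus selective wipe by ownership and walking the Scenario 4 escalation ladder per device. The log line format, event names and sample log entries are constructed for this example.

```python
import re

# Playbook steps from the scenarios above, keyed by MDM event type.
# "{wipe}" resolves per ownership: full wipe if corporate-owned, selective if BYOD.
PLAYBOOK = {
    "device_lost": ["lock device via MDM (lost mode with recovery message)", "{wipe}",
                    "revoke MFA tokens; require re-enrollment", "assess data exposure risk"],
    "jailbreak_detected": ["disable managed apps; block email access",
                           "notify user: device no longer compliant, 48 hours to remediate"],
    "malware_detected": ["quarantine device: restrict network access via NAC",
                         "collect forensic data (app list, connections, file changes)",
                         "full remote wipe", "reset credentials; invalidate session tokens"],
}
CORPORATE_ONLY = {"device_lost": ["notify carrier to blocklist IMEI"]}
# Scenario 4 escalation ladder, indexed by the device's running violation count.
ESCALATION = ["automated warning to employee",
              "IT contact; remediation required within 7 days",
              "manager notification; formal written warning",
              "BYOD program removal; corporate device required"]

# Constructed log format for this example (assumed, not a specific vendor's format).
LINE = re.compile(r"^(?P<ts>\S+) device=(?P<dev>\S+) user=(?P<user>\S+) "
                  r"owner=(?P<owner>corporate|byod) event=(?P<event>\w+)$")

def respond(event: str, owner: str, violation_count: int = 1) -> list:
    """Ordered response steps for one event; violation_count is the 1-based running count."""
    if event == "policy_violation":
        return [ESCALATION[min(violation_count, len(ESCALATION)) - 1]]
    if event not in PLAYBOOK:
        return ["no playbook; route to security team for manual triage"]
    wipe = "full remote wipe" if owner == "corporate" else "selective wipe of corporate container"
    steps = [s.replace("{wipe}", wipe) for s in PLAYBOOK[event]]
    if owner == "corporate":
        steps += CORPORATE_ONLY.get(event, [])
    return steps

def process_log(lines) -> list:
    """Parse MDM event lines in order and emit (device, event, steps); malformed lines are skipped."""
    violations = {}   # per-device running count of policy violations
    results = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        dev, event, owner = m["dev"], m["event"], m["owner"]
        if event == "policy_violation":
            violations[dev] = violations.get(dev, 0) + 1
        results.append((dev, event, respond(event, owner, violations.get(dev, 1))))
    return results
```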

## Integration Points

- **Microsoft Intune**: UEM with Microsoft 365 integration; conditional access for Azure AD; co-management with SCCM/MECM for Windows; app protection policies for Office apps
- **Jamf Pro**: iOS/Mac-only; deep Apple ecosystem integration; Jamf Protect for EDR; Jamf School for education; custom script deployment (Shell, Python, AppleScript)
- **VMware Workspace ONE**: Cross-platform UEM; Workspace ONE Access for identity; Intelligence for analytics; Assistant for AI-driven user support; Hub for unified device experience
- **Cisco Meraki Systems Manager**: Cross-platform with Meraki network integration; auto-discovery of devices; wireless network auto-configuration; Meraki dashboard correlation
- **MobileIron (Now IBM MaaS360)**: Cross-platform; strong BYOD support; app wrapping with IronKey; zero-trust network access integration
- **Okta / Azure AD**: Conditional access policies based on device compliance status; SSO for managed apps; MFA integration
- **SIEM (Splunk, Sentinel)**: Forward MDM logs for security monitoring and incident correlation
- **Identity Providers**: Certificate-based authentication; SAML/OIDC for managed app SSO

## Edge Cases

- **Legacy devices (iOS 12 / Android 8)**: Cannot meet modern compliance requirements; plan migration path; provide subsidized upgrade; block access to sensitive systems
- **International employees**: Different app availability (no Google Services in China); local app stores; GDPR considerations for device data; country-specific MDM restrictions
- **Field workers with limited connectivity**: Allow offline MDM policy enforcement; cache compliance checks; sync when connectivity restored; kiosk mode for single-app devices
- **Medical/healthcare devices**: HIPAA compliance requires encryption, audit trails, access controls; PHI access restricted in managed apps; device wipe must not destroy patient data
- **Government/classified devices**: FIPS 140-2 encryption required; air-gapped management; SC-APP certification for iOS apps; CAC/PIV smart card integration
- **High-volume deployment (1000+ devices)**: Automated enrollment via ABM/Zero-Touch essential; pre-configuration staging; dedicated deployment team; phased rollout by department
- **Shared devices / kiosk mode**: Lock device to single app or app set; disable hardware buttons; prevent jailbreak/root; remote content updates without user interaction
