INFO: Intune: What Mass General Brigham Can and Cannot See on Your Mobile Device

 

Introduction

Intune is software used by Mass General Brigham to manage and secure mobile devices. As part of the process to register your device with MGB and to receive access to corporate resources like MGB email and MGB apps, you will need to install the Company Portal app on each personal device that you plan to use for business purposes. Intune tracks device information, such as the version of the operating system (OS) on your device, in order for MGB to maintain compliance with MGB policies. Intune also provides a way for MGB to wipe the device clean of all company information when a user leaves the company, or if the device is lost or stolen. It also monitors required security measures, like password length and complexity, to maintain compliance with MGB policies.

 

Intune: What MGB can and cannot see on your Device

MGB can view non-personal device information (e.g. carrier and country, IMEI, MAC Address, etc.), and the phone number of the device (only devices with cellular connectivity). 

MGB cannot view personal email, photos, videos, phone activity (e.g. numbers called, duration, etc.), or web browsing activity on your device.

| Feature/Functionality | Corporate Purchased | Personal Device BYOD | Notes |
|---|---|---|---|
| Corporate email | NO | NO | This information is not viewable by Intune. However, if you are using an MGB Email account, MGB Email Admins may have the ability to audit/view corporate email |
| Personal email, Texts, iMessages, Photos, Videos, Voicemail, Phone Activity, Web Browsing Activity | NO | NO | MGB does not have access to any of this information |
| View MGB Apps on the device | | | Apps downloaded via Company Portal |
| View All Apps on the device | | NO | |
| Location | | NO | |
| User Name | | | Enrolled owner of the device |
| User Email Address | | | From MGB Active Directory |
| Phone Number, Device Type and Model, OS and Version, Operator / Carrier, Date / Time Registered, IMEI, Serial Number, Wi-Fi MAC Address, Used / Available RAM, Used / Available storage, Exchange ActiveSync Identifier | | | This information is automatically supplied by your device to MobileIron and is not configurable |
| Device ID | | | Android only |

  • On personally owned iOS and Android devices, the Intune Administrator can only view business-related apps that are available in the Company Portal. The Administrator cannot view any personal apps that you have installed on your device.
  • On MGB corporate purchased iOS and Android devices, the Administrator can view all apps that are installed on the device. It is important for Intune to identify the apps that you have on your device in order to enforce company policy, such as requiring the Company Portal app or disallowing or “blacklisting” apps that could put the company at risk (e.g. from data loss or malware infection).
  • The Intune Administrator cannot view the location of your enrolled iOS or Android device.

 

What the Warning Means when You Register your iOS device with MobileIron

When you register your iOS device with Intune, you will receive the following warning prompt:

“Installing this profile will allow the administrator to remotely manage your device. The administrator may collect personal data, add/remove accounts and restrictions, list, install, and manage apps, and remotely erase data on your device.”

This is a standard warning provided by Apple and the text cannot be changed to reflect what MGB has configured in the system. Please refer to the section above for a description of what MGB can view on your device.

 

Why Does the Company Portal App Request Permissions when Registering Android Devices?

When you register your Android device with MobileIron, you may receive the following warning prompt:

“Allow Company Portal to make and manage phone calls?”

MGB and Intune do not (and cannot) use this permission to make or manage calls. Furthermore, it does not provide MGB the ability to monitor or track phone use. This is a standard warning by Google. Please refer to the section above for a description of what MGB can view on your device.

When you register your Android device with Intune, you will be prompted to grant the app certain permissions. Android app permissions are static and defined in the app itself. They cannot be changed dynamically based on a specific company’s configuration. This means that Intune apps ask for all of the permissions necessary to provide full Intune functionality even if MGB will not be using those permissions. Please refer to the section above for a description of what MGB can view on your device.


Go to KB0027457 in the IS Service Desk