September 25, 2023
Introduction
Ivanti/MobileIron is software used by Mass General Brigham to manage and secure mobile devices. As part of the process to register your device with MGB and to receive access to corporate resources like MGB email and MGB apps, you will need to install the MobileIron app on each personal device that you plan to use for business purposes. Ivanti/MobileIron tracks device information, such as the version of the operating system (OS) on your device, in order for MGB to maintain compliance with MGB policies. MobileIron also provides a way for MGB to wipe the device clean of all company information when a user leaves the company, or if the device is lost or stolen. It also monitors required security measures, like password length and complexity, to maintain compliance with MGB policies.
MobileIron: What MGB can and cannot see on your Device
MGB can view non-personal device information (e.g. carrier and country, IMEI, MAC Address, etc.), and the phone number of the device (only devices with cellular connectivity).
MGB cannot view personal email, photos, videos, phone activity (e.g. numbers called, duration, etc.), or web browsing activity on your device.
|
Feature/Functionality |
Corporate Purchased |
Personal Device BYOD |
Notes |
|
Corporate email |
NO |
NO |
This information is not viable by MobileIron. However, if you are using an MGB Email account, MGB Email Admins may have the ability to audit/view corporate email |
|
Personal email Texts iMessages Photos Videos Voicemail Phone Activity Web Browsing Activity |
NO |
NO |
MGB does not have access to any of this information |
|
View PHS Apps on the device |
✅ |
✅ |
Apps downloaded via the PHS “App Catalog” |
|
View All Apps on the device |
✅ |
NO |
|
|
Location |
✅ |
NO |
|
|
User Name |
✅ |
✅ |
Enrolled owner of the device |
|
User Email Address |
✅ |
✅ |
From MGB Active Directory |
|
Phone Number Device Type and Model OS and Version Operator / Carrier Date / Time Registered IMEI Serial Number Wi-Fi MAC Address Used / Available RAM Used / Available storage Exchange ActiveSync Identifier
|
✅ |
✅ |
This information is automatically supplied by your device to MobileIron and is not configurable |
|
Device ID |
✅ |
✅ |
Android only |
- Personally owned iOS and Android devices, the MobileIron Administrator can only view business-related apps that are available in the MGB App Catalog. The Administrator cannot view any personal apps that you have installed on your device.
- MGB corporate purchased iOS and Android devices, the Administrator can view all apps that are installed on the device. It is important for the MobileIron software to identify the apps that you have on your device in order to enforce company policy, such as requiring the MobileIron Go app or disallowing or “blacklisting” apps that could put the company at risk (e.g. from data loss or malware infection).
- The MobileIron Administrator cannot view the location of your enrolled iOS or Android device.
What the Warning Means when You Register your iOS device with MobileIron
When you register your iOS device with MobileIron, you will receive the following warning prompt:
“Installing this profile will allow the administrator to remotely manage your device. The administrator may collect personal data, add/remove accounts and restrictions, list, install, and manage apps, and remotely erase data on your device.”
This is a standard warning provided by Apple and the text cannot be changed to reflect what MGB has configured in the system. Please refer to the section above for a description of what the MGB can view on your device.
Why Does the MobileIron App Request Permissions when Registering Android Devices
When you register your Android device with MobileIron, you may receive the following warning prompt:
“Allow Ivanti Go to make and manage phone calls?”
MGB and MobileIron does not (and can not) use this permission to make or manage calls. Furthermore, it does not provide MGB the ability monitor or track phone use. This warning is a standard warning by Google. Please refer to the section above for a description of what the MGB can view on your device.
When you register your Android device with MobileIron, you will be prompted to grant the app certain permissions. Android app permissions are static and defined in the app itself. They cannot be changed dynamically based on a specific company’s configuration. This means that MobileIron apps ask for all of the permissions necessary to provide full MobileIron functionality even if MGB will not be using those permissions. Please refer to the section above for a description of what MGB can view on your device.
Related Articles
HOWTO: Enroll into Ivanti Go for iOS
HOWTO: Enroll into Ivanti Go for Android
HOWTO: Unenroll from Ivanti Go for iOS
INFO: Ivanti Go: What is it and Why do I need it?
INFO: Ivanti Go: What Mobile Devices are Supported?
INFO: Ivanti Go: What Is Ivanti Go Tunnel and Why do I Want It?
INFO: Self Service Portal for Ivanti Go (KB0034390)
INFO: Ivanti Go Frequently Asked Questions (FAQ) for iOS (KB0033978)