November 1, 2024
Introduction
Intune is software used by Mass General Brigham to manage and secure mobile devices. As part of the process to register your device with MGB and to receive access to corporate resources like MGB email and MGB apps, you will need to install the Company Portal app on each personal device that you plan to use for business purposes. Intune tracks device information, such as the version of the operating system (OS) on your device, in order for MGB to maintain compliance with MGB policies. Intune also provides a way for MGB to wipe the device clean of all company information when a user leaves the company, or if the device is lost or stolen. It also monitors required security measures, like password length and complexity, to maintain compliance with MGB policies.
Intune: What MGB can and cannot see on your Device
MGB can view non-personal device information (e.g. carrier and country, IMEI, MAC Address, etc.), and the phone number of the device (only devices with cellular connectivity).
MGB cannot view personal email, photos, videos, phone activity (e.g. numbers called, duration, etc.), or web browsing activity on your device.
| Feature/Functionality | Corporate Purchased | Personal Device BYOD | Notes |
| --- | --- | --- | --- |
| Corporate email | NO | NO | This information is not viewable by Intune. However, if you are using an MGB Email account, MGB Email Admins may have the ability to audit/view corporate email |
| Personal email; Texts; iMessages; Photos; Videos; Voicemail; Phone Activity; Web Browsing Activity | NO | NO | MGB does not have access to any of this information |
| View MGB Apps on the device | ✅ | ✅ | Apps downloaded via Company Portal |
| View All Apps on the device | ✅ | NO | |
| Location | ✅ | NO | |
| User Name | ✅ | ✅ | Enrolled owner of the device |
| User Email Address | ✅ | ✅ | From MGB Active Directory |
| Phone Number; Device Type and Model; OS and Version; Operator / Carrier; Date / Time Registered; IMEI; Serial Number; Wi-Fi MAC Address; Used / Available RAM; Used / Available storage; Exchange ActiveSync Identifier | ✅ | ✅ | This information is automatically supplied by your device to MobileIron and is not configurable |
| Device ID | ✅ | ✅ | Android only |
- On personally owned iOS and Android devices, the Intune Administrator can only view business-related apps that are available in the Company Portal. The Administrator cannot view any personal apps that you have installed on your device.
- On MGB corporate purchased iOS and Android devices, the Administrator can view all apps that are installed on the device. It is important for Intune to identify the apps that you have on your device in order to enforce company policy, such as requiring the Company Portal app or disallowing or “blacklisting” apps that could put the company at risk (e.g. from data loss or malware infection).
- The Intune Administrator cannot view the location of your enrolled iOS or Android device.
What the Warning Means when You Register your iOS device with MobileIron
When you register your iOS device with Intune, you will receive the following warning prompt:
“Installing this profile will allow the administrator to remotely manage your device. The administrator may collect personal data, add/remove accounts and restrictions, list, install, and manage apps, and remotely erase data on your device.”
This is a standard warning provided by Apple and the text cannot be changed to reflect what MGB has configured in the system. Please refer to the section above for a description of what MGB can view on your device.
Why Does the Company Portal App Request Permissions when Registering Android Devices
When you register your Android device with MobileIron, you may receive the following warning prompt:
“Allow Company Portal to make and manage phone calls?”
MGB and Intune do not (and cannot) use this permission to make or manage calls. Furthermore, it does not provide MGB the ability to monitor or track phone use. This warning is a standard warning by Google. Please refer to the section above for a description of what MGB can view on your device.
When you register your Android device with Intune, you will be prompted to grant the app certain permissions. Android app permissions are static and defined in the app itself. They cannot be changed dynamically based on a specific company’s configuration. This means that Intune apps ask for all of the permissions necessary to provide full Intune functionality even if MGB will not be using those permissions. Please refer to the section above for a description of what MGB can view on your device.