When mobile device management (MDM) is in use, end users often have concerns about what the company can see on their mobile devices. For most people the concern is private information such as text messages and photos; others worry about the level of control the company gains over the device. For the purposes of this blog post I’m going to look at Microsoft Intune, but other MDM solutions have similar capabilities, and if you want to know about those you should investigate further with your MDM vendor of choice.
Those two types of concern can be addressed separately, but before I go into that in more detail I want to point out that this is not a purely technical problem to solve. Mobile device management requires a level of trust between the end users in your organization and the people responsible for managing the MDM platform. There needs to be clear communication between the parties so that expectations are properly set. There also need to be reasonable policies in place to reduce the risk of administrative error (or malicious action) causing data loss or a breach of privacy for the user of a managed device. This means that you should have, at a minimum:
- An acceptance policy for end users who are enrolling devices in your MDM solution. A real one, written by humans and only partially mangled by lawyers. The goal is to have a document that your users will actually read, understand, and willingly sign (or reject), and not just a formality that gets signed and filed away somewhere to cover your butt in the event of a problem later.
- A limited number of trusted and trained administrators who can manage the sensitive and impactful elements of the MDM solution (e.g. configuring policies, accessing inventory data, etc.). Narrower access can be provided to support staff so they can deliver end user support, but like all administrative rights it should be granted on a least-privilege basis.
- Privacy advocates from the user population who can review and understand the level of control and access that the MDM solution provides over managed devices.
So with all that in mind, let’s look at an example of what Microsoft Intune knows about an iOS device that has been enrolled.
As you can see, the privacy notice is fairly clear about what Intune administrators can see: model, serial number, OS, app names, owner, and device name. Intune admins can’t see phone call history, web browsing history, location information (except for iOS 9.3 and later devices when the device is in Lost Mode), email and text messages, contacts, passwords, calendar, or camera roll.
So, is it as simple as that? Not really. There are some extra considerations to apply here that I think are pretty important. Let’s start with device information.
In the screenshot above the most important detail to be aware of is the phone number. My demo device is an iPad with no SIM card inserted, so there is no phone number reported. If a SIM was present, the last four digits of the phone number would be visible. That is the case for any personal device, which is what a newly enrolled device is classified as by default. If you change the device ownership to corporate (more on this shortly), the full number becomes visible.
Another difference between personal and corporate devices is the app inventory (“discovered apps”). For personal devices no app inventory is collected, except for the Company Portal app that is used to manage enrolment on the device.
An Intune administrator can change the device ownership from personal to corporate in the Intune admin portal.
When doing so they are shown a very clear warning about the impact of this change.
However, there’s no additional warning provided to the user of the device, so they would not know when an administrator has changed their device from personal to corporate owned. There are two potential issues here that you need to be aware of. The first is that device phone numbers become exposed to Intune administrators. Just because a user consents to having their device managed doesn’t mean they want their phone number disclosed, and it’s not clear from the privacy notice shown during enrolment that this can occur. It’s something you should make your users aware of in the documentation they sign when agreeing to enrol devices in Intune.
The second issue is the app inventory. The fact that corporate devices get a complete app inventory (for Windows 10 this only applies to Windows Store apps, not Win32 apps) is addressed in the privacy warning shown to users, but the actual consequences may not be entirely clear. An app inventory can reveal a lot about a person, even though the data within the apps is not exposed (and it isn’t). You could argue that a user shouldn’t be using apps that might reveal such private matters on a corporate device, which is a fair point. But remember, a personal device that is enrolled in Intune can be changed to a corporate device without the knowledge of the device owner.
Again, these issues can’t be fully dealt with using technical solutions. The trust between your users and Intune administrators is key, and you should ensure that only the appropriate people in your IT support teams have access to this potentially sensitive data in Intune.
There are a few more things to be aware of when devices are enrolled in Intune. In an earlier screenshot you can see controls for Intune administrators to:
- Remove company data – this will remove corporate data from managed apps such as Outlook and OneDrive, but leave personal data such as photos and text messages alone.
- Factory reset – this will wipe the device entirely, restoring it to a default state. If the user does not have backups of their personal data then it will be permanently lost.
- Delete – this will remove the device from Intune, but not remove data from the device.
- Remote lock – this will lock a device remotely, assuming it can be contacted. It takes just a few moments for the device to lock, but anyone with the device PIN/passcode can unlock it again.
Hidden in a “More” menu are some additional actions that Intune administrators can take.
- Remove passcode – removes the device passcode, allowing anyone who has physical access to the device to access the apps and data on the device.
- Bypass activation lock – used to recover devices where the previous user did not turn off Activation Lock (Find My iPhone) before handing the device back (e.g. a corporate owned device that will be re-issued to another staff member may require the activation lock to be bypassed).
- Lost mode/Locate device – when an iOS 9.3 or later device is in lost mode an administrator can access a limited amount of location data to try and find it.
Of all those administrative actions the ones of concern to end users are factory reset, which could result in permanent data loss, and remove passcode. You might be wondering why removing the passcode is a risk, given that it only benefits someone who has physical access to the device. Well… let’s just say that a previous case I investigated involved a… complicated relationship…er, triangle… of sorts… anyway, an admin helped another person gain access to a device belonging to a third person they were trying to snoop on for some rather unhinged reason. Moving on.
For any of those device actions you can see a list of who did what in the Intune monitoring section. This is not quite full-blown auditing for Intune, which is something Microsoft says they’re working on, but at least you should be able to identify any administrators who are doing the wrong thing (intentionally or otherwise).
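To make that “who did what” data actionable rather than something you only look at after a complaint, here is an added example (not code from the original post, and not a Microsoft tool) of the kind of triage a security team could run over an export of those device-action records. The record fields, the severity ratings, and the allowlist of admins permitted to run destructive actions are all assumptions for this example; Intune’s real export format will differ, so the loader is the only part you would need to adapt.

```python
"""Triage of MDM device-action records.

Added example, not from the original post or from Microsoft. The record
format used here is a constructed, simplified stand-in for whatever you
export from the Intune monitoring section; it is not Intune's real schema.
"""
from collections import Counter

# Device actions discussed above that are destructive or privacy-impacting
# for the device user. The severity ratings are an assumption for this example.
SENSITIVE_ACTIONS = {
    "FactoryReset": "high",             # permanent loss of personal data
    "RemovePasscode": "high",           # anyone holding the device gets in
    "BypassActivationLock": "medium",
    "SetOwnershipCorporate": "medium",  # exposes full phone number and app inventory
    "LostMode": "medium",               # limited location data becomes visible
    "RemoveCompanyData": "low",
    "RemoteLock": "low",
}

# Hypothetical: the small, trained group permitted to run high-severity actions.
TRUSTED_ADMINS = {"alice@example.com", "bob@example.com"}

# Constructed sample records (not real Intune data).
SAMPLE_RECORDS = [
    {"ts": "2016-08-01T09:12:00Z", "admin": "alice@example.com", "action": "RemoteLock", "device": "ipad-01", "ownership": "personal"},
    {"ts": "2016-08-01T10:05:00Z", "admin": "helpdesk1@example.com", "action": "RemovePasscode", "device": "iphone-22", "ownership": "personal"},
    {"ts": "2016-08-01T10:06:00Z", "admin": "helpdesk1@example.com", "action": "SetOwnershipCorporate", "device": "iphone-22", "ownership": "personal"},
    {"ts": "2016-08-01T11:30:00Z", "admin": "bob@example.com", "action": "FactoryReset", "device": "iphone-07", "ownership": "corporate"},
    {"ts": "2016-08-02T08:00:00Z", "admin": "alice@example.com", "action": "FactoryReset", "device": "ipad-03", "ownership": "personal"},
    {"ts": "2016-08-02T08:01:00Z", "admin": "alice@example.com", "action": "Delete", "device": "ipad-03", "ownership": "personal"},
]

PASSCODE_REASON = "passcode removed: anyone with physical access can read the device"


def triage(records, trusted_admins=TRUSTED_ADMINS):
    """Return the records that deserve a human review, each with its reasons.

    Actions that only touch the Intune record (e.g. Delete) are ignored
    because they do not change anything on the device itself.
    """
    findings = []
    for r in records:
        sev = SENSITIVE_ACTIONS.get(r["action"])
        if sev is None:
            continue
        reasons = []
        if sev == "high" and r["admin"] not in trusted_admins:
            reasons.append("high-severity action by non-trusted admin")
        if r["action"] == "RemovePasscode":
            reasons.append(PASSCODE_REASON)
        if r["action"] == "FactoryReset" and r["ownership"] == "personal":
            reasons.append("factory reset of a personal device: user data permanently lost")
        if r["action"] == "SetOwnershipCorporate":
            reasons.append("ownership flipped without user notification: full phone number and app inventory now visible")
        if reasons:
            findings.append({**r, "severity": sev, "reasons": reasons})
    return findings


def actions_per_admin(records):
    """Count sensitive actions per administrator, to spot outliers quickly."""
    return Counter(r["admin"] for r in records if r["action"] in SENSITIVE_ACTIONS)


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['ts']} {f['admin']} {f['action']} {f['device']} [{f['severity']}]")
        for reason in f["reasons"]:
            print(f"    - {reason}")
    print("sensitive actions per admin:", dict(actions_per_admin(SAMPLE_RECORDS)))
```

Run against the constructed data this flags the passcode removal and ownership change by the helpdesk account and the factory reset of a personal iPad, and leaves the remote lock and the corporate-device wipe by a trusted admin alone. The per-admin counter is there because a sudden spike in sensitive actions from one account is often the first visible sign of the kind of misuse described above.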
That was a rather long walk to answer a simple question – what can Microsoft Intune see on your managed mobile devices?
The short answer is, not much. At least not directly. But there’s a lot of control given to Intune administrators that could lead to more invasive snooping, or even more destructive actions. Which brings us back to my earlier point that most of this stuff is not a technical problem to be solved; rather it is a trust issue between the device user and the organization (and its IT support staff). Frankly I think it’s a reasonable trade-off. Companies trust their staff not to act in a way that is harmful, and staff need to be able to trust the organization to manage their mobile devices appropriately. If that trust doesn’t exist, I suspect there are deeper problems that Intune can’t solve.