
What Can Microsoft Intune See On Your Managed Mobile Devices?

When mobile device management is being used there are often concerns by end users about what the company can see on their mobile devices. For most people the concerns are around private information such as text messages and photos, while others are concerned about the level of control that the company gets over their device. For the purposes of this blog post I'm going to be looking at Microsoft Intune, but other MDM solutions will have similar capabilities and if you want to know about those then you should investigate that further with your MDM vendor of choice.

Those two types of concerns can be addressed separately, but before I go into that in more detail I just want to point out that this is not a purely technical problem to solve. Mobile device management requires a level of trust between the end users in your organization and the people responsible for managing the MDM platform. There needs to be clear communication between the parties to ensure that expectations are properly set. There also needs to be reasonable policies in place to reduce the risk of administrative error (or malicious action) causing a data loss or breach of privacy for the user of a managed device. This means that you should have, at a minimum:

  • An acceptance policy for end users who are enrolling devices in your MDM solution. A real one, written by humans and only partially mangled by lawyers. The goal is to have a document that your users will actually read, understand, and willingly sign (or reject), and not just a formality that gets signed and filed away somewhere to cover your butt in the event of a problem later.
  • A limited number of trusted and trained administrators who can manage the sensitive and impactful elements of the MDM solution (e.g. able to configure policies, access inventory data, etc). Limited access can be provided for support staff to deliver end user support, but like all administrative rights should be provided on a least privilege basis.
  • Privacy advocates from the user population who can review and understand the level of control and access that the MDM solution provides over managed devices.

So with all that in mind, let's look at an example of what Microsoft Intune knows about an iOS device that has been enrolled.

Privacy notice displayed to iOS users enrolling in Intune

As you can see, the privacy notice is fairly clear about what the Intune administrators can see – model, serial number, OS, app names, owner, device name. Intune admins can't see phone call history, web surfing history, location information (except for iOS 9.3 and later devices when the device is in Lost Mode), email and text messages, contacts, passwords, calendar, and camera roll.

So, is it as simple as that? Not really. There are some extra considerations to apply here that I think are pretty important. Let's start with device information.

Intune inventory for an enrolled personal device

In the screenshot above the most important detail to be aware of is the phone number. My demo device is an iPad with no SIM card inserted, so there is no phone number reported. If a SIM was present, the last four digits of the phone number would be visible. That is the case for any personal device, which is what a newly enrolled device is classified as by default. If you change the device ownership to corporate (more on this shortly), the full number becomes visible.

Another implication of personal vs corporate devices is the discovered apps. For personal devices there is no app inventory collected, except for the Company Portal app that is used to manage enrolment on the device.

Intune app inventory for a personal iOS device

An Intune administrator can change the device ownership from personal to corporate in the Intune admin portal.

Changing an Intune managed device from personal to corporate ownership

When doing so they are shown a very clear warning about the impact of this change.

However, there is no additional warning provided to the user of the device, so they would not know when a device has been changed from personal to corporate owned by an administrator. There are two potential issues here that you need to be aware of. The first is the implication of device phone numbers being exposed to Intune administrators. Just because a user consents to having their device managed doesn't mean they want their phone number disclosed, and it's not clear from the privacy notice during enrolment that this will actually occur. It's something that you should make your users aware of in the documentation they sign when agreeing to enrol devices in Intune.

The second issue is the app inventory. The fact that corporate devices get a complete app inventory (for Windows 10 this only applies to Windows Store apps, not Win32 apps) is addressed in the privacy warning shown to users. The actual consequences of this may not entirely be clear. App inventory can reveal a lot about a person, even if the actual data within the apps is not exposed (which it isn't). You could try to argue that a user shouldn't be using apps that might reveal such private matters on a corporate device, which is a fair point. But remember, a personal device that is enrolled in Intune can be changed to a corporate device without the knowledge of the device owner.

Intune app inventory for an iOS device

Again, these issues are not able to be fully dealt with using technical solutions. The trust between your users and Intune administrators is key, and you should ensure that only the appropriate people in your IT support teams have access to this potentially sensitive data in Intune.

There are a few more things to be aware of when devices are enrolled in Intune. In an earlier screenshot you can see controls for Intune administrators to:

  • Remove company data – this will remove corporate data from managed apps such as Outlook and OneDrive, but leave personal data such as photos and text messages alone.
  • Factory reset – this will wipe the device entirely, restoring it to a default state. If the user does not have backups of their personal data then it will be permanently lost.
  • Delete – this will remove the device from Intune, but not remove data from the device.
  • Remote lock – this will lock a device remotely, assuming it can be contacted. It takes just a few moments for the device to lock, but anyone with the device PIN/passcode can unlock it again.

Hidden in a “More” menu are some additional actions that Intune administrators can take.

Additional device administration actions in Intune
  • Remove passcode – removes the device passcode, allowing anyone who has physical access to the device to access the apps and data on the device.
  • Bypass activation lock – used to recover devices where the previous owner has not relinquished control of iOS before they handed back the device (e.g. a corporate owned device that will be re-issued to another staff member may require the activation lock to be bypassed).
  • Lost mode/Locate device – when an iOS 9.3 or later device is in lost mode an administrator can access a limited amount of location data to try and find it.

Of all those administrative actions the ones of concern to end users are factory reset, which could result in permanent data loss, and remove passcode. You might be wondering why removing the passcode is a risk, given that it only benefits someone who has physical access to the device. Well… let's just say that a previous case I investigated involved a… complicated relationship…er, triangle… of sorts… anyway, an admin helped another person gain access to a device belonging to a third person they were trying to snoop on for some rather unhinged reason. Moving on.

For any of those device actions you can see a list of who did what in the Intune monitoring section. This is not quite full-blown auditing for Intune, which is something Microsoft says they're working on, but at least you should be able to identify any administrators who are doing the wrong thing (intentionally or otherwise).

Intune device actions monitoring
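One way to make that monitoring data actionable, as an added example that is not part of the original post or of Intune itself: a small review script that runs over device-action records and flags the two things the post singles out, high-impact actions (factory reset, remove passcode, activation lock bypass) and a personal-to-corporate ownership change followed shortly by a high-impact action on the same device. The record layout and field names are constructed assumptions, not Intune's real export format, and it is likewise an assumption that ownership changes are logged alongside device actions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Actions the post identifies as the ones of real concern to the device user.
HIGH_IMPACT = {"Factory reset", "Remove passcode", "Bypass activation lock"}

# Constructed sample records; the shape is an assumption, not an Intune export.
SAMPLE_RECORDS = [
    {"time": "2017-03-01T09:00:00", "admin": "alice", "device": "ipad-01",
     "action": "Remote lock"},
    {"time": "2017-03-01T09:05:00", "admin": "bob", "device": "iphone-07",
     "action": "Change ownership", "detail": "personal -> corporate"},
    {"time": "2017-03-01T09:06:00", "admin": "bob", "device": "iphone-07",
     "action": "Remove passcode"},
    {"time": "2017-03-02T14:00:00", "admin": "alice", "device": "ipad-01",
     "action": "Remove company data"},
    {"time": "2017-03-03T08:30:00", "admin": "carol", "device": "ipad-02",
     "action": "Factory reset"},
]


def review_device_actions(records, window=timedelta(hours=24)):
    """Return findings in time order: every personal->corporate ownership
    change, every high-impact action, and a stronger flag when a high-impact
    action follows an ownership change on the same device within `window`
    (the combination the device owner is never warned about)."""
    findings = []
    last_change = {}  # device -> time of the most recent personal->corporate change
    for r in sorted(records, key=lambda r: r["time"]):
        t = datetime.fromisoformat(r["time"])
        if r["action"] == "Change ownership" and r.get("detail") == "personal -> corporate":
            last_change[r["device"]] = t
            findings.append({"kind": "ownership_change", **r})
        if r["action"] in HIGH_IMPACT:
            kind = "high_impact"
            changed_at = last_change.get(r["device"])
            if changed_at is not None and t - changed_at <= window:
                kind = "high_impact_after_ownership_change"
            findings.append({"kind": kind, **r})
    return findings


def flagged_actions_per_admin(findings):
    """Count flagged actions by administrator, to spot who needs a conversation."""
    return Counter(f["admin"] for f in findings)


if __name__ == "__main__":
    for f in review_device_actions(SAMPLE_RECORDS):
        print(f["time"], f["admin"], f["device"], f["action"], "=>", f["kind"])
```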

That was a rather long walk to answer a simple question – what can Microsoft Intune see on your managed mobile devices?

The short answer is, not much. At least not directly. But there's a lot of control given to Intune administrators that could lead to more invasive snooping, or even more destructive actions. Which brings us back to my earlier point that most of this stuff is not a technical problem to be solved; rather, it is a trust issue between the device user and the organization (and its IT support staff). Frankly I think it's a reasonable trade-off. Companies trust their staff not to act in a way that is harmful, and staff need to be able to trust the organization to manage their mobile devices appropriately. If that trust doesn't exist, I suspect there are deeper problems that Intune can't solve.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

4 comments

  1. Simon B says:

    Good article, thanks.
    So there’s one question I can’t seem to get a straight answer to, maybe you can help.

    On my corporate-owned device, I have my company email (O365) data as well as my personal email, also from O365 but my own tenancy.
    How can (or does) Intune differentiate between my [O365] data and corporate data?

    Cheers,
    S

    • It’s app and data source awareness.

      So let’s say you configure Intune to deploy the mail profile for your company email to your users. Intune is aware that is the “managed” corporate profile, and that the other ones are “unmanaged”, and will only delete the one it manages.

      Similar awareness with other apps like OneDrive, it knows that the data syncing to/from the corporate OneDrive for Business account is corporate, but your personal OneDrive is personal.

      The same awareness is how it prevents you copying data from OneDrive to Dropbox, if you’ve got policies preventing that.

      It can’t magically tell the difference between two different photos in your camera roll, that sort of thing.

      I don’t know if that’s the best explanation but hopefully that helps.

  2. Nat as blond as you hoped for says:

    Why should users trust their company to not do “bad” with MDM/MAM while the company shows deep distrust to their employee by forcing an MDM/MAM application on their devices (especially if employee owned)? Did I miss something here?
