Mobile Device Management (MDM)

Mobile Device Management (MDM) is a service to provide better security for corporate devices (smartphones and tablets) at the university.

Your phone contains a wealth of information. If you were to lose it, how much could someone learn about you? How much could they learn about the University? Protect yourself and the U of A by enrolling your corporate cell phone in Mobile Device Management (MDM).

More information about MDM can be found on the UAlberta Mobile Device Management site.

What is Mobile Device Management?

Mobile Device Management (MDM) is an application called AirWatch for mobile devices such as cell phones and tablets. AirWatch will enhance information security by requiring a six-digit pin (passcode, password or pattern) and enabling file and email encryption on corporate mobile devices. It adds an additional layer of security by separating emails into a corporate email container.

Why is the university implementing MDM?

The U of A is implementing MDM to enhance security and reduce the risk of a breach of personal and/or U of A information. Additionally, an MDM tool aligns with the Information Technology Security Policy and Encryption Procedure. All corporate cell phone users will need to download the MDM application. Based on security best practices, users will have three days to set a six-digit pin or password after downloading the application.

What is the definition of a corporate cell phone?

Corporate cell phones, more specifically corporate SIM cards, are those phone numbers on the university corporate invoices and include:

  • TELUS Mobility phones on a pay-per-use plan;
  • Bell Mobility phones on a pay-per-use plan;
  • existing contracted Rogers Communications cell phones.

Corporate-dedicated phones are the university corporate cell phones used by one individual, and the MDM account will authenticate to the individual’s CCID.

Corporate-shared phones are the university corporate cell phones shared by more than one individual, such as a team cell phone. The MDM account will be a generic name and will not configure U of A Gmail.

How will MDM help me?

If you lose your corporate cell phone, you can contact IST (780-492-9400) to delete any U of A, personal, student or employee information from your phone, thus reducing the risk of a privacy or security breach. To update your phone pin or locate your lost phone, you can visit the MDM self-service portal.

Will this application monitor emails and websites?

No. The MDM Agent is a tool to help you and the university protect important and/or confidential data. The MDM software monitors the overall security and health status of the device.

IST support staff cannot see passcodes/passwords, emails, texts, voice calls, etc.

IST support staff can see the following information on the AirWatch console:

  • your name;
  • your CCID;
  • your device telephone number;
  • the make, model, and serial number of the device;
  • the status of the device and whether or not it is compliant;
  • the Terms of Use and whether or not they have been accepted.

How do I enrol in MDM?

You will receive an email with instructions on how to download the AirWatch MDM application on your cell phone and enrol. As well, the MDM Google Site provides step-by-step user guides for iOS and Android.

What occurs during the enrolment process?

The steps to enrol are as follows:

  1. Remove your existing U of A email account from your Apple (iOS) device before enrolling.
  2. Unsync your U of A email account from your Android device before enrolling and encrypt your Android device.
  3. Authenticate your CCID.
  4. Accept the Terms of Use.
  5. MDM will automatically configure your U of A email account in a secure manner.
  6. As part of the U of A's security policy, the mobile device will be encrypted automatically, including both internal storage and SD cards (if applicable).
  7. For Apple iOS platforms, a device passcode automatically enables full-disk encryption. For Android devices, internal storage encryption is mandatory and is irreversible without destruction of data. This means that devices will continue to be encrypted even after the policy is removed and the user must reset the device to factory settings to remove the encryption.

Android

Android recently updated their security settings with the release of Android 6. Because of these security improvements, users need to explicitly give the AirWatch agent access to certain settings during enrolment. You will need to grant the phone access permission; the AirWatch agent uses it only to detect the SIM card and is not monitoring communications. See Six Key Security Features in Android Marshmallow 6.0 for further explanations.

iPhone

A note about the warning message “The administrator may collect personal data, add/remove accounts and restrictions, list, install, and manage apps and remotely erase data on your iPhone.” This warning is required by Apple. U of A cannot adjust the language but we want to explain what it means for you and your mobile device.

The administrator may collect personal data

Specifically, we associate your name with this device for your record at mdm.ualberta.ca. You can see all the data we collect there (namely cell phone number, make and model, operating system, and CCID).

Add/remove accounts

We add your U of A email, calendar and contacts account to your device. This will only be removed at the time your account is unenrolled or if the device is lost or stolen and IST Security works with you to have the device wiped.

And restrictions

We enforce restrictions such as requiring a 6-digit passcode and requiring auto-lock and passcode lock after 5 minutes.

List, install, and manage apps

The U of A does not have an app catalog. There are no apps that you will have the option to install other than the AirWatch Inbox.

And remotely erase data on your iPhone

When you unenroll from the MDM service, your MDM profile and your U of A email, calendar and contact accounts are automatically erased from your device. From the self-service portal, you have the ability to perform a wipe, and IST Security has the ability to perform this wipe during security procedures such as for lost or stolen devices.

Which mobile phones are affected?

Faculty and department corporate smartphones are required to enrol in the MDM solution.

  • Smartphone - with Android 4 and above
  • Smartphone and Tablet - with Apple iOS 7 and above

Which are not affected?

  • Non-corporate cell phones [Bring Your Own Device (BYOD) reimbursed by faculties and departments or paid by the user]. IST will begin working on phase two to include BYOD pending policy review.
  • The MDM application cannot be added to smartphones that do not have Apple or Android operating systems, such as:
    • Windows
    • BlackBerry phones with the BlackBerry operating system (OS)

Will cell phone plans change?

No. The corporate plans through TELUS and Bell are still pay-per-use plans. The existing Rogers contracts remain as they are and should be ported to TELUS or Bell pay-per-use once the contracts expire. Do not create new Rogers contracts.

The enrolment process requires me to change my passcode. Can I use a password?

Apple iOS requires passcodes, and some Android phones require either passcodes or passwords.

Android:

  • Currently, there are no restrictions on using a swipe pattern for the lock screen. However, some types of Android phones may automatically lock out this option if it is deemed not as secure as a six-digit passcode.
  • With Android encryption, the user will still be asked for their full device passcode (and not swipe) in order to boot the device if it has been fully turned off or restarted.
  • Android does not provide the ability to encrypt the disk using a swipe pattern in place of a passcode. The six-point pattern can be added after encryption.
    • Remember that a password is more secure than a pattern for locking your phone. Read more here

Apple (iOS):

  • The fingerprint authentication does work;
    • before you can set up Touch ID, you need to create a passcode for your device;
    • read more about Touch ID security here.

What should I do if I have a corporate cell phone and did not receive an email with instructions to enrol in MDM?

IST is introducing MDM by faculties and departments. If your faculty is beginning to use the MDM tool and you have a corporate cell phone but did not receive the enrolment email, please contact IST:

Please note that some corporate cell phones do not have an individual user identified. IST is actively working with the affected faculties and departments to correct this.

Where can I find help?

For any questions about MDM, please contact IST: