PURPOSE:
This Mobile Device Management (MDM) Policy outlines the standards and procedures for managing and securing mobile devices (smartphones, tablets, laptops, and desktops considered under this policy) used to access Idaho College of Osteopathic Medicine (ICOM) institutional resources. The purpose of this policy is to protect institutional data, ensure regulatory compliance, and maintain a secure mobile computing environment for all authorized users. MDM is essential for managing the risks associated with mobile devices, including data loss, malware infections, unauthorized access, and device theft.
SCOPE:
This policy applies to all institutionally owned mobile devices (smartphones, tablets, laptops, desktops) used to access, store, or transmit ICOM institutional data.
This policy encompasses the management of mobile devices connecting to or accessing:
- Institutional email
- Institutional applications (including SaaS applications)
- Institutional networks (wired and wireless)
- Institutional data, regardless of storage location (including data accessed within SaaS applications)
This policy applies to all individuals who use mobile devices to access institutional resources, including but not limited to:
- Faculty
- Staff
- Administrators
- Students (in specific roles requiring mobile device access)
- Affiliates
- Contractors
- Vendors
DEFINITIONS:
- Mobile Device: A portable computing device such as a smartphone, tablet, or laptop that is designed for mobility and wireless connectivity.
- Mobile Device Management (MDM): A category of software and services used to manage and secure mobile devices (as well as desktops) deployed across an organization. MDM typically includes features for device enrollment, configuration, policy enforcement, application management, and remote device actions.
- Institutionally Owned Mobile Device: A mobile device that is purchased, owned, and managed by ICOM and provided to faculty, staff, or students for institutional purposes.
- Enrollment: The process of registering a mobile device with the MDM system, allowing it to be managed and secured according to ICOM's policies.
- Security Configuration: The settings and parameters applied to a mobile device through the MDM system to enforce security policies, such as password complexity, screen lock timeout, and encryption requirements.
- Remote Wipe: A feature of MDM that allows authorized administrators to remotely erase all data from a lost, stolen, or compromised mobile device.
- Remote Lock: A feature of MDM that allows authorized administrators to remotely lock a mobile device to prevent unauthorized access.
- Application Management: The ability of the MDM system to manage applications on enrolled devices, including installing, updating, and removing apps.
- Data Loss Prevention (DLP): A set of technologies and processes used to prevent sensitive data from leaving the organization's control. In the context of MDM, DLP controls can restrict actions like copying, pasting, or sharing sensitive data on mobile devices.
- Conditional Access: A security feature that grants or denies access to applications and data based on specific conditions, such as the device's compliance status with security policies.
- Device Compliance: The state of a mobile device meeting the security policies and configuration requirements set by the MDM system.
- Encryption: The process of encoding data to prevent unauthorized access. MDM can enforce encryption on mobile devices.
POLICY:
Mandatory MDM Enrollment (for Institutionally Owned Devices): All institutionally owned mobile devices that access institutional resources must be enrolled in the institution's Mobile Device Management (MDM) solution. Enrollment must be completed prior to device issuance or use.
Acceptable Use Policy Adherence: All mobile device users must comply with the institution's Acceptable Use Policy and all other relevant institutional policies and procedures.
Security Configuration Enforcement: MDM will be used to enforce minimum security configurations on enrolled mobile devices, including but not limited to:
- Password/Passcode Complexity and Length: Enforcing strong passwords or passcodes for device access.
- Screen Lock Timeout: Setting automatic screen lock timeouts to limit unauthorized access.
- Encryption: Enforcing full device encryption or encryption of specific data containers.
- Operating System Patching: Requiring devices to maintain up-to-date operating system versions and security patches.
- Anti-Malware (Where Applicable): Enforcing the installation and active status of approved anti-malware software (where supported by the device platform and MDM solution).
- Application Management: Potentially managing the installation and types of applications permitted on devices, particularly for institutionally owned devices.
- Data Loss Prevention (DLP) Controls (Where Applicable): Implementing controls to prevent sensitive data leakage from mobile devices.
Remote Management Capabilities: Enrolled mobile devices will be subject to remote management capabilities provided by the MDM solution, which may include:
- Remote Wipe: Ability to remotely erase data from a device in case of loss, theft, or security compromise.
- Remote Lock: Ability to remotely lock a device to prevent unauthorized access.
- Application Deployment and Management: Remote installation, update, and removal of applications (primarily for institutionally owned devices).
- Configuration Management: Remote configuration of device settings and security policies.
- Location Tracking (Optional and with Transparency): Location tracking of institutionally owned devices may be enabled for asset management and security purposes (e.g., device recovery).
Data Access Control: MDM may be used to control access to institutional resources from mobile devices, including granting or denying access to applications and data based on device compliance with security policies (e.g., password compliance, anti-virus status, encryption status, OS patch level).
Device Loss or Theft Reporting: Users are required to immediately report the loss or theft of any mobile device enrolled in MDM or used to access institutional resources to the IT Help Desk or Information Technology Office. Remote wipe and other security measures will be initiated as needed.
Acceptable Use of Mobile Devices: Users must use mobile devices in a responsible and ethical manner, consistent with institutional policies, and respecting data privacy and security. Mobile devices should not be used in a manner that violates laws, regulations, or ethical standards.
Monitoring and Auditing: The institution reserves the right to monitor and audit the security and compliance status of enrolled mobile devices to ensure adherence to this policy and to detect and respond to security incidents. Monitoring activities will be conducted in accordance with legal requirements while adhering to the principles and guidelines set forth in the Data Privacy Policy.
User Responsibilities: Users of mobile devices accessing institutional resources are responsible for:
- Complying with this MDM Policy and all related security policies and procedures.
- Enrolling devices in MDM as required (institutional devices are pre-enrolled).
- Maintaining the security of their devices, including passwords/PINs, keeping software updated, and avoiding risky applications or behaviors.
- Reporting lost or stolen devices immediately.
- Using devices responsibly and ethically.
- Cooperating with IT in MDM enrollment, configuration, and incident response
POLICY EXCEPTIONS:
Exceptions to this MDM Policy may be granted in limited circumstances by the Chief Information Officer or designated authorization authority, with appropriate justification, risk assessment, and compensating security controls documented and implemented. Exceptions should be rare and subject to periodic review.
ENFORCEMENT:
Enforcement of this Mobile Device Management Policy is the responsibility of all managers, supervisors, IT administrators, and mobile device users, under the overall direction of the Chief Information Officer. Non-enrollment of institutionally owned devices, violation of security configurations, or other policy violations may result in disciplinary actions, up to and including revocation of device privileges, suspension of network access, and termination of employment or access privileges. The Information Technology Office will monitor compliance with this policy and investigate reported violations.
POLICY REVIEW AND UPDATES:
This Mobile Device Management Policy will be reviewed and updated at least annually, or as needed to reflect changes in mobile technology, MDM solutions, security threats, regulations, institutional risk assessments, business needs, or best practices in mobile device security. The Information Security Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual