Privacy for BYOD Deployments

One of the biggest concerns for BYOD end users is the privacy of the personal content on devices managed under Workspace ONE UEM. Your organization must assure employees that their personal data is not subject to corporate oversight.

With Workspace ONE UEM, you can protect personal data by creating customized privacy policies that skip collection of personal data based on the device ownership type. You can also define granular privacy settings that deactivate collection of personally identifiable information and disallow certain remote actions on employee-owned devices.

You must inform your end users about how their data is collected and stored when they enroll into Workspace ONE UEM.

For more information about how VMware handles information collected through Workspace ONE UEM, such as analytics, see the VMware Privacy Policy at https://www.vmware.com/help/privacy.html.

Important: Countries and jurisdictions have differing regulations governing the data that can be collected from end users. Your organization must thoroughly research the applicable laws before you configure your BYOD and privacy policies.

Configure Privacy Settings

End-user privacy is a major concern for you and your users. Workspace ONE UEM provides granular control over what data is collected from users and what collected data is viewable by admins. Configure the privacy settings to serve both your users and your business needs.

  • Review and adjust privacy policies according to device ownership, which lets you align with data privacy laws in other countries or legally defined restrictions.
  • Ensure that IT monitoring is in place, preventing overload of servers and systems.

Important: Each jurisdiction has its own regulations governing what data can be collected from end users. Research these regulations thoroughly before configuring your privacy policies.

  1. Navigate to Devices > Device Settings > Devices & Users > General > Privacy.

  2. Select the appropriate setting for GPS, Telecom, Applications, Profiles, and Network data collection.

    • Collect and Display (full gray circle icon) – User data is collected and displayed in the UEM console.
    • Collect Do Not Display (gray half-circle icon) – User data is collected for use in reports but is not displayed in the UEM console.
    • Do Not Collect (empty gray outline icon) – User data is not collected and therefore is not displayed.
  3. Select the appropriate setting for the Commands that can be performed on devices. Consider disabling all remote commands for employee-owned devices, especially full wipe. This deactivation prevents inadvertent deletion or wiping of an end user's personal content. If you deactivate the wipe function for select iOS ownership types, users do not see the "Erase all content and settings" permission during enrollment.

    Note: If you change the privacy setting for remote lock, shutdown, reboot, or clear passcode from Prevent (empty gray outline icon) to Allow (full gray circle icon) or Allow With User Permission (gray half-circle icon), any previously enrolled Apple device must be re-enrolled under the new privacy setting before you can perform those remote actions on it.

    • Allow (full gray circle icon) – The command runs on devices without permission from the user.
    • Allow With User Permission (gray half-circle icon) – The command runs on devices only with the permission of the user.
    • Prevent (empty gray outline icon) – The command does not run on devices.
  4. If you are going to allow remote control, file manager, or registry manager access for Android/Windows Rugged devices, consider using the Allow With User Permission option. This option requires the end user to consent to admin access on their device through a message prompt before the action is performed. If you opt to allow use of any commands, explicitly mention these commands in your terms of use agreement.

  5. For User Information, select Display or Do Not Display in the Console for the First Name, Last Name, Phone Number, Email Accounts, and user name data.

  6. If an option other than user name is set to Do Not Display, that data displays as "Private" wherever it appears in the console. Options you set to Do Not Display are not searchable in the console. When a user name is set to Do Not Display, the user name displays as "Private" only on the Device List View and Device Details pages. All other pages in the console show the user name of the enrolled user.

  7. You can encrypt personally identifiable information, including first name, last name, email address, and telephone number. Navigate to Groups & Settings > All Settings > System > Security > Data Security from the Global or Customer-level organization group you want to configure encryption for. Enabling encryption, selecting which user data to encrypt, and selecting Save encrypts user data. Doing so limits some features in the console, such as search, sort, and filter.

  8. Select whether to Enable or Deactivate the Do Not Disturb Mode on the device. This setting lets user devices ignore MDM commands for a specified period. When Enabled, you can select a grace period or activation time in minutes, hours, or days, after which the Do Not Disturb Mode expires.

  9. Select to Enable or Deactivate the User-Friendly Privacy Notice on the device.

  10. When Enabled, you can select Yes (display a privacy notice) or No (do not display a privacy notice) for each ownership level: Employee Owned, Corporate - Dedicated, Corporate - Shared, and Unknown.

  11. Click Save. Access to privacy settings is restricted, so you must enter your four-digit console PIN to continue.
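The three collection states (steps 2 and 3) and the Display / Do Not Display user-information settings (steps 5 and 6) have precise semantics that are easy to misread: Collect Do Not Display still stores data for reports, Do Not Collect never stores it, and a user name set to Do Not Display is masked only on the Device List View and Device Details pages. The following model is an added example, not Workspace ONE UEM code; the policy dictionary, the constructed device sample, and the page names are assumptions made to illustrate how those settings combine.

```python
"""Model of the privacy collection and display settings described above (added example)."""
from dataclasses import dataclass
from enum import Enum


class Collection(Enum):
    COLLECT_AND_DISPLAY = "collect_and_display"
    COLLECT_DO_NOT_DISPLAY = "collect_do_not_display"
    DO_NOT_COLLECT = "do_not_collect"


class Display(Enum):
    DISPLAY = "display"
    DO_NOT_DISPLAY = "do_not_display"


PRIVATE = "Private"
# Pages on which a Do Not Display user name is masked (all other pages show it).
USER_NAME_MASKED_PAGES = ("device_list", "device_details")


@dataclass
class PrivacyPolicy:
    data_collection: dict  # data category -> Collection
    user_info: dict        # user field -> Display


# Hypothetical policy for the Employee Owned ownership type (constructed for this example).
EMPLOYEE_OWNED = PrivacyPolicy(
    data_collection={
        "GPS": Collection.DO_NOT_COLLECT,
        "Applications": Collection.COLLECT_DO_NOT_DISPLAY,
        "Network": Collection.COLLECT_AND_DISPLAY,
    },
    user_info={
        "first_name": Display.DISPLAY,
        "last_name": Display.DISPLAY,
        "phone_number": Display.DO_NOT_DISPLAY,
        "email": Display.DO_NOT_DISPLAY,
        "user_name": Display.DO_NOT_DISPLAY,
    },
)

# Constructed sample of what a device agent might report.
SAMPLE_DEVICE = {
    "GPS": (37.3861, -122.0839),
    "Applications": ["com.example.personalgame"],
    "Network": {"wifi_ip": "10.0.0.5"},
}
SAMPLE_USER = {
    "first_name": "Jane", "last_name": "Doe",
    "phone_number": "+1-555-0100", "email": "jane@example.com",
    "user_name": "jdoe",
}


def ingest(policy, raw_sample):
    """Apply collection settings at ingest time.

    Do Not Collect drops the category entirely; the other two states keep it
    in the stored record (Collect Do Not Display data feeds reports only).
    """
    return {
        category: value
        for category, value in raw_sample.items()
        if policy.data_collection.get(category, Collection.DO_NOT_COLLECT)
        is not Collection.DO_NOT_COLLECT
    }


def render_console(policy, stored, user, page):
    """Build the admin's console view of a stored record for a given page."""
    view = {}
    for category, value in stored.items():
        # Only Collect and Display data reaches the console view.
        if policy.data_collection[category] is Collection.COLLECT_AND_DISPLAY:
            view[category] = value
    for field_name, value in user.items():
        setting = policy.user_info.get(field_name, Display.DISPLAY)
        if setting is Display.DISPLAY:
            view[field_name] = value
        elif field_name == "user_name" and page not in USER_NAME_MASKED_PAGES:
            view[field_name] = value  # user name is masked only on list/details pages
        else:
            view[field_name] = PRIVATE
    return view


def searchable_user_fields(policy):
    """Fields set to Do Not Display cannot be searched in the console."""
    return [f for f, s in policy.user_info.items() if s is Display.DISPLAY]


if __name__ == "__main__":
    stored = ingest(EMPLOYEE_OWNED, SAMPLE_DEVICE)
    print("stored:", stored)
    print("details page:", render_console(EMPLOYEE_OWNED, stored, SAMPLE_USER, "device_details"))
    print("other page:", render_console(EMPLOYEE_OWNED, stored, SAMPLE_USER, "compliance"))
    print("searchable:", searchable_user_fields(EMPLOYEE_OWNED))
```

Running the block shows that GPS never enters the stored record, the application list is stored but absent from every console view, phone number and email read "Private" everywhere, and the user name reads "Private" on the details page but "jdoe" elsewhere.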

Privacy Notice Deployment

Privacy notices are automatically delivered based on the organization group and device ownership of the device connecting. You can display a privacy notice for each ownership type: Employee Owned, Corporate - Dedicated, Corporate - Shared, and Unknown.

When you assign an ownership type to receive privacy notices, all users in the selected ownership type receive the privacy notification immediately as a Web clip. If you inserted the privacy notice lookup value PrivacyNotificationUrl in your message template, then the message includes a URL where the user can read the privacy notice.

Users receive the privacy notice automatically if:

  • They enroll a new device and they are of an ownership type for which the privacy notice is enabled.
  • They currently use an enrolled device and their ownership is changed post-enrollment to a type that is assigned the Web clip.

To learn how to deploy a privacy notice as part of a device activation, see Register an Individual Device.

Create a Privacy Notice for BYOD Users

Inform your users about what data your company collects from their enrolled devices with a customized privacy notification. Work with your legal department to determine what message about data collection you communicate to your end users.

  1. Navigate to Groups and Settings > All Settings > Devices and Users > General > Message Templates.

  2. Select Add to create a template. If you have already created a privacy notification template, select it from the list of available templates to use or edit it.

  3. Complete the Add/Edit Message Template settings.

    • Name – Enter a name for the notification template.
    • Description – Enter a description of the template you are creating.
    • Category – Select Enrollment.
    • Type – Select MDM Device Activation.
    • Select Language – Select the default language for your template. Use the Add button to add more default languages for a multi-language delivery.
    • Default – Assign this template as the default message template.
    • Message Type – Select one or more message types: Email, SMS, or Push message.
  4. Create the notification content. The message types that you selected in the Message Type selection determine which messages appear for you to configure.

    Email
    • Email Content Formatting – Select whether your email notification is delivered as Plain Text or HTML.
    • Subject – Enter the subject line for your email notification.
    • Message Body – Compose the email message to send to your users. The editing and formatting tools that appear in this text box depend on which format you select in the Email Content Formatting selection. If you have enabled the Visual Privacy Notice, include the lookup value PrivacyNotificationUrl in the message body.
    SMS
    • Message Body – Compose the SMS message to send to your users. If you have enabled the Visual Privacy Notice, include the lookup value PrivacyNotificationUrl in your message body.
    Push
    • Message Body – Compose the Push notification to send to your users. If you have enabled the Visual Privacy Notice, include the lookup value PrivacyNotificationUrl in your message body.
  5. Select Save.

Privacy Best Practices

Striking a balance between your business needs and the privacy concerns of your employees can be challenging. A few simple practices for managing privacy settings help you strike that balance.

Important: Every deployment is different. Tailor these settings and policies to fit your organization by consulting with your own legal, human resource, and management teams.

User Information for Privacy Best Practices

In general, you display user information such as the first name, last name, phone number, and email address for both employee-owned and corporate-owned devices.

Application Information for Privacy Best Practices

In general, it is appropriate to set the collection of application information to either do not collect or collect and do not display for employee-owned devices. This setting is important because public apps installed on a device, if viewed, can be considered personally identifiable information. For corporate-owned devices, Workspace ONE UEM records all installed applications on the device.

Selecting Do Not Collect stops the collection of personal application information only. Workspace ONE UEM still collects all managed applications, whether public, internal, or purchased.

Remote Commands for Privacy Best Practices

Consider disabling all remote commands for employee-owned devices. However, if you allow remote actions or commands, explicitly mention these remote actions and commands in your terms of use agreement.

GPS Coordinate Collection for Privacy Best Practices

The collection of GPS coordinates relates to privacy concerns in a fundamental way. While it is not appropriate to collect GPS data for employee-owned devices, the following notes apply to all devices enrolled in Workspace ONE UEM.

  • Only the Workspace ONE Intelligent Hub relays device GPS location data back to the console.
    • Other apps that use the Workspace ONE SDK, such as VMware Browser, Content, Boxer, and so forth, do not report GPS data back to the console.
  • GPS is typically used for lost or stolen devices. It is also used when knowing the location of a device is inherently part of a Workspace ONE UEM console function, such as Geofencing.
  • When GPS data is reported, Workspace ONE UEM defines a 1-kilometer region around this location. It then reports location information whenever the device moves outside the region.

Telecom Data for Privacy Best Practices

It is only appropriate to collect Telecom data for employee-owned devices if they are a part of a stipend where cellphone expenses are subsidized. In this case, or for corporate-owned devices, consider the following about data you can collect.

  • Carrier/Country Code – Carrier and Country Code are recorded and can be used for Telecom tracking purposes. Telecom plans are set up and devices are assigned to the appropriate plan based on the carrier and country. You can use this information to track devices by home carrier and home country or by current carrier and current country.
  • Roaming Status – This status can be used to track which devices are in a 'Roaming' or 'Not Roaming' state. Compliance policies can be set up to deactivate voice and data use while the device is roaming or you can also apply other compliance actions. Also, if the device is assigned to a Telecom plan, Workspace ONE UEM can track data use while roaming. Collecting and monitoring roaming status can be helpful in preventing large carrier charges due to roaming.
  • Cellular Data Use – The data use in terms of total bytes sent and received. This data can be collected for each cellular device. If the device is assigned to a Telecom plan, you can monitor data use based on a percentage of total data amount per billing cycle. This feature allows you to create compliance policies based on the percentage of data used and is helpful in preventing large carrier overage charges.
  • Cell Use – The voice minutes that can be collected for each cellular device. Similar to data, if the device is assigned to a Telecom plan, you can monitor use based on a percentage of minutes per billing cycle. This method allows you to create compliance policies based on the percentage of minutes used and can be helpful in preventing large carrier overage charges.
  • SMS Use – The short message service (SMS) data that can be collected for each cellular device. Similar to data, if the device is assigned to a Telecom plan, you can monitor SMS use based on a percentage of messages per billing cycle. This method allows you to create compliance policies based on the percentage of messages used. Monitoring SMS use is helpful in preventing large carrier overage charges.
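The Telecom bullets above describe compliance policies driven by the percentage of a plan's data, minutes, or messages consumed in a billing cycle, plus roaming-based actions. The following is an added example, not Workspace ONE UEM code, that evaluates constructed usage samples against a plan with tiered thresholds; the plan figures, threshold tiers, action names, and sample devices are all assumptions chosen for illustration.

```python
"""Tiered telecom usage compliance evaluation (added example, not product code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TelecomPlan:
    data_bytes: int       # data allowance per billing cycle
    voice_minutes: int    # voice allowance per billing cycle
    sms_messages: int     # SMS allowance per billing cycle


@dataclass(frozen=True)
class UsageSample:
    device_id: str
    data_bytes: int
    voice_minutes: int
    sms_messages: int
    roaming: bool


# Hypothetical tiers: (percent of allowance, action). The highest tier exceeded wins.
DEFAULT_THRESHOLDS = {
    "data": [(80.0, "notify_user"), (100.0, "block_cellular_data")],
    "voice": [(90.0, "notify_user"), (100.0, "notify_admin")],
    "sms": [(90.0, "notify_user"), (100.0, "notify_admin")],
}
ROAMING_ACTION = "deactivate_voice_and_data"


def percent_used(used, allowance):
    """Percentage of the allowance consumed; a zero allowance counts as fully used."""
    if allowance <= 0:
        return 100.0 if used > 0 else 0.0
    return 100.0 * used / allowance


def evaluate(sample, plan, thresholds=DEFAULT_THRESHOLDS, act_on_roaming=True):
    """Return a list of (metric, percent, action) findings for one device."""
    findings = []
    metrics = (
        ("data", sample.data_bytes, plan.data_bytes),
        ("voice", sample.voice_minutes, plan.voice_minutes),
        ("sms", sample.sms_messages, plan.sms_messages),
    )
    for metric, used, allowance in metrics:
        pct = percent_used(used, allowance)
        action = None
        for limit, tier_action in thresholds[metric]:
            if pct >= limit:
                action = tier_action   # tiers are ascending, so the last match wins
        if action is not None:
            findings.append((metric, round(pct, 1), action))
    if act_on_roaming and sample.roaming:
        findings.append(("roaming", None, ROAMING_ACTION))
    return findings


# Constructed plan and samples for a corporate/stipend cellular fleet.
SAMPLE_PLAN = TelecomPlan(data_bytes=5 * 1024**3, voice_minutes=1000, sms_messages=500)
SAMPLE_USAGE = [
    UsageSample("dev-A", data_bytes=int(4.25 * 1024**3), voice_minutes=500, sms_messages=10, roaming=False),
    UsageSample("dev-B", data_bytes=1024**3, voice_minutes=120, sms_messages=550, roaming=True),
    UsageSample("dev-C", data_bytes=0, voice_minutes=0, sms_messages=0, roaming=False),
]


def evaluate_fleet(samples, plan):
    """Map device id to its findings, omitting compliant devices."""
    result = {}
    for s in samples:
        findings = evaluate(s, plan)
        if findings:
            result[s.device_id] = findings
    return result


if __name__ == "__main__":
    for device, findings in evaluate_fleet(SAMPLE_USAGE, SAMPLE_PLAN).items():
        print(device, findings)
```

Device A is at 85% of its data allowance and gets only a user notification, device B has exceeded its SMS allowance and is roaming so it collects two findings, and device C produces none.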

User Data Collection from BYOD End Users

The Workspace ONE UEM infrastructure collects and stores many types of user-generated data. The following matrix matches each data type to the platforms and operating systems from which the data can be collected.

Use this matrix to determine which data collection is necessary for your deployment. Workspace ONE UEM also defines optional data that you can collect, such as Bluetooth MAC. You can configure these options and assign privacy settings by ownership type: dedicated corporate, shared corporate, and employee owned.

For more information about how VMware handles information collected through Workspace ONE UEM, such as analytics, see the VMware Privacy Policy at https://www.vmware.com/help/privacy.html.

✓ - Can be collected.

X - Cannot be collected.

✓* - Can be collected on Workspace ONE Intelligent Hub deployments.

✓** - Can be collected on Workspace ONE Intelligent Hub or iOS 9.3+ Supervised Mode deployments.

Android Apple iOS macOS Windows Rugged Windows Desktop
Application Tracking
View installed internal apps X
View app versions X
Capture app status X X
Certificates
View list of installed certificates X ✓*
Asset Tracking
Device Name
Device UDID
Phone Number X
IMEI/MEID Number X
Device serial number
IMSI number X X
Device model X
Device model name (Friendly) X X
Manufacturer
OS Version
OS Build X
Firmware/kernel version X X X X
Track device errors X X
Device Status
Battery available
Battery capacity X
Memory available X
Memory capacity X
Location
GPS tracking ✓**
Bluetooth Data ✓**
USB Data X ✓**
Network
Wi-Fi IP Address
Wi-Fi MAC
Wi-Fi signal strength X X
Carrier Settings version X X X
Cell signal strength X X X X
Cell technology (none, GSM, CDMA) X X X
Current MCC X X X
Current MNC X X X
SIM card number X X
SIM carrier network X X X
Subscriber MNC X X X
Bluetooth MAC X X
Show IP addresses X X
Show LAN adapters X X X X
Show MAC address X X
Roaming
Detect roaming status X X X
Deactivate Push notifications when roaming X X X X
Voice roaming enabled (allowed) X X X X
Data Usage
Track data usage through cell network X X X
Track data usage through Wi-Fi network X X X X X
Calls
Track call history X X X X
Messages
Track SMS history X X X X
Cellular Status
Current Carrier network X X X
Current network status X X X
Remote View
Remotely control device X
Screen capture (save, email, print, and so on) X
Screen sharing (remote view within apps) X
File Manager
Access device file manager X
Access device registry manager X X X
Copy files X
Create folders X
Download files from device X
Move files X
Rename folders and files X
Upload files to device X

Terms of Use for BYOD End Users

For liability reasons, you must inform employees about the data that is captured and the actions that are allowed on devices enrolled in Workspace ONE UEM. To help communicate your strategy, create Terms of Use agreements in Workspace ONE UEM.

Users are prompted to read and accept the terms of use you configure before they can enable MDM on their personal devices. By assigning Terms of Use agreements based on the ownership type, you can create and distribute different agreements for corporate and BYOD users.

After your organization has written its Terms of Use agreement, consider giving it to end users in a one to two-page white paper that omits unnecessary legal language. This white paper is not the official Terms of Use to which end users agree, but instead serves to communicate your corporate policies. Ideally, end users do not see the terms of use for employee-owned devices for the first time when they enroll their device. Be upfront about what end-user information you collect and how your BYOD policies affect them.

Restrictions for BYOD Devices

Workspace ONE UEM permits you to deploy different security policies and restrictions to employee-owned and corporate-dedicated devices.

Using restriction profiles, you can set tight restrictions for corporate-dedicated devices, and looser restrictions for employee-owned devices. For example, restrictions to apps like YouTube or native App Stores are not typically deployed to employee-owned devices. Instead, you can create security profiles and restrictions that increase the level of device security without having a negative impact on functionality.

Device-Agnostic Restrictions

Workspace ONE UEM makes the following restrictions available for every device and platform:

  • Encrypted backups – Protect all backups with data encryption for BYOD devices with access to corporate content.
  • Force fraud warning in supported browsers – Require users to acknowledge all warnings issued by the browser when it detects a suspicious site.
  • Deactivate moving emails – Prohibit the exposure of sensitive corporate data by disabling the ability to forward a corporate email to a personal account, or open it in third-party applications.

Platform-Specific Restrictions

Each platform has its own set of enforceable restrictions. Evaluate these restrictions individually to determine their value to your deployment. Some, like iOS restrictions limited to supervised devices, do not apply, because employee-owned devices cannot be enrolled with Apple Configurator.

  • You can create security profiles and restrictions by navigating to Resources > Profiles & Baselines > Profiles and selecting Add, then selecting the appropriate platform.
  • If you create profiles specifically for employee-owned devices, only assign them to Smart Groups based on Ownership Type: Employee-Owned. For more information, see Smart Groups.

For more information about creating security profiles and restrictions, see Add a Compliance Policy.

Enterprise Wipe for BYOD Devices

An essential aspect of your BYOD deployment is removing corporate content when an employee leaves, or when a device is lost or stolen. Workspace ONE UEM lets you perform an Enterprise Wipe on devices to remove all corporate content and access while leaving personal files and settings untouched.

While a Device Wipe restores a device to its original factory state, Workspace ONE UEM lets you decide how far an Enterprise Wipe goes when applied to public and purchased VPP applications, which sit in a gray area between corporate and employee-owned content. An Enterprise Wipe also unenrolls the device from Workspace ONE UEM and strips it of all content enabled through MDM. This content includes email accounts, VPN settings, Wi-Fi profiles, secure content, and enterprise applications.

If you used Apple Volume Purchase Plan redemption codes for devices running iOS 6 and earlier, you cannot reclaim any redeemed licenses for that application. Once installed, the application is associated with the user's App Store account, and this association cannot be undone. However, you can redeem license codes used for iOS 7 and later.

  • Device Wipe – Send an MDM command to wipe a device clear of all data and operating system. This action cannot be undone.

    • iOS Device Wipe Considerations
      • For iOS 11 and below devices, the device wipe command also wipes the Apple SIM data associated with the devices.
      • For iOS 11+ devices, you can preserve the Apple SIM data plan (if one exists on the device). Select the Preserve Data Plan check box on the Device Wipe page before sending the device wipe command.
      • For iOS 11.3+ devices, you have an extra option to skip the Proximity Setup screen when sending the device wipe command. When the option is enabled, the Proximity Setup screen is skipped in the Setup Assistant, so the device user does not see the Proximity Setup option.
    • For Windows Desktop Devices, you can select the type of device wipe.
      • Wipe - This option wipes the device of all content.
      • Wipe Protected - This option is similar to a normal device wipe, but the device end user cannot circumvent the action. The Wipe Protected command keeps trying to reset the device until it is successful. In some device configurations, this command can leave the device unable to start.
      • Wipe and Persist Provisioning Data - This option wipes the device but specifies that provisioning data be backed up to a persistent location. After the wipe runs, the provisioning data is restored and applied to the device. The provisioning folder is saved. You can find the folder by navigating on the device to %ProgramData%\Microsoft\Provisioning.
  • Enterprise Wipe – Enterprise Wipe a device to unenroll and remove all managed enterprise resources including applications and profiles. This action cannot be undone and re-enrollment is required before Workspace ONE UEM can manage this device again. This device action includes options to prevent future re-enrollment and a Note Description text box for you to add information about the action.

    • Enterprise Wipe is not supported for cloud domain-joined devices.

Perform an Enterprise Wipe for a BYOD Device

An enterprise wipe unenrolls the device from Workspace ONE UEM and strips it of all enterprise content, including email accounts, VPN settings, profiles, and applications.

  1. In the Workspace ONE UEM console, select the appropriate organization group.
  2. Navigate to Devices > List View and select a device or multiple devices from the list.
  3. The Device Details view displays a list of actions you can perform under the More drop-down in the top right. Select Enterprise Wipe.
  4. In the confirmation dialog box, select Prevent Re-Enrollment to prevent this device from enrolling again.
  5. Enter a Security PIN if applicable, and then select Enterprise Wipe to finish the action.

Deactivate Full Wipe for BYOD Devices

For security and privacy reasons, you can deactivate the ability to perform a full wipe on a BYOD Device.

If you deactivate full wipe for select iOS ownership types, then users enrolling under that ownership type do not see "Erase all content and settings" permissions during profile installation.

  1. Navigate to Devices > Device Settings > Devices & Users > General > Privacy.
  2. Scroll down to the Commands section and find the Employee Owned column.
  3. Set the Full Wipe option to Prevent and select Save.