One of the biggest concerns for BYOD end users is the privacy of the personal content on devices managed under Workspace ONE UEM. Your organization must assure employees that their personal data is not subject to corporate oversight.
With Workspace ONE UEM, you can ensure the privacy of personal data by creating customized privacy policies that do not collect personal data based on the device ownership type. In addition, you can define granular privacy settings to disable the collection of the personally identifiable information and disallow certain remote actions to employee-owned devices to ensure employee privacy.
You must inform your end users about how their data is collected and stored when they enroll into Workspace ONE UEM.
Important: Countries and jurisdictions have differing regulations governing the data that can be collected from end users. Your organization must thoroughly research the applicable laws before you configure your BYOD and privacy policies.
End-user privacy is a major concern for you and your users. Workspace ONE UEM provides granular control over what data is collected from users and what collected data is viewable by admins. Configure the privacy settings to serve both your users and your business needs.
Important: Each jurisdiction has its own regulations governing what data can be collected from end users. Research these regulations thoroughly before configuring your privacy policies.
Select the appropriate setting for GPS, Telecom, Applications, Profiles, and Network data collection.
- Collect and Display – User data is collected and displayed in the UEM console.
- Collect Do Not Display – User data is collected for use in reports but is not displayed in the UEM console.
- Do Not Collect – User data is not collected and therefore it is not displayed.
Select the appropriate setting for the Commands that can be performed on devices. Consider disabling all remote commands for employee-owned devices, especially full wipe. This disablement prevents inadvertent deletion or wiping of an end user's personal content. If you disable the wipe function for select iOS ownership types, users do not see the "Erase all content and settings" permission during enrollment.
- Allow – The command is made on devices without permission from the user.
- Allow With User Permission – The command is made on devices but only with the permission of the user.
- Prevent – The command does not run on devices.
Privacy notices are automatically delivered based on the organization group and device ownership of the device connecting. You may choose to display a privacy notice for each ownership type: Employee Owned, Corporate - Dedicated, Corporate - Shared, and Unknown.
When you assign an ownership type to receive privacy notices, all users in the selected ownership type receive the privacy notification immediately as a Web clip. If you inserted the privacy notice lookup value PrivacyNotificationUrl in your message template, then the message includes a URL where the user can read the privacy notice.
Users receive the privacy notice automatically if:
To learn how to deploy a privacy notice as part of a device activation, see Register an Individual Device.
Inform your users about what data your company collects from their enrolled devices with a customized privacy notification. Work with your legal department to determine what message about data collection you communicate to your end users.
Complete the Add/Edit Message Template settings.
| Setting | Description |
|---|---|
| Name | Enter a name for the notification template. |
| Description | Enter a description of the template you are creating. |
| Type | Select MDM Device Activation. |
| Select Language | Select the default language for your template. Use the Add button to add more default languages for a multi-language delivery. |
| Default | Assigns this template as the default message template. |
| Message Type | Select one or more message types: Email, SMS, or Push message. |
Create the notification content. The message types that you selected in the Message Type selection determine which messages appear for you to configure.
| Message type | Setting | Description |
|---|---|---|
| Email | Email Content Formatting | Choose whether your email notification is delivered as Plain Text or HTML. |
| Email | Subject | Enter the subject line for your email notification. |
| Email | Message Body | Compose the email message to send to your users. The editing and formatting tools that appear in this text box depend on which format you chose in the Email Content Formatting selection. If you have enabled the Visual Privacy Notice, include the PrivacyNotificationUrl lookup value. |
| SMS | Message Body | Compose the SMS message to send to your users. If you have enabled the Visual Privacy Notice, include the PrivacyNotificationUrl lookup value. |
| Push | Message Body | Compose the Push notification to send to your users. If you have enabled the Visual Privacy Notice, include the PrivacyNotificationUrl lookup value. |
Striking a balance between your business needs and the privacy concerns of your employees can be challenging. A few simple practices for managing Privacy Settings help you strike the best balance.
Important: Every deployment is different. Tailor these settings and policies to fit your organization by consulting with your own legal, human resource, and management teams.
In general, you display user information such as the first name, last name, phone number, and email address for both employee-owned and corporate-owned devices.
In general, it is appropriate to set the collection of application information to either do not collect or collect and do not display for employee-owned devices. This setting is important because public apps installed on a device, if viewed, can be considered personally identifiable information. For corporate-owned devices, Workspace ONE UEM records all installed applications on the device.
If Do Not Collect is selected, only personal application information is not collected. Workspace ONE UEM collects all managed applications, whether public, internal, or purchased.
The collection of GPS coordinates relates to privacy concerns in a fundamental way. While it is not appropriate to collect GPS data for employee-owned devices, the following notes apply to all devices enrolled in Workspace ONE UEM.
It is only appropriate to collect telecom data for employee-owned devices if they are a part of a stipend where cellphone expenses are subsidized. In this case, or for corporate-owned devices, consider the following about data you can collect.
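The data-collection options, the command options, and the employee-owned recommendations above can be checked mechanically before a privacy configuration goes live. The following audit script is an added example, not Workspace ONE UEM code: the dictionary layout, the `"collection"`/`"commands"` sections, and the command key names such as `"Device Wipe"` are assumptions chosen for illustration, not a UEM console export format or API. It flags the settings the page advises against for employee-owned devices (GPS collection, displayed application lists, telecom data without a stipend, any full wipe that is not prevented, and other remote commands that run without user permission), and it reports a category that is absent from the configuration instead of assuming a safe default.

```python
"""Audit a privacy configuration against the BYOD guidance on this page.

Added example. The dictionary layout and the setting/command key names are
assumptions for illustration, not a Workspace ONE UEM export format or API.
"""
from dataclasses import dataclass

# Data-collection options as named in the UEM console.
COLLECT_AND_DISPLAY = "Collect and Display"
COLLECT_DO_NOT_DISPLAY = "Collect Do Not Display"
DO_NOT_COLLECT = "Do Not Collect"

# Command options as named in the UEM console.
ALLOW = "Allow"
ALLOW_WITH_USER_PERMISSION = "Allow With User Permission"
PREVENT = "Prevent"

# Ownership types as named in the UEM console.
EMPLOYEE_OWNED = "Employee Owned"
CORPORATE_DEDICATED = "Corporate - Dedicated"

# The data categories the privacy settings let you configure.
COLLECTION_CATEGORIES = ("GPS", "Telecom", "Applications", "Profiles", "Network")

# Assumed key name for the full (device) wipe command in the config.
FULL_WIPE_COMMAND = "Device Wipe"


@dataclass(frozen=True)
class Finding:
    ownership: str
    setting: str
    value: str
    reason: str


def audit_employee_owned(config, stipend_ownerships=()):
    """Return Findings for settings that conflict with the BYOD guidance.

    config maps an ownership type to {"collection": {...}, "commands": {...}}.
    stipend_ownerships lists ownership types whose users are on a telecom
    stipend, the one case where collecting telecom data from employee-owned
    devices is appropriate. Corporate ownership types are not audited because
    the guidance permits full collection for them.
    """
    findings = []
    for ownership, sections in config.items():
        if ownership != EMPLOYEE_OWNED:
            continue
        collection = sections.get("collection", {})
        commands = sections.get("commands", {})

        # A category missing from the configuration cannot be verified;
        # report it rather than silently assuming a safe default.
        for category in COLLECTION_CATEGORIES:
            if category not in collection:
                findings.append(Finding(ownership, category, "(missing)",
                                        "collection setting not present; verify in the console"))

        gps = collection.get("GPS")
        if gps is not None and gps != DO_NOT_COLLECT:
            findings.append(Finding(ownership, "GPS", gps,
                                    "GPS data is not appropriate to collect from employee-owned devices"))

        apps = collection.get("Applications")
        if apps == COLLECT_AND_DISPLAY:
            findings.append(Finding(ownership, "Applications", apps,
                                    "installed public apps can be personally identifiable; "
                                    "use Do Not Collect or Collect Do Not Display"))

        telecom = collection.get("Telecom")
        if telecom is not None and telecom != DO_NOT_COLLECT and ownership not in stipend_ownerships:
            findings.append(Finding(ownership, "Telecom", telecom,
                                    "telecom data is only appropriate when a stipend covers the device"))

        # Remote commands: full wipe must be prevented; other commands should
        # at least require user permission on employee-owned devices.
        for command, value in commands.items():
            if command == FULL_WIPE_COMMAND and value != PREVENT:
                findings.append(Finding(ownership, command, value,
                                        "full wipe must be prevented to protect personal content"))
            elif command != FULL_WIPE_COMMAND and value == ALLOW:
                findings.append(Finding(ownership, command, value,
                                        "runs without user permission; use Allow With User Permission or Prevent"))
    return findings


# Constructed sample configuration with one weak setting per category, plus a
# corporate profile that is deliberately not audited.
SAMPLE_CONFIG = {
    EMPLOYEE_OWNED: {
        "collection": {
            "GPS": COLLECT_AND_DISPLAY,
            "Telecom": COLLECT_DO_NOT_DISPLAY,
            "Applications": COLLECT_AND_DISPLAY,
            "Profiles": COLLECT_AND_DISPLAY,
            # "Network" intentionally omitted to exercise the missing-category check
        },
        "commands": {
            FULL_WIPE_COMMAND: ALLOW,
            "Enterprise Wipe": ALLOW_WITH_USER_PERMISSION,
            "Lock Device": PREVENT,
        },
    },
    CORPORATE_DEDICATED: {
        "collection": {c: COLLECT_AND_DISPLAY for c in COLLECTION_CATEGORIES},
        "commands": {FULL_WIPE_COMMAND: ALLOW, "Enterprise Wipe": ALLOW},
    },
}

# Corrected employee-owned profile following the guidance: no findings expected.
HARDENED_CONFIG = {
    EMPLOYEE_OWNED: {
        "collection": {
            "GPS": DO_NOT_COLLECT,
            "Telecom": DO_NOT_COLLECT,
            "Applications": COLLECT_DO_NOT_DISPLAY,
            "Profiles": COLLECT_AND_DISPLAY,
            "Network": COLLECT_DO_NOT_DISPLAY,
        },
        "commands": {
            FULL_WIPE_COMMAND: PREVENT,
            "Enterprise Wipe": ALLOW_WITH_USER_PERMISSION,
            "Lock Device": PREVENT,
        },
    },
}

if __name__ == "__main__":
    for f in audit_employee_owned(SAMPLE_CONFIG):
        print(f"[{f.ownership}] {f.setting} = {f.value}: {f.reason}")
    print("hardened config findings:", len(audit_employee_owned(HARDENED_CONFIG)))
```

Running the script reports five findings for the constructed sample (the missing Network category, GPS, Applications, Telecom, and the allowed full wipe) and none for the hardened profile; passing `stipend_ownerships=(EMPLOYEE_OWNED,)` clears the Telecom finding, which mirrors the stipend exception described above.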
The Workspace ONE UEM infrastructure collects and stores many types of user-generated data. The following matrix matches each data type to the platforms and operating systems from which the data can be collected.
Use this matrix to determine which data collection is necessary for your deployment. Workspace ONE UEM also defines optional data that you can collect, such as Bluetooth MAC. You can configure these options and assign privacy settings by ownership type: dedicated corporate, shared corporate, and employee owned.
✓ - Can be collected.
X - Cannot be collected.
✓* - Can be collected on Workspace ONE Intelligent Hub deployments.
✓** - Can be collected on Workspace ONE Intelligent Hub or iOS 9.3+Supervised Mode deployments.
| Data type | Android | Apple iOS | macOS | Windows Rugged | Windows Desktop |
|---|---|---|---|---|---|
| View installed internal apps | ✓ | ✓ | ✓ | X | ✓ |
| View app versions | ✓ | ✓ | ✓ | X | ✓ |
| Capture app status | ✓ | X | ✓ | X | ✓ |
| View list of installed certificates | ✓ | ✓ | ✓ | X | ✓* |
| Device serial number | ✓ | ✓ | ✓ | ✓ | ✓ |
| Device model name (Friendly) | X | ✓ | ✓ | ✓ | X |
| Track device errors | X | X | ✓ | ✓ | ✓ |
| Wi-Fi IP address | ✓ | ✓ | ✓ | ✓ | ✓ |
| Wi-Fi signal strength | X | X | ✓ | ✓ | ✓ |
| Carrier Settings version | ✓ | ✓ | X | X | X |
| Cell signal strength | ✓ | X | X | X | X |
| Cell technology (none, GSM, CDMA) | ✓ | ✓ | X | X | X |
| SIM card number | ✓ | ✓ | X | X | ✓ |
| SIM carrier network | ✓ | ✓ | X | X | X |
| Show IP addresses | ✓ | ✓ | ✓ | X | X |
| Show LAN adapters | X | X | ✓ | X | X |
| Show MAC address | ✓ | ✓ | ✓ | X | X |
| Detect roaming status | ✓ | ✓ | X | X | X |
| Disable Push notifications when roaming | X | ✓ | X | X | X |
| Voice roaming enabled (allowed) | X | ✓ | X | X | X |
| Track data usage through cell network | ✓ | ✓ | X | X | X |
| Track data usage through Wi-Fi network | X | X | X | X | X |
| Track call history | ✓ | X | X | X | X |
| Track SMS history | ✓ | X | X | X | X |
| Current Carrier network | ✓ | ✓ | X | X | X |
| Current network status | ✓ | ✓ | X | X | X |
| Remotely control device | ✓ | X | ✓ | ✓ | ✓ |
| Screen capture (save, email, print, and so on) | ✓ | X | ✓ | ✓ | ✓ |
| Screen sharing (remote view within apps) | ✓ | ✓ | X | ✓ | ✓ |
| Access device file manager | ✓ | X | ✓ | ✓ | ✓ |
| Access device registry manager | X | X | X | ✓ | ✓ |
| Download files from device | ✓ | X | ✓ | ✓ | ✓ |
| Rename folders and files | ✓ | X | ✓ | ✓ | ✓ |
| Upload files to device | ✓ | X | ✓ | ✓ | ✓ |
Workspace ONE UEM permits you to deploy different security policies and restrictions to employee-owned and corporate-dedicated devices.
Using restriction profiles, you can set tight restrictions for corporate-dedicated devices, and looser restrictions for employee-owned devices. For example, restrictions to apps like YouTube or native App Stores are not typically deployed to employee-owned devices. Instead, you can create security profiles and restrictions that increase the level of device security without having a negative impact on functionality.
Workspace ONE UEM makes the following restrictions available for every device and platform:
Each platform has its own set of enforceable restrictions. Evaluate these restrictions individually to determine their value to your deployment. Some, like iOS restrictions limited to supervised devices, do not apply, because employee-owned devices must not be enrolled with Apple Configurator.
For more information about creating security profiles and restrictions, see Add a Compliance Policy.
An essential aspect of your BYOD deployment is removing corporate content when an employee leaves, or when a device is lost or stolen. Workspace ONE UEM allows you to perform an Enterprise Wipe on devices to remove all corporate content and access, but leaves personal files and settings untouched.
While a Device Wipe restores a device to its original factory state, Workspace ONE UEM lets you decide how far an Enterprise Wipe goes when it is applied to public and purchased VPP applications, which sit in a gray area between corporate and employee-owned content. An Enterprise Wipe also unenrolls the device from Workspace ONE UEM and strips it of all content enabled through MDM. This content includes email accounts, VPN settings, Wi-Fi profiles, secure content, and enterprise applications.
If you used Apple Volume Purchase Plan redemption codes for devices running iOS 6 and earlier, you cannot reclaim any redeemed licenses for that application. When installed, the application is associated to the user App Store account. This association cannot be undone. However, you can redeem license codes used for iOS 7 and later.
- Device Wipe – Send an MDM command to wipe a device clear of all data and operating system. This action cannot be undone.
- Enterprise Wipe – Enterprise Wipe a device to unenroll and remove all managed enterprise resources including applications and profiles. This action cannot be undone and re-enrollment is required before Workspace ONE UEM can manage this device again. This device action includes options to prevent future re-enrollment and a Note Description text box for you to add information about the action.
An enterprise wipe unenrolls the device from Workspace ONE UEM and strips it of all enterprise content, including email accounts, VPN settings, profiles, and applications.
For security and privacy reasons, you can disable the ability to perform a full wipe on a BYOD Device.
If you disable full wipe for select iOS ownership types, then users enrolling under that ownership type do not see "Erase all content and settings" permissions during profile installation.