5 Misconceptions of Mobile Device Management for BYOD

Implementing mobile device technology across the healthcare continuum requires a significant investment, both in time and money, as new protocols and software are required to maintain and protect devices. The natural solution is a remote management framework called Mobile Device Management or MDM. MDM allows you to configure and secure mobile devices from a central location, standardize software across your organization, and implement security patches and software releases (the operating systems and any apps) regardless of whether the devices are owned by the hospital or the employee.

Mobile Heartbeat partners with Jamf, an Apple-focused management and security vendor that helps organizations automate and scale IT and security workflows. Jamf Pro – their flagship MDM – empowers IT professionals and end users to remotely deploy devices to any employee or location, automate ongoing management and security tasks, deploy and update apps, and gain visibility into the devices and apps in use, all while preserving the native Apple experience. Jamf’s focus on Apple means they build on native Apple frameworks, which lets admins confidently update to the newest operating system the day it is released.

The remote-monitoring capabilities of modern MDMs sometimes raise red flags for hospital employees and clinicians who are looking to use their personal device for work. Typically, these concerns stem from a misunderstanding of exactly what information is being pulled from the device by the MDM. There are often two deployment types: organizationally owned (also known as a supervised device) and personally owned (also known as BYOD) devices. A device owned by the hospital allows the organization more control, like applying certain settings to a device, while personally owned devices have built-in limitations and restrictions on what MDM and your organization can do. An organization utilizing Jamf Pro for a personally owned device will never be able to view, access, or alter personal information. In fact, Apple has very clear instructions that MDM cannot collect, store or view any personal information on a BYO device used for work. Compiled here are some of the most common misconceptions so that, as healthcare employees, you have a better understanding of how personally owned devices are managed.

1. They Can Remotely Control My Phone

It’s true that the whole point of MDM software is to be able to manage the device. But no matter how the device is owned – by the organization or the employee – your IT department won’t be able to move files around or send messages on your behalf. The element of control is strictly tied to the work data on your device. For example, your organization could require you to update your operating system or applications before accessing work resources, or prevent you from copying and pasting information from a managed application to an unmanaged application. On the other hand, if the device is a supervised device, meaning it is corporately owned, an organization will have more control over the device and the ability to apply additional settings. Supervised devices are typically shared devices used in a nursing ward or patient bedside devices. Since these devices have specific workflows and use cases, organizations need to apply certain settings or restrictions, and the MDM protocol gives organizations more ways to control these types of devices.

2. They Can Read My Messages

Your technology team will not have access to your usage data, logs, texts, emails or any other personal messages. Some MDMs will collect general inventory information, such as number of contacts, number of messages, etc., but this will depend on the operating system and device type. The MDM protocol does not give IT the ability to access data within apps on a device, including text messages. Some industries require IT to monitor employee messages for compliance purposes, but a third-party vendor would typically be enlisted in such cases. For more clarity on this topic, we recommend you discuss it with your IT department.

3. They Can View My Photos

Enrolling your personal phone via account-driven user enrollment into your hospital’s MDM will not provide your IT team with access to your photos. Like the inventory information above, your specific hospital may require access to information like the number of photos you have, but not their contents. This general logging would be deployed using a third-party app rather than an MDM. If you have concerns about your photos being accessible, address this specifically with your technology team.

4. They Can Track My Location

It’s true, many MDMs have location-tracking capabilities—this can be an incredibly useful feature. Tracking location can be crucial to recovering sensitive hospital information if a device is stolen or lost. There’s a big difference, though, between Realtime Location Tracking and Managed Lost Mode. Realtime Location Tracking, which is not part of the MDM protocol, pulls GPS coordinates to the MDM for reporting. Managed Lost Mode – a feature available on supervised devices only – allows an IT admin to temporarily pull the device’s coordinates and notifies the end user that the device has been pinged. Many users are already familiar with this sort of function, in the form of find-my-device apps that allow smartphones to be remotely located.

If you enroll a personal device that supports Apple’s account-driven user enrollment workflow, neither the MDM nor your organization can track the location of your device.

5. It Makes My Phone Less Secure

The logic here is that, by handing your device over to your hospital’s IT team, you’re breaching your own privacy. This simply isn’t the case. The whole point of MDM is to maintain high security in order to protect patients, employees and the hospital itself, while allowing staff to preserve their personal freedoms. For instance, depending on your specific organization’s protocols and the MDM they select, there may be some restrictions around the apps you can download onto hospital-owned devices. The idea is that, for safekeeping, only reputable and secure apps should live on the smartphone. This restriction usually does not apply to BYOD management, though IT can still push updates and/or uninstall apps.

Furthermore, the ability to remotely lock or wipe a device means any sensitive personal information will be protected should the phone be misplaced. At the end of the day, your hospital’s technology team is setting up safeguards to protect the security of the hospital. This means making sure devices—including your own smartphone—don’t end up in the wrong hands, where they could seriously jeopardize hospital and patient information.

For a deeper dive into MDM do’s and don’ts, reach out to Jamf directly by clicking here or contact your Mobile Heartbeat representative.

Katie Messer, Channel & Regional Sales Manager
