BYOD stands for “Bring Your Own Device.” It is a mobile industry term that refers to the use of an employee’s personal device – such as a smartphone, tablet or laptop – for work purposes.
Unmanaged systems represent a primary threat to our network and PHI or PII data.
Our BYOD policy provides a way to more safely accommodate staff and students who prefer to use their own personal devices to remotely access the UNM Health and Health Sciences network and data. Many healthcare organizations prohibit BYOD entirely. In our case, remote access from personal devices has been part of the culture for many years, and the practice accelerated rapidly under COVID-19 measures that increased the number of people working and learning remotely. Our policy is a compromise: access is permitted, but only from personal devices that meet industry-wide security standards. The following excerpt from our Information Security Program Plan describes the key risks that the BYOD policy addresses and the controls that mitigate them:
Section 6.2.3.2 of the Information Security Program Plan
Under certain circumstances, UNM HHS allows use of what is commonly called a "BYOD." In this section, "device" means any system that connects to UNM HHS networks, systems or data, including personally owned desktops, laptops, tablets, phones and other common user devices.
Because UNM HHS does not manage BYODs, we do not know whether the owner is following good security practices. This creates a risk that the device could spread malware while remotely connected to the UNM HHS network, or expose UNM HHS data stored on it if the device is lost or stolen.
To mitigate these BYOD risks, UNM HHS requires the user to enroll the BYOD in the MDM. In the BYOD configuration, the MDM requires that an encrypted storage "container" be used on the device for storing UNM HHS data, so that the data can be removed if the device is lost or stolen. UNM IT staff, when authorized, can use the MDM to remotely wipe this container.
Approved corporate applications, such as email clients, must be downloaded from the MDM "store" to ensure that they are kept current.
Users have the following responsibilities when using UNM HHS's BYOD technology:
• Backup and Recovery: MDM software is very reliable, and UNM HHS will make its best effort to assist. However, backing up the mobile device and recovering it are the responsibility of the user.
• Loss or Disclosure Reporting: Users are responsible for reporting the loss of a device or the unauthorized disclosure of data through their supervisor, the Privacy Officer or the Information Security Officer. If UNM HHS data was stored on a lost or stolen personal device, the user must report that so that the encrypted container can be remotely wiped.
• Security Updates: Before allowing a BYOD device to access the UNM HHS network and/or data, the MDM checks whether the device is current on operating system and application security updates. Users who have agreed to the conditions for BYOD must allow the MDM to perform updates or perform the updates manually.
• Termination of Affiliation: If a user terminates affiliation with UNM HHS, any UNM HHS data or applications will be remotely removed from the device.
• Agreement to Terms Documentation: Users shall acknowledge the terms in this section in a documented fashion.
BYOD (Bring Your Own Device) enrollment and compliance are required for personal devices to access enterprise applications such as VPN, Office applications (Outlook, Word, Excel, etc.), OneDrive and others, and for access to HSC's internal (secure) WiFi networks. Devices marked as non-compliant lose access to these resources until they have been updated to meet compliance.
Enrollment is not required for MFA (Multi-Factor Authentication). MFA is a separate service.
Q. Will I need Intune on my home PC?
A. Yes. All personal devices that need access to HHS internal resources need to have Intune. That includes cell phones, tablets, personal desktop PCs and laptops. If you have an Apple Watch, see the important information link in the enrollment section.
Q. Will I need to uninstall Authenticator?
A. No. Authenticator is the application used to approve MFA sign-in requests. Intune manages HHS resources on your personal device. You need both.
Q. What happens to my phone when it’s enrolled in the BYOD program?
A. When you enroll your personal device, it creates a separate work area on your device, which allows IT to push down applications and company access.
Q. What applications will be installed on my device?
A. The Company Portal, Outlook, and the Authenticator apps by default.
Q. How do I know what my company can and can’t see on my phone when it’s enrolled?
A. Please see the linked article "What information your company can see."
Q. Can my company see anything personal, like my apps, photos, videos or texts?
A. No. Your personal data and information stay completely separate and are not viewable or manageable by your IT department. They can only manage the corporate apps and data that you have on your device.
Q. Why can't I share anything from the managed partition to the non-Intune partition on my device?
A. Data in managed applications or stored in the Intune partition on a BYOD device is not accessible from, or transferable to, the unmanaged (non-Intune) partition of the device. This includes share, copy and paste, exporting of files, etc. This is to prevent HSC data from being removed from the Intune-managed portion of the device. Data can still be copied into the Intune partition or a managed application from outside, using share, copy/paste and "open in".
Q. Can my IT department track my location through my phone?
A. No, the company does not have the ability to track or pinpoint your location at any point through your device.
Q. What do I do if I get an error saying there's no policy assigned to my device?
A. Wait 5-10 minutes and tap/click 'Retry'. Do not attempt to re-enroll the device.
Q. What do I do if I receive an error and prompt for the MDM URL?
A. If you receive an error and a prompt for the MDM URL, use https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc and sign in with your work or school account.
Q. How do my personal apps stay separate from my work apps?
A. Companies cannot access or manage apps or data that are housed outside of the corporate container.
Q. What happens if I choose not to enroll my personal device? Will I lose any mobile functionality?
A. No, although you will not be able to use your mobile device to access certain enterprise applications such as email.
Q. Who do I contact for work-related technical support issues?
A. Contact the UNMH Service Desk at 272-3282 or the HSC Service Desk at 272-1694. Instead of calling you can enter a help ticket at Help.HSC.
Q. What happens if I leave the company?
A. If you leave the company, your IT administrator is required to remove access to all corporate data and apps. This can be done while preserving personal data: the company performs a selective wipe of your personal device that removes access to corporate resources and leaves your personal data, photos and other files intact.
Q. What happens if I lose my phone?
A. If you lose your phone, report it to the IT department (see the Service Desk contacts above) immediately so they can remove access to corporate data and remotely wipe the work container.
Q. What if I decide I no longer want my device enrolled. Is it easy to remove?
A. Yes. As the owner of the device, you have total control over it and can completely unenroll it at any time.
To self-enroll your device, please use the instructions below:
• Enroll your device.
• Important information for people with Apple Watches
• Additional information for Android users
• You can view, sync, lock and remove your personal devices from this portal.
• What happens if you remove a device from Intune
• If you are asked for an MDM URL, use: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
• Apple Mac: "This Device Will Soon Be Unable to Access Resources"
Physical Location:
Health Sciences Library and Informatics Center
Room 317A
Phone: 505-272-1694
Monday - Friday 8:00 am - 5:00 pm