MobileIron UEM Product Privacy Statement
Effective: April 1, 2020
Scope and purpose
This Privacy Statement covers MobileIron's unified endpoint management platform (Platform), including the related MobileIron device applications. It does not cover MobileIron Access, MobileIron Threat Defense or MobileIron Technical Support Services. MobileIron may collect certain data related to the Platform for its own purposes, as described in MobileIron's Privacy Notice.
This Privacy Statement’s purpose is to inform the Platform’s purchasers (Employers) and the individual users of devices managed by the Platform (Users) about the data the Platform collects.
This Privacy Statement is a general description of MobileIron’s Platform and practices as of the above date. The functionality of the Platform and the specific data it collects are determined by several factors controlled by the Employer, including the specific deployment model, version and bundle purchased, the privacy-related Platform settings the Employer chooses, the third-party services the Employer uses with the Platform, and the device platforms (iOS, Android, Windows, etc.) and applications (apps) used by the Users. In addition, MobileIron is constantly updating and modifying the Platform’s features and functionality. The Employer is responsible for ensuring it uses the Platform in accordance with its internal policies and legal requirements, provides any required notices to Users and obtains any required authorizations or consents. Users should reach out to their Employer for specific details about the Employer's policies.
This Privacy Statement may be updated from time to time as new features and functionality are added.
The Platform provides controls that enable the Employer to manage the access and security of the devices employed by its Users. The Employer can choose a cloud deployment with MobileIron Cloud or an on-premises deployment with MobileIron Core.
The Platform includes:
- an Employer-specific Admin Portal, an online console that enables the Employer to manage devices and their installed software
- for MobileIron Core only, Employer-specific System Managers, online consoles that enable the Employer to manage network settings and configure, manage and maintain Core
- a User-specific Self-Service Portal, an online console that enables Users to self-manage their devices
- MobileIron Go app for MobileIron Cloud or Mobile@Work app for MobileIron Core, which is installed on the User’s device to facilitate communication between the device and the Admin Portal
For MobileIron Cloud, MobileIron hosts the Admin Portal, the Self-Service Portal and some collected data. For MobileIron Core, the Employer hosts the Admin Portal, System Manager and Self-Service Portal. MobileIron Go and Mobile@Work® are installed on the User’s device. MobileIron only uses data we collect as stated in MobileIron's Customer Agreement.
MobileIron provides various optional productivity and other apps not covered by this Privacy Statement for use with the Platform, such as the Apps@Work app store, Email+ email client, Web@Work® web browser, Docs@Work content management app, Bridge and Tunnel. If used, some of these apps collect or share additional data in order to support their specialized functionality. In addition, they may share crash reports and other technical data with MobileIron and the Employer to enable troubleshooting, support and Platform improvement. The data collected and shared will vary depending on the functionality provided by the app, as detailed further in the product documentation.
As noted above, the specific data collected in connection with the Platform depends on factors determined by the Employer. Users should reach out to their Employer for specific details. Examples of the type of data that may be collected are listed below. Some of the data may be personally identifying or identifiable.
User identity and authentication data. In connection with its core unified endpoint management functions, the Platform collects user identity and authentication information, such as:
- identity details (name, email address)
- login credentials and security authentication data (including certificates, domain information, login and logout dates and times, usernames, registration PINs, etc.)
- a unique ID generated by the Platform
- additional information maintained in the Employer's directory service, as determined by the Employer
- if applicable, a unique Google user ID, as determined by the Employer for an Android enterprise-managed domain
Device information. In addition, the Platform collects information about the device, such as:
- phone number
- device type, name, make, model, manufacturer, and device identifiers such as universal unique identifier (UUID), unique device identifier (UDID) for iOS and macOS devices or Android ID (SSAID) for Android devices, International Mobile Station Equipment Identity (IMEI), mobile equipment identifier (MEID), serial number, International Mobile Subscriber Identity (IMSI) number, Internet Protocol (IP) address and Media Access Control (MAC) address
- last-seen information, such as when the device last connected to the Admin Portal, and log data
- device operating system, operating system build, version and firmware/kernel versions
Data about Employer-managed apps. The Platform may collect data about Employer-approved apps that are either pushed to User devices by the Employer or made available for download through MobileIron Apps@Work or a public app store (such as the Apple App Store or Google Play). These apps may be public applications or Employer-developed apps. Information collected in connection with these apps may include:
- names and details of the Employer-managed apps installed on the device, such as app name, version number, configuration settings
- log files from MobileIron apps
Data about personal apps. The Platform can be set by the Employer to collect limited data about the apps Users purchase or download from a public app store to their devices, such as their name, version, identifier and the total size of personal apps installed on the device. This data is not intended to be used to infer or deduce personally identifying data from the app’s name or purpose. It is to be used only to match the apps installed on a device with a pre-existing list of malware or to otherwise detect and remediate problems on the device that may pose a security threat. Without the data, the Employer may not be able to detect certain security threats because personal apps are not automatically pushed to the User's devices by the Employer and are not managed via the Platform. The Platform does not collect or have access to any of the data in personal apps.
Geo-location data. The Platform can be set by the Employer to enable collection of geo-location data to help locate missing devices or to distribute functionality and content within specific geographic boundaries. The type of geo-location data collected can vary by device operating system and Platform settings. For example, it may come from estimating a position from beacons (such as Wi-Fi access points and cell towers), from the device's IP address, or from other sources such as a GNSS or GPS device. The accuracy of the geo-location data depends on the source, with the estimated latitude and longitude of the device varying from one source to another.
The Platform collects geo-location data only if enabled by all four of the following:
- the Employer’s Admin Portal settings
- the User’s device settings
- the device’s ability to produce geo-location data
- the device being turned on at the time scheduled for geo-location data collection
For certain device operating systems and platforms, the User may be presented with an operating system notice, requesting the User's consent to collect geo-location data. The User can change the selection by going into the device settings and revoking the location permission.
Telecom and network information. The Platform may collect certain telecom information. This information helps the Platform determine how the device is connected, communicate with the device and enforce any restrictions set on the Platform, such as preventing large apps from automatically being pushed to a roaming device. This telecom and network information may include:
- carrier information (such as carrier settings versions, phone number, signal strength, roaming status, current and subscriber mobile country code and country location, current and subscriber mobile network code, SIM Carrier Network information)
- information about the device's cellular technology (such as its Global System for Mobile Communications Standard (GSM) and Code Division Multiple Access (CDMA))
- SSID, IP and MAC addresses for the Wi-Fi network being used
Communication data. The Employer can set MobileIron Core (not MobileIron Cloud) to collect information about communications from Android devices that make the data available for collection and that are deployed in a particular mode. The communications data may include:
- text messages sent or received
- phone call logs (phone numbers of calls sent or received, duration of calls, date and time)
Remotely accessed data. The Employer can use the Platform to establish remote control access, allowing its IT administrators to troubleshoot issues on a User's device. Help@Work®, a remote-control app, must be installed on the device and, depending on platform and Platform settings, remote control may need to be approved by the User at the time remote control is to be taken. This functionality enables the Employer to remotely perform remote locks, screen capture, remote device reboots, or remote restart of the device.
Analytics data. If allowed by the Employer, MobileIron collects certain configuration, performance, usage and other analytics data from Employers and Users for a variety of purposes, including to improve our products and services, fix problems, help us understand better how our Employers use the Platform, and advise our Employers on how best to deploy and use the Platform.
As permitted by applicable law, MobileIron may share data we collect with:
- the Employer and the User in connection with the operation of Platform or the exercise of data protection rights
- providers of products and services integrated into our software and service providers that perform services on our behalf (listed as “Subprocessors” on our website), or on the Employer’s behalf, who need to know such information for the purposes described in this Privacy Statement
- our affiliates and resellers if they need to know the data in connection with providing the Platform
- as required by law or in response to a request by governmental authorities
- to enforce our terms and conditions or to protect or defend the rights or property of MobileIron, Users or Employers
MobileIron does not share User and device data with other third parties for their own purposes, unless the Employer instructs us or we are compelled by law to do so.
User privacy is always a concern when deploying management software to User devices. Neither MobileIron nor the Employer can use the Platform to access or obtain any of the following on a User’s device:
- data stored by an app
- activities that occur in an app
- the microphone
- the camera, unless set by the Employer to allow QR code scanning for device provisioning
- photos or videos
- phone calls, personal instant messages, personal text messages (except as described above) or personal emails
The MobileIron Go and Mobile@Work apps, which enable devices to be managed by the Admin Portal, run in the background of the devices. They may not show any obvious signs when these functions are occurring in real time. Several features of the Platform are designed for sharing privacy information or to give Users control over settings that affect the collection of data.
In some cases, the User may also have the ability to control the enablement of certain features of the Platform, via the Self-Service Portal and/or their device or app settings.
MobileIron Go and Mobile@Work have a privacy disclosure feature, which enables the User to review a summary of the settings enabled for the Platform on their device and, in some cases, the effect of those settings on the collection of data. This privacy disclosure is presented to Users during device registration, when they must acknowledge the disclosure. Following registration, the disclosure remains available to the User from within MobileIron Go or Mobile@Work.
Employers have the ability to include privacy statements or a link to an online notice within the terms of service that can be displayed to the User during device registration.
MobileIron does not have a direct relationship with Users because the Employer purchases and provides Users with access to the Platform. As a result, Users’ use of the Platform is subject to their Employer’s policies, if any, and not MobileIron’s. Users who would like to understand their choices and rights with respect to their personally identifying or identifiable data should direct their inquiries to their Employer. MobileIron addresses Employer requests related to such choices and rights in accordance with our agreement with the Employer or as required by applicable law.