Use of UZH Owned Mobile Devices

The management scenarios specified on this page are available since 31 August 2021 and replace the previous scenarios.

Management Schemes for UZH Owned Devices

In addition to the management schemes for privately owned devices (Use of Privately Owned Mobile Devices), UZH owned devices may be registered and configured for particular use scenarios or additional hardware protection.

Choice of Management Scheme

IT responsibles can choose from these management schemes:

MDM methods (COD)

Hardware Protection

Registration of the devices with Apple DEP or Android Zero-Touch in order to attach them automatically to the UZH management solution. Registered devices can be handed out to users without the need of preconfiguring them. The link to the management system can be removed exclusively by an administrator.

Device Management with personal profiles (Android only)

Works as "pure" device management with the addition of visual and logical separation of private apps by use of personal profiles. The contents of the personal profiles are inaccessible for UZH administrators.

Kiosk mode for Tablets (Android only)

Restricts tablets to a single app or web page. 

Kiosk mode for Smart TVs (Android only)

Restricts smart TVs to a single app or web page.

Which security settings are enforced?

Generally, the same security settings as with use of privately owned devices are enforced.

  1. Password: UZH365 data has to be protected by a password.
    1. The password must not be trivial (e.g. sequentially ascending numbers) and must have a minimal length of 6 characters.
    2. After 10 unsuccessful authentication attempts, UZH365 data must be wiped.
    3. After at most 5 minutes of inactivity, the UZH365 apps (app management) or the whole device (device management) must lock. The password is required to resume.
  2. Data:
    1. UZH365 data must be stored encrypted on the device so that other apps cannot access it.
    2. If a device is lost or the owner leaves the UZH, UZH administrators must be able to wipe on-device UZH365 data.
  3. Device Safety:
    1. The device must run genuine, unaltered software as intended by the manufacturer. Tampered-with or alternative versions (jailbroken devices, root access, etc.) are not allowed.
    2. The device must run a current operating system version to make sure it is still supplied with security updates by the manufacturer.
    3. Microsoft 365 apps are available for download and installation in the official app stores for Android, iOS/iPadOS and Windows (Google Play Store, Apple App Store and Windows Store). On outdated hardware or operating systems it may not be possible to install the apps.
  4. There may be exceptions in kiosk mode.
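The list above is a policy, not code; as an added illustration (not UZH's or Intune's own compliance engine), the following Python checker evaluates a device's MDM-reported configuration against those thresholds and also shows the "trivial passcode" rule (runs of identical or consecutive digits) that a device applies when a user chooses a PIN. The `DeviceReport` fields, the sample reports and the minimum OS versions in `MIN_OS_VERSION` are constructed placeholders; the page only states that the OS must be "current".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds taken from the "Which security settings are enforced?" list.
MIN_PASSCODE_LENGTH = 6
MAX_FAILED_ATTEMPTS = 10   # UZH365 data is wiped after this many failures
MAX_AUTOLOCK_MINUTES = 5   # lock after at most this much inactivity

# Constructed placeholders: the page does not name concrete versions.
MIN_OS_VERSION = {"ios": (15, 0), "android": (11,)}


def is_trivial_passcode(code: str) -> bool:
    """True for passcodes the policy calls trivial: empty, all one
    character, or a straight ascending/descending digit run (123456, 654321)."""
    if not code or len(set(code)) == 1:
        return True
    if code.isdigit():
        steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1); tuples compare element by element."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class DeviceReport:
    """Hypothetical shape of what an MDM agent reports about a device."""
    platform: str                       # "ios" or "android"
    os_version: str
    passcode_set: bool
    passcode_min_length: int            # minimum length the device enforces
    simple_passcodes_blocked: bool      # device rejects trivial PINs
    wipe_after_failed_attempts: Optional[int]
    autolock_minutes: Optional[int]
    storage_encrypted: bool
    jailbroken_or_rooted: bool


def evaluate(report: DeviceReport) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    findings: List[str] = []
    # 1. Password
    if not report.passcode_set:
        findings.append("no_passcode")
    elif report.passcode_min_length < MIN_PASSCODE_LENGTH:
        findings.append("passcode_min_length_below_6")
    if not report.simple_passcodes_blocked:
        findings.append("trivial_passcodes_allowed")
    if (report.wipe_after_failed_attempts is None
            or report.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS):
        findings.append("no_wipe_after_10_failed_attempts")
    if report.autolock_minutes is None or report.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        findings.append("autolock_exceeds_5_min")
    # 2. Data
    if not report.storage_encrypted:
        findings.append("storage_not_encrypted")
    # 3. Device safety
    if report.jailbroken_or_rooted:
        findings.append("device_rooted_or_jailbroken")
    minimum = MIN_OS_VERSION.get(report.platform)
    if minimum is None or parse_version(report.os_version) < minimum:
        findings.append("os_version_outdated")
    return findings


# Constructed sample reports for a compliant and a non-compliant device.
COMPLIANT = DeviceReport("ios", "16.4.1", True, 6, True, 10, 5, True, False)
NONCOMPLIANT = DeviceReport("android", "9.0", True, 4, False, None, 15, True, True)

if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, evaluate(report) or "OK")
```

Kiosk-mode exceptions are deliberately not modelled, because the page does not say which settings they relax; a real checker would carry that per kiosk policy.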

How to Install/Uninstall?

Hardware Protection

IT responsibles can request device registration for Apple DEP or Android Zero-Touch via ticket. To complete the process after successful registration, the device has to be reset.

Device Management with personal profiles (Android only)

Management is activated using a QR code when installing a new device. Devices already in use have to be reset.

Kiosk mode for Tablets (Android only)

For this scheme, a particular policy has to be defined for each and every scenario. The activation procedure depends on the configured settings.

Kiosk mode for Smart TVs (Android only)

For this scheme, a particular policy has to be defined for each and every scenario. The activation procedure depends on the configured settings.

Store Accounts (iCloud, Google Play,...)

UZH owned devices can be run without personal store accounts.

If you intend to purchase additional content, however, we recommend using private store accounts. Please do not use a UZH mail address for these store accounts: users with UZH mail addresses lose access to purchased content (such as apps, music or even device backups) after having left the UZH.

Mobile Device Backup

We highly recommend backing up your mobile devices regularly. Device backups do not contain UZH365 data; that data is saved within Microsoft 365 instead. Central IT does not provide support for restoring private data. If questions arise, please contact your device manufacturer's support instead.

Management Procedures – Capabilities of UZH Administrators

  1. Selective deletion – Retire (all management schemes):
    By deleting the management profile, all Microsoft 365 UZH data and account information can be deleted from the device without changing any other data on the device. This can be accomplished manually by the user in device settings. Alternatively, the user can delete the management profile in the Microsoft 365 Portal or the Enterprise Portal App (even from another device). In addition to this self-service, it is also possible to have the profile deleted by an administrator, for example if the user does not have access to the self-service options mentioned above.
  2. Reset to factory settings – Wipe (only device management):
    In addition to selective deletion, a device can also be wiped completely. This makes sense especially in case of loss or theft of the device, as private data on the device is then deleted as well. This option is only available if device management is active.
  3. Locating the device (only device management):
    Through the Microsoft 365 Portal, the location of the device can be determined by the user (self-service) or an administrator. In addition to simply locating a device, this information can also be used for safety rules. For example, it is possible to block access from certain countries.
  4. Security settings:
    As long as the management profile (device profile or work profile) is installed on the device, the device itself ensures that the security settings described above are maintained. If the profile is removed, the Microsoft 365 UZH data is deleted and the device is no longer managed. If UZH365 apps are used after that, the app management scheme will automatically be activated regardless of the management scheme used before.
  5. Device data
    The administrator is able to (only device management):
    • View model, serial number and operating system
    • Identify your device by name
    • Reset lost or stolen devices to factory settings (only on explicit instruction of the user)
    • View apps you have installed* (apps within personal profiles are not visible)
    • Display the phone number of your device*
    • View information collected by enterprise apps and networks*
    • View the location of a lost device*
    *) We use Microsoft Intune for mobile device management; starred features are not available for privately owned devices. That is, these features require a managed, UZH owned device.
    The administrator is not able to (all management schemes):
    • View the browsing history on your device
    • View personal e-mail, documents, contacts or calendars
    • Display data from other apps
    • Access your passwords
    • View, edit or delete your photos
    Further information
    Further information about the features of the implemented management solution can be found at
    Microsoft Intune is an MDM and MAM provider for your devices
  6. Hardware protection
    UZH owned devices can be further protected by way of Apple DEP or Android Zero-Touch, which attach the devices to our UZH management system. Using this solution, the devices can be handed out to users without the need for preconfiguring them and the device management cannot be turned off by the user.


Further Reading

Management schemes for privately owned devices
Use of Privately Owned Mobile Devices

Features of our management solution:
Microsoft Intune is an MDM and MAM provider for your devices

About Intune Company Portal (MDM):
https://docs.microsoft.com/en-us/mem/intune/user-help/use-managed-devices-to-get-work-done

Self Service Portal for management of privately owned devices:
https://portal.manage.microsoft.com/devices