If the following FAQ does not address your questions about this change, please contact the UTMB Office of Information Security (security@utmb.edu or 409-772-3838).
- WHY? (Controls? ...Intune? ...Now?)
- Controls – The controls have been part of policy. UTMB Security Practice Standards 1.4 Portable Computing (created Jan. 1, 2008) and 5.1 Platform & Application Hardening (created Sept. 3, 2002) require computers (UTMB and personally owned) to be securely configured to access UTMB networks and data. The updated BYOD process just confirms secure configuration prior to allowing access to UTMB resources.
- Intune – Intune is a component of UTMB’s Microsoft licensed management and security tools. Intune adds a small application to enrolled systems to allow them to respond to configuration checks (and eventually to request applications from a UTMB app store).
- Now – Intune has been undergoing extensive configuration development and testing to ensure that the controls are effective and minimally invasive. Pilot group testing has been completed and practices for ongoing controls development have been generated and approved via UTMB management.
- What classes of mobile devices are included?
In this phase of the roll-out, only iOS-based and Android devices (tablets, smartphones, etc.) are included; however, additional development and configurations are progressing to include Windows-based laptops and other device classes.
- Does Intune have access to my personal files?
No, Intune will only monitor for compliant configuration settings and allow access to UTMB resources, as appropriate. No access to personal data/files is established and only limited device information (Model, MAC Address, OS version, etc.) is collected and maintained by Intune.
- Does Intune track my location or activity?
No, location services, call logs, etc. are maintained as personal settings or are controlled via personal applications. Intune does not have access to personal device settings or personal app settings.
- Can Intune WIPE (erase data and/or reset configuration) or PUSH apps/software/configuration changes to my personal device?
No, the Personal Device profile used by Intune does not allow wiping or “factory settings reset” on personal devices. If/when changes to device settings are required to establish or maintain access to UTMB resources, or updates to apps loaded from the UTMB Store are required, enrolled devices/users will receive notices and guidance to make the changes; however, the device/user MUST INITIATE the change/update.
- Is Intune required for Duo multifactor authentication for remote work/access?
No, Duo MFA device registration (to receive Duo push, passcode or phone call notifications for remote access via VPN/Citrix/etc.) is a completely separate process and does not require Intune enrollment. Please note: The system used to access UTMB resources via VPN/remote access will need to be enrolled in Intune to confirm compliance.
- Are there "productivity" options for users or personal devices that are not enrolled in Intune?
Yes. Devices not enrolled in Intune (or determined to not be security controls compliant by Intune) will still have access to the Citrix virtual desktop (Storefront) environment. Please note: access to UTMB email via Outlook, webmail, POP/SMTP will be restricted to Intune enrolled/confirmed compliant devices.
- Can “jailbroken” or “rooted” devices enroll in Intune and be confirmed as compliant for accessing UTMB networks, resources and data?
Jailbroken or rooted devices can enroll in Intune; however, they are NOT compliant and cannot be used to access UTMB networks, resources, and data.
- Does the March 31 deadline to install Intune on personal devices apply to students?
No. The March 31, 2025, deadline to enroll personal devices in Intune applies only to UTMB employees. Students, including those who are also employed by UTMB, are not required to enroll their devices.
- What can I expect on my device after enrollment?
iPhone/iPad:
- Your device cannot be modified to bypass Apple restrictions, also known as ‘jailbroken’.
- Your device must be on an iOS version currently receiving security updates.
- Your device must have a passcode to unlock.
• Passcode must have a length of 6.
• Must not contain easy sequences, such as 1111 or 1234.
• Unlock patterns cannot be used.
- Screen will lock after 15 minutes of inactivity.
- Passcode will be required 15 minutes after screen lock.
- Passcode will expire every 180 days.
- You will not be able to access UTMB resources in apps installed outside of Intune.
• This includes the native mail client on your device. UTMB email will only be available via the Outlook app downloaded from the UTMB Company Portal.
- Any apps installed via Intune will only allow UTMB accounts.
• Personal accounts and non-UTMB work accounts will not be allowed in the Outlook app and Teams app.
• This policy will apply to any future apps that may be added.
- Only one instance of an app can be on a device.
• If Outlook is installed from Intune, you will be unable to download Outlook from the app store to use with personal accounts.
• This will apply to all apps available in the Company Portal.
- You will not be able to AirDrop to or from UTMB resources.
- As required by Microsoft, the Microsoft Authenticator must be installed.
• If you are currently using Microsoft Authenticator for MFA outside of UTMB, you will need to manually re-activate your accounts after enrolling.
• Instructions for this will vary based on what service is being used. Please check with the service provider for instructions on reactivating Microsoft Authenticator.
- Any iCloud backups done on apps installed by Intune will back up to your corporate Apple ID and will not be accessible outside of UTMB’s Intune instance.
- Apps installed by Intune will be unable to access personal iCloud backups.
Android:
- Your device cannot be modified to bypass Android restrictions, also known as ‘rooted’.
- Your device cannot use ‘USB Debugging’.
- Your device must be on an Android version currently receiving security updates.
- The device must have a passcode to unlock.
• Passcode must have a length of 4.
• Must not contain easy sequences, such as 1111 or 1234.
• Unlock patterns cannot be used.
- Passcode will be required after 15 minutes of inactivity.
- Passcode will expire every 180 days.
- A ‘work profile’ will be created on your device.
- Only apps installed in the ‘work profile’ will have access to UTMB resources.
• Apps in the 'work profile' will only allow UTMB accounts.
• This includes the native mail client on your device. UTMB email will only be available via the Outlook app downloaded from the UTMB Company Portal in the ‘work profile’.
- Screen capture will be disabled in the ‘work profile’.
- Copy and paste will not be allowed between ‘work profile’ apps and personal apps.
- When/how can users begin to enroll devices in Intune?
Voluntary enrollment of personal devices in Intune can be done now by following the instructions for your device found below:
iPhone/iPad:
1. If already present on the device, back up and remove the Microsoft Teams and Microsoft Authenticator apps.
2. Ensure your device is not connected to ‘UTMBWifi’. The enrollment process will fail otherwise.
3. Navigate to Settings > General > VPN & Device Management > Sign In to Work or School Account.
4. Type your full UTMB e-mail address into the Work or School Account prompt.
5. Complete the UTMB login prompt. This may require Duo authentication.
6. Sign in at the iCloud prompt with your UTMB password. This may require Duo authentication.
7. Complete the prompt to ‘Allow Remote Management’.
8. The device will now receive 3 new apps: UTMB Company Portal, Microsoft Authenticator, and Microsoft Teams.
9. A prompt for installing apps may appear. These must be accepted.
10. Open the Microsoft Teams app.
11. Sign in with UTMB credentials.
12. Once sign in is complete, the device is enrolled.
- Optional: To receive UTMB email on your device, open UTMB Company Portal and install the Outlook app.
Android:
- Follow the instructions found here:
- Optional: To receive UTMB email on your device, open UTMB Company Portal and install the Outlook app.