# Mobile Device Management — Cascades

> **2026-04-18 note:** the HIPAA rationale for moving from ManageEngine kiosk-only to Intune Shared Device Mode + Entra Conditional Access is that each of the ~39 caregivers / MedTechs / CCGs needs their own identity on the shared phones — not a device-level kiosk login. That identity list is documented in `docs/cloud/caregiver-m365-p2-rollout.md` and drives the Business Premium license count. Until those accounts exist and CA policies are in place, the phones + ManageEngine kiosk are a stepping stone, not the HIPAA end-state.

## Product

- **Platform:** ManageEngine Mobile Device Manager Plus
- **URL:** https://mdm.manageengine.com/
- **Account:** Created (setup pending)
- **Future consideration:** Microsoft Intune Shared Device Mode (requires Business Premium upgrade, ~+$10/user/mo). Enables per-user sign-in/sign-out with automatic data wipe. Better HIPAA audit trail at device level. Revisit when budget allows.

## Device Inventory

- **25 Android phones** — shared among employees (rotation model)
- **9 Kitchen iPads** — food service only, no PHI
- **Mode:** Device Owner (fully managed), shared device, no OS-level users
- **Kiosk:** Multi-app kiosk mode

## Phase 0 — Baseline Decision

| Setting | Value |
|---------|-------|
| Devices | Android (Zero-touch supported) |
| Mode | Device Owner (fully managed) |
| Usage | Shared device (no OS-level users) |
| Control | Kiosk mode (multi-app) |
| HIPAA audit trail | Application layer (ALIS login, browser sign-in) — not device level |

## Phase 1 — Prep MDM Environment

### 1.1 Configure MDM Tenant

- [ ] Set organization name (Cascades)
- [ ] Create admin accounts
- [ ] Configure email/SMS notification settings

### 1.2 Create Device Groups

| Group | Purpose |
|-------|---------|
| Cascades-Shared-Phones | 25 employee phones |
| Cascades-Kitchen-iPads | 9 kitchen iPads |
| Cascades-Test-Devices | 1-2 test devices |

### 1.3 Upload Apps to App Repository

- [ ] ALIS (EHR / medical records — go-alis.com, browser-based)
- [ ] Secure browser (if needed beyond Chrome)
- [ ] Microsoft Authenticator (if MFA required)
- [ ] Outlook (for shared mailbox access via SSO — future)

### 1.4 Build Baseline Policies

#### Security Policy

- Passcode required (6+ digits)
- Auto-lock: 2-5 minutes
- Encryption: ON
- Disable:
  - USB file transfer
  - Unknown app installs
  - Developer options

#### Restrictions Policy

- Disable:
  - Camera (if required by compliance)
  - Bluetooth (optional)
  - Screen capture
- Block personal Google accounts

#### App Policy

- Silent install required apps
- Force updates
- Prevent uninstall

#### Data Protection Policy

- Clear app data on logout (if supported)
- Disable copy/paste between apps
- Block cloud backups

#### Kiosk Profile (CRITICAL)

Multi-app kiosk mode — allow ONLY:

- Medical app (ALIS via browser)
- Browser (limited)
- Settings (optional, limited)

This turns the phone into a work terminal.

## Phase 2 — Zero-Touch Enrollment

### 2.1 Register with Android Zero-Touch

- URL: https://enterprise.google.com/android/zero-touch/
- [ ] Link reseller (Verizon, AT&T, etc.)
- [ ] Add ManageEngine as EMM provider
- [ ] Use ManageEngine's EMM config

### 2.2 Create Zero-Touch Configuration

In the Zero-touch portal:

- EMM: ManageEngine
- Enrollment profile: Fully managed device, Device Owner mode
- Auto-assign to all 25 devices

### 2.3 Link Zero-Touch to ManageEngine

- [ ] Go to Enrollment > Android > Zero-touch in MDM
- [ ] Paste configuration details

**Result:** Phone powers on > connects to WiFi > auto-enrolls into ManageEngine > gets policies + apps + kiosk mode. No manual setup per device.

## Phase 3 — Device Staging

When phones arrive:

1. Unbox
2. Power on
3. Connect to WiFi

**Automatic:**

- Device contacts Google
- Pulls Zero-touch config
- Enrolls into ManageEngine
- Receives: policies, apps, kiosk mode

No manual setup needed per device.

## Phase 4 — Testing (DO NOT SKIP)

Test with 1-2 devices first:

- [ ] Auto enrollment works
- [ ] Apps install correctly
- [ ] Kiosk locks properly
- [ ] Cannot exit kiosk
- [ ] No personal account access
- [ ] Device wipes correctly from MDM
- [ ] ALIS login/logout works per user
- [ ] Browser doesn't save passwords or cookies

## Phase 5 — HIPAA Workflow

### 5.1 App Login Behavior

- Require unique user login to ALIS
- MFA if possible
- Auto logout after 5-10 min idle

### 5.2 Session Control

- Browser: disable saved passwords, clear cookies on exit
- Apps: disable offline storage if possible

### 5.3 Physical Device Labels

Label each phone "Cascades Device 01" through "Cascades Device 25".

- Helps auditing + troubleshooting

## Phase 6 — Monitoring & Control

In ManageEngine MDM:

- Track: device compliance, app usage, last check-in, security status
- Enable: remote lock, remote wipe, lost mode

## Phase 7 — Ongoing Maintenance

| Frequency | Task |
|-----------|------|
| Weekly | Check compliance dashboard, review failed devices |
| Monthly | Update apps, review security policies |
| As needed | Remote wipe lost/stolen, add/remove apps |

## Kitchen iPads (9 units)

Separate from phones — food service only, no PHI.

### Policies

- Kiosk/lockdown mode (food ordering app only)
- Restrict to kitchen thermal printers only (Bistro 192.168.2.207, Kitchen 10.0.20.225)
- No browser/email/app store access
- WiFi profile: CSCNet (INTERNAL VLAN 20) only

### Enrollment

- [ ] Create iOS/iPadOS enrollment profile
- [ ] Apple DEP or manual enrollment (iPads may not support zero-touch without Apple Business Manager)

## Future Upgrades

| Upgrade | Benefit | Requires |
|---------|---------|----------|
| SSO Integration (Entra ID) | Faster logins, better audit trails | Entra Connect (planned) |
| Microsoft Intune Shared Device Mode | Per-user sign-in/sign-out with auto data wipe | Business Premium (~+$10/user/mo) |
| Per-app VPN | Encrypt only medical app traffic | VPN gateway |
| Audit logging | Track who logged in from which device | App-level or Intune |

## Common Mistakes to Avoid

- Skipping kiosk mode
- Allowing Google accounts
- Not enforcing auto logout
- Testing on all 25 at once
- Letting users store data locally

## Setup Status

- [ ] Phase 1 — MDM tenant setup
- [ ] Phase 2 — Zero-touch enrollment
- [ ] Phase 3 — Device staging
- [ ] Phase 4 — Testing (1-2 devices)
- [ ] Phase 5 — HIPAA workflow
- [ ] Phase 6 — Monitoring enabled
- [ ] Phase 7 — Ongoing maintenance schedule
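A worked version of the Phase 6/7 weekly compliance review, added here as an illustration (it is not ManageEngine's export format or API): it reads a constructed inventory export, flags phones that fail the baseline (stale check-in, kiosk off, personal Google account present, encryption off), and lists which of the 25 labelled phones never appear in the export. The column names, CSV layout and sample rows are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export for illustration; NOT ManageEngine's real CSV schema.
SAMPLE_INVENTORY = """\
label,group,last_checkin,kiosk_active,encrypted,google_accounts
Cascades Device 01,Cascades-Shared-Phones,2026-04-17T09:12:00Z,yes,yes,0
Cascades Device 02,Cascades-Shared-Phones,2026-04-02T14:30:00Z,yes,yes,0
Cascades Device 03,Cascades-Shared-Phones,2026-04-18T07:45:00Z,no,yes,0
Cascades Device 04,Cascades-Shared-Phones,2026-04-16T18:00:00Z,yes,no,1
Kitchen iPad 01,Cascades-Kitchen-iPads,2026-04-18T06:10:00Z,yes,yes,0
"""
EXPECTED_PHONES = 25                 # Cascades-Shared-Phones group size (Phase 1.2)
MAX_CHECKIN_AGE = timedelta(days=7)  # weekly review cadence (Phase 7)
REVIEW_TIME = datetime(2026, 4, 18, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

def parse_inventory(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # last_checkin becomes an aware UTC datetime so ages can be compared
        row["last_checkin"] = datetime.strptime(
            row["last_checkin"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows

def review(devices, now):
    """Return {label: [reasons]} for each device failing a Phase 6 check."""
    findings = {}
    for d in devices:
        reasons = []
        if now - d["last_checkin"] > MAX_CHECKIN_AGE:
            reasons.append("stale check-in")
        if d["group"] == "Cascades-Shared-Phones":   # phone-only rules
            if d["kiosk_active"] != "yes":
                reasons.append("kiosk not active")
            if d["google_accounts"] != "0":
                reasons.append("personal Google account present")
        if d["encrypted"] != "yes":
            reasons.append("encryption off")
        if reasons:
            findings[d["label"]] = reasons
    return findings

def missing_phones(devices):
    """Phone labels 01..25 absent from the export (not enrolled / not reporting)."""
    seen = {d["label"] for d in devices}
    return [f"Cascades Device {n:02d}" for n in range(1, EXPECTED_PHONES + 1)
            if f"Cascades Device {n:02d}" not in seen]

if __name__ == "__main__":
    devs = parse_inventory(SAMPLE_INVENTORY)
    print(review(devs, REVIEW_TIME), missing_phones(devs))
```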