Mobile Device Management — Cascades
2026-04-18 note: the HIPAA rationale for moving from ManageEngine kiosk-only to Intune Shared Device Mode + Entra Conditional Access is that each of the ~39 caregivers / MedTechs / CCGs needs their own identity on the shared phones, not a device-level kiosk login. That identity list is documented in docs/cloud/caregiver-m365-p2-rollout.md and drives the Business Premium license count. Until those accounts exist and CA policies are in place, the phones + ManageEngine kiosk are a stepping stone, not the HIPAA end-state.
Product
- Platform: ManageEngine Mobile Device Manager Plus
- URL: https://mdm.manageengine.com/
- Account: Created (setup pending)
- Future consideration: Microsoft Intune Shared Device Mode (requires Business Premium upgrade, ~+$10/user/mo). Enables per-user sign-in/sign-out with automatic data wipe. Better HIPAA audit trail at device level. Revisit when budget allows.
Device Inventory
- 25 Android phones — shared among employees (rotation model)
- 9 Kitchen iPads — food service only, no PHI
- Mode: Device Owner (fully managed), shared device, no OS-level users
- Kiosk: Multi-app kiosk mode
Phase 0 — Baseline Decision
| Setting | Value |
|---|---|
| Devices | Android (Zero-touch supported) |
| Mode | Device Owner (fully managed) |
| Usage | Shared device (no OS-level users) |
| Control | Kiosk mode (multi-app) |
| HIPAA audit trail | Application layer (ALIS login, browser sign-in) — not device level |
Phase 1 — Prep MDM Environment
1.1 Configure MDM Tenant
- Set organization name (Cascades)
- Create admin accounts
- Configure email/SMS notification settings
1.2 Create Device Groups
| Group | Purpose |
|---|---|
| Cascades-Shared-Phones | 25 employee phones |
| Cascades-Kitchen-iPads | 9 kitchen iPads |
| Cascades-Test-Devices | 1-2 test devices |
1.3 Upload Apps to App Repository
- ALIS (EHR / medical records — go-alis.com, browser-based)
- Secure browser (if needed beyond Chrome)
- Microsoft Authenticator (if MFA required)
- Outlook (for shared mailbox access via SSO — future)
1.4 Build Baseline Policies
Security Policy
- Passcode required (6+ digits)
- Auto-lock: 2-5 minutes
- Encryption: ON
- Disable:
- USB file transfer
- Unknown app installs
- Developer options
Restrictions Policy
- Disable:
- Camera (if compliance requires it; prevents photos of PHI or screens leaving the device)
- Bluetooth (optional)
- Screen capture
- Block personal Google accounts
App Policy
- Silent install required apps
- Force updates
- Prevent uninstall
Data Protection Policy
- Clear app data on logout (if supported)
- Disable copy/paste between apps
- Block cloud backups
Kiosk Profile (CRITICAL)
Multi-app kiosk mode — allow ONLY:
- Medical app (ALIS via browser)
- Browser (limited)
- Settings (optional, limited)
This turns the phone into a work terminal.
Phase 2 — Zero-Touch Enrollment
2.1 Register with Android Zero-Touch
- URL: https://enterprise.google.com/android/zero-touch/
- Link reseller (Verizon, AT&T, etc.)
- Add ManageEngine as EMM provider
- Use ManageEngine's EMM config
2.2 Create Zero-Touch Configuration
In Zero-touch portal:
- EMM: ManageEngine
- Enrollment profile: Fully managed device, Device Owner mode
- Auto-assign to all 25 devices
2.3 Link Zero-Touch to ManageEngine
- Go to Enrollment > Android > Zero-touch in MDM
- Paste configuration details
Result: Phone powers on > connects to WiFi > auto-enrolls into ManageEngine > gets policies + apps + kiosk mode. No manual setup per device.
Phase 3 — Device Staging
When phones arrive:
- Unbox
- Power on
- Connect to WiFi
Automatic:
- Device contacts Google
- Pulls Zero-touch config
- Enrolls into ManageEngine
- Receives: policies, apps, kiosk mode
No manual setup needed per device.
Phase 4 — Testing (DO NOT SKIP)
Test with 1-2 devices first:
- Auto enrollment works
- Apps install correctly
- Kiosk locks properly
- Cannot exit kiosk
- No personal account access
- Device wipes correctly from MDM
- ALIS login/logout works per user
- Browser doesn't save passwords or cookies
Phase 5 — HIPAA Workflow
5.1 App Login Behavior
- Require unique user login to ALIS
- MFA if possible
- Auto logout after 5-10 min idle
5.2 Session Control
- Browser: disable saved passwords, clear cookies on exit
- Apps: disable offline storage if possible
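The "Browser (limited)" item in the kiosk profile, the Phase 4 check that the browser keeps no passwords or cookies, and the session controls above all come down to one Chrome managed configuration. The script below is an added example, not part of the Cascades runbook or ManageEngine's product: it audits a proposed Chrome managed-config payload against the session-hygiene settings this page asks for and prints the JSON to paste into the MDM. The policy names and enum values are real Chrome enterprise policies; the assumption is that ManageEngine pushes them to Chrome as an Android managed app configuration (confirm Android support for each policy on the Chrome policy list before relying on it), and both sample configs are constructed here for illustration.

```python
"""Audit a Chrome managed configuration for the shared phones' kiosk browser.

Added example: the policy keys and values below are Chrome enterprise policies
(delivered on Android as a managed app configuration). The sample configs are
constructed for this example; the EHR host comes from the runbook.
"""
from __future__ import annotations

import json

# Chrome policy enum values (see the Chrome enterprise policy list).
INCOGNITO_DISABLED = 1        # IncognitoModeAvailability: 0 enabled, 1 disabled, 2 forced
COOKIES_SESSION_ONLY = 4      # DefaultCookiesSetting: 1 allow, 2 block, 4 session-only
BROWSER_SIGNIN_DISABLED = 0   # BrowserSignin: 0 disabled, 1 enabled, 2 forced

# The only site the kiosk browser exists to reach (from the runbook).
EHR_HOST = "go-alis.com"

# (policy, required value, why it matters for PHI on a shared device)
REQUIRED = [
    ("PasswordManagerEnabled", False, "no shared-device password store"),
    ("AutofillAddressEnabled", False, "no autofill leaking between users"),
    ("AutofillCreditCardEnabled", False, "no autofill leaking between users"),
    ("SavingBrowserHistoryDisabled", True, "no PHI URLs left in history"),
    ("DefaultCookiesSetting", COOKIES_SESSION_ONLY, "ALIS session dies when Chrome closes"),
    ("IncognitoModeAvailability", INCOGNITO_DISABLED, "no windows outside the managed profile"),
    ("BrowserSignin", BROWSER_SIGNIN_DISABLED, "blocks personal Google accounts in Chrome"),
]


def audit_chrome_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: list[str] = []
    for key, expected, why in REQUIRED:
        actual = cfg.get(key)
        if actual != expected:
            findings.append(f"{key}={actual!r}, want {expected!r} ({why})")

    blocklist = cfg.get("URLBlocklist") or []
    allowlist = cfg.get("URLAllowlist") or []
    # Default-deny: block everything, then allow only what the kiosk needs.
    if "*" not in blocklist:
        findings.append("URLBlocklist must contain '*' so only allowlisted hosts load")
    if not any(EHR_HOST in entry for entry in allowlist):
        findings.append(f"URLAllowlist must include {EHR_HOST} or the kiosk cannot reach ALIS")
    return findings


def render_managed_config(cfg: dict) -> str:
    """Serialize the config as the JSON body pasted into the MDM's managed app config."""
    return json.dumps(cfg, indent=2, sort_keys=True)


# Constructed: an allowlist-only config that looks locked down but keeps Chrome's
# default password manager and persistent cookies, the exact Phase 4 failure.
WEAK_CONFIG = {
    "URLAllowlist": [EHR_HOST],
    "PasswordManagerEnabled": True,
    "DefaultCookiesSetting": 1,
}

# Constructed: the hardened version. Any SSO/IdP host ALIS redirects to during
# login must be added to URLAllowlist as well, or sign-in will be blocked.
HARDENED_CONFIG = {
    "URLBlocklist": ["*"],
    "URLAllowlist": [EHR_HOST],
    "PasswordManagerEnabled": False,
    "AutofillAddressEnabled": False,
    "AutofillCreditCardEnabled": False,
    "SavingBrowserHistoryDisabled": True,
    "DefaultCookiesSetting": COOKIES_SESSION_ONLY,
    "IncognitoModeAvailability": INCOGNITO_DISABLED,
    "BrowserSignin": BROWSER_SIGNIN_DISABLED,
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for line in audit_chrome_config(cfg) or ["OK"]:
            print("  " + line)
    print(render_managed_config(HARDENED_CONFIG))
```

Run it before Phase 4 and keep the findings list with the test evidence; the weak config fails eight checks, the hardened one passes. Session-only cookies plus the ALIS idle timeout give the "clear cookies on exit" behaviour without relying on a user remembering to log out, but the kiosk profile must actually close Chrome between users (or the MDM must clear Chrome's app data) for the session-only setting to fire.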
5.3 Physical Device Labels
Label each phone: "Cascades Device 01" through "Cascades Device 25"
- Helps auditing + troubleshooting
Phase 6 — Monitoring & Control
In ManageEngine MDM:
- Track: device compliance, app usage, last check-in, security status
- Enable: remote lock, remote wipe, lost mode
Phase 7 — Ongoing Maintenance
| Frequency | Task |
|---|---|
| Weekly | Check compliance dashboard, review failed devices |
| Monthly | Update apps, review security policies |
| As needed | Remote wipe lost/stolen, add/remove apps |
Kitchen iPads (9 units)
Separate from phones — food service only, no PHI.
Policies
- Kiosk/lockdown mode (food ordering app only)
- Restrict to kitchen thermal printers only (Bistro 192.168.2.207, Kitchen 10.0.20.225)
- No browser/email/app store access
- WiFi profile: CSCNet (INTERNAL VLAN 20) only
Enrollment
- Create iOS/iPadOS enrollment profile
- Apple Automated Device Enrollment (formerly DEP, now part of Apple Business Manager) or manual enrollment; there is no zero-touch equivalent for iPads outside Apple Business Manager, so iPads bought without ABM assignment are enrolled by hand
Future Upgrades
| Upgrade | Benefit | Requires |
|---|---|---|
| SSO Integration (Entra ID) | Faster logins, better audit trails | Entra Connect (planned) |
| Microsoft Intune Shared Device Mode | Per-user sign-in/sign-out with auto data wipe | Business Premium (~+$10/user/mo) |
| Per-app VPN | Encrypt only medical app traffic | VPN gateway |
| Audit logging | Track who logged in from which device | App-level or Intune |
Common Mistakes to Avoid
- Skipping kiosk mode
- Allowing Google accounts
- Not enforcing auto logout
- Testing on all 25 at once
- Letting users store data locally
Setup Status
- Phase 1 — MDM tenant setup
- Phase 2 — Zero-touch enrollment
- Phase 3 — Device staging
- Phase 4 — Testing (1-2 devices)
- Phase 5 — HIPAA workflow
- Phase 6 — Monitoring enabled
- Phase 7 — Ongoing maintenance schedule