claudetools/clients/cascades-tucson/docs/security/mdm.md
Howard Enos d2e375df8a sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42
# Mobile Device Management — Cascades
> **2026-04-18 note:** the HIPAA rationale for moving from ManageEngine kiosk-only to Intune Shared Device Mode + Entra Conditional Access is that each of the ~39 caregivers / MedTechs / CCGs needs their own identity on the shared phones — not a device-level kiosk login. That identity list is documented in `docs/cloud/caregiver-m365-p2-rollout.md` and drives the Business Premium license count. Until those accounts exist and CA policies are in place, the phones + ManageEngine kiosk are a stepping stone, not the HIPAA end-state.
## Product
- **Platform:** ManageEngine Mobile Device Manager Plus
- **URL:** https://mdm.manageengine.com/
- **Account:** Created (setup pending)
- **Future consideration:** Microsoft Intune Shared Device Mode (requires Business Premium upgrade, ~+$10/user/mo). Enables per-user sign-in/sign-out with automatic data wipe. Better HIPAA audit trail at device level. Revisit when budget allows.
## Device Inventory
- **25 Android phones** — shared among employees (rotation model)
- **9 Kitchen iPads** — food service only, no PHI
- **Mode:** Device Owner (fully managed), shared device, no OS-level users
- **Kiosk:** Multi-app kiosk mode
## Phase 0 — Baseline Decision
| Setting | Value |
|---------|-------|
| Devices | Android (Zero-touch supported) |
| Mode | Device Owner (fully managed) |
| Usage | Shared device (no OS-level users) |
| Control | Kiosk mode (multi-app) |
| HIPAA audit trail | Application layer (ALIS login, browser sign-in) — not device level |
## Phase 1 — Prep MDM Environment
### 1.1 Configure MDM Tenant
- [ ] Set organization name (Cascades)
- [ ] Create admin accounts
- [ ] Configure email/SMS notification settings
### 1.2 Create Device Groups
| Group | Purpose |
|-------|---------|
| Cascades-Shared-Phones | 25 employee phones |
| Cascades-Kitchen-iPads | 9 kitchen iPads |
| Cascades-Test-Devices | 1-2 test devices |
### 1.3 Upload Apps to App Repository
- [ ] ALIS (EHR / medical records — go-alis.com, browser-based)
- [ ] Secure browser (if needed beyond Chrome)
- [ ] Microsoft Authenticator (if MFA required)
- [ ] Outlook (for shared mailbox access via SSO — future)
### 1.4 Build Baseline Policies
#### Security Policy
- Passcode required (6+ digits)
- Auto-lock: 2-5 minutes
- Encryption: ON
- Disable:
  - USB file transfer
  - Unknown app installs
  - Developer options
#### Restrictions Policy
- Disable:
  - Camera (if required by compliance)
  - Bluetooth (optional)
  - Screen capture
- Block personal Google accounts
#### App Policy
- Silent install required apps
- Force updates
- Prevent uninstall
#### Data Protection Policy
- Clear app data on logout (if supported)
- Disable copy/paste between apps
- Block cloud backups
#### Kiosk Profile (CRITICAL)
Multi-app kiosk mode — allow ONLY:
- Medical app (ALIS via browser)
- Browser (limited)
- Settings (optional, limited)
This turns the phone into a work terminal.
## Phase 2 — Zero-Touch Enrollment
### 2.1 Register with Android Zero-Touch
- URL: https://enterprise.google.com/android/zero-touch/
- [ ] Link reseller (Verizon, AT&T, etc.)
- [ ] Add ManageEngine as EMM provider
- [ ] Use ManageEngine's EMM config
### 2.2 Create Zero-Touch Configuration
In Zero-touch portal:
- EMM: ManageEngine
- Enrollment profile: Fully managed device, Device Owner mode
- Auto-assign to all 25 devices
### 2.3 Link Zero-Touch to ManageEngine
- [ ] Go to Enrollment > Android > Zero-touch in MDM
- [ ] Paste configuration details
**Result:** Phone powers on > connects to WiFi > auto-enrolls into ManageEngine > gets policies + apps + kiosk mode. No manual setup per device.
## Phase 3 — Device Staging
When phones arrive:
1. Unbox
2. Power on
3. Connect to WiFi
**Automatic:**
- Device contacts Google
- Pulls Zero-touch config
- Enrolls into ManageEngine
- Receives: policies, apps, kiosk mode
No manual setup needed per device.
## Phase 4 — Testing (DO NOT SKIP)
Test with 1-2 devices first:
- [ ] Auto enrollment works
- [ ] Apps install correctly
- [ ] Kiosk locks properly
- [ ] Cannot exit kiosk
- [ ] No personal account access
- [ ] Device wipes correctly from MDM
- [ ] ALIS login/logout works per user
- [ ] Browser doesn't save passwords or cookies
## Phase 5 — HIPAA Workflow
### 5.1 App Login Behavior
- Require unique user login to ALIS
- MFA if possible
- Auto logout after 5-10 min idle
### 5.2 Session Control
- Browser: disable saved passwords, clear cookies on exit
- Apps: disable offline storage if possible
### 5.3 Physical Device Labels
Label each phone: "Cascades Device 01" through "Cascades Device 25"
- Helps auditing + troubleshooting
## Phase 6 — Monitoring & Control
In ManageEngine MDM:
- Track: device compliance, app usage, last check-in, security status
- Enable: remote lock, remote wipe, lost mode
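A weekly audit of the kind the Phase 4 checklist and the Phase 6 monitoring list call for, as an added example (not from this document or from ManageEngine): it assumes the device record uses the field names of Google's Android Management API Device resource rather than ManageEngine's own export format, and it assumes a kiosk allowlist of Chrome (for ALIS) plus Settings.

```python
"""Audit a shared phone's status report against the Cascades Device Owner baseline.
Added example, not from this document or ManageEngine; the record layout follows the
Android Management API "Device" resource and the two sample records are constructed."""
from datetime import datetime, timedelta, timezone

# Assumed kiosk allowlist (Phase 1.4): Chrome carries the ALIS web app; Settings is optional.
KIOSK_APPS = {"com.android.chrome", "com.android.settings"}
MAX_CHECKIN_AGE = timedelta(days=7)  # Phase 7: weekly compliance review

def audit_device(dev: dict, now: datetime) -> list[str]:
    """Return baseline findings for one device; an empty list means it passes."""
    findings = []
    if dev.get("managementMode") != "DEVICE_OWNER":            # Phase 0 baseline
        findings.append("not in Device Owner (fully managed) mode")
    if not dev.get("policyCompliant", False):                  # Phase 6: compliance
        names = sorted(d.get("settingName", "?") for d in dev.get("nonComplianceDetails", []))
        findings.append("policy non-compliance: " + ", ".join(names))
    ds = dev.get("deviceSettings", {})
    if not ds.get("isEncrypted", False):                       # Security Policy: encryption ON
        findings.append("storage not encrypted")
    for flag in ("developmentSettingsEnabled", "unknownSourcesEnabled", "adbEnabled"):
        if ds.get(flag):                                       # Security Policy: must be off
            findings.append(f"{flag} is on")
    installed = {a["packageName"] for a in dev.get("applicationReports", []) if a.get("state") == "INSTALLED"}
    for pkg in sorted(KIOSK_APPS - installed):                 # Phase 4: apps install correctly
        findings.append(f"required kiosk app missing: {pkg}")
    last = dev.get("lastStatusReportTime")                     # Phase 6: last check-in
    if last is None:
        findings.append("never checked in")
    else:
        age = now - datetime.fromisoformat(last.replace("Z", "+00:00"))
        if age > MAX_CHECKIN_AGE:
            findings.append(f"stale check-in ({age.days} days)")
    return findings

# Constructed sample records: one healthy phone and one that should leave rotation.
NOW = datetime(2026, 4, 18, 17, 0, tzinfo=timezone.utc)
GOOD = {"managementMode": "DEVICE_OWNER", "policyCompliant": True,
        "lastStatusReportTime": "2026-04-18T15:30:00Z",
        "deviceSettings": {"isEncrypted": True, "developmentSettingsEnabled": False},
        "applicationReports": [{"packageName": p, "state": "INSTALLED"} for p in KIOSK_APPS]}
BAD = {"managementMode": "DEVICE_OWNER", "policyCompliant": False,
       "nonComplianceDetails": [{"settingName": "modifyAccountsDisabled"}],
       "lastStatusReportTime": "2026-04-01T08:00:00Z",
       "deviceSettings": {"isEncrypted": True, "developmentSettingsEnabled": True},
       "applicationReports": [{"packageName": "com.android.settings", "state": "INSTALLED"}]}

if __name__ == "__main__":
    for label, dev in (("device-01", GOOD), ("device-07", BAD)):
        print(label, audit_device(dev, NOW) or "OK")
```

A device with any finding is pulled from rotation until the cause is fixed; a `modifyAccountsDisabled` finding in particular means the personal-Google-account block is not in effect.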
## Phase 7 — Ongoing Maintenance
| Frequency | Task |
|-----------|------|
| Weekly | Check compliance dashboard, review failed devices |
| Monthly | Update apps, review security policies |
| As needed | Remote wipe lost/stolen, add/remove apps |
## Kitchen iPads (9 units)
Separate from phones — food service only, no PHI.
### Policies
- Kiosk/lockdown mode (food ordering app only)
- Restrict to kitchen thermal printers only (Bistro 192.168.2.207, Kitchen 10.0.20.225)
- No browser/email/app store access
- WiFi profile: CSCNet (INTERNAL VLAN 20) only
### Enrollment
- [ ] Create iOS/iPadOS enrollment profile
- [ ] Apple DEP or manual enrollment (Android Zero-touch does not cover iPads; automated iPad enrollment requires Apple Business Manager)
## Future Upgrades
| Upgrade | Benefit | Requires |
|---------|---------|----------|
| SSO Integration (Entra ID) | Faster logins, better audit trails | Entra Connect (planned) |
| Microsoft Intune Shared Device Mode | Per-user sign-in/sign-out with auto data wipe | Business Premium (~+$10/user/mo) |
| Per-app VPN | Encrypt only medical app traffic | VPN gateway |
| Audit logging | Track who logged in from which device | App-level or Intune |
## Common Mistakes to Avoid
- Skipping kiosk mode
- Allowing Google accounts
- Not enforcing auto logout
- Testing on all 25 at once
- Letting users store data locally
## Setup Status
- [ ] Phase 1 — MDM tenant setup
- [ ] Phase 2 — Zero-touch enrollment
- [ ] Phase 3 — Device staging
- [ ] Phase 4 — Testing (1-2 devices)
- [ ] Phase 5 — HIPAA workflow
- [ ] Phase 6 — Monitoring enabled
- [ ] Phase 7 — Ongoing maintenance schedule