Before long, all staff at Aarhus University will be required to install the Mobile Device Management (MDM) app Microsoft Intune on mobile devices like smartphones and tablets.

The InTune app will give system administrators an overview of all AU mobile devices and ensure that a variety of security measures are complied with.

Staff who don’t install the app will no longer be able to access AU Microsoft 365 products they use for work, including email and calendar, on their mobile devices.

Keeping data out of the wrong hands

According to Peter Bruun Nielsen, head of AU IT, the InTune MDM app is being installed to give the university better control over what kind of data different mobile devices and tables can access and a better overview of the devices used by staff.

"When a user at AU uses their smartphone or tablet to read emails, they have access to potentially confidential and important data."

"There is a not insignificant risk that such devices will be hacked if they’re not updated, and that means hackers will have access to any mails on them. There’s AU data on these phones, and we need to keep that data out of the wrong hands," Peter Bruun Nielsen explained.

Academia is under constant attack by cybercriminals. We saw this just a few months ago, in December 2021, when a global software error caused a security risk in many of the university’s IT systems.

The MDM app will ensure that the underlying operating systems on AU devices are kept updated to the newest, most secure version. The roll-out of the app was approved by the AU’s central information security committee (FISU) i December.

But not without reservations; FISU noted that “a certain degree of resistance to the roll-out, particularly from staff who use their private mobile devices,” was to be expected.

AU IT tested the app on the devices of its own staff first, and according to Peter Bruun Nielsen, there were no hiccups. On 11 January, 1,000 staff at selected departments and in the administrative division AU Student Administration and Services were also asked to install the app. On 24 January, these staff lost access to their AU emails if they had not installed the app.

The next phases of the roll-out will depend on the experiences gained from the initial stages of the implementation. AU employees will receive more information in the newsletter when the trial period is over, and AU IT has gained more experience with med MDM, Peter Bruun Nielsen explained.

Joint union representative: There will most likely be some discontent

Not everyone at the university thinks the decision to introduce the InTune app is uncontroversial. Olav W. Bertelsen, an associate professor and joint union representative for academic staff (VIPs) at AU, doesn’t understand why staff weren’t consulted about the decision to introduce the app to a greater extent.  

"I’m actually a little piqued that something that has such an invasive effect on people use their work equipment isn’t something we were informed about in the Main Liaison Committee," Berthelsen said.

While he acknowledges the need to improve data security at the university, he believes that management should have involved employees.

"There will most likely be some discontent. And I also think that it’s important it’s communicated properly. What are the rules to ensure that employees aren’t being monitored? And how will the university ensure that this doesn’t become a surveillance device? It’s presumably not been done in bad faith, but it’s off the mark not to involve the liaison committee if the project is so far advanced," he said.

Associate professor: These restrictions may affect my work

Diego Aranha is an associate professor at the Department of Computer Science. And like Bertelsen, he feels that there are still a lot of unanswered questions about the app. Aranha is himself an expert on security systems; and as he explained, there are potential risks associated with introducing MDM systems:

"It’s still not clear how intrusive MDM will be for the different devices: work phones, private phones and other personal devices used for work. With an intrusive MDM model, someone at AU IT could have the power to limit my activities."

"For example, by forbidding me from installing certain apps or carrying out other activities, which might impact the way I teach or conduct my research."

Aranha acknowledges that MDM systems are widespread in private companies. But the university is different, he explained. And he called for evidence that hackers have been able to breach the current security measures already in place.

"It’s easy for the university say that this isn’t about surveillance, but that’s not sufficient. The decision and the implementation should be taken after weighing risks against benefits and carefully communicating this assessment to users, in the interests of transparency."

"The conditions for devices in the grey area on the boundary between personal and work-related data are particularly sensitive. It’s fine that AU IT is testing the process, but I’d like to note that their activities aren’t representative for the entire university. I write, do research, collect data and collaborate with businesses, so these restrictions will affect my work differently," Aranha explained.

AU isn’t going to read over your shoulder

Peter Bruun Madsen, head of AU IT, is fully aware that the decision to implement the InTune MDM app may be concerning for many staff members. But he described the new system as "an important box to tick" in regard to ensuring data security at AU. He also stressed that individual users at AU will not be monitored.

"We’ll fence off the data that’s work-related and make sure special rules apply to it. We’re not going to monitor traffic or what people search for on Google. We can already read everyone’s mails, but we don’t do that. The only thing we’ll check is the operating system, and we’ll only give access to the device if security is up to date," Madsen explained.

Peter Bruun Nielsen, head of AU IT, understands that staff might be concerned about the MDM app, but stresses that AU won’t use the app to monitor traffic on the devices. Photo: Lars Kruse, AU Photo

It’s a question of AU’s data security, which takes priority over any potential concerns on the part of staff, Madsen stressed:

"We have no interest at all in monitoring how staff use smartphones or tablets. Our job is to protect AU’s data and protect staff from misuse of their mobile devices."

Security expert: MDM is not a surveillance tool

Peter Kruse, an IT expert and founder of CSIS Security Group, does not classify MDM as a surveillance tool. According to him, staff shouldn’t be concerned that the university has the technical capacity to look over their shoulder as they write mails on their smartphone or computer, he said.

"You have to expect that a solution of this kind will be on a telephone that’s part of your work. If you have email on your own phone, then you have to decide whether you want to use it for work, because it makes sense that there’s some kind of monitoring of what staff do in connection with reading mails."

"MDM does not introduce an increased risk that you as a staff member will be monitored as long as it is administered in the right way. It’s used more as a measure to protect data from external intruders," Kruse explained.

Ensuring that security is kept updated on mobile devices that contain work-related data is one of the 20 technical requirements for IT systems in state-sector organisations in Denmark.  

Large and medium-sized companies use MDM for this purpose because once the company no longer has an overview of its devices, it also loses an overview of its data, according to IT expert Kruse.

"MDM has become particularly necessary at the very largest companies. You’d have to say that the university qualifies as a large workplace, so it actually makes a lot of sense, and the time might also be ripe to introduce MDM now," Kruse concluded.