Understanding MDM (Mobile Device Management)
What MDM is, why your company uses it, and what IT can and can't see on your device
MDM stands for Mobile Device Management. If your company or school gave you a laptop or phone (or asked you to enroll your personal device), there's a good chance MDM software is running on it. It's how IT manages devices at scale – pushing settings, enforcing security policies, and deploying apps without physically touching each machine.
This isn't spyware. It's infrastructure. But it's reasonable to want to know what it actually does.
What MDM does
MDM is a framework that lets IT administrators manage devices remotely. When your device is enrolled, the MDM server can:
- Push configuration profiles (Wi-Fi, VPN, email settings)
- Install and update approved software
- Enforce security policies (password requirements, encryption, screen lock)
- Check whether your device meets compliance standards
- Remotely lock or wipe a lost or stolen device
On Mac, MDM uses Apple's built-in management framework. On Windows, it typically works through Microsoft Intune or similar tools. On phones, it uses the management APIs built into iOS and Android.
What IT can see
This is the question everyone asks. The answer depends on whether the device is company-owned or personal (BYOD), and how the MDM is configured. On a company-owned device, IT can generally see:
- Device model, serial number, and OS version
- Storage capacity and whether encryption is enabled
- Installed apps (the list, not the content inside them)
- Compliance status (is the device up to date, encrypted, passcode set)
- Network information (Wi-Fi network name, IP address)
What IT typically can't see
Even on a managed device, MDM doesn't give IT a window into everything:
- Personal emails, messages, or photos
- Browsing history (unless a separate monitoring tool is installed)
- Content inside personal apps
- Passwords or keychain data
- Your physical location in real time (unless a specific tracking feature is enabled and disclosed)
The distinction matters. MDM manages the device; it doesn't monitor your activity the way surveillance software would. If your organization uses additional monitoring tools beyond MDM, that's a separate thing and they should disclose it.
Compliance policies
MDM enforces compliance policies – rules your device must meet to access work resources. Common ones include:
- Minimum OS version – your device must be running a recent enough version
- Encryption required – FileVault on Mac, BitLocker on Windows, or device encryption on phones
- Passcode complexity – minimum length, requiring letters and numbers
- Screen lock timeout – device locks after a set period of inactivity
- Jailbreak/root detection – jailbroken or rooted devices are blocked, because the OS protections the other policies rely on can no longer be trusted
If your device falls out of compliance, you might lose access to work email, apps, or internal sites until you fix it. You'll usually get a notification explaining what needs to change.
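To make the compliance rules above concrete, here is an added example (not the page's or any MDM vendor's code) of how a server-side check evaluates a device's reported inventory against a policy and decides whether work access stays open. The record fields, policy values and function names are assumptions; note that the record carries only reported facts about the passcode (set, length, alphanumeric), never the passcode itself, consistent with what the text says IT cannot see.

```python
# Added example (not the page's or any vendor's code); field names, policy values
# and function names are assumptions. Passcode fields are reported facts, not the passcode.
import re

# Hypothetical policy mirroring the five rules listed in the text.
POLICY = {
    "min_os_version": "14.2",
    "require_encryption": True,
    "passcode_min_length": 8,
    "passcode_require_alphanumeric": True,
    "max_screen_lock_seconds": 300,
    "block_jailbroken_or_rooted": True,
}

def parse_version(version):
    """'14.10.1' -> (14, 10, 1): numeric tuples, so 14.10 is newer than 14.2."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def evaluate_compliance(device, policy=POLICY):
    """Return a list of findings; an empty list means the device is compliant."""
    findings = []
    if parse_version(device["os_version"]) < parse_version(policy["min_os_version"]):
        findings.append(f"OS {device['os_version']} is older than required {policy['min_os_version']}")
    if policy["require_encryption"] and not device["disk_encrypted"]:
        findings.append("disk encryption is not enabled")
    if not device["passcode_set"]:
        findings.append("no passcode is set")
    else:
        if device["passcode_length"] < policy["passcode_min_length"]:
            findings.append(f"passcode is shorter than {policy['passcode_min_length']} characters")
        if policy["passcode_require_alphanumeric"] and not device["passcode_alphanumeric"]:
            findings.append("passcode must contain both letters and numbers")
    if device["screen_lock_seconds"] > policy["max_screen_lock_seconds"]:
        findings.append(f"screen lock timeout exceeds {policy['max_screen_lock_seconds']} seconds")
    if policy["block_jailbroken_or_rooted"] and device["jailbroken_or_rooted"]:
        findings.append("device is jailbroken or rooted")
    return findings

def access_decision(device, policy=POLICY):
    """Gate work resources on the result: blocked until every finding is fixed."""
    findings = evaluate_compliance(device, policy)
    return ("allowed" if not findings else "blocked", findings)

# Constructed inventory records, not real devices.
COMPLIANT_LAPTOP = {"os_version": "14.10", "disk_encrypted": True, "passcode_set": True,
                    "passcode_length": 12, "passcode_alphanumeric": True,
                    "screen_lock_seconds": 120, "jailbroken_or_rooted": False}
STALE_PHONE = {"os_version": "14.1.2", "disk_encrypted": True, "passcode_set": True,
               "passcode_length": 6, "passcode_alphanumeric": False,
               "screen_lock_seconds": 900, "jailbroken_or_rooted": False}
```

The findings list is the substance of the notification the text mentions: each entry names one thing the user has to change before access is restored.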
Remote wipe
Remote wipe is probably the most anxiety-inducing MDM feature. Here's how it actually works:
- Company-owned devices: IT can perform a full device wipe, returning it to factory settings. This is primarily used for lost or stolen devices, or when an employee leaves.
- Personal devices (BYOD): On properly configured BYOD setups, IT can only perform a selective wipe – removing work apps, work email, and corporate data while leaving your personal files, photos, and apps untouched.
The type of wipe available depends entirely on how the device was enrolled. If you enrolled a personal device through a work profile or user enrollment, the selective wipe is the only option IT has.
Why your company uses it
MDM exists because organizations need to protect their data across hundreds or thousands of devices. Without it, IT would need to manually configure every laptop and phone, couldn't enforce encryption, and would have no way to secure a lost device. It's a security requirement for most organizations, especially those handling sensitive data or meeting regulatory standards.
Common MDM platforms
You might see these names mentioned by your IT department:
- Jamf – primarily for Apple devices (Mac, iPhone, iPad)
- Microsoft Intune – works across Windows, Mac, iOS, and Android
- Omnissa Workspace ONE (formerly VMware) – cross-platform
- Kandji – Apple-focused
- Mosyle – Apple-focused, common in education
Frequently Asked Questions
Can my employer read my personal texts or emails through MDM?
No. MDM manages device settings and policies, not your personal communications. It can see a list of installed apps but cannot read content inside personal email, messaging apps, or texts. If your employer is using separate monitoring software, that's distinct from MDM and should be disclosed to you.
Will I lose my personal files if IT does a remote wipe?
It depends on how your device is enrolled. On a personal device enrolled through BYOD (work profile on Android, user enrollment on iOS), IT can only wipe work data. On a company-owned device, a full wipe is possible and would erase everything. If you're unsure, ask IT which enrollment type your device uses.
Can I remove MDM from my device?
On a personal device, you can typically remove the MDM profile yourself, though you'll lose access to work apps and email. On a company-owned device, the MDM profile is usually locked and can't be removed without IT's involvement. Check your device management settings to see if a remove option is available.
Does MDM track my location?
Standard MDM configurations do not continuously track your location. Some MDM platforms have location-tracking capabilities, but enabling them requires deliberate configuration and most organizations only use it for locating lost devices. Your employer's IT policy should disclose if location tracking is active.
Does MDM slow down my device?
MDM itself has minimal impact on device performance. The management profiles are lightweight. If your device feels slow after enrollment, it's more likely due to additional security software (antivirus, endpoint protection) that IT deployed alongside MDM, not the MDM framework itself.