Policy for mobile devices (A.6.2.1)

On this page you will find the current policy for securing mobile devices that have access to AU IT infrastructure and data. This applies to AU mobile devices and private devices used to access AU information, data and systems.


Objective

The objectives of AU's policy and rules for mobile devices are:

  • to ensure the secure use of mobile devices
  • to ensure supporting security measures to manage the risks entailed in using mobile devices.

This applies to mobile devices provided by AU as well as private mobile devices used to access AU information, data and systems which are subject to access control and which must be protected according to the data classification.

Registration of devices and responsibility for data

All mobile devices belonging to AU must be registered as an information asset by the unit providing the device.

The primary user of a mobile device is responsible for the data on the device. On mobile devices without a primary user, the most recent user is responsible for removing data from the device after use. Users of the university's mobile devices are responsible for protecting the devices and the data processed on these devices.

Physical protection of devices

Mobile devices must be removed, locked securely, kept under surveillance (e.g. carried in hand luggage on business trips) or in some other way secured against theft or misuse whenever an associated risk assessment so dictates.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

Limitation of software installation and requirements for software versions and patching

Please see the AU Patch policy and Rules regarding information security.

Limitations regarding information services

Aarhus University wants to ensure minimum levels of protection for mobile devices that can access AU IT infrastructure and AU data. This is part of overall efforts to protect employees against malicious cyber and information security incidents such as hacking attacks and loss of data. 

The use of MDM ensures that Aarhus University complies with two mandatory technical minimum requirements defined in the national cyber and information security strategy for government agencies and institutions.

All employees who want to access AU’s Microsoft 365 and OneDrive solutions must comply with the AU MDM requirements. This is ensured by installing AU's MDM software on the mobile device, regardless of whether it is an AU or a private device.


AU MDM solutions must meet the following minimum requirements:

  • A six-digit numerical code or biometric identification is required to access the device.
  • Device must be encrypted.
  • Regular update of operating systems on mobile devices:
    • The device must run the latest version of its operating system. The device will be marked as incompatible after 30 days.
    • The user of the device will be notified via email when the device is no longer compatible.
    • In the event of a security patch concerning a vulnerability with CVE* > 8, the device’s operating system must be updated immediately.
  • Mobile devices must be secured with malware protection as a starting point, and whenever an associated risk assessment so dictates.

*CVE is an index from 0 to 10 indicating how critical a vulnerability is for the device. An index of more than 8 means high to critical. CVE is an abbreviation for Common Vulnerabilities and Exposures.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. MDM:
    • For instructions to install Intune.
  • Re. access control:
  • Re. cryptography:
  • Re. updates:
    • According to the general rules regarding antivirus, updates and equipment at Aarhus University, devices provided by AU will often have an activated automatic update functionality, but if this is not available on your device, as with private devices used for work at AU, you must keep the device up to date so that it does not compromise the university's security.

Deactivating, deleting and blocking

Regardless of whether the data is owned by AU, individuals or a third party, AU may freely dispose of its own devices. For example, AU may reset and delete user content on mobile phones, computers, network drives and various storage devices and media without prior user consent and without liability for losses in connection with the end of study or employment periods.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. return your material and devices:
    • As mentioned in the Rules regarding information security (antivirus, updates and equipment) at Aarhus University, computers, telephones, software, key cards, documents and other material provided or financed by Aarhus University must be returned when your formal affiliation with AU stops, unless these are covered by a special agreement.

A mobile device is a small handheld device that has a touchscreen and/or a QWERTY keyboard, and which can function as a telephone. Examples include smartphones and tablets.


Mobile Device Management (MDM) is software that makes it possible for users to have any apps they want on their device while still allowing AU's policies regarding university data to be enforced on the device. AU uses Intune for MDM.