Policy for mobile devices (A.6.2.1)

All mobile devices belonging to AU must be registered as an information asset by the unit providing the device.

The primary user of a mobile device is responsible for the data on the device. On mobile devices without a primary user, the most recent user is responsible for removing data from the device after use. Users of the university's mobile devices are responsible for protecting the devices and the data processed on these devices.

Mobile devices must be removed, locked securely, kept under surveillance (e.g. carried in hand luggage on business trips) or in some other way secured against theft or misuse whenever an associated risk assessment so dictates.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. acceptable use of mobile device: See the general Rules regarding information security at Aarhus University

Please see the AU Patch policy and Rules regarding information security

Aarhus University wants to ensure minimum levels of protection for mobile devices that can access AU IT infrastructure and AU data. This is part of overall efforts to protect employees against malicious cyber and information security incidents such as hacking attacks and loss of data. 

The use of  MDM ensures that Aarhus University complies with two mandatory technical minimum requirements defined in the national cyber and information security strategy for government agencies and institution

All employees who want to access AU’s Microsoft 365 and OneDrive solutions must comply with the AU MDM requirements. This is ensured by installing AU's MDM software on the mobile device, regardless of whether it is an AU or a private device.

AU MDM solutions must meet the following minimum requirements:

• Six-digit numerical code or biometric identification is required to access the unit.
• Device must be encrypted.
• Regular update of operating systems on mobile devices:
  • Latest version of the device’s operating system. Device will be marked as incompatible after 30 days.
  • User of the device will be notified via email when the device is no longer compatible
  • In the event of a security patch concerning vulnerability with CVE* > 8, the device’s operating system must be updated immediately.
• Mobile devices must be secured with malware protection as a starting point, and whenever an associated risk assessment so dictates

*CVE is an index from 0 to 10 indicating how critical a vulnerability is for the device. An index of more than 8 means high to critical. CVE is an abbreviation for Common Vulnerabilities and Exposures.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. MDM: For Instructions to install Intune. Re. access control: Refer to the general rules regarding password at Aarhus University. Re. cryptography: See the guide How to encrypt your data. Re. updates Recording to the general rules regarding antivirus, updates and equipment at Aarhus University devices provided by AU will often have an activated automatic update functionality, but if this is not available on your device, like private devices used for work at AU, you must keep the device up-to-date, so that they do not compromise the university's security.

Regardless of whether the data is owned by AU, individuals or a third party, AU may freely dispose of its own devices. For example, AU may reset and delete user content on mobile phones, computers, network drives and various storage devices and media without prior user consent and without liability for losses in connection with the end of study or employment periods.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. return your material and devices: As mentioned in the Rules regading information security (antivirus, updates and equipment) at Aarhus University computers, telephones, software, key cards, documents and other material provided or financed by Aarhus University must be returned, when your formal affiliation with AU stops, unless these are covered by a special agreement.