Device Enrolment Terms and Conditions MAM

These terms and conditions apply to all employees, contractors, and consultants (User) who use Microsoft Endpoint Manager to access data & applications (Company Data) of any company that is a client of IT Foundations Ltd (Company) on their mobile devices. By accessing Company Data on your mobile device through Microsoft Endpoint Manager you agree to comply with these terms and conditions. If you do not agree to these terms and conditions, do not access Company Data on mobile devices through Microsoft Endpoint Manager.

Microsoft Endpoint Manager (the Service) provides authorised Users with access to Company Data on their personally supplied device (BYO) while protecting the confidentiality, privacy, integrity, security and availability of Company Data and systems.

These terms and conditions apply to BYO devices. Devices running the following operating systems are able to use Microsoft Endpoint Manager:

  • iOS
  • iPadOS
  • Android
  • Windows 10 or 11
  • macOS

Terms of Use

By accepting these terms and conditions the User acknowledges that they have read and agree to all relevant company policies relating to accessing company data including but not limited to any Acceptable Use Policy, Fair Use Policy, Data Protection Policy, General IT Policy, or Bring Your Own Device Policy that has been issued by the Company.

Your Obligations

Each User agrees to comply with the following conditions of use as a requirement of enrolling in and using the Service:

  1. Keep the security code on the device secret and not disclose it to any other person;
  2. Keep the device compliant with all of the security settings set out above;
  3. Not modify or attempt to modify the configuration of the Service application on the device or attempt to circumvent any security measures implemented as part of the Service or install malware; and
  4. When connected to the Company’s network:
    1. Not allow any other person to access Company Data using the BYO device;
    2. Not leave the device connected or unattended without adequate security code protection;
    3. Ensure that all Company Data is viewable only in an environment where the content cannot be observed or heard by persons who are not authorised to access the information.

Responsibility and Liability

The User is solely responsible for backing up their personal information on the device. This includes personal information like photos and personal contacts. Neither IT Foundations nor the Company assumes any responsibility for the loss of personal data stored on the device.

The User is responsible for all carrier and other costs associated with the use of a BYO device and acknowledges that neither IT Foundations nor the Company shall be liable for any loss, including any costs, or damage directly or indirectly related to the BYO device or any other personal hardware, software or information of the authorised User or any other person, or any performance degradation, diminished functionality or inconvenience.

The User indemnifies IT Foundations and the Company for any loss or damage to the extent it results from the User’s use of the Service other than in compliance with this User agreement.

Data Management

By agreeing to these terms, the User permits the Company, IT Foundations and Microsoft to control access to Company Data on their device. These controls may restrict their ability to access, manage or download Company Data via file access, email or other means. Company Data may be remotely removed or managed by their employer or by IT Foundations on behalf of their employer.

Data Collection

When a User uses a corporate or personal device to access Company Data, Microsoft, IT Foundations and the User’s employer will collect, process, and share some personal data to support business operations and facilitate access to Company Data on the device. This process collects some personal data from the device. This data is tied to a User, device, or application and is essential to the nature of device management.

Personal data includes identifiable data, which may directly identify the end User, or pseudonymised data carrying a system-generated unique identifier, used to deliver the enterprise service to Users; it also includes support data and account data. Non-personal data includes service-generated system metadata and organisational/tenant information. Access control data is also collected to manage access to administrative roles and functions through features like Role Based Access Control.

Required data collected may include, but is not limited to:

  • User information
    • Owner name/User display name (the Azure-registered name of the User as identified by AzureUserID)
    • User Principal Name or email address
    • Phone number
    • Third-party User identities (like Apple ID)
  • Hardware inventory information
    • Device name
    • Manufacturer
    • Operating system
    • Serial number
    • IMEI number
    • IP address
    • Wi-Fi MAC address
    • ICCID
  • Audit log information, including data about the following activities
    • Manage
    • Create
    • Update (edit)
    • Delete
    • Assign
    • Remote tasks
  • Support information
    • Contact information (name, phone number, email address)
    • Email discussions with Microsoft support, product, and/or customer experience team members
  • Access control information
    • Static authenticators (customer’s password)
    • Private keys for certificates
  • Admin and account information
    • Admin User first name and last name
    • Admin User name
    • UPN (email)
    • Phone number
    • Email address of account owner
    • Active Directory ID of each customer IT admin
    • Payment data for customer billing
    • Subscription key
  • Admin-created data, such as
    • Profile names
    • Compliance policies
    • Group policy
    • PowerShell scripts
    • Line-of-Business (LOB) application
  • Application inventory, such as
    • app name
    • version
    • app ID
    • size
    • installation location
    • Application inventory data is only collected when marked by the Admin as a corporate-owned device or the compliant app feature is turned on.
  • Customer third party tenant IDs (like Apple ID)
  • Device data
    • Microsoft Endpoint Manager device ID
    • Azure Active Directory device ID
    • Microsoft Endpoint Manager device management ID
    • Tenant ID
    • Account ID
    • EAS device ID
    • Platform-specific IDs
    • AppleID for iOS/iPadOS devices
    • MAC address for Mac devices
    • Windows ID for Windows devices
  • Managed application information
    • Managed application ID
    • Managed application device tag
    • Microsoft Endpoint Manager device management ID
    • Azure Active Directory device ID
    • Encryption keys
  • Admin usage data from across all Microsoft Endpoint Manager tenants (for example, admin controls selected when interacting with the Admin console)
  • Tenant account information (this data is available from Microsoft Endpoint Manager)
    • Number of devices or Users enrolled
    • Number of identified device platforms
    • Number of installed devices
    • installedDeviceCount: The number of devices on which the application is installed.
    • notApplicableDeviceCount: The number of devices for which the application is not applicable.
    • notInstalledDeviceCount: The number of devices for which the application is applicable but not installed.
    • pendingInstallDeviceCount: The number of devices for which the application is applicable and installation is pending.

End User Data that is Never Collected

The enrolment platform does not collect, nor allow an Admin to see, an end User’s calling or web browsing history, personal email, text messages, contacts, passwords to personal accounts, calendar events or photos, including those in any photo app or camera.

Data Storage

Data collected using this service is stored according to Microsoft’s Data Handling Standard policy for Microsoft 365.

Data Sharing

Some data gathered by this platform will be shared with required third parties in order for the service to operate. Data will be sent to and received from Apple or Google as appropriate for the device that is being enrolled. Details of the data shared can be found on Microsoft’s Endpoint Manager website. Only data required for the service to function is shared.

Data Retention

Data is retained and deleted in line with Microsoft 365 Data Handling Standard policy.

Data Privacy

No data that is collected through the enrolment of the device is sold to any other party.

If a device has not accessed the Service for 90 calendar days, IT Foundations may automatically disenrol the device from the Service and erase all data stored on the device through the Service.