How universities’ mobile device management policies can increase cyber risk

By kiera.obrien, 30 September 2025
Mobile device management is useful for university-owned devices, but making it a blanket requirement on staff and students’ personal devices can increase the potential damage of a major breach. Find out why – and how to protect your institution

During the induction week of university, a first-year student is told that to access her university email and course materials, she must open “access work or school” settings on her laptop and click “connect”. In a moment, her laptop – and phone, if she chooses – is enrolled in the university’s mobile device management (MDM) system and is centrally managed by the university. This allows the university to keep security updates current on students’ devices and supports enforcement of credential policies by verifying device compliance. 

However, this also gives IT administrators the ability to change settings and install software, and – depending on the type and configuration of a user’s device – can also include the abilities to run commands and issue a remote lock or wipe. Precautions like role-based access and logging help, but they do not, by themselves, prevent a privileged identity (e.g., an administrator or an attacker using an administrator account) from issuing high-impact actions at scale. 

Even some of the stronger precautions like multi-admin approval can sometimes be undermined if the same administrator can create new approvers or disable the precaution. In other words, in most MDM deployments, the limits on how far IT administrators (and attackers impersonating them) can go are policy choices, not technical constraints – and as a result, requiring MDM enrolment of personal devices to access university services introduces a systemic risk.
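The weakness described above can be stated as a design check: does one compromised device-admin account, with no approver role, still have a route to a high-impact action? The toy model below is an added illustration, not code from the article or from any real MDM product; the console API, role names and policy flags are constructed, and the same model is run in a weak configuration (admins may add approvers and switch the gate off) and a hardened one (only a separate governance role may).

```python
# Added illustration (not from the article or any MDM vendor): toy model of a
# "two approvers for a bulk wipe" gate; role names and flags are constructed.
from dataclasses import dataclass, field

@dataclass
class ApprovalPolicy:
    required_approvals: int = 2
    enabled: bool = True
    admins_manage_approvers: bool = True   # weak: device admins may add approvers
    admins_can_disable: bool = True        # weak: device admins may switch the gate off

@dataclass
class Console:
    policy: ApprovalPolicy
    roles: dict = field(default_factory=dict)      # user -> set of role names
    approvers: set = field(default_factory=set)
    approvals: dict = field(default_factory=dict)  # action -> set of approvers
    def _may(self, actor, weak_flag):
        r = self.roles.get(actor, set())
        return "governance" in r or (weak_flag and "admin" in r)
    def add_approver(self, actor, user):
        if ok := self._may(actor, self.policy.admins_manage_approvers):
            self.approvers.add(user)
        return ok
    def disable_gate(self, actor):
        if ok := self._may(actor, self.policy.admins_can_disable):
            self.policy.enabled = False
        return ok
    def approve(self, action, approver):
        if approver in self.approvers:
            self.approvals.setdefault(action, set()).add(approver)
    def bulk_wipe(self, actor, action="wipe-all"):
        """True if a bulk remote wipe would execute for this requester."""
        if "admin" not in self.roles.get(actor, set()):
            return False
        if not self.policy.enabled:
            return True
        others = self.approvals.get(action, set()) - {actor}   # no self-approval
        return len(others) >= self.policy.required_approvals

def lone_admin_can_wipe(policy):
    """Design check: one device-admin account, no governance role, no approvers yet."""
    c = Console(policy, roles={"admin1": {"admin"}, "gov1": {"governance"}})
    if c.disable_gate("admin1"):            # can the admin switch the gate off?
        return c.bulk_wipe("admin1")
    for new in ("a2", "a3"):                # can the admin choose who approves?
        c.add_approver("admin1", new)
        c.approve("wipe-all", new)
    return c.bulk_wipe("admin1")
```

In the weak configuration the check returns True on both routes; in the hardened one it returns False, and the wipe only proceeds once two approvers appointed by the governance role, neither of them the requester, have signed off.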

There are understandable reasons why universities are adopting this model. In recent years, cyberattacks have dealt substantial damage to universities all around the world, including the UK, US, Netherlands, Australia and Germany. Attackers commonly employ social engineering techniques to exploit individuals, gaining an initial foothold in networks before using technical tools to escalate privileges. 

Universities also often face expectations for permissive bring-your-own-device policies and remote access to the network for a growing number of hybrid employees and distance-learning students. Such policies and practices inevitably broaden the attack surface. Cybersecurity teams in universities are also typically small and overloaded.

Given these challenges, many universities increasingly turn to MDM systems to shift security controls away from end users – students and staff – and to the IT team. Yes, this approach may decrease the likelihood of low-level incidents, such as isolated cases of malware infection. But it also expands the potential impact of a serious breach.

Large-scale hacks resulting from attackers taking control of MDM systems are not merely theoretical. For instance, in 2024, attackers gained access to an MDM system and wiped the devices of 13,000 students across 26 schools in Singapore. In this case, the attackers did not seem to access personal data or install malware for continued access – but they had the capability to do so. 

In another case, from 2020, attackers breached a multinational conglomerate’s MDM system and used it to push the Cerberus banking trojan onto about 75 per cent of its managed Android devices. They then remotely controlled the phones and stole passwords, as well as two-factor authentication codes. In a separate instance from 2018, attackers tricked users into enrolling their devices in a rogue MDM system, which was then used to spy on their iPhones. This again illustrates how much control a device relinquishes once it is enrolled in an MDM system.

Enrolling students’ and staff members’ personal devices into the university’s MDM system significantly increases an attacker’s capabilities if the central system is hacked. This presents not only heightened risks for students and staff, but also potential liabilities for universities, including lawsuits and reputational damage. 

While the examples above focus on external threats, it is also possible for a member of the IT team to abuse their access. Although such cases may seem unlikely, several large companies have experienced incidents where employees accessed remote cameras and microphones to spy on customers. Furthermore, many university students, such as those in executive or professional programmes, hold roles in other organisations. If their devices are compromised through the university’s MDM system, attackers could leverage those students’ access to pivot into other organisations.

Enrolling personal devices in MDM systems clearly carries significant risks – and the additional cybersecurity benefit to universities may be relatively modest. After all, universities can already enforce strong credential policies on institutional accounts, such as password complexity or multi-factor authentication, without enrolling personal devices into MDM systems. Most operating systems now apply security updates by default.

Furthermore, by choosing to have broad control over a large number of personal devices, some of which are used by individuals who have access to other organisations, universities may actually be increasing their appeal as high-value targets. The level of access a hacked MDM system provides (e.g., mass malware push, pivoting to other organisations) raises an attacker’s expected payoff from compromise. This, in turn, may create conditions in which attackers are more willing to invest in costlier techniques, such as long-term persistence methods and even zero-day exploits (attacks that exploit a software vulnerability for which no patch is publicly available).

Overall, I’m not arguing against the use of MDM systems per se; they are very useful tools for universities and other organisations to manage institution-owned devices. Similarly, certain contexts present a materially elevated risk, such as regulated data (personal, clinical, governmental) and specialised laboratories, which can sometimes justify applying MDM controls on the personal devices of the researchers who must access them. 

The problem arises when university policy compels all students and staff to enrol their personal devices into the university’s MDM system, enlarging the potential harm from the compromise of an admin account. Universities can mitigate this risk by rescoping the use of MDMs to devices owned by the university and case-by-case high-risk scenarios. In recent years, some alternative solutions limiting administrators’ power over personal devices, such as Mobile Application Management without Enrollment (MAM-WE), have become available, although many universities still require device enrolment. This suggests the need for universities to consciously update their policies in this area.

Cybersecurity is not only about lowering the risk of compromise, but also about minimising the damage when one occurs. By intentionally limiting their access to personal devices, universities can decrease the harmful consequences of a serious breach.

Aybars Tuncdogan is reader and associate professor in digital innovation and information security at King's College London.

