How to Enforce Restrictions Inside Office Premises?

Problem and Use Cases

Companies across industries face challenges in securing proprietary data and preventing unintentional or malicious leaks. Common scenarios include:

• Employees capturing sensitive information (e.g., R&D designs, financial data, patient records) via camera or screenshots.
• Unauthorized sharing of corporate data through personal apps, email, or removable storage (USB/SD cards).
• BYOD (Bring Your Own Device) complexities, where personal and work data coexist, make enforcement tricky.

Industries affected:

• Manufacturing: Prototypes, schematics.
• Finance/Banking: Customer financial data.
• Healthcare: Patient records.
• Education: Secure content and student privacy.

MDM Capabilities

MDM can address these challenges by:

1. Enforcing policies based on enrollment type:
   • Corporate-Owned Devices: Full device control (e.g., disabling camera, blocking USB).
   • BYOD (Work Profile): Work container with controlled app/data access.
2. API integrations: Sync with HR/attendance systems to manage device groups dynamically.
3. Geo-fencing: Apply/remove restrictions automatically when devices enter/exit office premises.

Implementation

API Integration: To automate device management based on presence

1. To Find Device for User, Use MDM API: GET /api/v1/users/{userId}/devices , it returns a list of devices associated with the user
2. To Add Device to Group, Use MDM API: POST /api/v1/groups/{groupId}/devices , Body: {"deviceId": "device123"} , it applies all group policies to the device
3. To Remove Device from Group, Use MDM API: DELETE /api/v1/groups/{groupId}/devices/{deviceId} , it removes device from policy enforcement group
4. To integrate with HRMS/Attendance Systems to trigger device group changes based on badge-in/badge-out events and to automatically apply/remove restrictions when employees enter/exit premises

Android Devices

1. For corporate-owned devices (full management):
   • Enroll devices in MDM with full administrative privileges such as Zero touch Enrollment, Knox Mobile Enrollment, QR Code (EMM Token) Enrollment
   • Create an Android restriction profile that disables the camera app and apply the profile to groups where the devices will be added through API Integration.
2. For BYOD (work profile only):
   • Enroll devices with work profile management such as Using a direct QR Code or Enrollment link, Self Enrollment.
     Note:Camera on the personal side cannot be disabled
   • Create an Android Restriction Profile to disable camera access for all work profile apps and apply the profile to groups where the devices will be added through API Integration.

Apple Devices

For corporate-owned devices (full management):

• Enroll devices with work profile management such as Automated Device enrollment(ABM/ASM) , Apple Configurator App in iPhone/Mac
• Create an iOS restriction profile that disables the camera app and apply the profile to groups where the devices will be added through API Integration. 

Enforce Camera Restriction with Geo Fence, Time Fence on Android Devices

1. Define your office premises as a geo-fenced area in MDM
2. On the MDM Console navigate to Device Management->App Repository->Open the ManageEngine MDM App->Click on the Configuration->Block Camera App section. Enable the option "Block Camera App for Geo Fence". Additionally, enable the other option as per the need. For more details, visit our ME MDM App Configuration guide.
   

Best Practices

1. For maximum control, use corporate-owned devices with full management
2. For BYOD, focus on securing work profile data rather than device-wide controls
3. Combine technical controls with employee education about data protection policies
4. Regularly audit policy effectiveness and adjust as needed
5. Clearly communicate restrictions to employees to maintain trust