ManageEngine MDM app permissions

The objective of this document is to list out the hardware/software capabilities of managed devices utilized by the ME MDM app. The platform-wise permissions for mobile device management, along with their purpose are listed below.

NOTE: If the specific configuration/feature is not pushed by the IT Administrator, then the ME MDM app doesn't utilize the related permission. For example, if Geo-Tracking is disabled for a particular device, MDM doesn't track the device, even if the corresponding permission is listed.

Android

The ME MDM Android app utilizes the following capabilities of Android devices. These are listed, along with their purpose.

PERMISSION PURPOSE
 Camera Required for enrolling devices via Invites using QR code and EMM Token enrollment.
 Contacts  Required for fetching the Google account associated with the device, to be used for Android Enterprise. MDM doesn't read any other data present in Contacts.
 Location Required for Geo-Tracking, Location History, and Geofencing.
 Storage Required for storing app logs. Note: MDM doesn't read/access any other data stored in the device. 
 Telephone Required for obtaining the IMEI, MEID, and serial number of the managed device. Further, it can be used to temporarily disable Kiosk in the managed device. 
 Usage Data Access (Prompted only when Kiosk profile is applied) Required to detect and close unapproved apps running in the foreground in Kiosk devices. Also to perform actions like enabling status bar and notification bar, task manager and recent buttons, launch a specific app after idle time and few in custom settings like mobile data, bluetooth etc.
 Modify System Settings (Prompted only when Kiosk profile is applied) Required for modifying system settings such as brightness, screen rotation, etc., in Kiosk devices.
 Screen Overlay (Prompted only when Kiosk profile is applied) Required to draw over apps and display content on top of other applications running in the foreground in Kiosk non-Samsung devices running Android 5.0 or below.

Note: All the above permissions, other than Usage Data Access, Modify System Settings and Screen Overlay, will be automatically granted in devices enrolled as Profile Owner, Device Owner and Knox-enabled Samsung devices. 

iOS

The ME MDM iOS app permissions for iOS devices are listed below, along with its purpose.

PERMISSION PURPOSE
 Location Services Required for Geo-Tracking, Location History, and Geofencing.

macOS

The ME MDM macOS app permissions for macOS devices are listed below, along with its purpose.

PERMISSION PURPOSE
 Location Services Required for Geo-Tracking and Location History.

Windows

The ME MDM Windows app utilizes the following device capabilities. These are listed below, along with their purpose.

PERMISSION PURPOSE
 Location Services Required for Geo-Tracking.
 Device Network Services Required for periodical syncing of the App Catalog and the files distributed using Content Management. 
 Push Notifications Required for displaying information from the MDM server as notifications in the managed Windows device.
 Internet services Required for updating the files distributed using Content Management and the App Catalog present in ME MDM app.