Skip to content

Mobile Device Management Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Mobile Device Management Policy
Framework Reference: Secure Controls Framework – Mobile Device Management (MDM)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Mobile Device Management requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to manage, secure, and monitor mobile devices that access or store FRHC data, including ePHI and other regulated or sensitive information.


This standard applies to all corporate-issued and personally-owned (BYOD) mobile devices—including smartphones, tablets, and laptops—used by FRHC employees, contractors, and third parties to access FRHC systems or data. It applies regardless of device ownership when FRHC data is accessed.


3.1 Centralized Management of Mobile Devices

Section titled “3.1 Centralized Management of Mobile Devices”

FRHC enrolls all corporate-issued and approved personally-owned mobile devices in Microsoft Intune, the centralized MDM platform used across the FRHC Microsoft 365 / Azure environment. Intune enforces configuration policies, manages patch deployment, provides security monitoring, and enforces compliance policies across enrolled devices.

  • Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.1
  • SCF Mapping: MDM-01 (Centralized Management Of Mobile Devices)

FRHC requires multi-factor authentication (MFA) for all mobile device access to FRHC systems and data. Devices are configured with inactivity screen locks and account lockout policies consistent with FRHC’s Identification & Authentication Standard. These controls are enforced via Intune Conditional Access and Entra ID policies.

  • Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.2
  • SCF Mapping: MDM-02 (Access Control For Mobile Devices)

3.3 Full Device & Container-Based Encryption

Section titled “3.3 Full Device & Container-Based Encryption”

All FRHC-enrolled mobile devices must have full-device encryption enabled. Intune compliance policies enforce this requirement and flag non-compliant devices. Encryption standards align with FRHC’s Cryptographic Protections Standard.

  • Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.3
  • SCF Mapping: MDM-03 (Full Device & Container-Based Encryption)

FRHC’s Intune environment supports remote lock and remote wipe capabilities for all enrolled devices. In the event a device is reported lost, stolen, or compromised, IT Security initiates remote wipe procedures in accordance with FRHC’s Incident Response procedures. Records of remote wipe actions are retained.

  • Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.4
  • SCF Mapping: MDM-05 (Remote Purging)

3.5 Personally-Owned Mobile Devices (BYOD)

Section titled “3.5 Personally-Owned Mobile Devices (BYOD)”

FRHC permits personally-owned devices for business use only when enrolled in Intune. BYOD devices are subject to the same security compliance policies as corporate-issued devices. FRHC uses application-level management to scope controls to FRHC data, and selective wipe (rather than full device wipe) is applied to BYOD devices to protect personal data.

  • Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.5
  • SCF Mapping: MDM-06 (Personally-Owned Mobile Devices)

FRHC evaluates geofencing controls on a case-by-case basis for high-sensitivity systems. Where geofencing is applied, it is enforced via Entra ID Conditional Access location policies to restrict access from high-risk or unauthorized geographic regions.

  • Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.6
  • SCF Mapping: MDM-09 (Mobile Device Geofencing)

FRHC maintains evidence of device enrollment, compliance status, encryption configuration, and remote wipe actions within Intune reporting. IT Security reviews compliance dashboards periodically and escalates non-compliant devices for remediation. Evidence is retained to support SOC 2 Type II audits and HIPAA Security Rule compliance assessments.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Mobile Device Management Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.312(a)(2)(iv) – Encryption and Decryption
    • 45 CFR §164.312(e)(1) – Transmission Security
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC6.1, CC6.2)
    • Confidentiality (C1.2)

Framework Alignment:

  • MDM-01 – Centralized Management Of Mobile Devices
  • MDM-02 – Access Control For Mobile Devices
  • MDM-03 – Full Device & Container-Based Encryption
  • MDM-05 – Remote Purging
  • MDM-06 – Personally-Owned Mobile Devices
  • MDM-09 – Mobile Device Geofencing

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Corrected parent policy mapping references to current section format (Section N → Section 3.x)April 2026M Machin

Internal Use Only