Mobile Device Management Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Mobile Device Management Policy
Framework Reference: Secure Controls Framework – Mobile Device Management (MDM)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Mobile Device Management requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to manage, secure, and monitor mobile devices that access or store FRHC data, including ePHI and other regulated or sensitive information.
2. Applicability
Section titled “2. Applicability”This standard applies to all corporate-issued and personally-owned (BYOD) mobile devices—including smartphones, tablets, and laptops—used by FRHC employees, contractors, and third parties to access FRHC systems or data. It applies regardless of device ownership when FRHC data is accessed.
3. Standard
Section titled “3. Standard”3.1 Centralized Management of Mobile Devices
Section titled “3.1 Centralized Management of Mobile Devices”FRHC enrolls all corporate-issued and approved personally-owned mobile devices in Microsoft Intune, the centralized MDM platform used across the FRHC Microsoft 365 / Azure environment. Intune enforces configuration policies, manages patch deployment, provides security monitoring, and enforces compliance policies across enrolled devices.
- Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.1
- SCF Mapping: MDM-01 (Centralized Management Of Mobile Devices)
3.2 Access Control for Mobile Devices
Section titled “3.2 Access Control for Mobile Devices”FRHC requires multi-factor authentication (MFA) for all mobile device access to FRHC systems and data. Devices are configured with inactivity screen locks and account lockout policies consistent with FRHC’s Identification & Authentication Standard. These controls are enforced via Intune Conditional Access and Entra ID policies.
- Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.2
- SCF Mapping: MDM-02 (Access Control For Mobile Devices)
3.3 Full Device & Container-Based Encryption
Section titled “3.3 Full Device & Container-Based Encryption”All FRHC-enrolled mobile devices must have full-device encryption enabled. Intune compliance policies enforce this requirement and flag non-compliant devices. Encryption standards align with FRHC’s Cryptographic Protections Standard.
- Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.3
- SCF Mapping: MDM-03 (Full Device & Container-Based Encryption)
3.4 Remote Purging
Section titled “3.4 Remote Purging”FRHC’s Intune environment supports remote lock and remote wipe capabilities for all enrolled devices. In the event a device is reported lost, stolen, or compromised, IT Security initiates remote wipe procedures in accordance with FRHC’s Incident Response procedures. Records of remote wipe actions are retained.
- Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.4
- SCF Mapping: MDM-05 (Remote Purging)
3.5 Personally-Owned Mobile Devices (BYOD)
Section titled “3.5 Personally-Owned Mobile Devices (BYOD)”FRHC permits personally-owned devices for business use only when enrolled in Intune. BYOD devices are subject to the same security compliance policies as corporate-issued devices. FRHC uses application-level management to scope controls to FRHC data, and selective wipe (rather than full device wipe) is applied to BYOD devices to protect personal data.
- Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.5
- SCF Mapping: MDM-06 (Personally-Owned Mobile Devices)
3.6 Mobile Device Geofencing
Section titled “3.6 Mobile Device Geofencing”FRHC evaluates geofencing controls on a case-by-case basis for high-sensitivity systems. Where geofencing is applied, it is enforced via Entra ID Conditional Access location policies to restrict access from high-risk or unauthorized geographic regions.
- Parent Policy Mapping: STH Mobile Device Management Policy, Section 3.6
- SCF Mapping: MDM-09 (Mobile Device Geofencing)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence of device enrollment, compliance status, encryption configuration, and remote wipe actions within Intune reporting. IT Security reviews compliance dashboards periodically and escalates non-compliant devices for remediation. Evidence is retained to support SOC 2 Type II audits and HIPAA Security Rule compliance assessments.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Mobile Device Management Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.312(a)(2)(iv) – Encryption and Decryption
- 45 CFR §164.312(e)(1) – Transmission Security
- AICPA SOC 2 Trust Services Criteria:
- Security (CC6.1, CC6.2)
- Confidentiality (C1.2)
Framework Alignment:
- MDM-01 – Centralized Management Of Mobile Devices
- MDM-02 – Access Control For Mobile Devices
- MDM-03 – Full Device & Container-Based Encryption
- MDM-05 – Remote Purging
- MDM-06 – Personally-Owned Mobile Devices
- MDM-09 – Mobile Device Geofencing
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | July 2021 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Corrected parent policy mapping references to current section format (Section N → Section 3.x) | April 2026 | M Machin |
