Google Apps: Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data

In May 2019, in an effort to comply with security requirements of devices with access to Protected Health Information (PHI) the University started restricting users with access toPHI from using certain applications that use IMAP or POP3. This policy change has a projected completion in September 2019. The change is being staggered by unit to allow for better support for users having difficulties with the transition. Further information about this project can be found at z.umn.edu/hcc-device-security

This change means employees in the BAA are no longer allowed to use third party applications to access their University accounts. Instead, employees that fall into the BAA category need to use officially supported Google Apps and Google Apps Websites

There are three ways you can access your University email account and other Google Apps:

  • On your desktop, using the web interface (calendar.umn.edu, mail.umn.edu, etc).
  • On your mobile device, using the web interface (mail.umn.edu).
  • On your mobile device, using the official Google provided app from the Android Play Store or the iTunes App Store (Gmail App, Google Calendar App, Google Drive App, etc) with the Google Device Policy app installed and configured on your device.

Note: Third party Desktop and mobile email apps (such as AppleMail, Thunderbird, Outlook and SamsungMail) are not authorized for use with BAA Accounts.

In this article:

Exceptions to This Policy 

The Office of Information Technology understands that some people may need an exception to this policy for a variety of reasons. Examples of possible exceptions include but are not limited to: 

  • Older devices that cannot use the apps
  • Apps that fulfill a business need that haven't been documented
  • There is Mobile Device Management (MDM) software from another institution that conflicts with the Google Device Policy App on your device.

To request an exception to this policy, please fill out this Google Form (per campus):

Early Opt-In

If you would like to opt-in to this change early, you can visit our early opt-in form (per campus):

Setting up Your Email on Your Mobile Device

Follow these steps to prepare and setup your mobile device for Google Apps use:

  1. Review the Minimum Security Requirements for Setting up The Google Device Policy App
  2. Review Accounts from Other Institutions
  3. Backing Up Your Data
  4. Updating Your Devices Software
  5. Encrypting and Setting a Passcode on Your Device
  6. Setting up Your Device

Review the Minimum Security Requirements for Setting up The Google Device Policy App

  • Basic Screenlock (at least one type listed below)
    • 4 digit pin (required for encryption)
    • Pattern
    • Biometrics
    • 6+ Letter Password
  • Device is Encrypted
    • This also requires a 4 digit PIN to be set up in the device. This PIN would only be required to sign in to the device when it is initially powered up or rebooted. Afterwards, any of the above screen unlock methods may be used instead. 
  • Able to install the certificate
  • Device is not rooted (Android) or Jailbroken (iOS, iPad OS)
  • Versions of iOS and Android Supported
    • Refer to Work profiles section for Android devices and Advanced Management section for iOS devices
  • No other Mobile Device Management (MDM) applications installed on the device, including other instances of the Google Device Policy App

Review Accounts from Other Institutions 

Other institutions you work with may already have Mobile Device Management (MDM) software that they require you to use to access their systems. Some of this MDM software may conflict with The University's Google Device Policy App and wherever possible, we would like to limit the disruption to your daily work.

  • If you believe you have MDM software for another institution on your device, please request an exception to this policy
    • Important Note: Include the name of the other institution that has this software and, if known, any details of the software they use.

Backing Up Your Data

We highly recommend you back-up your device's data and contacts before you encrypt your device. 

Note: Technology Help does not do data recovery for personal devices.

  • Check your Android device's version
    • Some older versions of Android require a Factory Reset when encrypting the device so backing up your data is especially important if your device version is older than Android 7.0
  • Check your iOS device's version
    • Backing up your data is especially important if your device version is older than iOS 9.0. 

Note: Backing up the data on your device can take some time depending on your device and network. You should do this process when you don't need to use your device for a while.

  • Be sure your device is plugged in and charged before beginning. If your device powers off during the process, you will likely be unable to use it without professional assistance.

Updating Your Devices Software

The Google Device Policy App requires iOS 9.0 on iPhones/iPads or Android Version 4.0 on Android devices. Previous versions are not supported. 

If your device needs to be updated, follow the steps below:

Note: Updating your device can take some time depending on your device and network. You should do this process when you don't need to use your device for a while.

  • Be sure your device is plugged in and charged before beginning the update process. If your device powers off during the process, you will likely be unable to use it without professional assistance.

Encrypting and Setting a Passcode on Your Device

Required: Phones must be encrypted and configured to have a passcode. This is to ensure that anyone attempting to access your device using unapproved means cannot read the data on it. 

Note: By setting up encryption on your device, the passcode you set up will be required each time you power the device off and turn it back on. After this initial passcode entry, any further unlocks of the device can be accomplished through other means if applicable (fingerprint, PIN, etc). 

Setting up Your Device

Information Collected by the Google Device Policy Application

The Google Device Policy App collects some information about the status of your device. This information is only available to University of Minnesota Google Apps administrators and will only be used in the context of supporting access to your Google Apps Account.

In case your device is lost or stolen, the Google Device Policy App also allows UMN Google Apps Administrators to remotely wipe either your devices Work Profile or all data on your device. 

The information collected includes:

  • What apps are installed on the device.
  • Which apps are installed from sources other than the Play/iTunes stores
  • Whether the camera is active or not.
  • Device Security Information (listed in table below)
  • Device Information (listed in table below)
  • User Information (listed in table below)
  • Installed Apps (listed in table below)

Note: This does not include content displayed on the screen, or the video/audio that cameras/microphones may be capturing, nor what apps are in use. 

Device Security Information Collected

Device Information Collected

User Information Collected

Installed Apps

  • Management level (basic, adv)
  • Password status (on/off)
  • Compromised status (Yes/No)
  • Encryption status (Yes/No)
  • Camera status (Allowed/Not)
  • Privilege (of the device policy app)
  • First sync
  • Last sync
  • User agent (dev policy version)
  • Managed account on owner (Yes/No)
  • ADB status (Enabled/Disabled)
  • Apps from Unknown sources (Enabled/Disabled)
  • Developer options (Enabled/Disabled)
  • Verify apps (Enabled/Disabled)
  • Device ID
  • Serial number
  • Ownership (User/University owned device)
  • Type (example: Android)
  • Operating system
  • IMEI
  • Brand
  • Manufacturer
  • Build number
  • Kernel version
  • Bootloader version
  • Hardware
  • Baseband version
  • OS security patch
  • Work profile (Supported/not supported)
  • Default language
  • Name
  • Primary email
  • Device Apps (Names and Version Numbers of apps that come with the phone. NOT user installed apps)
  • Potentially harmful apps (Names and Version Numbers) - These include malicious apps like trojans, spyware, and phishing apps, as well as user-wanted apps

Additional Support

Please contact Technology Help. You can call 612-301-4357 (1-HELP from any campus landline phone) Chat with, or email us 24 hours a day, 7 days a week.