A significant share of modern enterprise work happens on mobile devices: email, document access, calendar, banking, health applications, audit systems. Field staff, sales teams, healthcare workers, and executives use phones and tablets as work devices.
Yet for most enterprise security infrastructure, the mobile device stays invisible. ADC and WAAP platforms see mobile browser/app traffic but can't collect data about the device itself. The MDM need is typically filled by a separate product, with a separate license and a separate operations team.
This separation creates two problems. First: mobile device access policy doesn't merge with AAM; device posture and access decisions live in different places. Second: SOC and IT teams have to consult two different consoles during incidents.
TR7 ETM closes that separation. Mobile management ships as a natural extension of desktop management, on the same platform.
TR7 ETM offers the same operational model for mobile and desktop devices — telemetry, action, policy, and audit in common.
Commands flow to devices through the platform-native push and MDM standards of iOS and Android. No third-party MDM solution is required; ETM functions as built-in MDM.
An operator can push policy to an Android device and run a live query against desktops in the same session. No separate tool, no separate training, no separate audit — through a single TR7 platform.
Mobile compliance signals — jailbreak, root, OS level, encryption, MDM-controlled state — flow directly to AAM conditional-access policy. Access decisions for mobile devices follow device trust, not just user identity.
Android work profile and iOS managed app configuration separate work data from personal data. In Personal Device (BYOD) scenarios, personal apps are untouched while work data is managed; on device loss, only the work profile is wiped.
Built-in MDM brings every device type in the field into the TR7 management plane without distinction.
The enrollment flow depends on the scenario: zero-touch enrollment for corporate-owned devices, self-service enrollment for user-brought devices, and an MDM command chain for corporate devices. Integrations with platform-native enterprise device programs are supported.
Enterprise Wi-Fi networks, VPN configurations, email account definitions, and client certificates are delivered as profiles. Users don't configure anything manually; policy changes propagate across the device estate automatically.
Enterprise apps install automatically; outdated versions get update enforcement; banned apps are blocked or removed. Apps within iOS managed app and Android work profile are under full control.
Conditions for a device to be considered compliant are defined: OS version, disk encryption, lock screen type, biometric activation, USB debugging state. Non-compliant devices are blocked or restricted from access.
Jailbroken or rooted devices are automatically moved to the non-compliant class. The signal flows immediately to AAM conditional-access decisions; in high-sensitivity scenarios (banking, healthcare, government) access is blocked outright.
On device loss, two options exist: full wipe (factory reset, both work and personal data) or selective wipe (work profile only). In Personal Device (BYOD) scenarios, selective wipe preserves user personal data.
Where organizational policy permits, device location is observable; a policy trigger runs when a device crosses a geographic boundary. This is especially useful in sectors with cross-border data transfer restrictions.
Client certificates, root certificates, and application signing certificates are distributed automatically. Renewal, revocation, and distribution are managed centrally; users don't install them manually.
For high-security environments, camera use, microphone access, screen recording, and external device connection are policy-managed. Suitable for meeting rooms, sensitive sites, or government/defense environments.
When a new policy is defined, the device is notified via the platform-native push channel; policy applies within minutes. Users don't wait for reboots or reconnections.
Built-in MDM is not just a technical capability — it offers a full management model for mobile device estates.
Mobile and desktop device actions accumulate in the same audit trail. Compliance teams don't run separate reports; data from both device types arrives together for incident response.
Mobile posture signals (compliance, jailbreak, OS version) feed AAM conditional-access policy directly. Access policy is written against device trust, not device type.
Zero-touch enrollment is supported for corporate-purchased devices. When the device powers on, it enters MDM scope automatically; the user doesn't take extra steps in the setup wizard.
Android work profile and iOS managed app configuration separate personal and work data physically. The organization sees and manages only the work profile; it has no access to personal data.
Data collected from devices stays in the organization's network, in TR7 management storage. No cloud MDM dependency is required. Suitable configurations exist for data minimization and cross-border data transfer restrictions.
Tens of thousands of mobile devices can be managed from a single TR7 cluster. Bulk policy distribution, estate-wide app installation, and live compliance querying all scale.
Clinicians on personal tablets must align with health data compliance. ETM MDM deploys a work profile; personal apps are untouched while corporate email, patient management system, and certificate-based access live inside the secure profile. On device loss, only the work profile is wiped.
Field staff in logistics, energy, or infrastructure use corporate devices. Zero-touch enrollment brings devices into MDM scope on first power-on; field apps install automatically, Wi-Fi and VPN settings deploy without manual steps.
For banking or finance services, AAM access policy ties to mobile device trust. Jailbroken devices, outdated OS versions, or disabled encryption mark devices non-compliant; they don't get app access. Decisions run on a live signal.
When a user reports device loss, the IT operator applies selective or full wipe with one click. In Personal Device (BYOD) scenarios, the user's personal photos and apps survive; only the work profile is cleared. Corporate data is removed within minutes.