Balancing privacy with security on clinicians’ devices

VUMC has made significant investments in its technology stack in recent years and embraced Microsoft 365 to secure and empower 33,000 clinicians and staff.

Many employees use their personal devices for work, and as VUMC deployed more apps to its employees, data security became a top priority for IT leadership.

In a high-trust environment like VUMC, it is just as important to respect the personal privacy of the device owner as it is to protect the data. VUMC therefore needed a balanced approach that treats privacy and security as two sides of the same coin.

“The expertise that Mobile Mentor provided to the team became the catalyst that enabled us to rapidly complete the BYO activity”

– Scott Hogan, Director Cloud Services Management


3-Phase BYOD program

VUMC engaged Mobile Mentor to help build a balanced policy and deploy a BYOD solution across the organization. The project had three distinct phases over 18 months:

1) BYOD policy development
2) technical implementation in the Microsoft tenant
3) deployment to 22,000 people using personal devices across the organization.

The Mobile Mentor team consulted with the business to develop a written BYOD policy that addressed the known risks and issues from the perspective of stakeholders in IT, Security, Finance, HR, and of course, the employees. After a drafting and review process, this policy document was sent to leadership for approval.

The second step was the detailed technical design for the configuration of Microsoft Intune with App Protection Policies. This is an elegant solution that protects Office 365 apps (Outlook, Teams, Excel, etc.) on a personal device that is not enrolled or managed by IT.

Once the technical design was approved, Intune was configured in the production environment, tested, and validated with a pre-defined group of test users.

Securing Office 365 data on clinicians’ personal devices

So how do the Intune app protection policies actually work?

Granular controls can be applied to the Office 365 apps to ensure that sensitive data is not misplaced.

For example, work-related email attachments in Outlook cannot be saved to a personal folder or file storage.

These App Protection Policies go a long way towards safeguarding Vanderbilt and its patients from data breaches.


“Working with Mobile Mentor was a great experience. The fact that you have done this before and could guide us on what works, and what doesn’t work, based on experience with others, was really great.”

– Andrew Hutchinson, Chief Information Security Officer

At the same time, the employee’s personal device is off limits. Vanderbilt IT has no visibility of the employee’s personal apps, browsing, social media activity, etc. In the event of a device loss or device repair, Vanderbilt can remove data from the Office 365 apps without touching any of the employee’s private apps, photos, etc. This approach ensures that personal privacy is respected while company information is secured.



Change Management

The third and most critical phase was articulating the policy, developing detailed migration instructions and guides and then supporting people through the change from VMware Workspace ONE (AirWatch) to Microsoft Intune.

This was a highly collaborative effort across many teams and included the creation of a short video called “Meet Us Half-Way” to explain how the BYOD policy works and to proactively address privacy concerns from the clinical community.

Some aspects of the migration were automated and straightforward, but certain use cases were very challenging. One category of devices required a factory reset and had to be registered in Intune. This presents multiple challenges to busy clinicians.

Mobile Mentor assembled a 3-tier support team for the rollout – answering 2,245 calls and resolving 2,226 tickets from people with issues, escalating technical issues to Tier 2 support and leaning on Tier 3 for the most complex problems.


This was not the only change happening at VUMC, and this BYOD project was one small part of a much larger modernization project.  Mobile Mentor is part of the IT steering group to ensure that changes are sequenced optimally for the clinicians.




Mobile Mentor is Microsoft’s 2021 Partner of the Year for Endpoint Management. Our engineers are certified by Microsoft, Apple and Google.



Vanderbilt University Medical Center is the largest healthcare employer in middle Tennessee with 33,000 employees across its hospitals and clinics. Vanderbilt University Medical Center is a level one trauma center and is widely regarded as being among the top teaching hospitals in the USA.



Mobile Mentor is a global leader in the endpoint ecosystem, helping clients to navigate the right balance between endpoint security and employee experience. We are a Microsoft ELITE partner and the 2021 global partner of the year for Modern Endpoint Management.