MDM and Privacy: How Norypt MDM Compares to Jamf, Intune, and Workspace ONE
Jamf, Intune, and Workspace ONE solve real problems — but every one routes your fleet data through vendor cloud infrastructure. Here's what they collect, where it goes, and what Norypt MDM does differently.
Mobile Device Management has been a corporate IT staple for over a decade. Jamf, Microsoft Intune, VMware Workspace ONE, and SOTI dominate the enterprise market — and they solve real problems. But every one of them was built around a core assumption: the organisation managing the devices accepts data flowing to a US or EU cloud provider, and the devices being managed run stock Android or iOS.
That assumption breaks down the moment the organisation needs to remain operationally invisible, or the people carrying those devices face adversaries that include state actors or well-resourced institutions. This article explains what the major MDM platforms collect, where that data goes — and what Norypt MDM does differently.
🏢 What every mainstream MDM collects by default
To manage a fleet, an MDM needs some device information. The question is how much, and where it goes. Here is what the four dominant platforms collect in a standard deployment.
Microsoft Intune
Intune is deeply integrated with Microsoft 365 and Azure Active Directory. Enrolled devices transmit:
- 📛 Device name, model, and serial number
- 🖥️ OS version and compliance state
- 📦 Full installed app inventory (fully managed mode)
- 📍 Location when configured
- 🪪 User identity tied to an Azure AD account
All of this flows to Microsoft Azure — subject to Microsoft's terms of service and US CLOUD Act jurisdiction. An organisation where operator identity must be confidential cannot use Azure AD as an identity anchor.
Jamf
The dominant MDM for Apple devices. A Jamf-managed iPhone or Mac sends:
- 🔢 Hardware UUID and serial number
- 📋 OS version and installed profiles
- 📦 Full app inventory
- 📍 Location and network information (configurable)
Jamf Pro can be self-hosted, but it operates exclusively on stock iOS — meaning Apple's own telemetry layer runs independently of Jamf, and cannot be disabled. Jamf has no GrapheneOS support.
VMware Workspace ONE
Supports Android, iOS, Windows, and macOS in a unified platform. On fully managed Android:
- 📦 Every installed app visible to the MDM server
- 🌐 Hardware identifiers and network state
- 📍 Real-time location (configured deployments)
- ✅ Compliance posture continuously reported
Workspace ONE uses Google's Play Managed Device infrastructure — meaning even in a Workspace ONE deployment, enrolled Android devices communicate with Google for app delivery and attestation. The privacy layer is only as strong as the weakest link.
SOTI
Targets ruggedised industrial deployments — retail, logistics, healthcare. The data collection profile is similar to Workspace ONE: hardware identifiers, app inventory, location, compliance state. Enrolled devices check in with a SOTI server that logs their state continuously.
⚠️ The structural privacy problem with mainstream MDM
These platforms are not malicious. The problem is architectural: they were designed to give an organisation maximum visibility into its devices, and they achieve that by collecting maximum data and routing it through third-party cloud infrastructure that the organisation does not control.
🔍 The core issue
For an organisation whose threat model includes the cloud providers themselves — or the governments that can compel those providers — the MDM infrastructure becomes a liability. It creates a centralised record of who has what device, where they are, what apps they run, and when they were last active.
For a standard enterprise — a retailer managing point-of-sale terminals, a hospital managing workstations — this trade-off is acceptable. The organisation needs visibility, accepts the cloud dependency, and operates in an environment where data flowing to Microsoft or VMware is not itself sensitive.
For organisations where that data is sensitive, mainstream MDM creates exactly the record their adversaries want to find.
🛡️ What Norypt MDM does differently
Norypt MDM was built for a different threat model. The design decisions that distinguish it from mainstream platforms are not features added on top — they are structural choices made at the foundation.
No identity at enrolment
Mainstream MDMs tie enrolment to an Azure AD account, Apple ID, or Google account. That identity becomes the anchor for everything the platform tracks. Norypt MDM enrols devices with a token — no identity, no anchor, no person on record.
Self-hosted, no vendor cloud
No Microsoft, no Google, no VMware in the data path. The MDM server runs on infrastructure you control — or on Norypt-operated infrastructure hardened for operational security. No telemetry flows to any vendor, because there is no vendor cloud.
GrapheneOS-native
Norypt MDM manages GrapheneOS devices — meaning the OS layer has zero Google telemetry. Stock Android MDM deployments, however privacy-conscious at the MDM layer, still run on an OS maintaining its own Google connection. Both layers are clean here.
Minimal data by design
The server collects only what is operationally necessary: enrolment state, compliance posture, and the ability to push policies or wipe. No app inventory by default. No location record. No behaviour log. Administrators see whether a device is enrolled — not what the person carrying it is doing.
Encrypted communications throughout
All communication between enrolled devices and the MDM server uses end-to-end encrypted channels. Policy pushes, compliance checks, and wipe commands are encrypted in transit and authenticated with device-specific keys. An attacker intercepting MDM traffic cannot determine which organisation operates the server, which devices are enrolled, or what commands are being sent.
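The three design points above (token enrolment with no identity, a server record limited to enrolment and compliance state, and commands authenticated with device-specific keys) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Norypt's own code or wire protocol; the class and function names, the use of HMAC-SHA256 as the per-device authenticator, and the assumption that the per-device key is handed over inside the already-encrypted enrolment channel are all constructed for the example.

```python
import hmac
import hashlib
import json
import secrets

# Constructed sketch of identity-free enrolment and device-keyed command
# authentication. Assumption: the key returned by enrol() travels over the
# encrypted enrolment channel, so a shared HMAC key suffices for the sketch.

def mac(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    data = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class MinimalMdmServer:
    def __init__(self):
        self.pending_tokens = set()   # one-time tokens issued out of band
        self.devices = {}             # device_id -> {"key", "compliant"}

    def issue_token(self) -> str:
        token = secrets.token_urlsafe(24)
        self.pending_tokens.add(token)
        return token

    def enrol(self, token: str):
        """Consume the token; record no account, name, serial or location."""
        if token not in self.pending_tokens:
            return None
        self.pending_tokens.discard(token)
        device_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.devices[device_id] = {"key": key, "compliant": False}
        return device_id, key

    def check_in(self, device_id: str, report: dict, tag: str) -> bool:
        """Accept a compliance report only if its MAC verifies under this device's key."""
        dev = self.devices.get(device_id)
        if dev is None or not hmac.compare_digest(mac(dev["key"], report), tag):
            return False
        dev["compliant"] = bool(report["compliant"])
        return True

    def command(self, device_id: str, action: str) -> dict:
        """Build a policy or wipe command authenticated with the target device's key."""
        msg = {"device_id": device_id, "action": action, "nonce": secrets.token_hex(8)}
        return {"msg": msg, "tag": mac(self.devices[device_id]["key"], msg)}

    def stored_fields(self, device_id: str) -> set:
        """Everything the server holds about a device: no identity, no location."""
        return set(self.devices[device_id])

def device_accepts(key: bytes, cmd: dict) -> bool:
    """Device-side check: only commands authenticated under its own key are honoured
    (nonce replay tracking omitted for brevity)."""
    return hmac.compare_digest(mac(key, cmd["msg"]), cmd["tag"])
```

The point a practitioner should take from the sketch is what the server table does not contain: a token can be consumed once, the record holds only a key and a compliance flag, and a wipe command built for one device fails verification on every other device.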
📊 Side-by-side comparison
| Capability | 🏢 Jamf / Intune / Workspace ONE | 🛡️ Norypt MDM |
|---|---|---|
| 🪪 Identity required at enrolment | Yes — Apple ID, Azure AD, or Google account | ✅ No — token-based, no identity anchor |
| ☁️ Data flows to vendor cloud | Yes — Microsoft, Apple, VMware, or Google | ✅ No — self-hosted or Norypt-operated |
| 📱 GrapheneOS support | ❌ No | ✅ Yes — purpose-built |
| 📡 OS-level telemetry | Yes — stock iOS/Android maintain their own | ✅ None — GrapheneOS removes all Google telemetry |
| 📦 App inventory collection | Yes (fully managed mode) | ✅ Not collected by default |
| 📍 Location tracking | Yes (configurable) | ✅ Not collected by design |
| ⚖️ Vendor data-access risk | Yes — CLOUD Act, vendor policies apply | ✅ No third-party vendor in the data path |
| 👁️ Admin can link device to person | Yes — by design | ✅ No — enrolment is identity-free |
| 🗑️ Remote wipe capability | ✅ Yes | ✅ Yes |
| 🔧 Policy enforcement | ✅ Yes | ✅ Yes |
| 📲 App deployment | ✅ Yes | ✅ Yes |
🎯 Who needs privacy-first MDM
Conventional MDM platforms are the right answer for most organisations. If you are issuing phones to a sales team, Intune or Jamf will serve you well. The cloud dependency is not a problem if your adversaries are opportunistic thieves and careless employees — which describes most corporate threat models accurately.
Norypt MDM is built for organisations where the threat model goes further:
Journalism & investigative reporting
Source protection requires that infrastructure managing reporters' devices cannot be compelled by a government to reveal who those reporters are or what devices they carry. Mainstream MDMs, by design, can be.
Legal & attorney-client privilege
Law firms handling sensitive cases — criminal defence, human rights litigation, corporate disputes — need device management that does not create a third-party record accessible under legal process.
NGOs in restrictive environments
Organisations operating in countries with surveillance infrastructure need MDM that cannot be queried by hostile governments — directly or through legal pressure on US or EU cloud providers.
Security research & intelligence
Teams whose operational security depends on not leaving digital footprints in vendor infrastructure — where even the metadata of a managed fleet is operationally sensitive.
Executive protection
High-profile individuals or organisations where the existence of a managed fleet is itself sensitive information — and where a vendor's infrastructure cannot be allowed to hold that record.
✅ The practical result
A Norypt MDM deployment gives administrators the core capabilities that make fleet management viable — remote wipe, policy enforcement, app deployment, compliance monitoring — without creating the metadata trail that makes mainstream MDM a liability for privacy-sensitive operations.
🛡️ Three layers of protection, working together
OS layer
GrapheneOS removes all Google telemetry — the device does not phone home to any third party at the OS level.
MDM layer
No vendor cloud. No identity anchor. The MDM server holds no record linking a device to a person.
Enrolment layer
Token-based enrolment — no Microsoft account, no Apple ID, no Google account required or created.
The result: a managed fleet where administrative controls exist, but the surveillance surface does not.
If you are evaluating MDM for an organisation where that distinction matters, Norypt MDM is the starting point. If you are not sure whether your threat model requires it, contact us — the first question is always whether your adversaries include the organisations your current MDM vendor reports to.