Managing AI apps with MDM: How IT admins can stay in control
AI apps such as ChatGPT, Claude or Gemini can make day-to-day work much easier. However, they can also pose security risks to mobile devices if used without appropriate guidelines.
Many companies find it difficult to properly assess the risks associated with using AI systems, as these are evolving rapidly and are extremely complex.
In the following article, we therefore aim to shed some light on the matter and explain the risks posed by AI apps on company mobile phones, how to use AI correctly, and what you need to do if AI apps are not to be used on company mobile phones at all.
What risks do AI apps pose on mobile devices?
Using AI apps on company mobile phones offers all sorts of exciting opportunities to enhance and streamline one’s work. Nevertheless, there are frequent reports of data leaks involving apps such as ChatGPT or Claude, as well as cyberattacks made possible by vulnerabilities in these AI apps.
Data protection & data hoarding:
The biggest issue regarding the use of AI apps on company mobile phones is data protection compliance. Many of the apps currently in widespread use, such as ChatGPT, Perplexity and Claude, are developed by US-based companies. Although these must comply with EU regulations to be used within the EU, the data is still processed in the US. For EU-based companies wishing to use US-based AI systems, there is no way of knowing how secure their data really is. As the AI apps send and process information via the internet, the company’s IP address may also be revealed. Unprotected data exchange between AI apps and servers can serve as a gateway for cyberattacks. Companies should therefore consider using a VPN. Furthermore, no personal or sensitive data should be shared with the AI app.
Another important point is the excessive data collection carried out by these apps. Under the GDPR, data collection and storage must be purpose-limited and proportionate. This applies not only to customer data, but also to that of employees. The fact that apps such as ChatGPT collect and store large amounts of data – even when the data is no longer being used for its original purpose – leads to breaches of data protection regulations.
In any case, when using AI apps, employees should always refuse permission to store data for training purposes and delete chats with the AI when they are no longer needed.
Mobile Endpoint Security Risks Posed by AI Apps
In addition to data protection concerns, there are other threats facing mobile devices. Due to the greater mobility of staff and the increased interconnectivity of devices, mobile endpoints have increasingly become a target for attackers. In the worst-case scenario, methods such as phishing can be used to gain access to a company’s entire system via smartphones and tablets. The resulting consequences can be catastrophic, for example if spyware or ransomware is spread from device to device.
AI-powered systems also make it easier for attackers to carry out a large number of attacks within a short period of time.
To identify potential threats at an early stage and avoid falling victim to fraud attempts, employees must be trained accordingly. Of particular importance here is the handling of AI applications, as well as the recognition of AI-generated content and deepfakes. This is crucial to ensure that deceptively realistic-looking phishing attacks and scams can be identified. The EU AI Act provides for AI training for certain groups of companies. Nevertheless, we also recommend that all other companies address this issue adequately and conduct AI training – at the very least to provide basic information on the risks and the use of AI apps at work.
Dealing with AI on company mobile phones: implementing guidelines
According to a recent report, AI systems significantly increase the scope for attacks on corporate security infrastructure. It is therefore essential that companies do not simply allow the unregulated use of apps such as Gemini, Claude or ChatGPT, but instead draw up specific guidelines on how to work with these systems. It is also generally advisable to address the issue of AI proactively to ensure clarity and security.
The following questions provide guidance beyond the technical aspects:
1. Which AI systems are actually permitted for use within the company?
It is not uncommon for employees to already be using AI systems or large language models (LLMs) for research purposes, to draft emails, create summaries and much more. As there are several major AI providers, it is necessary to clarify which systems may already be in use and whether these AI systems actually comply with the company’s compliance guidelines. In any case, an assessment must be carried out to determine where data is stored and how it is processed.
2. What kinds of tasks can be handled by AI?
Quite a few apps that, at first glance, appear to have nothing to do with AI are already using LLMs to, for example, generate automatic suggestions for users, fill in forms or enter data. Essentially, this means that repetitive tasks can often be streamlined even today. However, not every task should be delegated to AI. If tasks are highly complex, require a great deal of supervision or correction, or are of an iterative nature, it is not advisable to hand them over entirely to AI. AI is also only recommended to a limited extent for medical diagnoses, safety checks or the compilation of statistics. The reason for this is that AI does not ‘think’ in the traditional sense, as it can only draw conclusions from the data it receives, generate new data or recognise patterns. The programme cannot detect whether there are errors or gaps in the database.
3. What data can be shared?
As briefly mentioned above, the data entered into AI apps does not remain on the devices, as the AI systems rely on an internet connection and a link to their servers to generate results. The barrier to using AI apps such as Claude or ChatGPT is also often much lower on mobile devices, as tasks can be quickly completed ‘in between’ other activities. Companies should therefore advise their employees that no sensitive, personal data may be shared. Internal company data, such as salaries, turnover or similar information, should also never be entered directly into the AI.
What should you do if you don’t want to use AI on mobile devices?
For data protection reasons, companies may decide not to permit the use of AI on mobile devices at all. There are various ways to completely ban AI applications on mobile devices. An MDM solution helps to implement these policies quickly and efficiently across all company devices.
The most radical option for Android and Apple devices is to place AI apps directly on a blocklist. This prevents apps such as ChatGPT, Gemini or Claude from being installed in the first place. If the apps have already been installed, they can also be removed from mobile devices using an uninstall command.
In addition to the blocklist, we also recommend configuring the app catalogue on mobile devices accordingly. On Android, the Google Play Store can be configured via MDM so that only apps approved by the company appear there and can be installed at all. On Apple DEP devices, only apps that the admin has approved in the Apple Business Portal can be installed. Without the VPP licence, employees cannot install apps.
However, a wide range of mobile devices now feature built-in AI that is integrated into the system. On Samsung devices, for example, this is Galaxy AI, whilst on Apple devices it is Apple Intelligence. You can find out more about managing Apple Intelligence via MDM here: Apple Intelligence MobiVisor. Apple Intelligence can be completely disabled via MDM.
Samsung also offers extensive options for managing AI features: for example, individual applications such as Note Assist, Circle to Search and Live Translate can be disabled. Additionally, you can specify that AI apps should only be processed within the app itself. To make use of these options, however, the MDM must support the Samsung Enterprise API.
Other Android devices also have internal AI systems – on Google Pixel devices, for example, this is Google Gemini. Here too, the app can be completely blocked. To prevent the use of Gemini in Google Chrome, the use of AI within the browser can be disabled via browser settings. As many other Android devices also use Google Chrome as their default browser, this approach is also suitable for them.
In principle, however, full management of AI apps or device-internal AI systems is only possible for fully managed mobile devices (Company-Owned – Business Only model). With all other deployment models (BYOD, COPE), there is a private profile on the device that cannot be managed by the IT administrator. If mobile devices are used in this way within the company, employees should definitely be advised on the correct use of AI apps. Apple does not have this strict separation of profiles – but here too, privately installed apps cannot be managed. On Apple devices in COPE mode, however, AI apps can be installed via MDM, for example, and are therefore manageable. You can find out more in this article: Apple BYOD
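The blocklist, the approved app catalogue and the deployment-model limits described above can be combined into one fleet check. The following is an added example, not MobiVisor code: the inventory format and field names are hypothetical, the data is constructed, and the package identifiers are sample values to verify against your own catalogue.

```python
# Added example with constructed data; field names are hypothetical, not an MDM schema.
# Package identifiers are sample values: check them against your own app catalogue.
BLOCKLIST = {"com.openai.chatgpt", "com.anthropic.claude", "com.google.android.apps.bard"}
APPROVED = {"com.example.crm", "com.android.chrome"}

# Apps reported from the managed scope of each device. A private profile on
# BYOD/COPE devices is outside the admin's view and does not appear here.
INVENTORY = [
    {"device": "pixel-01", "mode": "COBO",
     "apps": ["com.openai.chatgpt", "com.example.crm"]},
    {"device": "galaxy-07", "mode": "COPE",
     "apps": ["com.example.crm", "com.example.notes"]},
    {"device": "byod-12", "mode": "BYOD",
     "apps": ["com.google.android.apps.bard"]},
]

def plan_device(dev, blocklist, approved):
    """Decide what the MDM can enforce on one device and what is left to guidance."""
    apps = set(dev["apps"])
    return {
        # Blocklisted apps in the managed scope: candidates for the uninstall command.
        "uninstall": sorted(apps & blocklist),
        # Neither blocklisted nor in the approved catalogue: needs an admin decision.
        "review": sorted(apps - blocklist - approved),
        # Only fully managed (COBO) devices are covered completely. Any other or
        # unknown mode is treated as having an unmanaged part, so users need advice.
        "guidance_needed": dev["mode"] != "COBO",
    }

def plan_fleet(inventory, blocklist, approved):
    """Map each device name to its enforcement plan."""
    return {d["device"]: plan_device(d, blocklist, approved) for d in inventory}

if __name__ == "__main__":
    for name, plan in plan_fleet(INVENTORY, BLOCKLIST, APPROVED).items():
        print(name, plan)
```

The `guidance_needed` flag marks exactly the devices where a blocklist alone leaves a gap, so those users should receive the usage guidelines in addition to the technical policy.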
Conclusion:
Although the use of AI apps such as ChatGPT, Claude or Google Gemini may seem trivial at first glance, these apps – as well as the AI systems integrated into mobile devices – harbour far greater risks than is immediately apparent. Companies must therefore not only consider how and whether AI should be used in principle, but also how their sensitive data should be handled within these applications. This requires the development of data protection-compliant guidelines for the handling and use of AI, which must also be implemented technically. An MDM offers various options for this: from completely blocking AI apps to configuring Google Chrome.
Depending on the usage model of the mobile devices, various options are available here. For companies, the management of AI applications within the organisation therefore involves several interlinked levels.