Hi Lance, I can only tell you how we deal with some of the same concerns. We are running Workspace ONE UEM SaaS as well in a rather large health care setting. Your request is broad, but perhaps I can provide a little insight on how we lock down and manage our MDM solution. I just responded to an earlier post from a user that offered some disturbing comments on how liberal they are with user access and apps.

So here is how we manage MDM. On profiles, we created roles to ensure users don't have the ability to change or create profiles. We see profiles the same as Group Policy, and we only allow certain admins to create or edit profiles. Every build is documented, and with respect to security, we provide our security team with the base build of every project to ensure all settings are appropriately locked down. Whenever any of the policies change in a build it gets documented.

Also, it may be worth taking some time to think about how you plan on developing your structure around existing policy. We had to come up with good policy to ensure users are aware of what they can and can't do. Workspace ONE is huge with many moving parts, so there is a lot to consider.

We have corporate-owned devices, and BYOD devices. We also have corporate-owned devices that users are allowed to use as personal, but we restrict the user from downloading personal apps on a corporate device; same for music. Phones are immediately wiped if not seen for over 30 days, or reported missing. We don't use geofencing because if you think about it, what happens if a device is stolen and the SIM is removed or turned off? We are more concerned with protecting the data and not so much the device itself. Also, not so sure if upper management would appreciate tracking of their location. When it comes to corporate-owned phones we also have a tech review process for each build, to make sure it falls in line with protecting PHI. Last thing you want is to have an employee ask to have Words with Friends on a corporate-owned phone that presents a security risk.

You may want to look into Intelligence for Workspace ONE and see if there are additional benefits you may want to leverage. There is much to consider with your structure, and from what I see out there, many organizations manage their MDM solution like they manage their personal iPad or Android.

We are also DEP, so that adds another layer to the security concerns we have. Rather than geofence, we set up profiles to only allow the device to connect to certain Wi-Fi. The device can't even be used at home if removed from location. We are also AD integrated, and restrict access to apps by AD groups as well. Where admins seem to miss the mark, in my personal opinion, is focusing on builds and not structure, policy and documentation. We also have asset recovery, but that's more for devices that are not being used in the organization that someone has stored in their cabinet. We are very concerned here with PHI, so we disable things like screenshots, Bluetooth, certain Wi-Fi, and require exception approval that has a specific use case. We build out exceptions for those and control them with AD security groups.

I can go on forever. We really spent a lot of time trying to get this right. So far so good. It took a while for users to understand this is not your home iPad or Android device. We also lock down what you can and can't do with email, like attachments.

Hope this helps or starts the conversation on how to build out a reliable MDM solution. Finally, we have internal workflows in place for things like kiosks and clinical devices that require a 24-hour turnaround time. All purchases are managed via our purchasing department, to keep track of assets, recovery, and hardware consistency. Again, much to consider. I hope the info was helpful in any way. Feel free to share your experience as you move forward. -Abe
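The wipe rule Abe describes (wipe a device that has not checked in for over 30 days, or that is reported missing) is easy to get subtly wrong when it is run as a scheduled job against a device export, so here is an added Python example of such a sweep. It is not code from the post or from Workspace ONE UEM: the inventory fields (serial, ownership, last-seen time, missing flag), the serials and dates, and the choice of a full device wipe for corporate-owned devices versus an enterprise wipe of only managed data for BYOD are all my assumptions for the example. It refuses naive timestamps, because comparing a naive check-in time against an aware "now" shifts the 30-day boundary silently.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Rule from the post: wipe a device not seen for over 30 days, or reported missing.
STALE_AFTER = timedelta(days=30)


@dataclass(frozen=True)
class Device:
    """One row of an exported device inventory (field names are assumed)."""
    serial: str
    ownership: str                 # "corporate" or "byod" (assumed labels)
    last_seen: Optional[datetime]  # timezone-aware check-in time; None if never seen
    reported_missing: bool = False


def wipe_reason(device: Device, now: datetime) -> Optional[str]:
    """Return why the device meets the wipe rule, or None if it is compliant."""
    if now.tzinfo is None or (device.last_seen is not None
                              and device.last_seen.tzinfo is None):
        # A naive timestamp compared against an aware one would move the
        # 30-day boundary by the local UTC offset; refuse it outright.
        raise ValueError(f"{device.serial}: timestamps must be timezone-aware")
    if device.reported_missing:
        return "reported missing"
    if device.last_seen is None:
        # Assumption (not in the post): a device that never checked in counts as unseen.
        return "never checked in"
    silent_for = now - device.last_seen
    if silent_for > STALE_AFTER:          # strictly "over" 30 days, as the post says
        return f"not seen for {silent_for.days} days"
    return None


def wipe_action(device: Device) -> str:
    """Assumption (not in the post): BYOD gets an enterprise wipe that removes
    only managed apps and data; corporate-owned devices get a full device wipe."""
    return "enterprise_wipe" if device.ownership == "byod" else "device_wipe"


def wipe_sweep(devices, now: Optional[datetime] = None) -> dict:
    """Map serial -> (action, reason) for every device that meets the wipe rule."""
    now = now or datetime.now(timezone.utc)
    result = {}
    for d in devices:
        reason = wipe_reason(d, now)
        if reason:
            result[d.serial] = (wipe_action(d), reason)
    return result


# Constructed sample inventory; serials and dates are made up for this example.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Device("C0RP0001", "corporate", NOW - timedelta(days=2)),
    Device("C0RP0002", "corporate", NOW - timedelta(days=31)),
    Device("C0RP0003", "corporate", NOW - timedelta(days=30)),  # exactly 30: not "over"
    Device("BY0D0001", "byod", NOW - timedelta(days=5), reported_missing=True),
    Device("C0RP0004", "corporate", None),
]

if __name__ == "__main__":
    for serial, (action, reason) in wipe_sweep(SAMPLE, NOW).items():
        print(f"{serial}: {action} ({reason})")
```

Run against a real export, the output is a review list for the admin role that is allowed to issue wipes, not an automatic wipe; keeping the decision and the action separate is what lets the sweep be logged and reviewed the same way Abe's builds and exceptions are.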