ProGet MDM - how it secures mobile devices in a company

May 2026
Jakub Roszkiewicz
Editorial note: This article is about Proget Software sp. z o.o. (proget.pl), a Polish MDM system from Bielsko-Biala, unrelated to the product Inedo ProGet (a package manager for NuGet/npm/Docker). All features described below (policies, geofencing, selective wipe, device encryption) refer to the MDM platform from Proget Software.

Mobile devices outside IT control are one of the most underrated risk vectors. Per the Verizon Data Breach Investigations Report 2025, unmanaged devices (private devices and BYOD) account for a materially higher share of corporate credential exposure than managed devices. The threat does not have to be a sophisticated attack: a corporate phone with encryption off, no password policy, connected to public Wi-Fi is enough. MDM (Mobile Device Management) is not just "phone management": it is a risk-management tool that reduces risk to an acceptable level. In this article I show how ProGet MDM and ManageEngine Mobile Device Manager Plus deliver that in practice.

~46% of corporate credential exposure comes from unmanaged devices (Verizon DBIR 2025)
Selective wipe: remote removal of corporate data from a lost device
3 layers of security policies protect the device at every level

What ProGet MDM is and how it works

ProGet MDM is a mobile device management solution built by Proget Software sp. z o.o., a Polish company from Bielsko-Biala specializing in mobile fleet management software for enterprise and SME. The platform offers MDM, MAM and UEM features tailored to the Polish market, with Polish-language technical support.

The basic MDM mechanism relies on the enrollment protocol: the device registers in the management system, receives a configuration profile and from that point follows the IT policy. On iOS this is delivered by Apple DEP/ABM; on Android by Android Enterprise (formerly Android for Work). Without enrollment, the device simply does not get access to company resources.

Key insight: The difference between a "secured" and a "controlled" device is exactly the difference between a door lock and an alarm with monitoring. A lock gives a sense of safety. An alarm gives data and time to react. MDM is the alarm.

Three generations of device management are worth distinguishing: MDM (managing the device itself), MAM (managing applications) and UEM (Unified Endpoint Management, managing all endpoint types). ProGet MDM operates mainly in the MDM and MAM layers. ManageEngine Mobile Device Manager Plus offers full UEM, covering laptops, tablets, smartphones, and even IoT devices.

Key MDM security features

Modern MDM platforms deliver several independent layers of protection. The failure of one does not bring down the whole. Below are the key mechanisms that any enterprise-grade MDM should offer:

Device and data-in-transit encryption

The MDM policy can enforce device encryption (FileVault on macOS, BitLocker on Windows, hardware-based encryption on iOS/Android). Data in transit is protected by enforced per-app VPN: corporate apps always connect through an encrypted tunnel, no exceptions, no user bypass.

Geofencing and conditional access

Geofencing defines geographic zones where the device has access to corporate resources. Crossing the boundary (for example, a device traveling abroad or entering an unapproved location) automatically triggers an action: from a notification, through blocking access to mail, up to a full device lock. This is especially important in regulated industries where data cannot leave a defined jurisdiction.
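The boundary check and escalation described above, as an added example that is not code from ProGet MDM or ManageEngine. The zone coordinates and location fixes are constructed, and tying the three actions to minutes spent outside the zone is an assumption; a fix whose GPS error circle straddles the boundary is treated as uncertain so that a noisy reading does not lock a device.

```python
import math

EARTH_RADIUS_M = 6_371_000
# Constructed approved zones: (name, latitude, longitude, radius in metres).
ZONES = [("office", 49.8224, 19.0584, 500), ("warehouse", 50.0647, 19.9450, 300)]
# Actions are the ones the article names; the minute thresholds are assumptions.
LADDER = [(0, "notify"), (15, "block_mail"), (60, "lock_device")]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def zone_status(lat, lon, accuracy_m):
    """Classify a fix as 'inside', 'outside' or 'uncertain' (error circle straddles a boundary)."""
    status = "outside"
    for _name, zlat, zlon, radius in ZONES:
        dist = haversine_m(lat, lon, zlat, zlon)
        if dist + accuracy_m <= radius:
            return "inside"
        if dist - accuracy_m <= radius:
            status = "uncertain"
    return status

def geofence_action(fixes):
    """fixes: (minute, lat, lon, accuracy_m) tuples, oldest first. Returns the action after the last fix."""
    outside_since = None
    for minute, lat, lon, accuracy_m in fixes:
        status = zone_status(lat, lon, accuracy_m)
        if status == "inside":
            outside_since = None
        elif status == "outside" and outside_since is None:
            outside_since = minute
        # An 'uncertain' fix neither starts nor resets the timer.
    if outside_since is None:
        return "allow"
    elapsed = fixes[-1][0] - outside_since
    return [action for threshold, action in LADDER if elapsed >= threshold][-1]
```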

Selective wipe and full wipe

Selective wipe removes only corporate data: apps, emails, documents, VPN configurations, certificates. The employee's private photos and apps stay untouched. It is key for BYOD. Full wipe restores the device to factory settings and is used only for theft or loss of a device with especially sensitive data.

Why this matters: With MDM deployed, responding to a lost device - remote lock and selective wipe - takes minutes and is done from the admin console. Without MDM there is no technical way to remotely wipe corporate data, and the device with access to mail or company systems becomes a real data breach risk.

App control and App Catalog

MDM policies define a whitelist and blacklist of apps. The App Catalog gives employees an approved toolset, with no installation of external APKs outside the official store or company catalog. In kiosk (single-app) mode the device can run only one approved app; useful for tablets on production lines or in retail.

3 policy layers protecting devices

In practical deployments, MDM policies form three layers that address different threat scenarios. Each layer is independent. They can be rolled out gradually, starting from layer one.

Layer 1: Enforce the basics
Device encryption, password strength (min 8 chars, upper/lower/digit/special), automatic lock after 5 minutes idle. No exceptions, no "just for a minute".

Layer 2: Access control
Geofencing, conditional access to corporate resources, enforced per-app VPN, block on unapproved Wi-Fi networks, device certificates as a second authentication factor.

Layer 3: Incident response
Remote lock, selective wipe, full wipe, location tracking (corporate devices only, with consent), automated compliance reports, alerts on jailbreak/root attempts.

Rolling out all three layers at once may meet employee pushback, especially for private devices (BYOD). The recommended approach is layer-by-layer with clear messaging for users explaining what is collected, what is not, and why.
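A compliance check for the Layer 1 baseline and the Layer 3 response choice, as an added example that is not code from any of the products discussed. The inventory records and all field names are hypothetical, and blocking access for a rooted or non-compliant device is an assumption; the wipe choice follows the article's rule that full wipe is reserved for lost corporate devices with especially sensitive data.

```python
# Layer 1 baseline from the article: encryption on, password of at least
# 8 characters using upper/lower/digit/special, auto-lock after 5 minutes idle.
MIN_LEN, MAX_IDLE_MIN = 8, 5
ALL = ["upper", "lower", "digit", "special"]

# Constructed inventory records; every field name is hypothetical.
INVENTORY = [
    {"id": "corp-01", "ownership": "corporate", "encrypted": True,
     "passcode": {"min_length": 10, "classes": ALL}, "auto_lock_min": 5},
    {"id": "byod-07", "ownership": "byod", "encrypted": False,
     "passcode": {"min_length": 6, "classes": ["digit"]}, "auto_lock_min": 15},
    {"id": "byod-09", "ownership": "byod", "encrypted": True, "lost": True,
     "passcode": {"min_length": 8, "classes": ALL}, "auto_lock_min": 2},
    {"id": "corp-04", "ownership": "corporate", "encrypted": True, "lost": True,
     "sensitive": True, "passcode": {"min_length": 8, "classes": ALL},
     "auto_lock_min": 5},
]

def layer1_findings(dev):
    """Layer 1 violations for one record; a missing attribute counts as a violation."""
    findings = []
    if not dev.get("encrypted", False):
        findings.append("encryption_off")
    passcode = dev.get("passcode", {})
    if passcode.get("min_length", 0) < MIN_LEN:
        findings.append("password_too_short")
    missing = set(ALL) - set(passcode.get("classes", []))
    if missing:
        findings.append("password_missing_" + "+".join(sorted(missing)))
    idle = dev.get("auto_lock_min")
    if idle is None or idle > MAX_IDLE_MIN:
        findings.append("auto_lock_too_long")
    return findings

def layer3_actions(dev):
    """Response per the article: selective wipe for lost devices, full wipe only
    for lost corporate devices with especially sensitive data."""
    if dev.get("lost"):
        full = dev.get("ownership") == "corporate" and dev.get("sensitive")
        return ["remote_lock", "full_wipe" if full else "selective_wipe"]
    if dev.get("rooted"):
        return ["alert", "block_access"]  # blocking on root is an assumption
    return ["block_access"] if layer1_findings(dev) else []

def compliance_report(inventory):
    """Map device id -> (Layer 1 findings, Layer 3 actions)."""
    return {d["id"]: (layer1_findings(d), layer3_actions(d)) for d in inventory}
```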

ProGet MDM vs ManageEngine MDM vs Microsoft Intune

The MDM/UEM market is mature and competitive. The three solutions most often seen in Polish enterprise companies are ProGet MDM, ManageEngine Mobile Device Manager Plus and Microsoft Intune. They differ in integration model, price and feature scope.

| Criterion | ProGet MDM | ManageEngine MDM+ | Microsoft Intune |
|---|---|---|---|
| ITSM integration | Limited (API) | Native with SDP | Via connector |
| Mobile app distribution | App Catalog (on-prem) | App Catalog | Win32/LoB apps |
| BYOD / selective wipe | Yes | Yes | Yes |
| Geofencing | Basic | Advanced | Via Compliance |
| Licensing model | Per-server (on-prem) | Per-device or SaaS | Microsoft 365 bundle |

For companies using the ManageEngine ecosystem (ServiceDesk Plus, AssetExplorer, Log360), the natural pick is ManageEngine Mobile Device Manager Plus: native integration removes the need to build custom connectors and delivers a consistent view of incidents, assets and policies in one place. ProGet MDM (Proget Software) fits where the priority is Polish-language support, on-premises deployment and dedicated SME/enterprise service for the Polish market. Intune is the choice for companies deeply rooted in the Microsoft 365 ecosystem with Azure AD as the identity center.

Rollout step by step

MDM is a project, not a one-off setup. Below is the approach we use with clients:

  1. Device inventory: a list of all mobile devices with access to company resources: corporate and personal (BYOD). This is the baseline for policy and licensing.
  2. Security policy definition: decide what is mandatory (encryption, password) and what is optional (geofencing, single-app mode). Policies should be approved by HR and legal before rollout.
  3. MDM server configuration and Active Directory integration: the MDM server connects to AD/Azure AD, pulls user groups and assigns configuration profiles per group. For Apple: Apple Business Manager (DEP) setup. For Android: Android Enterprise setup.
  4. Pilot enrollment (10-20 devices): roll out to a pilot group, collect feedback, refine policies before the full rollout. This step is often skipped and that is the most common mistake.
  5. Full rollout and employee communication: enrollment of all devices, training employees on the MDM app (Intelligent Hub / Company Portal), documentation of what is monitored.
  6. Compliance monitoring and review cycle: weekly compliance reports, quarterly policy reviews, policy updates with every operating system change.

Integration with ServiceDesk Plus

The biggest advantage of ManageEngine Mobile Device Manager Plus over standalone MDM tools is integration with ServiceDesk Plus. In practice it means:

With ProGet MDM or Microsoft Intune, integration with ServiceDesk Plus can be built through the API, but that requires custom development or purchasing a connector. The cost and complexity of that integration are among the key arguments for ManageEngine MDM+ in companies already using SDP.

Question for your company: Does MDM run with you as a standalone tool, or is it integrated with ServiceDesk Plus and CMDB - so that a device incident creates a ticket automatically? If not, that is a gap worth closing before a security event forces it on you.

Summary and recommendations

MDM is not a one-off project and not an audit checkbox. It is an ongoing process that needs maintenance: policy updates with new OS versions, reviewing the device list as employees rotate, and regular testing of wipe procedures.

Three decisions worth making before you start rollout:

FAQ: Top questions about MDM

Answers to the questions most often asked before deciding to deploy MDM.

How does ProGet MDM differ from ManageEngine Mobile Device Manager Plus?
ProGet MDM (Proget Software, Bielsko-Biala) is a Polish MDM platform focused on managing mobile devices in enterprise environments, with Polish-language technical support and an on-premises license model. ManageEngine Mobile Device Manager Plus offers a full UEM scope with native integration to ServiceDesk Plus, CMDB and other ManageEngine tools, which makes it a better choice when the company already uses the ManageEngine ecosystem. Note: do not confuse ProGet MDM with Inedo ProGet, an unrelated package repository (NuGet, npm, Docker).

How long does an MDM rollout take in a company?
A basic MDM rollout with device enrollment typically takes 1-2 weeks. A full rollout with policy configuration, Active Directory integration and IT team training is 3-6 weeks, depending on device count and infrastructure complexity.

What is selective wipe and when should it be used?
Selective wipe removes corporate data only (emails, corporate apps, documents, VPN) from the device, leaving the employee's private photos and apps. Use it when a device is lost or an employee leaves. Full wipe restores the device to factory settings and is used only when the device falls into the wrong hands.

Does MDM work on private employee devices (BYOD)?
Yes. Both ProGet MDM and ManageEngine Mobile Device Manager Plus support BYOD (Bring Your Own Device). In BYOD an isolated container is created for corporate data. Selective wipe removes only that container; the employee's private data stays untouched.

Is MDM required by GDPR or ISO 27001?
MDM is not explicitly named by regulations, but it is practically essential to meet GDPR Article 32 requirements (technical measures protecting personal data) and ISO 27001:2022 control A.6.7 (mobile device policies). Lack of MDM in an ISO audit or during a data protection authority inspection can be treated as missing adequate safeguards.

Jakub Roszkiewicz
CTO - Rotech Group / ILUN Systems
ManageEngine expert with many years of experience in ITSM, MDM and IT security rollouts at manufacturing and distribution companies. Responsible for the technical architecture of Rotech Group solutions. Author of ServiceDesk Plus On-Prem and MSP rollouts for clients in automotive, FMCG and retail.