
Mobile Device Management (MDM)

1. Introduction and Purpose

This Mobile Device Management (“MDM”) Service Schedule forms part of the Master Services Agreement (“MSA”) between Empreus IT Support (“Provider”) and the Client. This Service Schedule should be read in conjunction with the MSA and all referenced legal documents.

In the event of any conflict between this Service Schedule and the MSA, the terms of this Service Schedule shall prevail to the extent of the inconsistency.

This Service Schedule governs the provision of mobile device management services, including device policy enforcement, application management, security controls, and compliance monitoring for the Client’s mobile and portable devices. The Provider delivers the MDM Service through a third-party MDM platform.

2. Definitions

In addition to the definitions set out in the MSA, the following definitions apply to this Service Schedule:

  • “MDM Service” means the mobile device management service provided by the Provider under this Service Schedule, including device enrolment, policy enforcement, application management, security controls, and compliance monitoring.
  • “MDM Platform” means the third-party mobile device management software platform used by the Provider to deliver the MDM Service. The identity of the MDM Platform may change from time to time at the Provider’s discretion.
  • “Managed Device” means any mobile phone, tablet, laptop, or other portable device enrolled in the MDM Platform and managed under this Service Schedule.
  • “MDM Service Term” means the minimum subscription period for the MDM Service, as specified in the applicable Quote.
  • “Monthly MDM Fee” means the recurring monthly subscription fee payable by the Client for the MDM Service, as detailed in the Quote. The Monthly MDM Fee includes MDM Platform licence costs.
  • “Corporate Device” means a Managed Device that is owned by the Client or provided to the Client under the Hardware as a Service – Service Schedule (EMPREUS-SS-HAAS-001).
  • “BYOD Device” means a Managed Device that is personally owned by the Client’s employee or contractor and enrolled in the MDM Platform with the device owner’s consent for work purposes.

3. Scope of MDM Services

3.1 Supported Platforms

The MDM Service supports the following device operating systems:

  • macOS (Apple Mac computers and laptops)
  • iOS (Apple iPhone and iPad)
  • Android (phones and tablets)

Windows and ChromeOS devices are not supported under this Service Schedule. Management of Windows devices is available through Microsoft Intune under the Microsoft 365 Services – Service Schedule (EMPREUS-SS-M365-001), where the Client’s M365 licence plan includes Intune.

3.2 Device Compliance Policies

The Provider shall configure and enforce device compliance policies on all Managed Devices, including:

  • Passcode and biometric authentication requirements
  • Encryption enforcement (device-level and storage encryption)
  • Minimum OS version requirements
  • Jailbreak and root detection
  • Screen lock timeout policies
  • Compliance status reporting and automated remediation actions (e.g., blocking access to corporate resources for non-compliant devices)

3.3 Application Deployment and Management

The Provider shall manage the deployment and lifecycle of applications on Managed Devices, including:

  • Deployment of approved business applications to Managed Devices
  • Automatic application updates and version management
  • Application whitelisting and blacklisting policies
  • App configuration management (e.g., pre-configuring email, VPN, and business apps)
  • Removal of corporate applications upon device unenrolment or employee departure

3.4 Device Configuration Profiles

The Provider shall create and deploy device configuration profiles to Managed Devices, including:

  • Wi-Fi network configuration (automatic connection to corporate networks)
  • VPN configuration for secure remote access
  • Email account configuration (e.g., Exchange Online, Gmail)
  • Certificate deployment for authentication and encryption
  • Restrictions profiles (e.g., disabling camera, limiting app store access, restricting data sharing between managed and personal apps)

3.5 Remote Lock and Wipe

The Provider shall maintain the capability to remotely lock and wipe Managed Devices, including:

  • Remote lock: Immediately lock a Managed Device to prevent unauthorised access
  • Full remote wipe: Erase all data on the device and restore to factory settings (for Corporate Devices)
  • Selective remote wipe: Remove only corporate data and applications while preserving personal data (for BYOD Devices)
  • Passcode reset for locked-out devices

Remote lock and wipe actions will be initiated by the Provider upon written or verbal request from an authorised representative of the Client. The Provider will confirm the action with the Client before executing a full wipe.

3.6 Lost and Stolen Device Management

In the event a Managed Device is reported lost or stolen, the Provider will:

  • Immediately lock the device remotely upon notification from the Client
  • Attempt to locate the device using the MDM Platform’s location tracking capabilities (subject to platform and device settings)
  • Execute a remote wipe (full or selective) upon the Client’s instruction
  • Remove the device from the MDM Platform enrolment and revoke access to corporate resources
  • Provide the Client with a report of actions taken for insurance or HR purposes

The Client shall notify the Provider as soon as practicable after becoming aware that a Managed Device is lost or stolen. The Provider shall not be liable for any data loss, unauthorised access, or security breach occurring prior to the Provider being notified.

3.7 BYOD Management

Where the Client permits employees or contractors to use personal devices for work purposes (Bring Your Own Device), the Provider shall manage BYOD Devices under a separate BYOD enrolment profile that:

  • Creates a managed work container or profile on the device, separating corporate data from personal data
  • Enforces compliance policies on the work container only (without affecting personal apps or data)
  • Deploys corporate applications and configuration profiles within the work container
  • Allows selective wipe of corporate data only, preserving personal data
  • Respects the device owner’s privacy by limiting the Provider’s visibility to corporate data and compliance status only (the Provider will not access personal photos, messages, browsing history, or personal apps)

The Client is responsible for obtaining consent from employees and contractors before enrolling BYOD Devices in the MDM Platform. The Provider recommends that the Client implement a BYOD Acceptable Use Policy and obtain signed acknowledgement from each BYOD user.

3.8 OS Update Management

The Provider shall manage operating system updates for Managed Devices, including:

  • Monitoring available OS updates across macOS, iOS, and Android
  • Testing critical updates for compatibility with corporate applications before deployment (where feasible)
  • Enforcing OS update policies (e.g., requiring updates within a specified timeframe)
  • Deferring or blocking updates where known compatibility issues exist
  • Reporting on device OS version compliance across the fleet

3.9 Geofencing and Location Tracking

Where supported by the MDM Platform and enabled with appropriate consent, the Provider may configure:

  • Geofencing policies that trigger actions when a Managed Device enters or leaves a defined geographic area (e.g., enabling Wi-Fi profiles on premises, restricting features off-site)
  • Location tracking for Corporate Devices to assist with asset management and lost/stolen device recovery

Location tracking for BYOD Devices is limited to the work container and will not track the device owner’s personal location outside of work hours, unless explicitly consented to and required for legitimate business purposes.

The Client is responsible for ensuring that any use of geofencing and location tracking complies with applicable privacy laws, workplace surveillance legislation (including any applicable state or territory laws), and employee notification requirements. The Provider shall not be liable for the Client’s non-compliance with privacy or surveillance laws.

3.10 Compliance Reporting and Dashboards

The Provider shall provide the Client with access to compliance reporting and dashboards, including:

  • Device compliance status (compliant, non-compliant, not evaluated)
  • Enrolled device inventory with device type, OS version, and last check-in
  • Application inventory across the managed fleet
  • Security incident and policy violation reports
  • OS update compliance across the fleet
  • Periodic summary reports (frequency as agreed in the Quote or upon request)

3.11 Conditional Access Integration

Where the Client holds an active Microsoft 365 Services – Service Schedule (EMPREUS-SS-M365-001) with a licence plan that includes Conditional Access, the Provider shall integrate the MDM Platform with Azure Active Directory (Entra ID) to enforce conditional access policies. This enables:

  • Blocking access to Microsoft 365 resources (Exchange Online, SharePoint, Teams) from non-compliant or unenrolled devices
  • Requiring device enrolment in the MDM Platform as a condition for accessing corporate cloud resources
  • Risk-based access decisions combining device compliance, user identity, and location signals

Conditional Access integration requires coordination between the MDM Service and the Microsoft 365 Service. Changes to Conditional Access policies will be agreed with the Client before implementation.

3.12 IT Support

All IT support related to the MDM Service — including helpdesk, troubleshooting, on-site visits, after-hours support, and associated service levels and rates — is provided under the Managed IT Services – Service Schedule (EMPREUS-SS-MIT-001). The Client must hold an active Managed IT Services subscription to receive support for the MDM Service.

3.13 Exclusions

The following are not included in the MDM Service:

  • Windows or ChromeOS device management (see Microsoft 365 Services for Intune)
  • Supply of mobile devices or hardware (see HaaS or Mobile Services schedules)
  • Mobile voice and data plans (see Mobile Services schedule)
  • Physical device repair or replacement
  • Custom MDM platform development or API integration
  • IT support services (provided under Managed IT Services)
  • Creation of the Client’s BYOD Acceptable Use Policy (the Provider can advise but the Client is responsible for legal review and implementation)
  • Legal advice regarding privacy, surveillance, or employee monitoring laws

4. Device Enrolment

4.1 Enrolment Process

The Provider shall enrol Managed Devices into the MDM Platform following acceptance of the Quote. Enrolment methods may include:

  • Apple Business Manager (ABM) for automated zero-touch enrolment of iOS and macOS devices
  • Android Enterprise enrolment for corporate and BYOD Android devices
  • Manual enrolment via QR code, URL, or invitation email for devices not covered by automated enrolment
  • User-initiated BYOD enrolment with appropriate consent workflow

4.2 Enrolment Prerequisites

The Client shall provide the Provider with:

  • A list of devices to be enrolled, including device type, serial number (where available), and assigned user
  • Apple Business Manager access (for iOS/macOS zero-touch enrolment)
  • Android Enterprise organisation credentials (for Android management)
  • Written confirmation that employee consent has been obtained for BYOD enrolment

4.3 Unenrolment

Managed Devices may be unenrolled from the MDM Platform upon request from an authorised representative of the Client (e.g., when an employee departs or a device is retired). Upon unenrolment, all corporate data, applications, and configuration profiles will be removed from the device. For BYOD Devices, personal data will not be affected.

5. MDM Service Term and Renewal

5.1 Minimum Term

The MDM Service is subject to a minimum MDM Service Term of 12 months from the activation date, unless otherwise agreed in writing in the Quote.

5.2 Renewal

At the expiry of the MDM Service Term, the MDM Service shall automatically renew on a month-to-month basis under the same terms, unless either party provides at least 30 days’ written notice of non-renewal prior to the expiry of the current term.

5.3 Changes to Service

The Client may request changes to the MDM Service during the MDM Service Term, including adding or removing devices, changing policies, or enabling additional features. Changes may result in a variation to the Monthly MDM Fee. The Provider will confirm any fee changes before processing the request.

6. Fees and Payment

6.1 Monthly MDM Fee

The Client shall pay the Monthly MDM Fee as specified in the accepted Quote. The Monthly MDM Fee is calculated on a per-device basis and includes the MDM Platform licence cost. Monthly MDM Fees are invoiced in advance in accordance with the Payment – Terms & Conditions.

6.2 Inclusions

Unless otherwise stated in the Quote, the Monthly MDM Fee includes:

  • MDM Platform licence for each Managed Device
  • Device compliance policy configuration and enforcement
  • Application deployment and lifecycle management
  • Device configuration profiles (Wi-Fi, VPN, email, certificates)
  • Remote lock and wipe capabilities
  • Lost/stolen device management
  • BYOD work container configuration
  • OS update management
  • Geofencing and location tracking configuration (where supported)
  • Compliance reporting and dashboard access
  • Conditional Access integration with Microsoft 365 (where applicable)
  • Ongoing policy management and optimisation

6.3 Exclusions

The following are excluded from the Monthly MDM Fee and may be charged separately:

  • Mobile devices (see HaaS or Mobile Services schedules)
  • Mobile voice and data plans (see Mobile Services schedule)
  • Apple Business Manager setup (if not already configured — one-off fee may apply)
  • Android Enterprise setup (if not already configured — one-off fee may apply)
  • Custom MDM policies or configurations beyond the standard scope
  • IT support services (provided under Managed IT Services)
  • Third-party application licence fees (if not included in the Quote)

6.4 MDM Platform Price Changes

The MDM Platform licence pricing is set by the third-party vendor and may change from time to time. If the vendor increases licence prices, the Provider reserves the right to pass through the increase to the Client. The Provider will notify the Client at least 30 days in advance of any price change taking effect.

6.5 Payment Terms

All payment obligations under this Service Schedule are subject to the Payment – Terms & Conditions published at empreusitsupport.com.au/payment-terms-and-conditions, which are incorporated by reference.

7. Client Responsibilities

7.1 Device Inventory

The Client shall maintain an accurate inventory of all Managed Devices and promptly notify the Provider of any additions, removals, or changes (e.g., new devices, departing employees, lost/stolen devices, device replacements).

7.2 Employee Consent and BYOD Policy

The Client is solely responsible for obtaining appropriate consent from employees and contractors before enrolling personal (BYOD) devices in the MDM Platform. The Client is responsible for creating, maintaining, and enforcing a BYOD Acceptable Use Policy that clearly communicates to employees what data the MDM Platform can and cannot access, what actions the Provider can perform remotely (including selective wipe), and the employee’s rights and obligations.

The Provider shall not be liable for any claims, disputes, or legal proceedings arising from the Client’s failure to obtain consent or implement an adequate BYOD policy.

7.3 Privacy and Surveillance Compliance

The Client is responsible for ensuring that the use of MDM capabilities (including location tracking, geofencing, and device monitoring) complies with all applicable privacy laws, workplace surveillance legislation, and employee notification requirements in the Client’s jurisdiction. This may include but is not limited to the Privacy Act 1988 (Cth), applicable state workplace surveillance laws, and any relevant enterprise agreement or employment contract provisions.

The Provider will configure MDM features as instructed by the Client but is not responsible for advising on or ensuring the Client’s legal compliance regarding employee monitoring and surveillance.

7.4 Apple Business Manager and Android Enterprise

Where automated device enrolment is required, the Client shall provide the Provider with access to Apple Business Manager and/or Android Enterprise accounts. The Client is responsible for maintaining these accounts and ensuring device serial numbers are correctly associated.

7.5 Timely Reporting of Incidents

The Client agrees to promptly report any lost, stolen, or compromised devices, and any suspected security incidents, through the Provider’s designated support channels as set out in the Managed IT Services – Service Schedule.

7.6 Acceptable Use

The Client shall ensure that all Managed Devices are used in compliance with applicable laws, the Client’s acceptable use policies, and the MDM Platform’s terms of service.

8. Data, Privacy, and Security

8.1 Corporate and Personal Data Separation

The Provider shall configure the MDM Platform to maintain separation between corporate data and personal data on BYOD Devices. The Provider will not access, collect, or monitor personal data on BYOD Devices, including personal photos, messages, browsing history, personal apps, or personal location data outside of the managed work container.

8.2 Data Collected by the MDM Platform

The MDM Platform may collect the following information from Managed Devices for management and compliance purposes:

  • Device type, manufacturer, model, and serial number
  • Operating system version and patch level
  • Installed applications (managed container only for BYOD)
  • Device compliance status (encryption, passcode, jailbreak)
  • Device location (Corporate Devices, and BYOD only within the work container if enabled)
  • Network and connectivity information
  • Last check-in time and device health status

This information is used solely for device management, security enforcement, and compliance reporting. The Provider shall not use device data for any other purpose.

8.3 Confidentiality

All data collected through the MDM Platform is Confidential Information and shall be treated in accordance with the confidentiality obligations of the MSA and this Service Schedule. The Provider shall not disclose MDM data to any third party without the Client’s prior written consent, except as required by law.

8.4 Data Breach Notification

In the event of a confirmed or reasonably suspected security breach affecting Managed Devices or MDM data within the Provider’s control, the Provider shall promptly notify the Client and provide sufficient details about the nature and scope of the breach.

8.5 Data Protection Laws

Both parties shall comply with all applicable data protection legislation, including the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and if applicable, the General Data Protection Regulation (GDPR) (EU) 2016/679.

8.6 Survival

The data, privacy, and confidentiality obligations under this section shall survive termination of this Service Schedule for as long as the Provider possesses or controls any data collected through the MDM Platform.

9. MDM Platform

9.1 Relationship

The Provider delivers the MDM Service through a third-party MDM Platform. The Client’s contractual relationship is solely with the Provider. The Client has no direct contractual relationship with the MDM Platform vendor and shall not contact the vendor directly regarding the MDM Service without the Provider’s prior written consent.

9.2 Platform Changes

The Provider may change the MDM Platform at any time, provided that the change does not materially reduce the capabilities or security of the MDM Service. The Provider will notify the Client in advance of any platform change and will manage the migration of devices to the new platform.

9.3 Platform Terms

The MDM Service may be subject to the MDM Platform vendor’s terms of service and acceptable use policies. The Client shall comply with any such terms communicated by the Provider. The Provider does not assume liability for restrictions, feature changes, or actions imposed by the MDM Platform vendor.

9.4 Platform Availability

The MDM Platform is a cloud-based service. The Provider does not guarantee uninterrupted availability of the MDM Platform. In the event of a platform outage, the Provider will liaise with the vendor and keep the Client informed.

10. Warranties and Disclaimers

10.1 Provider Warranty

The Provider warrants that the MDM Service will be performed in a professional and workmanlike manner, consistent with generally recognised industry standards.

10.2 No Guarantee of Complete Security

While the MDM Service implements device-level security controls, no MDM solution is infallible. The Provider does not warrant complete protection against all device compromises, data breaches, or unauthorised access. MDM is one layer of a broader security strategy.

10.3 Third-Party Disclaimer

The MDM Service is delivered through a third-party MDM Platform and relies on Apple, Google, and device manufacturer APIs for management capabilities. The Provider does not make any representations or warranties regarding the performance, reliability, or feature availability of the MDM Platform, Apple Business Manager, Android Enterprise, or device manufacturer management APIs. Changes by Apple, Google, or device manufacturers may affect MDM capabilities, which is outside the Provider’s control.

10.4 BYOD Disclaimer

The Provider does not warrant that MDM management of BYOD Devices will be fully transparent to the device owner in all cases. Device behaviour during enrolment, policy enforcement, and unenrolment may vary by device manufacturer, OS version, and MDM Platform capabilities.

10.5 Disclaimer of Implied Warranties

Except as expressly set out in this Service Schedule and the MSA, the Provider disclaims all implied warranties, including warranties of merchantability, fitness for a particular purpose, and non-infringement, to the maximum extent permitted by law. Nothing in this Service Schedule excludes or limits any consumer guarantee or statutory right that cannot be excluded under Australian Consumer Law.

11. Limitation of Liability

11.1 The Provider shall not be liable for any indirect, incidental, consequential, or special damages arising from the MDM Service, including lost profits, lost data, business interruption, employee disputes, or loss of goodwill, regardless of the legal theory, even if advised of the possibility of such damages.

11.2 The Provider’s aggregate liability under this Service Schedule shall not exceed the total Monthly MDM Fees actually paid by the Client in the six (6) months immediately preceding the date on which the claim arose.

11.3 The Provider shall not be liable for data loss resulting from remote wipe actions initiated at the Client’s request or as a result of the Client’s compliance policies.

11.4 The Provider shall not be liable for any claims, disputes, or legal proceedings arising from the Client’s use of MDM capabilities in breach of privacy laws, workplace surveillance legislation, or employment obligations.

11.5 The Provider shall not be liable for MDM Platform outages, feature limitations, or API changes imposed by the platform vendor, Apple, Google, or device manufacturers.

11.6 Any claim must be brought within twelve (12) months from the date on which the Client first became aware, or reasonably should have become aware, of the basis for such claim.

11.7 The limitations in this section shall not apply to damages resulting from the Provider’s gross negligence or wilful misconduct, or any liability that cannot be excluded by law.

12. Indemnification

12.1 By the Provider: The Provider shall indemnify and hold the Client harmless from any third-party claims arising from the Provider’s gross negligence or wilful misconduct in performing Services under this Service Schedule.

12.2 By the Client: The Client shall indemnify and hold the Provider harmless from any third-party claims (including employee claims) arising from the Client’s use of the MDM Service, failure to obtain employee consent for BYOD enrolment, non-compliance with privacy or workplace surveillance laws, data collected through the MDM Platform, or violation of applicable laws or regulations.

13. Force Majeure

Neither party shall be liable for delays or failures due to events beyond their reasonable control, including natural disasters, war, strikes, pandemics, governmental actions, MDM Platform outages, or Apple/Google service disruptions. The affected party shall notify the other promptly and use reasonable efforts to resume performance as soon as feasible.

If a Force Majeure event prevents performance for more than 30 days, either party may terminate this Service Schedule upon written notice. The Client remains liable for all fees accrued up to the termination date.

14. Termination

14.1 Termination

Termination of this Service Schedule is governed by the Termination – Terms & Conditions published at empreusitsupport.com.au/termination-terms-conditions, which are incorporated by reference.

14.2 Early Termination

If the Client terminates this Service Schedule prior to the expiry of the MDM Service Term, the Client shall be liable for the Early Termination Cost as defined in the Termination – Terms & Conditions, which includes one hundred percent (100%) of the remaining Monthly MDM Fees for the unexpired portion of the MDM Service Term.

14.3 Effect of Termination on Devices

Upon termination, the Provider will:

  • Remove all corporate data, applications, and configuration profiles from Managed Devices (selective wipe for BYOD, full unenrolment for Corporate Devices)
  • Unenrol all Managed Devices from the MDM Platform
  • Remove Conditional Access integration (if applicable)
  • Revoke the Provider’s administrative access to the MDM Platform
  • Provide a final device compliance report to the Client

The Client should be aware that unenrolment may remove corporate Wi-Fi, VPN, and email configurations from Managed Devices, which may temporarily affect user productivity until reconfigured by the Client or a successor provider.

14.4 Data Retention Post-Termination

MDM Platform data (device inventory, compliance history, reports) will be retained for 30 days following termination to allow the Client to request final reports or data exports. After 30 days, MDM data will be securely deleted from the Provider’s systems.

15. General Provisions

15.1 Relationship to MSA

This Service Schedule supplements and forms part of the Master Services Agreement. All terms of the MSA (including the Director’s Guarantee, Governing Law and Dispute Resolution, and Privacy Policy reference) apply to this Service Schedule as if set out in full herein.

15.2 Prerequisite Service Schedule

The Client acknowledges that an active Managed IT Services – Service Schedule (EMPREUS-SS-MIT-001) is required to receive IT support for the MDM Service.

If the Managed IT Services subscription is terminated or expires, the Provider will continue to maintain MDM policies and platform administration under this Service Schedule, but helpdesk and user-facing support will not be available.

15.3 Related Service Schedules

The MDM Service may interact with the following Service Schedules:

  • Microsoft 365 Services (EMPREUS-SS-M365-001) — for Conditional Access integration and Entra ID synchronisation
  • Mobile Services (EMPREUS-SS-MOB-001) — for SIM and mobile plan management on Managed Devices
  • Hardware as a Service (EMPREUS-SS-HAAS-001) — for Corporate Devices leased via HaaS

15.4 Cross-References

This Service Schedule is subject to the following Empreus IT Support legal documents, all of which are incorporated by reference:

  • Master Services Agreement (EMPREUS-MSA-001)
  • Managed IT Services – Service Schedule (EMPREUS-SS-MIT-001)
  • Microsoft 365 Services – Service Schedule (EMPREUS-SS-M365-001) — if Conditional Access integration applies
  • Mobile Services – Service Schedule (EMPREUS-SS-MOB-001) — if applicable
  • Hardware as a Service – Service Schedule (EMPREUS-SS-HAAS-001) — if devices leased via HaaS
  • Payment – Terms & Conditions (empreusitsupport.com.au/payment-terms-and-conditions)
  • Termination – Terms & Conditions (empreusitsupport.com.au/termination-terms-conditions)
  • Quote – Terms & Conditions (empreusitsupport.com.au/quote-terms-conditions)
  • Privacy Policy (empreusitsupport.com.au/privacy-policy)

15.5 Amendments

No modification to this Service Schedule shall be valid unless made in writing and signed by both parties.

15.6 Severability

If any provision of this Service Schedule is found to be unenforceable, the remaining provisions shall remain in full force and effect.

15.7 Entire Agreement

This Service Schedule, together with the MSA and all incorporated documents, constitutes the entire agreement between the parties regarding the Mobile Device Management Services described herein and supersedes all prior agreements, representations, and understandings on this subject matter.
