Actually, that's wrong. I work for a company that develops MDM software, and what you can do to a smartphone is incredibly limited, especially non-Samsung devices and iPhones.
Firstly, the iPhone can never be touched or targeted directly by an MDM server, it can only relay information through apple's Push Notification Services servers.
Secondly, Apple explicitly blocks any tool sets of access to contents of the device, including personal information. It is literally impossible to read that data on an iOS device. We never could. I can at most see a list of apps on the device and hardware details like Serial Numbers or IMEI data.
Thirdly, Apple explicitly blocks MDM software from leveraging Geolocation except under very specific circumstances. The only way to do this is by building an iOS app and registering it through Apple's Enterprise iOS developer program, which then generates private provisioning profiles and code-signs the apps to be trusted on the iOS device. No apps in the App Store are allowed to provide geolocation to third-party services without express end-user consent. Our product does offer the functionality, but in order to use it even under these circumstances, there has to be a signed app installed and opened on the device to authorize it. I cannot force it to be authorized.
Fourthly, on the android side, an app has to be installed, and configured and authorized on the device in order to bring the device into management. Geolocation is limited here, too.
Fifth, unless the device is registered to a company and enrolled in Apple's Device Enrollment Program, or is manually configured on a Mac using apple's configurator software, the level of restrictions and control is limited. Only corporate owned devices enrolled through those methods can be made to be "supervised" in order to allow additional restrictive features.
Sixth, there is no means in any current MDM to enable or perform any type of screen sharing or access anything like cameras or other electronics.
Bottom line, MDMs are quite limited in their ability to do any snooping of any user data. The worst that can happen is someone issuing a remote erase command or device lock command. Nothing more invasive can be done.