The thing is, it's not his phone. It's the company's phone - they're lending it to him for work use.
Putting personal files / info on a work phone should be a big no-no.
This.
It's a damn work phone. It's not for installing Angry Birds. It's not for browsing the internet at home. It's a phone so you can call your colleagues, use work related apps, and have access to email.
You really don't want to be doing anything on your work phone other than work. It's highly likely that it's in your employee handbook or ToS, and if they ever want to get rid of some people to save money, they'll just use it as an excuse to fire you.
Now OP, if your work don't mind you doing any of the above, then fine. But you need to find out for sure first, find out what their exact policy is.
As for the mobile device management stuff, well I spend a lot of my day doing this stuff. Here is what I can personally see and do using AirWatch MDM (your work will probably use something else with different features):
Track your phone's location every 15 minutes
Track your data, phone and SMS usage
Track your battery life, cell coverage
View every app installed on your phone
Remotely upload files, documents, apps to your phone and install them
Wipe your device
Change your password/pincode
Restrict data usage, restrict what websites you can go on (our phones connect to our proxy over the internet for web filtering)
Check log files for apps
Browse the entire phone file system, all system folders, application folders and so on.
So basically pretty much everything.
Oh, and as for installing apps to circumvent it: if it's anything like our place, we blacklist every app except the ones used for work. Even if you try and install something, it won't let you, whether it be off the Play Store or an APK you got from elsewhere.