I discovered that if a device is assigned to a policy without the Remote Control module enabled, that device can be remote taken over. This seems like a security hole because if the remote control is not enabled in a policy, that would indicate that those devices assigned to that policy does not want to allow remote takeover for those devices by default.