How to create a mobile policy for iOS devices

When developing a mobile policy for iPhones and iPads, it’s important to keep in mind that from an EMM perspective, Apple’s biggest goal (beyond privacy) is delivering a single seamless iOS experience.


I recently discussed the general guidelines that IT departments should follow when it comes to building enterprise mobility policies for their organizations and the need to create layered policies that can be as diverse and as targeted to different users, groups, and devices as needed. One of the biggest distinctions between policies is the difference between iOS and Android.

Although policies are applied to both platforms using a single enterprise mobility management (EMM) or mobile device management (MDM) solution, there are significant differences in the way each platform functions under the hood. This includes how they implement management and security options, so it’s a good idea to understand the unique aspects of each platform when developing management policies. I’ll tackle iOS policy considerations here.

Apple’s approach: make everything look seamless

One of the most important aspects of EMM on BYOD devices (and to some extent on corporate devices assigned to users and executives to use for both business and personal tasks) is separating corporate data from personal data on the devices. This ensures that personal content is walled off from corporate data, meaning that IT shouldn’t be able to see or delete a user’s family photos, health data or banking information. As our devices have become more personal, this separation has become even more important, so much so that Apple has declared privacy to be a basic human right.

Privacy may be one of Apple’s biggest hallmarks, but delivering a smooth, intuitive and seamless experience is another one. It’s important to keep that in mind from an EMM perspective. Apple’s biggest goal beyond privacy is to give the user a single seamless experience.

This means that users should not perceive a distinction between business and personal apps, files, cloud services or settings. Business apps have no flags to mark them, share sheets don’t show any overt signs of the restrictions imposed, and there’s no discernible shift when going between a business app installed by an EMM policy, such as Word or Slack, and a personal app like Netflix or Health.

In the same manner, there are no visual distinctions between accounts in iOS. Mail displays personal Gmail and iCloud accounts (see How iCloud works in business) alongside corporate Exchange accounts. Likewise, Exchange calendar appointments and reminders appear alongside their personal counterparts (though they will often appear as a separate calendar). Nor are there distinctions within apps that can be used for both business and personal tasks, such as Safari bookmarks. The business and personal information is combined, and there is only a single instance of any installed app.

This is a significant difference between iOS and Android. Although both platforms separate content and apps, Android for Work (and Samsung KNOX) make it clear to users which apps are enterprise-installed. An app installed both personally and via an enterprise app store or policy can appear as two separate instances.

The long and short of it is that you need to assume users will not see or even realize there’s a difference between business and personal apps. Another key consideration is that apps installed by an EMM suite will take precedence if the user has already installed the app personally. This is a crucial distinction because when an enterprise app is deleted by IT or a policy (such as when the user leaves the company or upgrades to a new device), content stored in that app will be removed along with the app itself.

Who owns what?

So how are business apps and content separated and how is each treated? The simple answer is that any app installed by a policy or enterprise app store is considered a managed app. This means that IT can remove the app, update it, and even change its configuration at any time using an EMM command or policy.

Enterprise apps and their content are therefore “owned” by the employer and there will not be privacy protections around any content created by the app unless that content is stored in a personal cloud service like iCloud or Google Drive. Users should understand that IT can “see into” any enterprise app. The same is true with enterprise accounts -- accessing Exchange emails or calendars is no different from a user perspective than using Outlook on their work PC.

iOS restrictions

iOS allows a broad range of restrictions that can be applied through EMM. This includes limiting the ability to share or copy content from enterprise apps (and accounts) into personal apps. Again, there is no overt indication of these restrictions; items are simply not displayed in an app’s Share sheet.

Other restrictions limit access to device and iOS features like Game Center or the App Store, or restrict printing, roaming and access to certain networks.
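As an added example (not code from this article or from any EMM product), the following Python script builds a configuration profile carrying a Restrictions payload and audits any .mobileconfig for the managed-to-unmanaged sharing restrictions this section describes. The restriction key names are the ones Apple's Restrictions payload uses; the payload identifiers and both sample profiles are constructed placeholders.

```python
"""Audit an iOS configuration profile for the data-separation restrictions
described above. Added example for this article, not code from the article
or from any EMM vendor; the sample profiles are constructed inline."""
import plistlib
import uuid

# Keys from Apple's Restrictions payload (PayloadType com.apple.applicationaccess).
# Value = the setting that enforces separation; text = what a permissive value allows.
SEPARATION_RESTRICTIONS = {
    "allowOpenFromManagedToUnmanaged": (False, "managed documents to be opened in personal apps"),
    "allowOpenFromUnmanagedToManaged": (False, "personal documents to be opened in managed apps"),
    "allowManagedAppsCloudSync": (False, "managed app data to sync to the user's personal iCloud"),
}


def build_profile(restrictions: dict) -> bytes:
    """Wrap one Restrictions payload in a top-level profile and return it as
    XML plist bytes (the .mobileconfig format an EMM pushes to the device).
    Identifiers use the reserved example.com domain as placeholders."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.separation",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Data separation restrictions",
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.separation",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example separation profile",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(profile_bytes: bytes) -> list:
    """Parse a .mobileconfig and list every separation restriction that is
    absent (Apple's default for these keys is permissive) or set to a
    permissive value. An empty list means all of them are enforced."""
    profile = plistlib.loads(profile_bytes)
    restriction_payloads = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.applicationaccess"
    ]
    findings = []
    for key, (enforcing_value, allows) in SEPARATION_RESTRICTIONS.items():
        values = [p[key] for p in restriction_payloads if key in p]
        if not values:
            findings.append(f"{key} not set: default allows {allows}")
        elif any(v != enforcing_value for v in values):
            findings.append(f"{key} permissive: allows {allows}")
    return findings


# Constructed samples: one profile only turns off Game Center, the other also
# closes the managed/unmanaged sharing paths.
PERMISSIVE_PROFILE = build_profile({"allowGameCenter": False})
HARDENED_PROFILE = build_profile({
    "allowGameCenter": False,
    "allowOpenFromManagedToUnmanaged": False,
    "allowOpenFromUnmanagedToManaged": False,
    "allowManagedAppsCloudSync": False,
})

if __name__ == "__main__":
    for name, data in (("permissive", PERMISSIVE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {audit_profile(data) or 'all separation restrictions enforced'}")
```

The audit treats an absent key as a finding on purpose: a profile that only disables Game Center looks locked down in the EMM console, yet leaves every sharing path between managed and personal apps open because Apple's defaults for these keys are permissive.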

When applying restrictions, you may want to explicitly inform users about the restrictions that are in place. This can be done by a general policy that users agree to when they start work, one displayed during enrollment via EMM, or by periodic reminders through general corporate communication channels.

Configuring devices and apps

In addition to putting limitations on device and app use, you can also configure devices and apps via an EMM policy. This makes it faster and easier for a user to get up to speed following enrollment. Typical enterprise settings include corporate Wi-Fi, VPN, web proxies, parental controls and so forth. Many of these options apply to the device itself or to the stock Apple apps that come installed on the device.

It is also possible to preconfigure virtually any app using a preference manifest for the app. This is an XML file that stores the app’s configuration. It is essentially the same as the file within iOS that stores user settings. The difference is that IT creates the contents of that file in order to pre-configure the options and behavior of the app. This requires an understanding of Apple’s preferences XML format.
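To show what such a preference file looks like and how IT can check it before pushing it, here is an added Python example (not from the article, from Apple, or from any app vendor). It serializes a managed app configuration as XML plist and validates it against the set of keys an app says it understands. The schema keys (serverURL, allowScreenshots, syncIntervalMinutes) are hypothetical stand-ins for whatever a real app documents, and the credential-name check is a hygiene rule this example adds.

```python
"""Build and sanity-check a managed app configuration: the dictionary an EMM
pushes for one app, which the app reads from its user defaults under the key
com.apple.configuration.managed. Added example, not from the article or from
Apple; the app schema and its keys (serverURL, allowScreenshots,
syncIntervalMinutes) are hypothetical stand-ins for whatever an app documents."""
import plistlib

# Hypothetical schema an app vendor might publish: key -> (plist type, required?)
APP_SCHEMA = {
    "serverURL": (str, True),
    "allowScreenshots": (bool, False),
    "syncIntervalMinutes": (int, False),
}

# Hygiene rule added by this example: configuration values are readable by the
# app and visible to anyone who can inspect the profile, so keys that look like
# credentials are reported for review.
SECRET_HINTS = ("password", "secret", "token", "apikey")


def to_managed_config_plist(config: dict) -> bytes:
    """Serialize the configuration as the XML plist IT would hand to the EMM."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML)


def validate_managed_config(plist_bytes: bytes, schema: dict = APP_SCHEMA) -> list:
    """Parse the plist and return problems: missing required keys, values of the
    wrong plist type, keys the app does not know (it will ignore them silently),
    and credential-looking keys. An empty list means the configuration is clean."""
    config = plistlib.loads(plist_bytes)
    problems = []
    for key, (expected, required) in schema.items():
        if key not in config:
            if required:
                problems.append(f"missing required key {key}")
            continue
        value = config[key]
        # In Python bool is an int subclass; plist keeps <true/> and <integer>
        # distinct, so treat a bool where an integer is expected as a type error.
        wrong_bool = expected is int and isinstance(value, bool)
        if wrong_bool or not isinstance(value, expected):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    for key in config:
        if key not in schema:
            problems.append(f"unknown key {key} (ignored by the app)")
        if any(hint in key.lower() for hint in SECRET_HINTS):
            problems.append(f"{key} looks like a credential; review before deploying")
    return problems


# Constructed samples: a clean configuration and one with typical mistakes.
CLEAN_CONFIG = to_managed_config_plist({
    "serverURL": "https://sync.example.com",
    "allowScreenshots": False,
    "syncIntervalMinutes": 15,
})
FLAWED_CONFIG = to_managed_config_plist({
    "allowScreenshots": "no",
    "syncIntervalMinutes": True,
    "apiPassword": "placeholder-not-a-real-secret",
})

if __name__ == "__main__":
    print(CLEAN_CONFIG.decode())
    for problem in validate_managed_config(FLAWED_CONFIG):
        print("-", problem)
```

Because the app silently ignores keys it does not recognize and may misbehave on values of the wrong type, validating the file against the app's published keys before deployment catches mistakes that would otherwise surface only as a support ticket.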

App licensing in iOS

App licensing for iOS is done through the company’s Volume Purchase Program (VPP) or through Apple Business Manager for public App Store apps. Apps can be licensed in two different ways, one of which is better for corporate devices and the other for BYOD.

Note: Going forward Apple Business Manager, which offers more flexibility, will become the only way to manage apps.

The first option essentially buys the app and gives it to a user, similar to gifting an app to someone. Once the user installs the app using a custom code, they own a copy of the app. When they leave the company, they continue to own the app, albeit without any corporate content. This approach works best for company-owned devices, particularly devices that are not assigned to a single individual but are pooled or shared -- iPads at a hospital nursing station, devices checked in and out each day by field service workers, or iPhones/iPod touches that are used as inventory or POS devices.

The second option is called managed distribution. Apps installed under this model do not create a permanent license relationship between the app itself and a user’s Apple ID. This means that apps can be installed on devices and, when they are removed, the license for the app can be reassigned to another user/device. This is much more similar to corporate licensing in the desktop world. When an app is removed via EMM, the user will be presented with the option to purchase the app themselves.

A third option that is becoming more common is app subscriptions. Apps that use this model are typically free to install but require a user to pay a subscription fee every month or year to be able to use the core features of the app. Netflix is a good personal example; Office apps using an Office 365 subscription are a good business example. In this case the apps can be installed via EMM or an enterprise app store as a managed app, and the subscription is used to identify current licensing. In theory this could also allow a personally installed app to use a corporate subscription -- in practice this wouldn’t be a good idea, since IT will then not be able to remove or manage the app and its content.

Supervised vs. unsupervised

This is, perhaps, one of the most important things to understand about managing Apple devices. The company provides a superset of management capabilities for devices that are “supervised.” These are devices that are corporate-owned and where little personal use is anticipated, thus much more stringent management capabilities might be expected.

Supervising devices is the most effective way to lock down devices that may be used by multiple individuals, students or the general public, such as a kiosk device.

Not all devices can be supervised, and Apple has made it virtually impossible to enroll personal devices as supervised. There are two ways to apply supervision. The first is to use a Mac application called Apple Configurator 2. The second, and preferred, method is the company’s Device Enrollment Program (DEP).

DEP devices must have been purchased by an organization and associated with that organization -- this means they must be purchased directly from Apple or from an approved corporate reseller. The reason for this is that it allows Apple to identify the device as a DEP device during activation and to enroll the device using a specific EMM solution, which allows a zero-touch deployment. New devices and previously purchased devices (within three years) can be added to a company’s roster of DEP devices. The requisite information and process can be handled by Apple or the approved reseller.

For other devices, Apple Configurator 2 can apply supervision, auto-enroll devices and prepare them for use. Each device needs to be connected to the Mac(s) running the app via USB. This means the process is not as fast or easy as using DEP.

To ensure that personal devices are not configured as Supervised using Apple Configurator, the configuration process will wipe the device to remove any personal apps or content. This is important because Supervision allows significantly more restrictions and can be used to monitor devices to a much greater extent, which has privacy implications.

User enrollment in iOS 13

With iOS 13, Apple will add a new user enrollment option in addition to the Supervised and unsupervised device enrollment options. The new enrollment process is designed to be initiated by the user. It requires that the user authenticate using enterprise credentials and creates a separate APFS volume on the device that stores enterprise content and is cryptographically separate and secure -- a step up in separation and security from device enrollments.

User enrollment focuses on personal privacy. To that end, most device commands (like clearing the passcode) and restrictions are not available. Information that can be queried is much more need-to-know. Most configuration data is not reported, including the list of apps that are not managed enterprise apps.

Putting it all together

The actual mechanics of applying policies to devices can be accomplished using a number of EMM and MDM solutions. Each of these solutions will typically implement the same functionality, though each will have different housekeeping features, licensing (including bundling with other components of the IT stack) and integration with other enterprise systems. Some focus on application management to a greater degree, and that can be used for fine-tuning the user experience and security options. Microsoft Intune, for example, offers explicit permission options and conditional access features for Office 365 apps.

The major concepts to keep in mind when developing mobile policies for iOS are the distinction of Supervised mode and the seamless integration of business and personal experiences and content. Individual policies can be tailored for all iOS devices, corporate-owned and/or BYOD devices, how devices will be used (single user vs. shared), and needed apps or security settings. As I’ve said before, policies should be limited and as specific as possible, as this allows granular deployment options that can be tailored efficiently for employees.

Copyright © 2019 IDG Communications, Inc.
