
Dissecting Apple's new approach to BYOD

Posted by Lisa Higgins 5 July 2019

As more organisations adopt BYOD policies, the question of how to balance user privacy against the right level of corporate control becomes more pressing. So it's great to see Apple announce a new way of managing iOS devices: User Enrollment.


Previously the only options were Device Enrollment, which gives admins device-wide management capabilities, or the same capabilities combined with an automated setup process (Automated Device Enrollment). At Apple's recent Worldwide Developer Conference (WWDC) they revealed that this third method will "better balance the needs of IT to protect sensitive corporate data and manage the software and settings available to users, while at the same time allowing users' private personal data to remain separate from IT oversight."


According to Apple, when both users' and IT's needs are in balance, users are more likely to accept a corporate "bring your own device" (BYOD) programme - something that can save organisations money, reducing the investment needed in hardware.

The new User Enrollment option for MDM has three components: a managed Apple ID that sits alongside the personal ID; cryptographic separation of personal and work data; and a limited set of device-wide management capabilities for IT.

The managed Apple ID will be the user's work identity on the device, and is created by the admin in either Apple School Manager or Apple Business Manager -- depending on whether this is for a school or a business.


So how does it work?

First the user signs into the managed Apple ID during the enrollment process.

From that point forward until the enrollment ends, the company's managed apps and accounts will use the managed Apple ID's iCloud account.

Meanwhile, the user's personal apps and accounts will use the personal Apple ID's iCloud account, if one is signed into the device.

Third-party apps are either managed or unmanaged: a user cannot switch an app between the two modes, and the same app cannot run in both modes at the same time. Some built-in apps such as Notes are account-based instead, meaning the app uses the appropriate Apple ID (managed or personal) depending on which account the user is working in at the time.

To separate work data from personal, iOS will create a managed APFS volume at the time of the enrollment. The volume uses separate cryptographic keys which are destroyed along with the volume itself when the enrolment period ends. (Note - iOS had always removed the managed data when the enrolment ends, but this is a cryptographic backstop just in case anything were to go wrong during unenrolment.)

The managed volume will host the local data stored by any managed third-party apps along with the managed data from the Notes app. It also will house a managed keychain that stores secure items like passwords and certificates; the authentication credentials for managed accounts; and mail attachments and full email bodies.

The system volume does host a central database for mail, including some metadata and five line previews, but this is removed as well when the enrolment ends.

With this method the user's personal apps and their data cannot be managed by the IT admin, so they are never at risk of being read or erased by the organisation. IT is not even able to find out which personal apps are installed on the device. And because a user enrolment cannot issue a device wipe, ending the enrolment removes only the managed data, never the whole device.


Another new feature related to User Enrollment is how traffic for managed accounts is routed through the corporate VPN. Using the per-app VPN feature, traffic from the built-in Mail, Contacts and Calendar apps only goes through the VPN when the account's domain matches one of the business's domains. For example, mail.acme.com can pass through the VPN, but mail.aol.com cannot. In other words, the user's personal mail remains private.

This addresses what has been an ongoing concern about how some MDM solutions operate - routing traffic through a corporate proxy meant the business could see the employees' personal emails, social networking accounts and other private information.
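The routing decision described above is a domain match, and the detail that matters in practice is that the match must be done on whole DNS labels, or a look-alike such as notacme.com would be pulled into the corporate tunnel by a naive suffix check. The following is an added example written for this article, not Apple's code: the managed domain list and the server names are constructed for illustration.

```python
"""Decide whether an account's server traffic enters the corporate per-app VPN.

Example code added for this article; it models the domain-matching behaviour
described above and is not Apple's implementation. The domain list and the
hostnames are constructed for illustration.
"""
from typing import Iterable, List, Set, Tuple

# Constructed sample: the business domains an admin would associate with the
# per-app VPN. Anything not under these stays off the VPN (personal mail).
MANAGED_DOMAINS = ["acme.com", "mail.acme.co.uk"]


def _labels(name: str) -> List[str]:
    """Normalise a DNS name to lower-case labels, ignoring a trailing dot."""
    return [label for label in name.strip().lower().rstrip(".").split(".") if label]


def host_matches_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    The comparison is on whole labels, so 'notacme.com' does not match
    'acme.com' the way a plain str.endswith('acme.com') check would.
    """
    h, d = _labels(host), _labels(domain)
    return len(d) > 0 and len(h) >= len(d) and h[-len(d):] == d


def routes_via_vpn(host: str, managed_domains: Iterable[str] = MANAGED_DOMAINS) -> bool:
    """Only servers under a managed domain are sent through the VPN."""
    return any(host_matches_domain(host, d) for d in managed_domains)


def split_traffic(hosts: Iterable[str],
                  managed_domains: Iterable[str] = MANAGED_DOMAINS) -> Tuple[Set[str], Set[str]]:
    """Return (hosts routed via the VPN, hosts that go direct)."""
    hosts = set(hosts)
    managed = list(managed_domains)
    via_vpn = {h for h in hosts if routes_via_vpn(h, managed)}
    return via_vpn, hosts - via_vpn


if __name__ == "__main__":
    # Constructed sample of account servers found on a device.
    sample = ["mail.acme.com", "mail.aol.com", "notacme.com", "MAIL.ACME.COM."]
    via, direct = split_traffic(sample)
    print("via VPN:", sorted(via))
    print("direct :", sorted(direct))
```

The label-boundary check is the part worth keeping when writing a similar allow-list for any proxy or VPN configuration: a suffix test on the raw string treats an attacker-registered notacme.com as corporate and routes it over the trusted path.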

User Enrollment can also only enforce a six-digit, non-simple passcode, because the MDM server is unable to help users by clearing the passcode if they forget it.
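What "non-simple" means is not spelled out above. Apple's passcode restriction documents a simple passcode as one made of repeated characters or of increasing or decreasing characters (such as 123 or CBA); the check below applies that definition together with the six-digit length. It is an added example written for this article, not Apple's code, and the sample passcodes are constructed.

```python
"""Check a passcode against the 'six-digit, non-simple' policy described above.

Example code added for this article, not Apple's implementation. The
'simple' definition follows Apple's documented restriction (repeated, or
strictly increasing / decreasing characters); the test values are constructed.
"""
from typing import Tuple

REQUIRED_LENGTH = 6


def is_simple(passcode: str) -> bool:
    """True for repeated digits (111111) or a run up or down (123456, 654321)."""
    digits = [int(c) for c in passcode]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    # A single-digit (or empty) passcode produces no steps and counts as simple.
    return steps <= {0} or steps == {1} or steps == {-1}


def validate_passcode(passcode: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the User Enrollment passcode policy."""
    if not passcode.isdigit() or not passcode.isascii():
        return False, "passcode must contain only digits"
    if len(passcode) != REQUIRED_LENGTH:
        return False, "passcode must be exactly %d digits" % REQUIRED_LENGTH
    if is_simple(passcode):
        return False, "passcode must not be repeated or sequential digits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples covering each rejection path and one accepted code.
    for candidate in ["123456", "111111", "654321", "12345", "12345a", "248163"]:
        accepted, reason = validate_passcode(candidate)
        print("%-8s %s %s" % (candidate, "accept" if accepted else "reject", reason))
```

Note that the policy is enforced on the device, so the admin never learns the passcode itself; that is also why the MDM server cannot reset it under User Enrollment.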

In summary, Apple's new approach is a step toward striking a better balance, but it will require users to understand the nuances of these more technical details. There are still mixed feelings among users about BYOD MDM policies, as they are wary of how much remote management capability their employer will have. Organisations will therefore need to educate their users on what their policies are and what access and control they will have. But it's pleasing to see tech giants such as Apple moving forward and recognising this new way of working for us all.

Find out more about Apple Business Manager at our free 30-minute webinar on 18th July at 2pm, where we will be showcasing the range of resource- and cost-saving features Apple Business Manager has to offer your organisation.
