iOS MDM needs to get better at BYOD, but Apple might make it harder (December 2018 update)

The iOS MDM experience for BYOD has fallen behind the latest versions of Android, and some customer needs aren’t being met. It’s time for some big changes in iOS device management.

(Update, June 2019: Some of the issues raised in this article have been addressed by User Enrollment, a new MDM mode coming in iOS 13. Read our WWDC 2019 coverage to learn more.)

More than a decade ago, Apple iPhones kicked off bring-your-own-device (BYOD) mania. But today, iOS is disappointingly behind the times when it comes to shepherding personally owned devices in the workplace.

This is especially apparent in light of Google’s hard work on Android Enterprise. The once-fragmented Android management landscape can now consistently provide a more powerful BYOD experience on almost any device.

The enterprise mobility management (EMM) industry has been aware of these issues for some time. BYOD privacy concerns go back to the beginning of iOS mobile device management (MDM); I wrote in 2014 about the problems physicians and contractors have with BYOD; and the article you’re reading right now was originally published in early 2017 and updated to its current form in December 2018.

Since I first wrote this article, plenty of major iOS MDM updates have come to pass, but the BYOD experience remains stuck. Most recently, we’ve learned of Apple’s plans that will make BYOD even more challenging, likely coming next spring in iOS 12.3.

BYOD isn’t an easy problem to solve—in particular, we have to work around the threat of malicious parties that may try to weaponize components of iOS MDM. But today, many folks in the enterprise mobility industry are feeling constrained by the way iOS handles BYOD.

This is a long article, but my intention is to describe the problem for those that may be less familiar with iOS MDM and the enterprise mobility management industry.

A deep dive into BYOD-oriented MDM features in iOS

A year after the iPhone arrived on the scene, the enterprise got two important features in iPhone OS 2: configuration profiles, and support for Exchange ActiveSync. But it was iOS 4 in 2010 that really introduced MDM as we know it, which helped address the initial wave of BYOD.

Baseline MDM features for BYOD

iOS MDM has always done a reasonable job at accommodating BYOD. Most importantly, it has always been an opt-in experience. Users can wirelessly enroll or un-enroll their iOS device from MDM at any time, adding and removing enterprise resources and management policies with ease. If you don’t like an invasive management policy—say an extra long passcode, or the idea that your company could erase your device—you can leave at any time.

Furthermore, the scope of what any particular MDM instance can do on a device is defined by a set of remote management rights. In other words, when a user enrolls their BYOD iPhone into their company’s MDM instance, the company could choose to configure the connection so that it’s impossible for the MDM connection to do certain things, like erase the device or view what apps are installed on the device.

And overall, there are many types of iOS data that MDM cannot see, no matter what. This includes personal content, such as photos, messages, email contents, call logs, notes, reminders, frequency of app usage, or location. In addition, MDM cannot directly remove or blacklist user-installed apps.
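As an added example (not code from the original article or from any EMM vendor), here is a Python script that decodes the AccessRights bitmask carried in an enrollment profile’s com.apple.mdm payload, which is the mechanism behind the remote management rights described above, and flags the two rights the article singles out as hard to justify on a personal device. The bit values are Apple’s published AccessRights flags; the server URL, topic, and payload identifiers are placeholders, and the sample profile is constructed here.

```python
import plistlib

# AccessRights bit values from the com.apple.mdm payload in Apple's MDM protocol.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)          # 8191: every bit set
# Rights the article calls out as unwelcome on a personally owned device.
BYOD_SENSITIVE = {8, 256}


def build_enrollment_profile(server_url, access_rights):
    """Construct a minimal enrollment profile (plist bytes) for auditing.
    Identifiers and topic are placeholders, not real values."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.enrollment.placeholder",
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "example.mdm.placeholder",
            "ServerURL": server_url,
            "Topic": "com.apple.mgmt.placeholder",
            "AccessRights": access_rights,
        }],
    })


def decode_access_rights(mask):
    """Return the human-readable names of every right set in the bitmask."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def minimal_byod_rights(mask):
    """Strip the BYOD-sensitive bits (erase, app inventory) from a mask."""
    return mask & ~sum(BYOD_SENSITIVE)


def audit_profile(data):
    """Parse a profile and report what the MDM payload would be allowed to do."""
    profile = plistlib.loads(data)
    report = {"server": None, "rights": [], "byod_flags": []}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        mask = payload.get("AccessRights", 0)
        report["server"] = payload.get("ServerURL")
        report["rights"] = decode_access_rights(mask)
        report["byod_flags"] = [ACCESS_RIGHTS[b] for b in sorted(BYOD_SENSITIVE) if mask & b]
    return report
```

Running audit_profile on a profile built with ALL_RIGHTS reports both BYOD flags; building it with minimal_byod_rights(ALL_RIGHTS) instead yields a profile that can still manage apps and settings but cannot erase the device or list installed apps.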

Mobile app management evolution

The initial baseline MDM features were not enough to fully deal with BYOD, though. Both users and IT admins needed more flexibility to manage what they care about, e.g., corporate data, while leaving the personal stuff alone. As a result mobile app management (MAM) stepped up to address BYOD.

Early forms of MAM worked by building security and management policies directly into enterprise versions of apps. This solved some BYOD problems, but brought new challenges: Sometimes users didn’t like the enterprise versions of apps (for example, early enterprise email apps were much slower than the iPhone’s built-in app). And, the enterprise had to figure out how to source all these special apps.

In 2013, iOS 7 spread a new approach in the industry: it had features to keep work and personal data separated built directly into the operating system, managed via MDM. iOS 7 had a profound impact, as this new form of MAM was easier for software vendors to implement.

(Quick side note: iOS 7 didn’t mean that the app-based MAM approach disappeared. In fact, this is still useful in many situations where MDM enrollment is not appropriate or just doesn’t work. For more, see my guide to MAM, and my infographic on EMM use cases.)

The current state of BYOD in iOS MDM

The important new BYOD features that arrived in iOS 7 are based on the idea of scoping specific management features to specific sources of enterprise data. MDM could already be used to install apps and accounts, but now, new management policies could be applied:

  • Per-app VPN: Only traffic from managed apps (and not the whole device) is routed through a VPN.
  • Managed open in: Documents in managed apps and enterprise email accounts cannot be shared into personal apps, and vice versa.
  • MDM-based app configuration: Developers can enable features in their apps to be controlled by MDM servers.
  • Kerberos-based single sign on for managed apps.
  • Prevent managed apps from storing data in iCloud.

Subsequent versions of iOS expanded the sources of data that could be considered managed enterprise data, and thus locked down more potential routes for data leakage, expanding potential BYOD use cases.

  • iOS 8 added managed web domains and keyboards.
  • iOS 9 made AirDrop a managed destination, so that managed corporate apps, accounts, and domains cannot share documents via AirDrop.
  • iOS 11.3 made Contacts a managed destination. For example, a random app that asks for access to a user’s contacts can’t access the contacts associated with a corporate-managed email account.

There are several management policies, known as restrictions, that Apple is planning to deprecate from the standard iOS MDM mode used for BYOD and make available only in Supervised mode, a subset of stricter MDM policies intended for corporate-owned devices. (Supervised devices must be enrolled via USB, or flagged to Apple’s servers as being corporate devices at the time of purchase.) These restrictions include the ability for MDM to control personal app installation, app removal, FaceTime, iTunes, Safari, iCloud data usage, multiplayer gaming and Game Center friends, explicit content, and Siri. Deprecating these restrictions will be a big step towards making the standard iOS MDM mode much more friendly for BYOD.

Growing discontent

Despite all of the BYOD features in iOS MDM, the EMM industry and customers still need Apple to go farther.

Android Enterprise, which was announced in 2014 and launched in 2015, now has stronger privacy for users and more DLP policies for the enterprise in its BYOD-oriented Work Profile mode. In the time that Work Profiles have become the default choice for Android BYOD, iOS’s BYOD features have barely changed.

Instead, Apple’s focus for iOS MDM has remained squarely on corporate and school-owned devices, with many enhancements for the previously mentioned Supervised Mode. Apple has rolled out and refined automated device enrollment capabilities (also known as the Device Enrollment Program); they’ve totally revamped the Volume Purchase Program (for buying apps in bulk); and they’ve created new interfaces for these services (creating Apple School Manager and Apple Business Manager). For educational customers, Apple has also created multi-user iPad functionality.

All in all, there are many new, long-sought features designed for corporate devices, such as full control over app and operating system updates, and APIs to manage many other aspects of iOS. Apple also rolled out MDM for Apple TV devices. Today, iPads, iPhones, iPods, and Apple TVs are well suited for usage as kiosks, point-of-sale devices, barcode scanners, digital signage, and high-security uses. This is all in stark contrast to the state of iOS MDM for BYOD.

In fact, owing to security threats, some aspects of BYOD are becoming harder. Because MDM is so powerful, it can cause harm when used maliciously; for example, if an attacker uses social engineering to install a malicious MDM profile or sideload a malicious app.

With iOS 9 in 2015, Apple placed guardrails around the installation of enterprise-signed apps. After users install an enterprise app, they have to go into the Settings and approve the developer. This can be done automatically via MDM, but the result was that it made deploying enterprise apps to non-enrolled BYOD iPhones and iPads—once a common deployment method—more difficult and impractical.

Now, Apple is again slated to make another aspect of enterprise BYOD more difficult. As covered over at the MaaS360 community blog, iOS is adding a similar approval step when enrolling devices into MDM. Today, when an MDM profile is downloaded (usually via a link in a website, SMS, email, EMM agent app, etc.), it kicks off the enrollment process automatically. But a beta of iOS, showing functionality that’s likely to come out in iOS 12.3, showed an added step. After the profile is downloaded, the user must navigate to Settings –> General –> Profiles to find the enrollment profile and install it. These extra few taps in unfamiliar menus will make it harder for enterprise users to get their BYOD iPhones and iPads enrolled in MDM.

Admittedly, the BYOD scenarios I’m talking about in this article do not cover all users. Many contractors and franchisees interact with corporate data through publicly distributed apps on their personal, unmanaged devices—for example, think of gig economy workers like rideshare drivers. And on the other end of the spectrum, there are plenty of companies that have sensitive data and want to avoid the challenges of BYOD, and just go with corporate-owned devices.

But the middle segment is where things are interesting and challenging. These are often corporate office employees, where BYOD first started and is still desired. Today, I’m seeing just as many people say no to BYOD and carry two phones as I did back in the days when the corporate phone would have been a BlackBerry. There are plenty of reasons for this, which we’ll look at next.

Where does iOS need to improve MDM for BYOD?

Most enterprise mobility management vendors have put a lot of work into making iOS MDM palatable for BYOD users; this is embodied in the choices that they make in their user-facing agent apps and admin-facing management consoles. And we have to acknowledge that Apple put together a good fundamental system for MDM. However, EMM vendors and customers are pushing up against the limitations of Apple’s iOS MDM fundamentals, and it’s time for some changes.

Transparency, consent, and user experience.

Apple has done a great job with privacy and consent in consumer-facing apps. When an app needs to access sensitive data, it has to ask for permission at the time the data is first accessed, and tell the user why it needs access to the data.

But iOS MDM isn’t nearly as transparent about what it’s doing. Yes, vendors can show their own privacy messages before they kick off the MDM enrollment, but the system-generated messages that are built in to iOS MDM are brief and not very informative. It says: “Installing this profile will allow the administrators at [the full URL of your MDM server] to remotely manage your [iPhone/iPad/iPod]. The administrator may collect personal data, add/remove accounts and restrictions, install, manage, and list apps, and remotely erase data on your [iPhone/iPad/iPod].”

Apple could fix this by making the system warning message more transparent and detailed, and allow the MDM server to customize the message. Furthermore, considering the privacy implications of MDM enrollment, the MDM relationship and remote management rights should be listed under the Privacy menu in the iOS Settings app.

Invasive features in MDM

Earlier in this piece, I covered all the BYOD-friendly aspects of iOS MDM. However, on the flipside, MDM can still do plenty of things that users might not like.

MDM can see the names of all the apps that a user has installed, and erase the device. Again, most vendors put guardrails around these features, but still, having this power over personal devices in the first place is something that needs to be reconsidered.

MDM can also configure a device-wide VPN to automatically connect under predefined conditions, possibly capturing personal traffic without the user noticing. And even when the restrictions that I mentioned earlier are fully transitioned to Supervised mode, there will still be other restrictions that BYOD users may object to, such as preventing users from taking screenshots.

(For more on all of these features, check out Apple’s official iOS deployment guide and the MDM settings reference.)

You might be wondering about device location. Many EMM products track this, but this is done via a separate agent app, and like other apps, the user has more visibility and control over when the app accesses their location. Many EMM products put some restrictions around how administrators can use this data.

These days, almost all corporate devices use Supervised mode; so I think more of the potentially invasive features should be deprecated so that they’re only available in Supervised mode, and not in the standard MDM mode that’s used for BYOD.

Or, Apple could encourage EMM vendors to use only minimal MDM remote access rights on BYOD devices, combined with more transparency as described above.

Multiple MDM connections

Another issue is that iOS devices can only connect to one MDM service at a time. For contractors that work with multiple companies, this means that MDM is not an option to secure and manage corporate data and apps—they either need to use other techniques or have multiple devices.

I don’t think this is an impossible issue for Apple to solve. The same MDM concepts that keep work and personal data separated could also separate the data from multiple companies. To avoid conflicts, devices could default to the strictest management policies, and some MDM rights (erasing the device, setting up device-wide VPNs, listing all the apps on the device) could be limited when multiple MDM connections are in place.

Work and personal app usage

A smaller feature we could use is the ability to use an app for both work and personal purposes. Today, unless a given app has the functionality built in (like in iOS Mail or some other third-party apps) it can only be used in one context at a time. Corporate MDM can essentially try to “take over” personal apps.

To fix this, Apple will have to let a second MDM-managed instance of an app co-exist with personal instances.

Pausing work notifications and background activity

Many users would love to be able to turn off the notifications from all their work apps all at once—say they’re on vacation or want to leave work behind over the weekend. In addition, they may want to limit background activity to save their battery. Sometimes, this is even a legal requirement.

Android Enterprise work profiles can be completely disabled; this is a feature that Apple could reproduce with a “Work Do Not Disturb” toggle. It could be exposed to the user, or configurable via MDM commands.

More powerful DLP options

There are still many data loss prevention features that EMM vendors build into specialized apps—for example, blocking copy/paste or adding a separate passcode before an app is launched.

These would be welcome as additional restrictions that could be scoped to managed apps and accounts.

Trusted MDM enrollment

As mentioned, Apple is concerned about malicious MDM enrollment. But as some industry colleagues have recently pointed out, there’s a precedent for Apple vetting app developers that seek to use particular iOS frameworks, such as CarPlay, GPS apps, and VoIP.

Apple could create a similar vetting program for apps that seek to install MDM profiles, so that established EMM vendors could kick off enrollments from their apps, but a random website would still require the extra approval process.

When will Apple finally improve?

Apple always works at its own slow, deliberate pace, responding mostly to established precedents and needs. There are plenty of folks in the industry that are frustrated about the current state of BYOD in iOS MDM—but is this really the time that a change will happen? I have no idea and can’t make any big predictions.

While I’d love to see a sweeping new “BYOD MDM Mode,” it’s more likely that some of the features I described will arrive gradually over a few years. Apple typically makes MDM changes in the major iOS releases and the X.3 (iOS 9.3, 10.3, 11.3) releases, so we have two chances per year to see what happens.

There have always been arguments about whether or not Apple understands enterprise needs. In the short term, they can seem closed off. And we could be jaded and say that Apple might not really want to fix BYOD, because if there’s no BYOD, then they can sell more phones.

But in the long term, their overall management and security strategy has benefited the enterprise immensely—for example, device encryption and OS updates have always been easy.

For now, we need to just keep on giving feedback about what we need, and dealing with whatever comes our way.
