Apple and Google simplify BYOD management with new OSes
IT must weigh user privacy and endpoint security when it shapes its BYOD policies. Luckily, new features in iOS 13 and Android Q make this balance easier for IT to strike.
Organizations with a BYOD policy may find that it helps with lowering costs, but BYOD forces IT to address issues such as data leakage and user privacy.
Enterprise mobility management (EMM) and unified endpoint management (UEM) platforms accommodate BYOD with features such as mobile app wrapping and mobile app containers, but these capabilities involve trade-offs. They can give an IT department more control over the device than users are comfortable with, or too little control to guarantee the safety of the organization's data.
App inventory and device location are just two examples of data that users may want to keep out of IT's hands. Recent feature announcements for Android Q and iOS 13, however, show that both Apple and Google have taken significant steps toward addressing the balance of security and privacy for BYOD management.
Google added several key features in Android Q to improve BYOD management for IT, including the following controls and policies:
Screen lock quality check
In Android Q, IT can use third-party security applications to determine the complexity of the device unlock code and establish its own unlock code thresholds before granting access to corporate resources.
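The screen lock check described above works on complexity bands rather than on the unlock code itself: the OS classifies the credential, and the security app only learns which band it falls into, so the passcode never leaves the device. The following added example (not code from the article, Google or any EMM vendor) shows the classification and the gate a security app would apply. The band names and the rules for each band follow Android's documented password complexity bands as I understand them (pattern or sequence-based PIN is low; four-character non-sequence PIN or four-character password is medium; eight-digit PIN or six-character password is high) and should be treated as an assumption; on a real device the app would call `DevicePolicyManager.getPasswordComplexity()` instead of inspecting the credential.

```python
from enum import IntEnum


class Complexity(IntEnum):
    # Ordered bands; values mirror Android's PASSWORD_COMPLEXITY_* constants (assumption).
    NONE = 0
    LOW = 0x10000
    MEDIUM = 0x30000
    HIGH = 0x50000


def _is_repeating_or_ordered(pin: str) -> bool:
    """True for PINs such as 4444, 1234, 4321 or 2468: one digit repeated, or a constant step."""
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1  # a single constant step means an ordered sequence


def classify(credential: str, kind: str = "auto") -> Complexity:
    """Place a credential into a complexity band.

    kind: "auto" (infer pin/alphabetic/alphanumeric from the characters),
          "pattern" (swipe pattern; always low), or "none" (no screen lock).
    """
    if kind == "none" or not credential:
        return Complexity.NONE
    if kind == "pattern":
        return Complexity.LOW

    if credential.isdigit():
        # PIN: sequences are low; otherwise length decides the band.
        if _is_repeating_or_ordered(credential):
            return Complexity.LOW
        if len(credential) >= 8:
            return Complexity.HIGH
        if len(credential) >= 4:
            return Complexity.MEDIUM
        return Complexity.LOW

    # Alphabetic or alphanumeric password: length decides the band.
    if len(credential) >= 6:
        return Complexity.HIGH
    if len(credential) >= 4:
        return Complexity.MEDIUM
    return Complexity.LOW


def meets_policy(reported_band: Complexity, required: Complexity) -> bool:
    """The gate a security app applies: it only ever sees the band, never the code."""
    return reported_band >= required


def evaluate_fleet(devices: dict, required: Complexity) -> dict:
    """Return device -> allowed/denied for a set of reported bands (constructed input)."""
    return {name: meets_policy(band, required) for name, band in devices.items()}


if __name__ == "__main__":
    # Constructed sample: bands as the OS would report them for a few devices.
    fleet = {
        "phone-a": classify("1234"),        # ordered PIN -> LOW
        "phone-b": classify("7391"),        # 4-digit non-sequence PIN -> MEDIUM
        "phone-c": classify("73914826"),    # 8-digit non-sequence PIN -> HIGH
        "phone-d": classify("Tr0ub4dor"),   # alphanumeric, 9 chars -> HIGH
        "phone-e": classify("", "none"),    # no lock -> NONE
    }
    for device, allowed in evaluate_fleet(fleet, Complexity.HIGH).items():
        print(f"{device}: {'allow' if allowed else 'deny'} corporate access")
```

The threshold is the only value IT configures; because the comparison happens on the band, the same gate works whether the user chose a PIN or a password, and no unlock code ever needs to be stored or logged by the EMM.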
Personal and work calendar sync
Separate calendars for personal events and work matters are great for security, but don't allow users to check their work appointments through smartwatches, Android Auto or other accessory devices. Android Q's calendar sync will enable users to access their schedules without a connection to the corporate network.
Focus Mode
Users may become distracted by social media and other personal app notifications when they work on a personal device. Focus Mode allows users to mute these distractions while they are on the clock without having to delete or disable their personal apps.
Block unknown sources on work profile devices
Work profiles are great for segregating business apps from personal ones, but if users can access third-party app stores, the chances of malware infection increase significantly. With Android Q's BYOD management, admins can block access to these third-party app stores without taking control of the entire device.
Keyboard settings and app timers
If users have a preference for a particular keyboard, IT can apply their personal keyboard settings to a work profile. When users do not have the discipline to use Focus Mode, IT can employ app timers to prevent users from spending excessive time on personal apps. This feature still requires user setup, so IT needs the user to opt into such a policy.
Apple's iOS 13 introduces User Enrollment, which is an entirely new method of BYOD management with the following features:
Segregated app management
IT admins can install apps and accounts, but they have no visibility of personal apps and cannot apply app restrictions to them. Managed open-in keeps sensitive data out of the unmanaged part of the device, ensuring that users don't open business files in personal apps. IT can require biometrics for single sign-on as well, even for business apps.
EMM or UEM overreach restrictions
This new feature prevents IT from erasing users' private content without restricting IT's ability to erase data and apps from the managed part of the device. IT does not get access to device identifiers such as the serial number and the International Mobile Equipment Identity (IMEI) number through an EMM or UEM. IT cannot examine users' personal passwords and passcodes through EMM or UEM, which helps users ensure their personal passwords remain secure.
IT professionals cannot convert personal apps that the user installed on their own to managed apps. They can store business apps and data in a dedicated Apple File System location to ensure complete segregation of work and personal information. IT cannot set device-wide VPN requirements through an EMM or UEM either, ensuring that user traffic is not monitored or redirected.