How Apple Protects Your iPhone from Your Employer
In the deep dark past, when you used technology at work, you used what your employer gave you. In recent years, that has started to change, with the emergence of a concept called “Bring Your Own Device” (BYOD) where employees use their own hardware and the IT infrastructure of the organization adapts. Both the rise of BYOD and the ways IT has adjusted are in large part due to Apple’s influence, as I’ll explain.
But first, so you have a sense of what it was like until recently, here’s what I went through a mere 7 years ago. My mobile phone, BlackBerry (yes, I juggled both), and my computer were all owned and managed by my employer (Gartner). While someone who was non-technical might have been well served by having everything provided, it was frustrating for me, since I was restricted to approved devices, and they rarely matched what I would have chosen for myself. That said, Gartner was actually pretty good, giving me a decent choice of dumb phones and a relatively up-to-date BlackBerry. My laptop was an IBM (later, Lenovo) ThinkPad, replaced every 3 to 4 years.
Not only did I not get to choose my devices, but I also had no control over how they were configured. I could install most of the software I wanted on the ThinkPad, although some restrictions forced me to keep a particular configuration. For example, I made sure to eat lunch at noon every Wednesday when the antivirus scan kicked off and my laptop became unusable.
Having more of a technical bent than many of my colleagues, I managed to remove most of the corporate management and tune the computer to my needs. Then, after Apple released the first Intel-based MacBook Pro, I bought one for myself, virtualized my work computer and moved it to the MacBook Pro, and flaunted my newfound freedom at work events. I’m still not entirely certain how I managed to get away with that.
Since those days, we’ve seen an explosion of employee-owned devices in the workplace — hence the “Bring Your Own Device” phrase. Much of this was driven first by Apple’s Macs and iOS devices, later joined by Android-based smartphones and tablets, along with other platforms. Knowledge workers in particular expect more freedom to choose and configure the tools they need for their jobs.
Five years ago when I walked into a major corporation for a meeting, I generally had the only Mac in the room. These days Macs are a common sight, as are a range of smartphones. Sometimes companies allow employees to bring their own devices to enhance their productivity; at other times, having employees provide their own hardware is seen more as a way to cut costs.
As great as BYOD is for most employees, who hate having to carry and manage multiple mobile phones and laptops, it’s often a hassle for the IT department. Although many IT people personally appreciate the freedom to use whatever device one wants, such freedom drastically complicates support, compliance, auditability, and security. The compromise has been to force device management onto employee-owned devices through a variety of techniques, many of which degrade the native device user experience.
Apple’s BYOD Philosophy — With the release of iOS 7, Apple now divides business customers into two categories. There is BYOD, and there are enterprise-owned devices, with nearly completely different security and management models for each, defined by ownership of the device.
In Apple’s BYOD model, users own their iOS devices, their employers own work data and apps on the devices, and the user experience never suffers. Users allow the enterprise space on their devices, and the enterprise allows the user access to enterprise resources. No dual personas. No virtual machines. It’s a seamless experience, with data and apps intermingled, yet sandboxed apart from each other across the personal/work divide. The split is so clear that it is actually difficult for the enterprise to implement supervised mode on an employee-owned device, and employee data is always protected from IT department interference or snooping. This model is far from perfect today, with one major gap (AirDrop), but iOS 7 is a clear expression of this direction.
In contrast, when the enterprise owns the iOS devices, Apple changes gears to give absolute control to the IT department, even down to the experience of setting up a new device. Organizations can remove or degrade features as necessary, but the devices will, to the extent that’s allowed, still provide the complete iOS experience.
Here are a few examples to highlight the different models.
On employee-owned devices:
- The enterprise sends a Configuration Profile that the user can choose to accept or decline.
- If the user accepts the Configuration Profile, certain minimal security can be required, such as passcode settings.
- The user gains access to corporate email, but she can’t move messages to other email accounts without permission.
- The enterprise can install managed apps, which can be set to allow data to flow only between them and managed accounts. These can be internal enterprise apps, or enterprise licenses for apps from the App Store. If the enterprise pays for it, the enterprise owns it.
- Apart from the corporate email and enterprise-managed apps, the user otherwise controls all her personal accounts, apps, and information on the device.
- All this is done without exposing any user data (like personal email or an iTunes Store account) to the enterprise.
- If the user opts out of enterprise control (which can be done at any time), she loses access to all enterprise features, accounts, and apps. The enterprise can also erase its footprint remotely, whenever it wants (such as in the event of a layoff).
- The device remains tied to the user’s iCloud account, including Activation Lock, to prevent anyone, even the enterprise, from taking the device and using it without permission.
- However, the enterprise can still initiate a remote device wipe, making it important for the user to keep independent backups.
On enterprise-owned devices:
- The enterprise controls the entire provisioning process, potentially from even before the box is opened (if the device was purchased through a special Apple program).
- When the user first opens the box and turns the provided device on, the entire experience is managed by the enterprise, even down to which setup screens display.
- The enterprise controls all apps, settings, and features of the device. That includes even disabling the camera or restricting network settings to prevent access to external Wi-Fi networks.
- The device can never be associated with a user’s iCloud account for Activation Lock; the enterprise owns it.
This model is quite different from how security and management were handled on iOS 6, and runs deeper than most people realize. While there are gaps, especially in the BYOD controls, it’s safe to assume these will slowly be cleaned up over time following Apple’s usual iterative improvement process. The big hole today is that the enterprise can’t restrict AirDrop or certain other sharing options through which data could leak off a device.
How Apple Enables Device Management — There are five key features that Apple uses to implement these two models of device ownership:
- Supervised Mode enables an organization to control an iOS device completely. It lets the IT department manage all settings, what apps can be installed and run, what kinds of networks can be accessed, and even which screens you see when setting up a new device. This is the option for enterprise-owned devices, and is used for everything from iPhones provided to employees to iPads used by classrooms or in store displays. Supervised mode can be triggered by connecting the device to a Mac and using the Apple Configurator utility, or by purchasing the device through a special Apple program. Once enabled, supervised mode can be disabled only by reconnecting it to the same Mac and turning it off with Apple Configurator.
- A Configuration Profile is a small file placed on an iOS device to manage certain settings. It’s the hook an organization uses to tie a device into its Mobile Device Management (MDM) system, using some standard connection methods provided by Apple (push notifications to trigger updates, and a Mobile Device Management API for managing settings). The Configuration Profile is what allows an employee-owned device to access enterprise email and other resources, and in exchange it can enforce certain settings (like the aforementioned passcode requirement). But Apple never exposes any of a user’s personal information, apps, or accounts back through this channel, and the user can remove the profile at any time (and thus lose access to work resources).
- Apple’s Volume Purchase Program enables organizations to purchase apps, books, and other iTunes content in volume, and then hand licenses out to employees. When a license is given to an employee-owned device, Apple ties together the user’s personal Apple ID with the organization’s licenses so users can download the apps from the App Store directly, without their personal information being permanently tied to work, or otherwise exposed. Alternatively, MDM can automatically push these apps onto a device, so the user doesn’t need to install everything manually. When you leave a job and the enterprise reclaims its license, you have a period of time to purchase your own version of the app before it is removed from your device.
- Managed Accounts are your work email, calendar, and contacts accounts. Although these accounts are still accessed using the native Mail, Calendar, and Contacts apps, the enterprise, using MDM and the Configuration Profile, can lock these accounts down so you can’t move email messages or other content into folders of your personal accounts. It can also restrict the apps in which you can open email attachments to Managed Apps.
- Managed Apps are apps licensed on your device through the Volume Purchase Program, or apps written by and distributed directly by the enterprise outside the App Store. An enterprise can designate Managed Apps and then restrict them to exchange data only with other Managed Apps, or with Managed Accounts. Managed Apps can also pull down configuration settings for both mundane options and those that the enterprise cares about deeply, such as tying the app back to an enterprise server.
Here’s how it all fits together. An enterprise-owned device is fully managed and restricted. That’s entirely appropriate for many types of organizations.
But when it’s not, when BYOD is in play, the employee accepts a Configuration Profile, which establishes certain device settings. These may include access to a work mail server and apps licensed by the organization. The organization can then keep all work-related material within a sandbox of a sort, allowing it to be accessed only by Managed Accounts and Managed Apps. The device owner has to opt into this, can opt out any time, and doesn’t have to worry about the IT department being able to snoop in personal accounts or data.
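To make the Configuration Profile and Managed Apps pieces concrete, here is an added example (mine, not code from the article or the whitepaper) that builds a minimal BYOD-style .mobileconfig with a passcode payload and the managed open-in restrictions, and then audits a profile the way a device owner might before accepting it: is it user-removable, what does it enforce, and does it carry restrictions Apple only honours on supervised devices (the AirDrop gap above). The payload types and keys come from Apple’s Configuration Profile Reference; the organization name and identifiers are constructed placeholders.

```python
import plistlib
import uuid

# Payload types from Apple's Configuration Profile Reference.
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"
# Restriction keys that only take effect on supervised (enterprise-owned)
# devices; on a BYOD device they are silently ignored.
SUPERVISED_ONLY = {"allowAirDrop"}


def _payload(ptype, ident, name, **content):
    """Common envelope every payload dictionary in a profile carries."""
    p = {"PayloadType": ptype, "PayloadIdentifier": ident,
         "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
         "PayloadDisplayName": name}
    p.update(content)
    return p


def build_byod_profile(org="Example Corp", extra_restrictions=None):
    """Minimal BYOD profile: passcode policy plus managed open-in rules."""
    ident = "com.example.byod"  # constructed identifier, not a real org
    # Managed accounts/apps may not hand data to unmanaged apps, but
    # personal data may still flow into the managed side.
    restrictions = {"allowOpenFromManagedToUnmanaged": False,
                    "allowOpenFromUnmanagedToManaged": True}
    restrictions.update(extra_restrictions or {})
    payloads = [
        _payload(PASSCODE, ident + ".passcode", "Passcode",
                 forcePIN=True, minLength=6, maxFailedAttempts=10,
                 maxInactivity=5),
        _payload(RESTRICTIONS, ident + ".restrictions", "Managed open-in",
                 **restrictions),
    ]
    top = _payload("Configuration", ident, org + " BYOD")
    top["PayloadContent"] = payloads
    top["PayloadRemovalDisallowed"] = False  # user may remove it at any time
    return plistlib.dumps(top, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Summarise what a .mobileconfig would do to the device it lands on."""
    top = plistlib.loads(data)
    report = {"removable": not top.get("PayloadRemovalDisallowed", False),
              "payload_types": [], "supervised_only_keys": []}
    for p in top.get("PayloadContent", []):
        report["payload_types"].append(p["PayloadType"])
        if p["PayloadType"] == RESTRICTIONS:
            report["supervised_only_keys"] += sorted(
                k for k in p if k in SUPERVISED_ONLY)
    return report
```

Feed `audit_profile` the bytes of any .mobileconfig you are asked to install; a profile with `PayloadRemovalDisallowed` set, or with supervised-only keys, is one written for an enterprise-owned device rather than for BYOD.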
This may sound obvious and sensible, but it’s a new development with iOS 7. Previously, the options were quite different. The organization could always fully manage a device, and some tried to force employees into handing over control of their personal devices since there were no other good management options. As an alternative, an employee could still install a Configuration Profile that would implement organizational settings, but there was no way for the organization to restrict which apps accessed corporate data, and many settings could significantly degrade the iOS user experience. Some enterprises instead installed custom apps to replace Mail and lock down corporate data, but this irritated many users who preferred the native
With BYOD in iOS 7, Apple split the difference. Organizations can protect their property, employees can use their own devices, and everyone enjoys the full iOS experience, with no compromises. It’s a new way to look at BYOD, and one I suspect will be quite popular with both users and IT departments.
If you want more technical details on how this works, take a look at my new whitepaper Defending Data on iOS 7.
What is the current application for creating and managing Configuration Profiles for employee-owned devices?
The iPhone Configuration Utility is still version 3.5 from March 2012, so it dates to iOS 5 and is lacking controls for current features. The Apple Configurator from the Mac App Store is for employer-owned devices, because it totally takes over its managed devices.
I had found that in helping family members set up their iOS devices, the iPhone Configuration Utility is convenient to make Configuration Profiles with things like Mail and WiFi settings. I can update settings just by sending the family member a new Configuration Profile. I'd really like to know the up-to-date way to do this.
The Apple Configurator app in the app store replaced the iPhone config utility.
Because "the enterprise can still initiate a remote device wipe" I still do not allow them to install their profile on my device. If my company wants to insist that I read their email and carry their work calendar in my pocket out of office hours, they can damn well buy me a phone. Otherwise, too bad, I'll find out about it when I'm in the office.
I wondered about that, too. If "[t]he enterprise can also erase its footprint remotely, whenever it wants", then under what circumstances would there still be a need for the capability to initiate a remote device wipe?
Can you comment on (a) how the application called "Afaria" changes all this, and (b) if one is in a BYOD situation and leaves that employer, how does one remove the employer's ability to remote-wipe the device? Thanks!