This article originally appeared in TidBITS on 2014-02-13 at 5:09 a.m.
The permanent URL for this article is:
Include images: Off

How Apple Protects Your iPhone from Your Employer

by Rich Mogull

In the deep dark past, when you used technology at work, you used what your employer gave you. In recent years, that has started to change, with the emergence of a concept called “Bring Your Own Device” (BYOD) where employees use their own hardware and the IT infrastructure of the organization adapts. Both the rise of BYOD and the ways IT has adjusted are in large part due to Apple’s influence, as I’ll explain.

But first, so you have a sense of what it was like until recently, here’s what I went through a mere 7 years ago. My mobile phone, BlackBerry (yes, I juggled both), and my computer were all owned and managed by my employer (Gartner). While someone who was non-technical might have been well served by having everything provided, it was frustrating for me, since I was restricted to approved devices, and they rarely matched what I would have chosen for myself. That said, Gartner was actually pretty good, giving me a decent choice of dumb phones and a relatively up-to-date BlackBerry. My laptop was an IBM (later, Lenovo) ThinkPad, replaced every 3 to 4 years.

Not only did I not get to choose my devices, but I also had no control over how they were configured. I could install most of the software I wanted on the ThinkPad, although some restrictions forced me to keep a particular configuration. For example, I made sure to eat lunch at noon every Wednesday when the antivirus scan kicked off and my laptop became unusable.

Having more of a technical bent than many of my colleagues, I managed to remove most of the corporate management and tune the computer to my needs. Then, after Apple released the first Intel-based MacBook Pro, I bought one for myself, virtualized my work computer and moved it to the MacBook Pro, and flaunted my newfound freedom at work events. I’m still not entirely certain how I managed to get away with that.

Since those days, we’ve seen an explosion of employee-owned devices in the workplace — hence the “Bring Your Own Device” phrase. Much of this was driven first by Apple’s Macs and iOS devices, later joined by Android-based smartphones and tablets, along with other platforms. Knowledge workers in particular expect more freedom to choose and configure the tools they need for their jobs.

Five years ago when I walked into a major corporation for a meeting, I generally had the only Mac in the room. These days Macs are a common sight, as are a range of smartphones. Sometimes companies allow employees to bring their own devices to enable them to enhance their productivity; at other times, having employees provide their own hardware is more seen as a way to cut costs.

As great as BYOD is for most employees, who hate having to carry and manage multiple mobile phones and laptops, it’s often a hassle for the IT department. Although many IT people personally appreciate the freedom to use whatever device one wants, such freedom drastically complicates support, compliance, auditability, and security. The compromise has been to force device management onto employee-owned devices through a variety of techniques, many of which degrade the native device user experience.

Apple’s BYOD Philosophy -- With the release of iOS 7, Apple now divides business customers into two categories. There is BYOD, and there are enterprise-owned devices, with nearly completely different security and management models for each, defined by ownership of the device.

In Apple’s BYOD model, users own their iOS devices, their employers own work data and apps on the devices, and the user experience never suffers. Users allow the enterprise space on their devices, and the enterprise allows the user access to enterprise resources. No dual personas. No virtual machines. It’s a seamless experience, with data and apps intermingled, yet sandboxed apart from each other across the personal/work divide. The split is so clear that it is actually difficult for the enterprise to implement supervised mode on an employee-owned device, and employee data is always protected from IT department interference or snooping. This model is far from perfect today, with one major gap (AirDrop), but iOS 7 is a clear expression of this direction.

In contrast, when the enterprise owns the iOS devices, Apple changes gears to give absolute control to the IT department, even down to the experience of setting up a new device. Organizations can remove or degrade features as necessary, but the devices will, to the extent that’s allowed, still provide the complete iOS experience.

Here are a few examples to highlight the different models.

On employee-owned devices:

On enterprise-owned devices:

This model is quite different from how security and management was handled on iOS 6, and runs deeper than most people realize. While there are gaps, especially in the BYOD controls, it’s safe to assume these will slowly be cleaned up over time following Apple’s usual iterative improvement process. The big hole today is that the enterprise can’t restrict AirDrop or certain other sharing options through which data could leak off a device.

How Apple Enables Device Management -- There are five key features that Apple uses to implement these two models of device ownership:

Here’s how it all fits together. A enterprise-owned device is fully managed and restricted. That’s entirely appropriate for many types of organizations.

But when it’s not, when BYOD is in play, the employee accepts a Configuration Profile, which establishes certain device settings. These may include access to a work mail server and apps licensed by the organization. The organization can then keep all work-related material within a sandbox of a sort, allowing it to be accessed only by Managed Accounts and Managed Apps. The device owner has to opt into this, can opt out any time, and doesn’t have to worry about the IT department being able to snoop in personal accounts or data.

This may sound obvious and sensible, but it’s a new development with iOS 7. Previously, the options were quite different. The organization could always fully manage a device, and some tried to force employees into handing over control of their personal devices since there were no other good management options. As an alternative, an employee could still install a Configuration Profile that would implement organizational settings, but there was no way for the organization to restrict which apps accessed corporate data, and many settings could significantly degrade the iOS user experience. Some enterprises instead installed custom apps to replace Mail and lock down corporate data, but this irritated many users who preferred the native apps.

With BYOD in iOS 7, Apple split the difference. Organizations can protect their property, employees can use their own devices, and everyone enjoys the full iOS experience, with no compromises. It’s a new way to look at BYOD, and one I suspect will be quite popular with both users and IT departments.

If you want more technical details on how this works, take a look at my new whitepaper Defending Data on iOS 7 [2].