The professional use of personal devices can be an attractive approach for companies and employees. But so far, data protection has been a problem – for companies as well as for employees. To ensure the protection of corporate data, many companies rely on a Unified Endpoint Management (UEM) solution that can securely manage the devices and data. On iOS, however, UEM impaired the protection of personal data, because the UEM had extensive access to the device, including personal data.
Many users refused to install a UEM client on their devices. Business use of the devices was therefore not possible or entailed a risk in terms of data protection. And this is exactly why many companies have decided not to adopt the use of BYOD devices.
iOS 13 introduces a completely new way of enrollment, with a major change that takes care of users' privacy: User Enrollment, a fundamentally new form of device management at Apple.
We will show you why you can now integrate private devices into your device landscape with iOS 13.
What is BYOD?
Bring Your Own Device (BYOD) – this approach allows employees to use their personal devices for business purposes. At first glance, an advantage for the employee and the company: employees can work with the devices of their choice and do not have to carry multiple devices around. Employers save on device costs and increase their employer attractiveness through the flexibility they offer their employees. But what about the security of company data and the protection of personal data? Privacy continues to be a concern in this scenario.
BYOD scenarios require clear guidelines
If personal devices are used for business purposes, they could have access to the company's IT infrastructure and sensitive data. A comprehensive security concept is required. It should give employees clear guidelines for the professional use of private devices (for example for passwords, screen locking, anti-virus protection, operating system updates, and app updates) and make them aware of their own responsibility for protecting sensitive data. iOS 13 introduces the so-called User Enrollment. This puts a much greater focus on BYOD and user privacy, which makes it a major step forward in data protection for both users and businesses.
Until now, the UEM profile had extensive access to the device. This was inconvenient for many users, who as a result did not want to put their device under the management of a UEM solution.
On an iOS 13 device enrolled using User Enrollment, a UEM will, for example, no longer be able to do the following:
- Gain insight into the installed applications or the device identifier
- Erase the device and the device password
- Define complex password requirements
However, the UEM can still do everything that is necessary to manage the enterprise applications, accounts, and data, e.g.:
- Install and configure enterprise apps
- Force a passcode
- Query data relevant for enterprise applications, certificates, and profiles
With iOS 13, data of managed applications is stored separately from user data, in a managed and encrypted APFS volume that is created during registration and deleted when the device is unenrolled.
With iOS 13, enterprise data, apps and policies are no longer bound to a single device, but to a Managed Apple ID that can be created through Apple Business Manager and optionally connected to Microsoft Azure Active Directory using Security Assertion Markup Language (SAML). Users can use their AD user credentials as a Managed Apple ID and log on to the device.
The user registration process is streamlined with iOS 13, as the interface is clearer and the dialog is simplified. The UEM system makes available for download the profile for which the Managed Apple ID is stored as a reference to the user. After the download, the user selects the profile in the settings and performs the installation. In the last step, the user authenticates to the UEM with the Managed Apple ID.