In 2013, Apple’s introduction of built-in mobile app management frameworks in iOS 7 was an important turning point for EMM. It democratized MAM by taking features that previously required SDKs or app wrapping and making them available to any mobile device management provider. From that point on, iOS could better accommodate BYOD and dual work and personal usage. (For a full look at the state of MAM, and to learn about the pros and cons of the type of MAM that’s built into iPhones and iPads, see this series here.)
In recent years, most of Apple’s MDM improvements have focused on institutional devices. For example, Apple has continually enhanced Supervised Mode, a subset of MDM features designed for corporate devices; it has rolled out and fine-tuned the Device Enrollment Program, to simplify mass provisioning; it has revamped the Apple Configurator tool; and for education customers it introduced Apple School Manager and Shared iPad, iOS’s first multi-user mode.
Apple needs to cycle back and make another set of upgrades to iOS’s BYOD and work/personal management capabilities. There are multiple reasons why:
- MAM still isn’t perfect and doesn’t cover all use cases.
- There are still privacy issues with BYOD.
- Devices can only connect to one MDM server at a time.
- Android now has better BYOD/work/personal capabilities than iOS.
- It’s just time.
Let’s look at the current state of iOS, what the issues are, and what Apple could do to fix them.
The present state of BYOD and work/personal in iOS
This is about to get detailed: As I mentioned, iOS 7 extended MDM capabilities by introducing several important new MAM features, including:
- Per-app VPN;
- Managed open-in, to control document sharing between work and personal apps and accounts;
- Managed app configuration and feedback;
- SSO (for Kerberos environments);
- Restrictions to stop work apps from using iCloud.
These were on top of previous MDM features that cater to BYOD and work/personal usage:
- The MDM protocol has a concept of variable remote access rights, so that the scope of management can be varied.
- During MDM enrollment, a disclaimer message explains the scope of these remote access rights (albeit in fairly general terms). The user is told: “Installing this profile will allow the administrator at [MDM server] to remotely manage your iPhone. The administrator may collect personal data, add/remove accounts and restrictions, list, install, and manage apps, and remotely erase data on your iPhone.” After tapping Install, a popup dialog asks for confirmation: “Do you trust this profile’s source to enroll your iPhone into remote management?”
- MDM is prevented from seeing personal content, including photos, messages, email contents, call logs, notes, reminders, frequency of app usage, and location. (MDM servers generally obtain location data through separate agent apps; in the familiar iOS privacy prompt, users must explicitly grant permission.)
- While MDM can view all the apps installed on the device, as well as install and remove in-house and App Store apps, it cannot remove user-installed apps. (Blacklisting is done indirectly.)
- MDM can be removed at any time by the user or the institution, and doing so will remove all work apps and accounts.
- (Note that some of this functionality is different under Supervised Mode, but supervision is intended only for institutionally-owned devices.)
In the last few years, iOS 8 added controls for iBooks, PDFs, and app extensions; iOS 9 added controls for AirDrop; and iOS 10 added the CallKit API, which enhances the user experience for third-party phone apps, making split work/personal calling more attractive. In addition, some MDM settings have been deprecated so that they are only available in Supervised Mode, including restrictions on app installation/removal, FaceTime, Safari, iTunes, explicit content, iCloud, and gaming. (For reference, here’s Apple’s guide to iOS MDM.)
What does iOS MDM lack for BYOD and work/personal usage?
While Apple has made many welcome improvements to MDM, the features introduced in iOS 8, 9, and 10 have failed to keep up with the needs of BYOD and work/personal usage. Let’s go down the list.
There are many more MAM features, common in other types of MAM, that would be good to have in iOS, such as the ability to:
- Restrict additional forms of data sharing, like copy/paste and screenshots.
- Use a managed app for both work and personal purposes. Today, unless a given app has the functionality built in (like in Mail or other third-party apps) it can only be used in one context at a time.
- Easily manage notifications for all work apps and accounts at once.
- Place a passcode or TouchID challenge in front of work apps.
Some things MDM can do are still fairly invasive for personal devices:
- It can poll the device to find out what apps a user has installed.
- It can erase the device.
- It can configure a device-wide VPN to automatically connect under predefined conditions.
- There are still many device-wide restrictions that users may object to.
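The variable remote access rights mentioned earlier and the invasive capabilities listed just above both live in the enrollment profile the user installs, so an administrator or privacy reviewer can inspect them before approving a BYOD rollout. The script below is an added example, not code from the original article or from any EMM vendor: it parses a constructed sample enrollment profile, decodes the AccessRights bitmask of the com.apple.mdm payload (bit values as documented in Apple's MDM protocol reference), flags the rights the article calls invasive on a personal device (my own grouping, not an Apple category), and checks whether the managed open-in and managed-app iCloud restrictions are set. The profile identifiers, the server host and the "BYOD-friendly" expectations are placeholders and assumptions of this example.

```python
import plistlib

# Bit values of the AccessRights field in the com.apple.mdm payload,
# as documented in Apple's MDM protocol reference.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Assumption of this example: the rights the article singles out as
# invasive on a personal device (remote erase, polling installed apps).
INVASIVE_BITS = {8: "remote erase", 256: "poll installed apps"}

# Managed open-in / managed-app iCloud keys of the com.apple.applicationaccess
# payload, with the value a BYOD-oriented profile would set (assumption).
# iOS treats a missing key as permissive (True).
EXPECTED_RESTRICTIONS = {
    "allowOpenFromManagedToUnmanaged": False,
    "allowManagedAppsCloudSync": False,
}

# Constructed sample enrollment profile; UUIDs and host are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.enrollment</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.enrollment.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.test/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.example</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.enrollment.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <key>allowOpenFromUnmanagedToManaged</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def payloads_of_type(profile, payload_type):
    """Return every payload dict in the profile with the given PayloadType."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def decode_access_rights(mask):
    """Translate an AccessRights bitmask into the rights it grants, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def audit_profile(data):
    """Summarise what an enrollment profile lets the MDM server do on the device."""
    profile = plistlib.loads(data)
    report = {"access_rights_mask": None, "access_rights": [],
              "invasive": [], "restriction_gaps": []}
    for mdm in payloads_of_type(profile, "com.apple.mdm"):
        mask = int(mdm.get("AccessRights", 0))
        report["access_rights_mask"] = mask
        report["access_rights"] = decode_access_rights(mask)
        report["invasive"] = [name for bit, name in INVASIVE_BITS.items() if mask & bit]
    restrictions = {}
    for payload in payloads_of_type(profile, "com.apple.applicationaccess"):
        restrictions.update(payload)
    for key, wanted in EXPECTED_RESTRICTIONS.items():
        if restrictions.get(key, True) != wanted:  # missing key = permissive default
            report["restriction_gaps"].append(key)
    return report


def is_byod_friendly(report):
    """True only if no invasive right is requested and every expected restriction is set."""
    return not report["invasive"] and not report["restriction_gaps"]


if __name__ == "__main__":
    result = audit_profile(SAMPLE_PROFILE)
    for line in result["access_rights"]:
        print("grants:", line)
    print("invasive:", result["invasive"])
    print("restriction gaps:", result["restriction_gaps"])
    print("BYOD-friendly:", is_byod_friendly(result))
```

Running it against the sample shows the point of the article's list: a mask of 8191 requests every right, including erase and app inventory, and the profile omits the managed-app iCloud restriction, so the audit reports it as not suited to a personal device. A reviewer can feed a real .mobileconfig export into audit_profile the same way.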
Another issue is that iOS devices can only connect to one server at a time. In the spreading gig economy, this is a limitation.
Finally, iOS simply doesn’t treat privacy and consent for MDM nearly as carefully as it treats privacy and consent for commercial apps. With MDM, users must accept all the conditions at once, and more detailed explanations about MDM functionality and privacy are left up to individual EMM providers. (Some do an admirable job of this, others do not.)
How to make iOS MDM better for BYOD and work/personal usage
There are several steps Apple could take to make iOS MDM better for BYOD and work/personal usage.
First, the enrollment UI could be modified to be more friendly and to explain more clearly what the MDM server can and cannot do. (In contrast to the present state of MDM, commercial apps that access sensitive data must now let the user know why.) On an ongoing basis, information about MDM could be placed under Settings/Privacy. Currently, this information is hidden several layers deep in other menus.
Overall, the MAM feature set could be expanded to cover more items listed in the previous section.
MDM could also be adapted to allow connections to multiple institutions (i.e. connect to multiple servers). The same concepts that keep work and personal data separate could be used to corral data from multiple companies.
Finally, Apple could bring these features together into a new MDM mode that’s more appropriate for BYOD:
- This could be de facto, by creating a clearer and more informative user experience and encouraging EMM providers to use minimal remote access rights.
- Or more MDM controls and restrictions could be deprecated to Supervised Mode, such as remote wipe, polling installed apps, device-wide VPN on demand, and other restrictions.
- Apple could leave the current MDM mode as is, but create a new “BYOD Mode,” with limited device-wide controls.
Will this happen?
I proposed similar ideas a few years ago. At the time, it was probably still too early for enough of the enterprise to be worried about these issues. But today, the need is clearer. As EMM spreads, concerns about BYOD privacy aren’t going away, and MAM still isn’t perfect. At the same time, iOS’s built-in MAM has fallen behind Android, which has a more progressive BYOD model.
Apple’s MDM protocol is powerful and elegant for many use cases. However, Apple could go farther and make BYOD easier and cover more MAM scenarios. Now is the time for another big step forward. The Worldwide Developers Conference is only 5 months away; I’ll be watching.