For years Apple has been steadily advancing the enterprise mobility management features in iOS. The next steps should be to let devices connect to multiple MDM servers, and to do so in a way that emphasizes app management, not device-wipe policies.
Why we need another way to do MDM
Everybody was really excited about the mobile app management features that came out with iOS 7, and rightly so: they let IT use MDM to apply granular policies to specific apps. This meant that instead of using only special enterprise versions of apps to do MAM, any app from the App Store—including popular, best-of-breed apps—could have MAM policies applied to it.
However, there are some limitations with this approach. First, iOS devices can only be connected to one remote MDM server at a time. This means that people who work for multiple companies can’t take full advantage of MDM. For example, think of doctors who work in multiple hospitals. There are also many companies that have multiple MDM products from different vendors. Another problem with using the built-in iOS MAM features is that they do rely on an MDM connection after all, which is generally associated with taking control of the entire device. This means you still have to deal with all the same privacy and liability concerns as with MDM.
But what if this wasn’t the case? What if you could connect iOS devices to multiple MDM servers, and have them interact with the device in a way that emphasizes app-level control, not device-level control? For now I’ll call this concept “Limited MDM.”
How “Limited MDM” could work
Thanks to all the effort Apple has put into iOS management, most of the frameworks and concepts for Limited MDM are already in place. In fact, there’s even a precedent for having different types of MDM. (We already have Supervised Mode in addition to regular MDM, so Limited mode would fit right in.)
iOS MDM can already manage several different types of entities that aren’t the whole device, including individual email accounts, apps, Safari domains, and even content (in the form of books and PDFs in the iBooks app). Limited MDM mode would simply focus on these entities and not device-wide configurations.
Going farther, MDM can also keep the content in these managed entities separate from personal apps. There’s the “managed open in” restriction, which prevents documents from managed apps, Safari Domains, and email accounts from being opened in unmanaged entities; VPNs can be configured just for managed apps and domains; emails from managed accounts can be blocked from being moved into other accounts; and managed apps can be blocked from backing up data to iTunes or iCloud. If MDM can keep all this content away from personal apps, then it should be just as easy to separate content in entities managed by different MDM servers.
Finally, iOS can already work with multiple Exchange accounts and accept configuration profiles from multiple sources. (Profiles from secondary sources, i.e. not the remote MDM server, must be installed manually.)
The main difference for Limited MDM mode would simply be to allow connections to multiple MDM servers.
With multiple MDM servers, the key would be to limit their rights so they don’t conflict with each other or take over the whole device. Instead, their visibility and control would need to be limited to just the managed entities they’re responsible for.
This shouldn’t be too hard, though. Indeed, the iOS MDM protocol already has provisions to limit the rights of the remote server; it’s just that in practice most MDM products are set up to take all the rights by default. To make Limited MDM mode work, certain device-wide rights would simply not be available at all.
For example, you probably wouldn’t want a Limited MDM server to be allowed to wipe the whole device or poll it for what other apps or configuration profiles are installed. These functions are the very liabilities that make MDM inappropriate for certain use cases in the first place.
Other device-wide policies, like encryption and passwords, might still have to apply, though. Here the device could default to whichever MDM server has the strictest policy. (This is how iOS handles multiple Exchange accounts.) The only way around this that I could think of is if Apple came up with some way of selectively partitioning devices, so that passwords and encryption could only be applied to entities managed by MDM. This seems like a pretty big leap, though.
One thing that might have to change for Limited MDM mode is how tightly MDM can control data sharing between managed entities. Since a Limited MDM server doesn’t have as much visibility or control over the rest of the device as regular MDM, it would need to have tighter control over what it does manage. For example, take screen captures and lockscreen notifications, which can be restricted for the entire device using regular MDM. For Limited MDM, they would have to be modified so that restrictions would only apply to managed entities. Apple might also have to consider restricting other features like cut and paste.
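To make the rules proposed in this section concrete, here is an added Python model (not code from the original post or from Apple) of how a device could arbitrate between several Limited MDM servers: device-wide commands are refused to Limited servers, a server can only act on the entities it manages, managed open-in is scoped per server, and passcode policies merge strictest-wins. The command names are real iOS MDM protocol commands; the server names and bundle IDs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Device-wide iOS MDM protocol commands; the post argues a Limited server must not issue them.
DEVICE_WIDE_COMMANDS = {"EraseDevice", "InstalledApplicationList", "ProfileList"}


@dataclass
class MdmServer:
    name: str
    limited: bool                 # True = the hypothetical "Limited MDM" mode
    managed_apps: frozenset       # bundle IDs this server is responsible for
    min_passcode_length: int = 0
    max_failed_attempts: Optional[int] = None   # None = no wipe-on-failure rule


def authorize(server: MdmServer, command: str, target_app: Optional[str] = None) -> bool:
    """Decide whether `server` may run `command` (optionally against one app)."""
    if server.limited and command in DEVICE_WIDE_COMMANDS:
        return False              # no wipe, no inventory of other apps or profiles
    if server.limited and target_app is not None and target_app not in server.managed_apps:
        return False              # visibility and control end at its own managed entities
    return True


def can_open_in(source_app: str, dest_app: str, servers) -> bool:
    """Managed open-in extended across servers: a managed app's documents may only be
    opened in apps managed by the same server; documents from unmanaged apps are unrestricted."""
    owners = {s.name for s in servers if source_app in s.managed_apps}
    if not owners:
        return True               # personal app: no restriction applies
    return any(dest_app in s.managed_apps for s in servers if s.name in owners)


def effective_passcode_policy(servers) -> dict:
    """Strictest policy wins, as the post notes iOS already does for multiple Exchange accounts."""
    limits = [s.max_failed_attempts for s in servers if s.max_failed_attempts is not None]
    return {
        "min_length": max(s.min_passcode_length for s in servers),
        "max_failed_attempts": min(limits) if limits else None,
    }


# Constructed sample: a doctor's device enrolled with two hospitals' Limited MDM servers.
HOSPITAL_A = MdmServer("hospital-a", True, frozenset({"com.example.ehr-a"}), 6, 10)
HOSPITAL_B = MdmServer("hospital-b", True, frozenset({"com.example.ehr-b"}), 8, None)
```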
Will it happen?
We can only guess what Apple’s plans are for MDM and MAM in iOS. And as I’ve written many times before, using built-in OS features is just one way to do MAM. Apps with built-in management that doesn’t depend on the device will continue to be important, if not grow in importance as more enterprise-specific apps get built.
But looking at the limitations of the built-in iOS MAM features today, along with the use cases and scenarios people talk about, I think the Limited MDM mode concept that I outlined could be an important tool for enterprise mobility management.