Apple’s iOS MDM protocol needs to get better for BYOD. Will iOS 12 finally fix it?

The iOS MDM experience for BYOD has fallen behind the latest versions of Android, and some customer needs aren’t being met. It’s time for some big changes in iOS device management.

For two or three years now, enterprise mobility folks have been quietly agreeing that iOS MDM needs a major update, so that it can better support BYOD. This is especially apparent in light of all the advancements in Android enterprise. I originally published this article on January 9, 2017; since then, iOS 10.3, iOS 11, and iOS 11.3 came and went with no huge changes. The 2018 WWDC and unveiling of iOS 12 are next week, so I updated this article, and I’m once again wondering if Apple will finally give iOS MDM the BYOD-oriented update it needs.

In 2013, a set of new management features in iOS 7 marked an important turning point for the whole EMM field: iOS 7 democratized mobile app management by taking features that previously required SDKs or app wrapping tools and making them available with any app and MDM server by building them into iOS and Apple’s MDM protocol. From that point on, iOS could better accommodate BYOD and dual work/personal usage, and MAM became much easier—it was a big deal.

(Quick side note: This didn’t mean that SDKs, app wrapping, and other app-level MAM tools went away, though. While iOS 7 brought many new options, MAM features built into apps remain essential for many use cases today.)

Since 2013, most of Apple’s MDM improvements have focused on institutional devices. For example, Apple has continually enhanced Supervised Mode, a subset of MDM features designed for corporate devices; it has rolled out and fine-tuned the Device Enrollment Program, to simplify mass provisioning; and for education customers, it introduced Apple School Manager and Shared iPad.

At the same time, improvements for BYOD use cases have been merely incremental, and Android enterprise has leapfrogged iOS MDM.

So, for a few years now, many of us in the EMM industry have believed that Apple needs to turn its enterprise attention back to BYOD and make a sweeping round of updates. Why? Mobile app management (of all types) still involves tradeoffs and doesn’t quite cover every single scenario yet; there are still privacy and usability issues with iOS MDM; iOS’s BYOD features are no longer state of the art; and it’s just plain time.

Today I’ll take a close look at the current BYOD-oriented features in iOS; where they need to improve; and what Apple could do.

The current state of iOS MDM for BYOD

The important new features in iOS 7 applied to apps that are installed by an MDM server, known as managed apps. They were:

  • Per-app VPN;
  • Managed open in;
  • App configuration and feedback;
  • SSO (based on Kerberos); and
  • The ability to prevent apps from using iCloud.

These were on top of existing MDM features that catered to BYOD and work/personal usage:

  • In iOS, the connection between a device and an MDM server can be configured so that the server has various remote management rights; in other words, the scope of what the server can do and see can be limited as needed. For example, it’s possible to block an MDM server from erasing a personal device or viewing the names of personal apps.
  • When a user enrolls their device in MDM, a system-generated message explains what rights the MDM server has and asks the user for permission to continue.
  • The MDM server can’t see most types of personal content, such as photos, messages, email contents, call logs, notes, reminders, frequency of app usage, or location.
  • MDM cannot directly remove or blacklist BYOD user-installed apps. (This has to be done indirectly.)
  • Users can always unenroll their device from MDM at any time, removing any restrictions and enterprise-provisioned resources.

More recent BYOD features have come gradually:

  • iOS 8 added managed domains and keyboards;
  • iOS 9 made AirDrop a managed destination;
  • iOS 10 added the CallKit API, which enhances the user experience for third-party phone apps, making split work/personal calling more attractive; and
  • iOS 11.3 made Contacts a managed destination.
  • For several years now, Apple has said that they would deprecate certain restrictions so that they only function in Supervised Mode. This has been promised for 2018, and the restrictions affected will be: app installation/removal, FaceTime, Safari, iTunes, explicit content, iCloud, and gaming.

Note that under Supervised Mode and the Device Enrollment Program, MDM can lock down the device to a much greater degree. However, these functions are only intended for institutionally-owned devices.

You might be wondering about device location. Many EMM products track this, but this is done via a separate agent app (with the standard location permissions), so this is an issue for EMMs to address, not Apple. Many EMMs aim to treat this data carefully, for example, requiring certain admin roles or user notifications in order to actively view device location.

For more on all of these features, check out Apple’s official iOS deployment guide, the MDM protocol reference, and the configuration profile reference.

Where does iOS need to improve MDM for BYOD?

First, iOS doesn’t treat privacy and consent for MDM nearly as carefully as it treats privacy and consent for commercial apps. With MDM, users must grant all permissions at once, and the system-level disclaimer and enrollment process isn’t very user-friendly. Detailed explanations about MDM functionality and privacy are left up to individual EMM providers—many do an admirable job of this, but not all.

Privacy and user experience are important because some of the things that MDM can do are fairly invasive for personal devices:

  • MDM can poll a device to find out what apps a user has installed, and erase the device. As mentioned, these rights can be limited at the protocol level. Many EMM products take all rights by default and then restrict them in the server logic.
  • MDM can configure a device-wide VPN to automatically connect under predefined conditions, possibly capturing personal traffic without the user noticing.
  • There are still many device-wide restrictions that BYOD users may object to, such as blocking Touch ID.
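The remote management rights discussed above (and in the “existing MDM features” list earlier) are expressed in the enrollment profile as the `AccessRights` bitmask of the `com.apple.mdm` payload, so a BYOD admin can check what a given profile actually asks for before rolling it out. The following audit script is an added example, not code from the article or from any EMM vendor: it decodes `AccessRights` using the bit values documented in Apple’s Configuration Profile Reference, and flags the three items called out above (erase/app-inventory rights, a device-wide on-demand VPN, and a Touch ID restriction). The sample profile it parses is constructed for the example; the server URLs, topic and UUIDs are placeholders, and the `VPNUUID`-absent heuristic for “device-wide” VPN is an assumption based on per-app VPN payloads carrying that key.

```python
import plistlib

# Bit values of the AccessRights key in the com.apple.mdm payload
# (Apple Configuration Profile Reference, MDM payload).
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "manage apps",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)  # 8191: the "take all rights" enrollment
# Rights the article singles out as most intrusive on a personal device.
BYOD_SENSITIVE_RIGHTS = (8, 256)


def decode_access_rights(mask):
    """Return the human-readable names of the rights set in an AccessRights mask."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def byod_profile_findings(profile):
    """Return findings for BYOD-intrusive settings in a parsed .mobileconfig dict."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.mdm":
            mask = int(payload.get("AccessRights", 0))
            if mask == ALL_RIGHTS:
                findings.append("MDM payload requests every access right")
            for bit in BYOD_SENSITIVE_RIGHTS:
                if mask & bit:
                    findings.append(f"MDM payload may {ACCESS_RIGHTS[bit]}")
        elif ptype == "com.apple.vpn.managed":
            # Assumption: a VPN payload without VPNUUID is device-wide rather than
            # per-app; with OnDemandEnabled it can connect without user action.
            if "VPNUUID" not in payload and payload.get("OnDemandEnabled") == 1:
                findings.append("device-wide VPN connects on demand (may carry personal traffic)")
        elif ptype == "com.apple.applicationaccess":
            if payload.get("allowFingerprintForUnlock") is False:
                findings.append("restrictions payload disables Touch ID for unlock")
    return findings


def audit_mobileconfig(data):
    """Parse raw .mobileconfig bytes (unsigned XML plist) and return its findings."""
    return byod_profile_findings(plistlib.loads(data))


# Constructed sample enrollment profile (placeholder values, not a vendor profile):
# every access right, a device-wide on-demand VPN and a Touch ID restriction.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.byod-audit",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "example.byod-audit.mdm",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "ServerURL": "https://mdm.example.invalid/mdm",
            "CheckInURL": "https://mdm.example.invalid/checkin",
            "Topic": "com.apple.mgmt.placeholder",
            "IdentityCertificateUUID": "00000000-0000-0000-0000-000000000003",
            "AccessRights": ALL_RIGHTS,
        },
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadIdentifier": "example.byod-audit.vpn",
            "PayloadUUID": "00000000-0000-0000-0000-000000000004",
            "PayloadVersion": 1,
            "UserDefinedName": "Corp VPN",
            "VPNType": "IKEv2",
            "OnDemandEnabled": 1,
        },
        {
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": "example.byod-audit.restrictions",
            "PayloadUUID": "00000000-0000-0000-0000-000000000005",
            "PayloadVersion": 1,
            "allowFingerprintForUnlock": False,
        },
    ],
}
SAMPLE_MOBILECONFIG = plistlib.dumps(SAMPLE_PROFILE)


if __name__ == "__main__":
    for line in audit_mobileconfig(SAMPLE_MOBILECONFIG):
        print("-", line)
```

Profiles exported by EMM consoles are often CMS-signed; strip the signature (for example with `openssl smime -verify`) before handing the XML to `plistlib`. Clearing bits 8 and 256 from `AccessRights` (a mask of 7927) is the protocol-level way to give the server everything except erase and app inventory, which is the lightweight enrollment the article argues BYOD should default to.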

There are still many features commonly found in SDKs, app wrapping, and other forms of app-level MAM that could be good to have in iOS, such as the ability to restrict additional forms of data sharing, like copy/paste and screenshots, or the ability to place a passcode or Touch ID challenge in front of work apps and email accounts. Another missing feature is the ability to use a managed app for both work and personal purposes. Today, unless a given app has the functionality built in (like Mail or certain third-party apps), it can only be used in one context at a time. Or, how about the ability to configure notifications for all enterprise-managed apps at once? Many users would love “Work Do Not Disturb” for weekends and vacation.

Another issue is that iOS devices can only connect to one MDM server at a time. In the spreading gig economy, this is yet another limitation, though to be fair, Android enterprise has not yet enabled multiple Work Profiles, either.

How Apple could make iOS MDM better for BYOD

Most leading EMM providers have put a lot of work into making sure that their products respect privacy and have a good user experience; and in theory, the variable remote management rights in MDM mean that it can be used in a lightweight way.

However, Apple needs to go further.

First, the enrollment UI needs to be modified to be friendlier and to explain more clearly what the MDM server can and cannot do. For example, information about MDM could be placed in the Settings app under Privacy—currently, this information is hidden several layers deep in other menus.

Second, the managed app features need to expand even more. For example, how about splitting browser state and certificates between managed and unmanaged apps and domains?

Third, iOS devices should be able to connect to multiple MDM servers at once. The same concepts that keep work and personal data separate could be used to corral data from multiple companies. To avoid conflicts, devices could default to the strictest policy, and some MDM rights (remote wipe, app polling) could be limited.

Running two instances of an app together (managed and unmanaged) would be helpful, too, though it might mean some EMM vendors have to change the way they do conditional access.

Finally, Apple could bring these features together into a new MDM mode that’s more appropriate for BYOD:

  • Apple could get more aggressive and move the more intrusive MDM features into Supervised Mode.
  • Apple could leave the current MDM mode as is, but create a new “BYOD Mode,” with limited device-wide controls.
  • Or, it could be a de facto mode, by creating a better enrollment flow and encouraging EMM providers to use minimal remote management rights.

Will this happen?

I proposed similar ideas all the way back in 2014. At the time, it was probably still too early for much of the enterprise to be worried about these issues. In 2017, when I first published this article, the need was much more clear, but we were still disappointed by iOS 11.

Now, once again, the Worldwide Developers Conference is less than a week away. I know plenty of people have feature wish lists that they want Apple to build, and that these things don’t come out of thin air. But I also know that many in the EMM industry feel the same way (this comes up in a lot of conversations!) so we’ll be watching to see what iOS 12 brings.

Join the conversation


We are considering registering student BYOD iPads in our DEP (School Manager) and enrolling and supervising them with our MDM using Apple Configurator 2.5. After they graduate we will remove them from DEP.

What would you think about this solution?
In our company we are using Samsung devices with MaaS360, mainly because on iOS we are not able to ‘flag’ a Contact as ‘not exportable / not backed up on iCloud’ (in fact we could disable iCloud, but in a BYOD situation...).
Do you agree, or is it a limitation of our MDM solution? I’m afraid that it’s a limitation of iOS ;-( What do you mean by ‘Contacts as a managed destination’?