How could the Apple and FBI encryption dispute affect enterprise mobility management?

Many other media outlets have covered Apple and the FBI over encryption from all sorts of angles, but there's also an enterprise mobility management angle: This case could affect how companies use mobile device management and what type of mobile app management they choose.

The biggest tech news this week is the dispute between Apple and the FBI over encryption. Many other media outlets have covered this from all sorts of angles, but naturally there’s also an enterprise mobility management angle: This case could affect how companies use mobile device management and what type of mobile app management they choose.

If you’re not caught up on the story, you can read about it here, but the short version is this: The FBI wants Apple to provide a way to get past the encryption in iOS devices. The FBI says they want it for just one case, the San Bernardino shooting from last December. Apple doesn’t want to comply, because they say a creating a back door would set dangerous precedent for law enforcement, and that the back door could fall into the wrong hands. (Here’s Apple’s statement.)

What does this mean for enterprise mobility management?

Much of what is done with EMM—especially with iOS—relies on devices’ own built-in encryption. Companies use MDM to ensure that the phone is encrypted. And since recent versions of iOS have mobile app management features built into the device, reliance on these techniques is growing.

If a back door to iOS encryption existed, then companies that rely on MDM and built-in MAM features could be at risk, and this would be a setback for enterprise mobility in general.

Now as we know Apple is fighting to make sure this doesn’t happen, and of course this issue is bigger than just EMM—it’s about the intersection of the government, privacy, and technology. (These are huge issues and I can’t do them justice on my own, so I’m just sticking to the EMM angle.)

Fortunately if companies can’t rely on the encryption built into iOS, there are other options. Now, unlike on a desktop, it’s not possible to buy third-party software that can just encrypt everything on an iPhone—Apple won’t allow that. But instead it is possible for encryption to be built directly into individual applications, and in fact this is very common. It was especially important in the early days when MDM wasn’t advanced, and it’s still crucial in cases where companies don’t want to or are not able to manage a device.

There are some limitations to this technique. Third-parties can’t encrypt the apps that come pre-installed in iOS, and they can’t encrypt other apps that come from the public Apple App Store. Instead, there has to be some sort of agreement with the original creator of the application to add encryption and mobile app management features.

This is the way mobile app management has been for a while, and it’s just what we have to deal with in EMM. I’ve written about this many times, but here’s the basic version:

  • There are two types of mobile app management (MAM): MAM that’ built into devices, and MAM that’s built into apps.
  • If you rely on MAM that’s built into devices (along with MDM) then you can apply encryption to any app. You just have to trust the device and the device’s encryption.
  • If you build MAM and encryption into apps themselves, then you don’t have to worry as much about the device, and you can build in whatever you want. This is often done with the help of SDKs or app wrapping tools. The problem with this is that you’re limited to specially-built apps. (So for example, that would mean using a third-party browser and email app instead of the ones that come with iOS.)

Today, there’s a balance between mobile app management techniques—there are important use cases for both. And in fact many vendors provide both types of MAM and many customers leverage both as well.

However, by understanding of different types of mobile app management, you can see that if Apple is forced to give the FBI with a way to get around iOS encryption, this could affect the EMM industry. I’m not trying to spread FUD or use a slippery slope argument—I’m just saying there would likely be fallout:

Vendors and customers the rely more on device-level encryption and MAM could be at risk, and as I said earlier in general this could be a setback for the industry. MDM will still be useful for a lot of different reasons, but it would be another potential issue to take into account in enterprise mobility plans. At the same time, vendors that emphasize app-level encryption and MAM could be given a bigger market opportunity. (You can read here and here for a comprehensive description of the current MAM industry landscape.)

Again, Apple is fighting the FBI on their request, and overall this issue is bigger than EMM. For now we’ll be waiting—with everybody else—to see how this pans out.

Update, Friday, February 12, 2:30pm PST

Another angle has been raised on this: Ojas Rege from MobileIron commented to Reuters that if the San Bernardino shooter's iPhone had been enrolled in MDM, then the FBI could simply use the MDM to send an unlock command. 

I didn't cover that angle in my original story since I was concentrating on the idea that a back door to iOS encryption would be a risk to MDM and device-based MAM. But this is interesting to consider, and a capability that has been around a long time.

A few more thoughts:

As the article mentions, MDM could be used to unlock a phone for law enforcement. All law enforcement has to do is go to the employer and ask them to do it, instead of going to Apple. This certainly makes the decision about enrolling BYOD phones in MDM more interesting, though.

Companies that rely on device-based MAM/encryption/MDM and are worried about criminals accessing iOS encryption back doors also have a few other options (besides the specially encrypted apps mentioned above). They can use MDM to remotely wipe lost phones, or if they're worried about criminals putting the phone in airplane mode or sticking it in Faraday bag, they can set the MDM profiles to expire after a certain amount of time. 

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

It would take no effort for the Feds to get a company to submit if they have MDM.  Most workers are too afraid of the Feds to even think about not complying.  Who would want their assets frozen and background criminally charged.