iOS 13 is good news for businesses and device administrators: After there have been many improvements for company-owned devices in recent years – including the Device Enrollment Program (DEP) and the “Supervised Mode” – Apple is now following suit for BYOD devices in particular, and with the “User Enrollment” it is enabling a fundamentally new form of device management as well as more privacy for users. Because this has not been considered enough so far. Many users have therefore certainly resisted the installation of an MDM on their private device. A professional use of the devices was therefore not possible or associated with a risk and problem in terms of data protection. Companies have therefore often decided completely against the integration of BYOD devices.
We introduce you to the new features that you can probably use from the release of iOS 13 onwards and offer you completely new possibilities in device management – not only regarding BYOD devices, but also to the use of MDM solutions in general.
Privacy has been a problem with BYOD devices so far
Under iOS 12 and older versions, users of private devices that are also used for professional purposes have had to accept a loss of privacy if they were to be managed by the company via an MDM. The MDM profile was previously rolled out either via the Device Enrollment Program (DEP), via the Apple Configurator 2 or manually and then had extensive access to the device and limited the users in their rights.
While there have been some privacy improvements since iOS 7, the MDM protocol has still allowed several configurations, commands and queries that many users disagreed with. For example, the MDM could list all apps installed on the device, remotely lock the device, or delete all data. This has meant that many users have not placed their device under the management of an MDM. A professional usage was not possible or only with an inherent risk.
However, thanks to the MAM-only solutions of some providers, it was still possible to manage the applications on BYOD devices. These allow certain applications to be managed on devices that are not managed via an MDM system.
User Enrollment now provides more privacy for BYOD devices
iOS 13 introduces the so-called User Enrollment. This puts a much greater focus on the privacy of users and is therefore a major step forward in terms of data protection – for both users and businesses. This gives companies completely new possibilities for integrating BYOD devices.
Under iOS 13, an MDM will no longer be able to do the following:
- Have an insight into the installed applications or the device identifier
- Erase the device and the device password
- Define complex password requirements
However, the MDM can still do everything that is necessary to manage the enterprise applications, accounts and data, e.g:
- Install and configure enterprise apps
- Assign a Registration ID
- Force a passcode
- Query data relevant for professional applications, certificates and profiles
Storage of company data in a managed APFS volume
Data from managed applications is stored under iOS 13 in a separate, managed APFS volume that is created during registration, encrypted separately from user data, and deleted when unrolled.
Use of managed Apple IDs
With iOS 13, enterprise data, apps and policies are no longer bound to a single device, but to a managed Apple ID that can be created through Apple Business Manager and connected to the Microsoft Azure Acitve Directory using Security Assertion Markup Language. This allows users to use their AD user data as a managed Apple ID and log on to the device with this ID in addition to their private ID.
Easier user registration
The user registration process is also streamlined with iOS 13, as the interface is clear, and the dialog is simplified. The MDM system makes the profile for which the managed Apple ID is stored as a reference available to the user for download. After the download, the user selects the profile in the settings and performs the installation. In the last step, the user authenticates to the MDM with the managed Apple ID.
New possibilities in the classic MDM environment
Under iOS 13 there are not only changes with regard to BYOD devices, but also in the use of an MDM in general:
In the future, administrators will be able to control whether applications can be controlled by voice, add WPA3 as the encryption standard for WLANs, create a list of allowed mobile operators, and cause eSIM to retrieve new contract information. You can also enable or disable synchronization of Mail, Calendar, Contacts, Notes and Reminders applications with an Exchange server.
For application distribution, Apple now offers a new form of distribution that is user-defined and based on the B2B app deployment model that leverages Apple’s public app store infrastructure. This is intended to replace the distribution by means of company certificates.
iOS 13 offers companies completely new possibilities, especially when dealing with BYOD devices. We will be happy to advise you on the topic. Contact us now
