Data privacy and security on BYOD devices

Picture this: you’ve just joined a company and want to access your work email from your iPhone. You click the link IT sent you that requires you to enroll in their system to get access to work apps. After following the prompts, you’re met with this:

Installing this profile will allow the administrator at [your company] to remotely manage your iPhone. The administrator may collect personal data, add/remove accounts and restrictions, install, manage, and list apps, and remotely erase data on your iPhone.

You think, “This isn’t what I signed up for!” You don’t want your IT admins looking at your family photos, your social media, your personal information or even the cat gifs you saved on Reddit.

Don’t worry!

Let’s talk about what’s really going on here (it’s better than you think). In this blog, we’ll discuss:

• How admins can use native Apple features to maintain user privacy and security
• What information is actually collected and why
• How enrolling your device in your company’s mobile device management (MDM) software can actually improve your work experience

User privacy and security with Apple

In reality, IT doesn’t want your personal information — the heaps of data that would be collected doesn’t generally provide value when keeping company data secure. But beyond this, Apple has built-in privacy protections that prevent IT from looking at your personal data in the first place.

When you enroll in your company’s MDM, two separate containers are created: one for work, and one for personal use. Each container is sealed off from the other — you can’t share work information on your personal accounts, and your personal information is hidden from the work account.

Apple created User Enrollment (UE) for user-owned devices in a BYOD program — with user privacy and security in mind. User Enrollment requires that your organization provide a managed Apple ID. When you click on that link IT sends you to gain access to company resources and you log on based on your user credentials, the enrollment profile configured by IT is sent to your device. After it successfully installs, you can access the apps you need. You can remove the profile at any time — note that this will also remove your access to company resources and any managed apps, books or accounts.

What data is collected?

Ok, so you install a work profile to your device. What can this actually do? Your company’s MDM can:

• Configure and install apps
• Configure per-app VPN
• Configure accounts
• Enforce a passcode and certain restrictions (e.g. the inability to copy/paste work data into a personal email)
• View what work apps are installed on your device
• Remove work data

Your MDM cannot:

• Access personal information (including email, messages and browsing history)
• View what personal apps are installed on your device
• Remove personal data
• Gather device logs
• Take over or remove personal apps
• Require a complex passcode
• Remotely wipe the entire device
• Access device location

In other words, your MDM can only configure and change apps and data on the work container of your device, which excludes your personal information. The actions your MDM can take are chosen for a reason. For example:

• Your employer might install apps (like the Jamf Trust app) that help defend your device from threats or facilitate network connections.
• To keep work data and access contained, apps, documents or other types of data related to work may be removed if you unenroll from the MDM.
• Work-specific apps may route traffic through a per-app VPN into your company network, and your company may see when you access these apps and what actions are being taken.

What are the benefits of enrolling into MDM software?

Both you and your organization benefit from MDM enrollment. Organization’s gain:

• Visibility into what devices are accessing their resources
• The ability to contain company data on authorized devices with passcode requirements and content restrictions
• Secure access to corporate networks via per-app VPN connections
• The ability to deploy work-approved apps (reducing the likelihood users download unapproved shadow IT apps)

In other words, your IT department requires enrollment into MDM to keep company data secure.

Users benefit from:

• Reliable, on-the-go access to the apps they need to do their job
• Less ambiguity on what apps are approved and reduced need to contact IT — especially when you have a Self Service app portal available
• The ability to use only one device for work and personal purposes without sacrificing user privacy

Get the security and privacy you need with Apple and Jamf

Apple gives you containerization to unyieldingly separate your work and personal information. Jamf provides the best-in-class, Apple-first MDM and security solution to give employees and admins the security, convenience and privacy they need.