eSIM Best Practices for iPhone & iPad: Setting the Gold Standard in Mobile Security for 2025 and Beyond
eSIM strengthens mobile security by replacing vulnerable physical SIMs and enabling automated, zero-touch deployment workflows for iPhone and iPad.
Modern mobile devices are the primary endpoint for an entire ecosystem of connectivity and sensitive corporate data. They are the cogs of communication within most companies’ daily activities.
As mobile devices began to edge their way into the office environment and integrate with key platforms and systems, they became a critical tool.
Always on, always connected – spanning multiple platforms.
Devices like the iPhone and the iPad are at the core of this mobile revolution across enterprise organizations, governments, retailers and healthcare – pretty much everywhere. Securing the IT networks behind them has always been a challenge, and it is a particularly acute one given how many key systems worldwide rely on such connectivity.
The fallout from getting this cybersecurity paradigm wrong can be seen the world over, from failures at airport check-in desks to retailers being unable to take card payments because of disruptions.
Downtime costs time, money and reputation.
This new cybersecurity reality means that every mobile device used within the business environment must be treated as a critical security touchpoint.
For decades, physical SIM cards have been the “trusted passport” for mobile network authentication. Their primary role is to store the unique International Mobile Subscriber Identity (IMSI) and a secret cryptographic key, which together prove a device’s legitimacy to the cellular network.
Yet it is the SIM’s physical nature – a removable piece of plastic – that has proved its Achilles’ heel as companies scaled and cyber threats became more sophisticated.
Enter the era of eSIM
Today, Apple’s iPhone and iPad fleets rely almost entirely on eSIM technology, which ushers in a great many advantages, not least unprecedented levels of automation and security.
When combined with Zero-Touch deployment, MDM controls and trusted identity enforcement, eSIMs steadily and reliably set the gold standard in mobile security.
In this blog, we’ll look at how Jamf Pro, Jamf Trust and 1GLOBAL combine to deliver a secure, seamless experience for Apple users, from onboarding to offboarding. We will also dig into how enterprises can future-proof their mobile strategy with eSIM technology that is built to scale.
Security limitations of physical SIMs
The traditional SIM card has been around since the early 1990s, but like a number of other technologies introduced decades ago, it carries inherent vulnerabilities when operating in today’s hyperconnected world.
First, there is the physical risk. When a corporate device is lost, stolen or left unattended, its SIM card can easily be removed and used in another device, potentially giving that new device full access to the carrier network.
Second, doing so requires no technical expertise, and it immediately compromises the associated phone number and any services tied to it, such as SMS-based Two-Factor Authentication (2FA).
Third, physical access creates the risk of SIM cloning: a process in which an attacker creates a fully functional duplicate of a legitimate SIM. With physical access to the card, an attacker may use a standard SIM card reader and readily available software to extract the IMSI and, more critically, its associated authentication key. The extracted data is then written to a programmable SIM card, creating a clone that is indistinguishable from the original to the mobile network.
How does this impact data security?
SIM cloning allows an attacker to make and receive calls and messages, including one-time passcodes (OTP) sent via SMS for authenticating access requests for commonly used software tools, like corporate VPNs and cloud-based services, as well as websites used for business operations, such as financial accounts.
This capability effectively bypasses a widely used layer of security and can be the tip of the spear of a data breach.
Lastly, physical SIMs are operationally inefficient compared to eSIMs. Distributing, tracking and replacing SIM cards across a global workforce is logistically taxing, and IT teams have little visibility into how SIMs are being used once they’re unboxed and shipped out. These limitations highlight why enterprises are increasingly turning to a secure, digital-first approach with eSIMs.
eSIMs are the scalable, secure and tamper-proof solution
At its core, an eSIM is an embedded Universal Integrated Circuit Card (eUICC) soldered directly onto a device’s logic board. Unlike a physical SIM, it cannot be removed, tampered with or swapped out without detection. This physical integration is the first and simplest layer of security.
The eUICC functions as a Secure Element (SE), which is essentially a tamper-resistant microprocessor designed as a “digital vault” for identifying information. It stores operator profiles, credentials, and cryptographic keys, ensuring the protection of critical data from both physical tampering and software-based attacks. These secure elements are continuously certified against international standards, such as Common Criteria EAL5+, which signifies a high degree of confidence in their ability to withstand sophisticated, well-funded attacks.
As a global technology, eSIMs adhere to a common set of rules and standards set by the GSM Association (GSMA) – a non-profit organization for “achieving scale and interoperability for new mobile technologies”.
Security-centric standards
Notably, these specifications are SGP.22, SGP.02 and the newest IoT-focused standard, SGP.32. To enforce these standards, the GSMA operates the Security Accreditation Scheme (SAS), which involves rigorous security audits of the facilities involved in the eSIM lifecycle.
The GSMA framework is built on a foundation of strong and dynamic cryptography to protect the entire Remote SIM Provisioning (RSP) lifecycle.
All communications between a device and the RSP servers for downloading or managing an eSIM profile are protected by end-to-end encryption. This is typically achieved using Transport Layer Security (TLS) to create a secure channel, with advanced algorithms like the Advanced Encryption Standard (AES) used to encrypt the profile data itself during transmission.
The entire ecosystem’s security is anchored by a Public Key Infrastructure (PKI), a tried-and-tested cryptographic model in which certificates are issued to verify credentials, and for which the GSMA acts as the certifying authority. Every legitimate entity in the provisioning chain, such as a network operator’s SM-DP+ server, must possess a digital certificate issued and verified by the GSMA.
This PKI enables a secure handshake that prevents any third party from covertly inserting itself into the connection, an attack known as Man-in-the-Middle (MitM). When a device needs to download a new profile, its onboard Local Profile Assistant (LPA) initiates a connection to the MNO’s server.
The first step in this process is for the LPA to request and verify the server's digital certificate. The LPA checks that the certificate is valid and has been signed by the GSMA. If not, the connection is immediately terminated. This ensures that authenticated devices communicate only with a legitimate, GSMA-certified server to receive a profile.
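The certificate check described above, as a simplified model written for this post rather than code from Apple, the GSMA or 1GLOBAL: a constructed self-signed root stands in for the GSMA certificate issuer pinned by the LPA, an SM-DP+ server certificate is issued under it, and the LPA-style check rejects any certificate that does not chain to that root or does not name the host being contacted. The CA names and the `smdp.example.test` hostname are constructed, and the real SGP.22 exchange adds mutual authentication and challenge steps this model leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certTemplate: 24-hour validity window with constructed example values.
func certTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}
// newRoot builds a self-signed CA: a stand-in for the GSMA issuer the LPA pins, or a rogue CA.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := certTemplate(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// issueServerCert issues a TLS server certificate for an SM-DP+ hostname under the given CA.
func issueServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := certTemplate(host, 2)
	tmpl.DNSNames = []string{host}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// lpaAcceptsServer is the check the text describes: the presented certificate must
// chain to the pinned root and name the host being contacted, otherwise the LPA aborts.
func lpaAcceptsServer(presented, pinnedRoot *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

Only the pinned root is placed in the pool, so the system trust store plays no part in the decision, which is what distinguishes this check from an ordinary browser-style TLS validation.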
This architecture represents a dynamic security model, where identities and configurations may be adjusted over time, unlike the static nature of physical SIM cards.
For enterprises, it means flexibility without compromising trust.
Zero-Touch provisioning: The gold standard for eSIM
Fully automated by an organization’s MDM platform, Zero-Touch elevates eSIM deployment from a manual, potentially risk-introducing process into a secure, scalable and automated workflow.
Complementing Zero-Touch provisioning is the Zero Trust security model, which treats every device as untrusted and uses automated, policy-based controls to establish a secure, verifiable identity.
A popular analogy is comparing Zero Trust to establishing checkpoints throughout a secure base, rather than just a single gatekeeper checking everyone once upon entry.
Zero Trust is more of a design ethos than a specific product, but a typical secure provisioning flow looks like this:
Device registration
An enterprise purchases corporate devices in bulk and the seller registers them on the enterprise’s dedicated portal, Apple Business Manager (ABM). The registration is automated by the seller and records key information about the devices, such as purchase date, serial number and IMEI.
MDM integration
The IT admin links this portal to the company’s MDM, such as Jamf Pro, and creates an enrollment profile that specifies all the required configurations, security policies and applications for the devices.
Automated enrollment
When a box-fresh iPhone or iPad is powered on by the user for the first time and connects to the internet, it contacts Apple's activation servers. These servers identify the device as corporate-owned and automatically redirect it to enroll in the designated MDM platform.
Identity and Access Management (IAM)
At this stage, the MDM can be configured to require IAM verification by the end user. Popular IAM providers include Microsoft Entra ID, Okta and Google Cloud, but whichever IAM the customer uses can be integrated. If the user cannot be verified, the device will not activate, protecting the company asset and denying access. It acts as an inactive paperweight: one that cannot be activated, wiped or used. If the user is verified, the device continues to activate and can then be enrolled and supervised.
Automated eSIM provisioning
Once enrolled, the MDM server takes control and pushes all the predefined configurations to the device. Critically, this includes a command to securely download and install the corporate eSIM profile, completely bypassing the need for a QR code or any additional end-user action.
The entire process is completely automated, takes seconds and entirely removes the ever-fallible human element from the secure provisioning loop for any Apple device anywhere in the world.
Existing and already enrolled users can also benefit by simply being moved to an associated group that requires an eSIM.
Protecting enrolled devices from cyber threats
So, we now have devices enrolled, secured apps and happy end-users. But what stops the user from clicking on a phishing link within a message? Scanning a suspicious QR code? Or visiting a website the organization doesn’t trust?
This is where the next level of endpoint protection arrives in the form of Jamf for Mobile, which can be automatically installed during the enrollment stage, alongside the eSIM.
Jamf blocks applications that are deemed risky or do not meet organizational requirements. Jamf’s comprehensive security also mitigates multiple threat types, such as:
- Phishing
- Malware
- Cryptojacking
- Malicious domains
- Command and Control server traffic
Jamf for Mobile guards against novel and known threats, preventing attackers from intercepting internet traffic – no matter where your employees work.
End of the line
Now on to the process of secure offboarding. The device has been deployed securely with Zero-Touch, it’s compliant and “in life”. Additionally, it has been secured with an eSIM that cannot be removed, and its traffic has been protected.
But what about the end of life for the device?
By using Jamf Pro and MDM commands, a device can be wiped remotely, whether it has reached its end of life or has been lost or stolen. The secure wipe of an asset may also include the removal of the eSIM, should the organization so desire.
This is the gold standard for mobile devices – the complete solution from onboarding to offboarding across the full device lifecycle.
In short, Zero-Touch deployment allows IT administrators to:
- Push eSIM profiles to iPhones and iPads automatically during device enrollment via Jamf Pro.
- Eliminate insecure QR codes, manual activations or carrier-dependent steps.
- Ensure that the very first network connection the device makes is secure and compliant.
By removing human hands from the loop, Zero-Touch provisioning reduces the attack surface, eliminates errors and ensures consistent policy enforcement across every device, anywhere in the world.
Think of it as connectivity as code – secure, automated and policy-driven.
Managing multiple eSIM profiles
eSIMs can support multiple profiles on a single device. For enterprises, this opens several possibilities, including regional optimization to reduce roaming costs, separation of corporate and personal profiles on a single device, and improved resiliency, with an instantaneous switch to a secondary provider should the primary operator fail.
With MDM orchestration and 1GLOBAL’s APIs, organizations can remotely install, switch or revoke profiles at scale without touching the device. This control ensures that devices are always connected under corporate governance, while providing flexibility for users.
Onboarding, day-to-day security and Jamf
Connectivity alone does not equal security. That’s where Jamf Trust comes in. When a new iPhone or iPad is enrolled, Jamf Trust verifies three things before allowing access to corporate resources:
- The device’s integrity
- The OS version it is running
- Its compliance status
This ensures that only trusted devices with valid eSIMs are permitted.
Jamf Trust continuously monitors device posture, protecting against profile tampering, risky connections and compromised networks. Combined with eSIM control, it ensures that only compliant devices remain connected to carrier networks.
And when an employee leaves or a device is retired, the eSIM profile can be revoked immediately, cutting off access to sensitive data and networks. This full lifecycle approach of onboarding, usage and offboarding ensures that security is maintained at every step.
Integration with 1GLOBAL: API-driven global connectivity
While eSIM provides the secure foundation, 1GLOBAL delivers the intelligence, scale and flexibility that enterprises require. Through its API-first platform, 1GLOBAL enables:
- Bulk provisioning: deploy eSIM profiles across thousands of devices in minutes.
- Dynamic management: activate, suspend or swap profiles instantly via API calls.
- Policy enforcement: integrate with Jamf workflows to ensure that connectivity aligns with compliance rules.
- Global reach: access secure, localized connectivity across more than 160 countries without managing dozens of carrier contracts.
- Visibility and analytics: track usage, status and history of every profile for audit and security purposes.
This API-driven model transforms connectivity into a centralized IT function rather than a fragmented telecom headache. Together with Jamf, 1GLOBAL makes Zero-Touch global deployment a reality.
Conclusion
The gold standard in mobile device security is built on eSIM technology – automated, API-driven and secured by MDM and Zero Trust principles.
By combining the power of Jamf Pro, the security assurances of Jamf Trust and the global connectivity experience of 1GLOBAL, iPhone and iPad users can enjoy a mobile device experience that is both seamless and scalable for the end user, and uncompromisingly secure for IT teams.
From onboarding to offboarding, across borders and operators, eSIM technology provides the foundation for a safer, smarter and scalable enterprise mobility strategy.
An eSIM-dominant future represents a full digital transformation for enterprises, empowering a new level of cybersecurity that directly addresses the fundamental flaws of physical hardware while allowing enterprises to secure their hardest-to-monitor endpoints.
The result? A mobile workforce, operating under a robust, automated and defensible security posture.
To see live demo sessions or to learn more, come and talk to us at JNUC 2025, 1GLOBAL | Booth 205. At the booth, we will hold 15-minute spotlight sessions on iPad, iPhone and all things eSIM daily.
Our sponsor session will be held on Wednesday afternoon at Mile High Ballroom 4A - Level 4. It will cover what’s new with iOS 26 and eSIM, as well as the gold standard in mobile device setup and security: eSIM Best Practices for iPhone & iPad: Setting the Gold Standard in Mobile Security for 2025 and Beyond - with Zero-Touch global deployment.
Date: Wednesday, Oct 8, 3:00 PM - 3:45 PM MDT
Explore the session and add to your agenda.