Boosting BYOD enrollment: It’s all about user privacy

Is BYOD security adoption lagging in your company? If so, it may be because users are worried about their privacy — especially if they don’t know what IT can see or access on their personal devices. This concern is totally justifiable, so it’s up to you to put their fears to rest.

The good news is, MobileIron has always made user privacy a top priority. We not only separate personal and business apps and data on mobile devices, we also make it easy for users to see which types of information IT can access by checking the Privacy section of the MobileIron app.

In addition to MobileIron, Apple’s recent iOS 13 release includes a new User Enrollment option that offers more ways to ensure privacy for BYOD users. User Enrollment offers another way to onboard employee-owned devices into a unified endpoint management (UEM) solution like MobileIron, all while keeping personal apps and data safe and out of IT’s reach on the device. (See the full recap of User Enrollment in our recent blog post.)


What are the BYOD enrollment options for iOS today?

With iOS 13, you now have more options for enrolling employee-owned Apple devices into your BYOD security program. Here are a few ways you can do that today:


Device Enrollment (using the MobileIron app)

This enrollment option can be used to onboard employee-owned devices that are enabled for work. To enroll the device in a BYOD program, users first register their personal device through the MobileIron app or web page. A profile is then pushed to the device to configure settings for company email, apps, and security. Although this allows IT to administer secure business apps, admins do not have controls such as clear passcode, clear activation lock, or granular system settings that can be pushed over the air. However, IT can still view all of the apps on the device. This level of IT visibility is one of the main reasons employees may hesitate to enroll their devices in a BYOD program.


New! User Enrollment from Apple

User Enrollment is Apple’s effort to boost BYOD solutions with improved privacy features while still allowing IT to support seamless app distribution, VPN, and single sign-on (SSO) on employee-owned devices. When a user enrolls the device, iOS creates a separately managed APFS volume that uses separate cryptographic keys. It essentially creates two distinct volumes for work apps and personal apps. When the user retires the device, iOS destroys the cryptographic keys and the volume. This removes all of the business data from the device without interfering with the user’s personal apps or data.
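To make the per-volume key model concrete, here is a small added illustration (not MobileIron or Apple code) of why destroying a volume's key removes business data without touching personal data: each volume is sealed under its own key, and "retire" discards only the work key, leaving its ciphertext unrecoverable. The cipher is a deliberately simple stdlib-only construction (HMAC-SHA256 keystream plus MAC) standing in for the real APFS encryption, and the `Device` class and its volume names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; not iOS's real file encryption.
    blocks, ctr = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Device:
    """Assumed model: one key per volume, mirroring the separate work/personal volumes."""
    def __init__(self):
        self.volumes = {"personal": {"key": secrets.token_bytes(32), "files": {}}}

    def enroll(self):
        # Enrollment creates a work volume with its own, unrelated key.
        self.volumes["work"] = {"key": secrets.token_bytes(32), "files": {}}

    def write(self, volume: str, name: str, data: bytes):
        vol = self.volumes[volume]
        vol["files"][name] = seal(vol["key"], data)

    def read(self, volume: str, name: str) -> bytes:
        vol = self.volumes[volume]
        return unseal(vol["key"], vol["files"][name])

    def retire(self) -> dict:
        # Retiring drops the work volume and its key; any leftover ciphertext is useless.
        work = self.volumes.pop("work")
        work["key"] = None
        return work["files"]

def demo():
    d = Device()
    d.write("personal", "photo", b"family photo")
    d.enroll()
    d.write("work", "mail", b"confidential email")
    leftover = d.retire()  # constructed scenario: user leaves the company
    return sorted(d.volumes), d.read("personal", "photo"), leftover
```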

Although User Enrollment should help alleviate some user concerns about privacy, it still requires a profile to be downloaded and installed, which some users may not like. To address this concern, MobileIron offers another enrollment option — MobileIron AppStation — that does not require MDM profiles.


MobileIron AppStation enrollment

AppStation is a mobile application management (MAM) solution that enables IT to allow contractor and employee devices to use business apps. AppStation is designed for situations where it may not be ideal to fully control device settings by installing profiles. For example, a doctor may contract with hospital “A” in the morning and hospital “B” in the afternoon. In this case, it’s not practical for the doctor to carry two separate work devices, nor is it feasible to expect the doctor to retire and re-enroll each device every time he switches hospitals.

Instead, MobileIron AppStation can protect hospital A’s apps and data inside a secure container on the device. This prevents hospital B’s unmanaged apps or data from accessing them. Even if hospital B uses a similar app container solution, apps and data from hospitals A and B will still remain separate and secure on the device. AppStation also works in similar use cases that require short-term employees or contractors to access business apps from their personal devices without installing a profile.


Automated Device Enrollment with Apple Business Manager (ABM)

This device enrollment option is not strictly for BYOD, but can be applied to corporate-owned, personally enabled (COPE) devices. Automated Device Enrollment gives IT a wide range of controls such as device wipe, clear passcode, clear activation lock, set/clear a lock passcode, dictate passcode strength, tweak granular phone settings, and deploy proxy controls. Admins also have visibility into all of the apps — including personal apps — on the device. The admin can take over management of an app, remove apps from the device, and much more. So while Automated Device Enrollment technically enables devices for personal use, it doesn’t offer much in the way of privacy features for BYOD programs.

Want to learn more about these BYOD device enrollment options, as well as iOS device management and Apple device management? Check out our User Enrollment blog here and our AppStation blog here.

Watch the webinar here to learn more about iOS 13 and macOS Catalina on mobile device management.


Tohsheen Bazaz

Lead Technical Marketing Engineer

About the author

Tohsheen is a member of the MobileIron Technical Marketing team and focuses on Apple products. Identity and security are areas that interest him. Tohsheen has over seven years of industry experience in the field of security and networking.