Enrolling BYOD devices during the COVID-19 pandemic
What is Bring-Your-Own-Device?
Bring-Your-Own-Device (BYOD) describes the growing enterprise trend of employees using their own personal devices, such as smartphones and laptops, to connect to their organization’s network and access their critical business data.
It has become increasingly popular in recent years due to its ability to enable employees to work from home, and on the go. The COVID-19 pandemic will only accelerate its popularity as organizations shift from working exclusively in the office to an Everywhere Enterprise model of working.
While BYOD has many benefits for businesses, such as enhanced productivity and reduced device costs, it also further erodes the traditional network perimeter, meaning that more advanced security protocols are needed. Deploying a zero trust security model that verifies the user, device, application, network and threat landscape before granting access to corporate data can go a long way towards securing business data in a BYOD framework.
BYOD and user privacy
One of the potential challenges of adopting a BYOD policy is getting employees to adhere to your organization’s security protocols. This is largely because users are worried about their privacy — especially if they don’t know what IT can see or access from their personal devices. This concern is totally justifiable, so it’s up to you to put their fears to rest.
The good news is, MobileIron has always made user privacy a top priority. We not only separate personal and business apps and data on mobile devices, we also make it easy for users to see which types of information IT can access by checking the Privacy section of the MobileIron app – and the best part is BYOD devices can all be enrolled remotely, meaning businesses can grow their BYOD programs despite the COVID-19 lockdown.
To make things even better, Apple’s most recent major operating system - iOS 13 - includes a User Enrollment option that offers more ways to ensure privacy for BYOD users. User Enrollment offers another way to onboard employee-owned devices into a unified endpoint management (UEM) solution like MobileIron, all while keeping personal apps and data safe and out of IT’s reach on the device. (See the full recap of User Enrollment in our recent blog post.)
What are the BYOD enrollment options for iOS today?
With iOS 13, there are more options for enrolling employee-owned Apple devices into your BYOD security program. Here are a few ways you can do that today:
Device Enrollment (using the MobileIron app)
This enrollment option can be used to onboard employee-owned devices that are enabled for work. To enroll the device in a BYOD program, users first register their personal device through the MobileIron app or web page. A profile is then pushed to the device to configure settings for company email, apps, and security. Although this allows IT to administer secure business apps, admins do not have controls such as clear passcode, clear activation lock, or granular system settings that can be pushed over the air. However, IT can still view all the apps on the device. This level of IT visibility is one of the main reasons employees may hesitate to enroll their devices in a BYOD program.
User Enrollment from Apple
User Enrollment is Apple’s effort to boost BYOD solutions with improved privacy features while still allowing IT to support seamless app distribution, VPN, and single sign-on (SSO) on employee-owned devices. When a user enrolls the device, iOS creates a separately managed APFS volume that uses separate cryptographic keys. It essentially creates two distinct volumes for work apps and personal apps. When the user retires the device, iOS destroys the cryptographic keys and the volume. This removes all the business data from the device without interfering with the user’s personal apps or data.
Although User Enrollment should help alleviate some user concerns about privacy, it still requires a profile to be downloaded and installed, which some users may not like. To address this concern, MobileIron offers another enrollment option — MobileIron AppStation — that does not require MDM profiles.
MobileIron AppStation enrollment
AppStation is a mobile application management (MAM) solution that enables IT to allow contractor and employee devices to use business apps. AppStation is designed for situations where it may not be ideal to fully control device settings by installing profiles. For example, a doctor may contract with hospital “A” in the morning and hospital “B” in the afternoon. In this case, it’s not practical for the doctor to carry two separate work devices, nor is it feasible to expect the doctor to retire and re-enroll each device every time he switches hospitals.
Instead, MobileIron AppStation can protect hospital A’s apps and data inside a secure container on the device. This prevents hospital B’s unmanaged apps or data from accessing them. Even if hospital B uses a similar app container solution, apps and data from hospitals A and B will still remain separate and secure on the device. AppStation also works in similar use cases that require short-term employees or contractors to access business apps from their personal devices without installing a profile.
Automated Device Enrollment with Apple Business Manager (ABM)
This device enrollment option is not strictly for BYOD, but can be applied to corporate-owned, personally enabled (COPE) devices. Automated Device Enrollment gives IT a wide range of controls such as device wipe, clear passcode, clear activation lock, set/clear a lock passcode, dictate passcode strength, tweak granular phone settings, and deploy proxy controls. Admins also have visibility into all of the apps — including personal apps — on the device. The admin can take over management of an app, remove apps from the device, and much more. So, while Automated Device Enrollment technically enables devices for personal use, it doesn’t offer much in the way of privacy features for BYOD programs.
To find out more about enrolling BYOD devices in MobileIron’s AppStation, click here.