BYOD programs are popping up in workplaces of virtually every shape and size. One of the big advantages of these programs is that you can decide what kind of mobile device (iPhone, iPad, or other device) and what apps make the most sense for your job and how you work. Some companies even offer reimbursement of some of the expenses associated with using your personal tech in the office – an example being your iPhone or iPad’s data plan (or a portion of it).
That sense of freedom is very empowering, but it often comes with the tradeoff of your company’s IT department enrolling your device in a mobile management system. This means that certain features of your device are likely to be restricted for security purposes. It also means that your company will be able to monitor and track how you use your iPhone or iPad and can wipe data remotely at any point.
Apple introduced mobile device management (MDM) capabilities in iOS 4 two years ago. In doing so, Apple created a framework of settings that mobile management vendors can use to manage iOS devices.
Though there are dozens of MDM companies out there, they all manage and monitor iPhones and iPads using that framework that Apple put in place. Where they differentiate is additional administrative features and support for other mobile platforms like Android and Windows Phone. This means that whatever solution your company opts to use, the areas that IT can manage or monitor on your iOS device will be consistent across the board.
What IT can do using MDM breaks down into four categories: configure settings (with or without giving you the option to change them), require passcode policies, restrict access to specific features, and monitor a range of details about your iPhone or iPad.
Let’s start with what IT departments can configure. These options are mostly used to ensure that you can access corporate resources and to streamline the setup process, because you don’t need to go looking for information to enter into various parts of the iOS Settings app. For the most part, these options can be permanently enforced (you can’t change them) or simply pre-configured for you (you can adjust them if you want).
- Wi-Fi – Configure access to corporate network(s) complete with network name and password (including hidden networks) as well as whether your device will automatically join the network when it’s in range.
- VPN – Set up secure remote access to your company’s network (with the option to store login credentials or require you to enter them when connecting). Also includes the ability to use the VPN connection for all Internet traffic, which means all online activity will be redirected through your company’s network where it can be monitored or filtered.
- Email and Exchange – Preset the required server information for your company’s email or Exchange Server (typically you’ll need to enter your username and password the first time you launch Mail). IT can also set your account to be available only in the Mail app and not when starting an email from an outside app like Safari or Photos. The ability to move messages to another folder or email account on your device can also be disabled. For Exchange accounts, the amount of email to sync to your device can also be pre-set (the default being three days’ worth).
- Shared contacts – If your company uses Exchange or a shared contacts service based on the open LDAP or CardDAV standards, IT can configure access so that shared contacts appear in the Contacts app.
- Shared calendar systems – If your company uses Exchange or a calendaring product based on the open CalDAV standard, IT can configure the settings for the Calendar app to integrate with it and your user account. IT can add subscribed calendars that you can see but not alter. Some examples include company holiday lists, company events, and payroll dates.
- Web clips – IT can populate your device’s home screen with icons for specific websites and web-based tools, which open in Safari when tapped.
Passcode policies are a universal part of mobile management (and most business computing). Here are the options that IT has when requiring a passcode on your iOS device.
- Require a simple four-digit PIN as a passcode
- Require an alphanumeric passcode
- Set a minimum passcode length and/or level of complexity (mix of cases and special characters)
- Force you to change your passcode periodically and/or prevent you from re-using passcodes
- Set how long your device can be idle before it auto-locks
- Set a grace period during which you can unlock your device without being prompted for a passcode
- Specify a number of failed passcode attempts after which your device will wipe all data automatically
MDM systems can also be used to remotely remove your passcode and unlock your device. If you call your company helpdesk because you’ve forgotten your passcode, an IT staff member can send a command to your device that removes the existing passcode, allowing you to unlock the device and then set a new passcode. Along similar lines, MDM solutions can send a command to immediately lock your device or to wipe it.
Beyond relying on passcode policies, businesses often restrict access to certain features, apps, and functionality in order to ensure greater device and data security. Doing so can also ensure compliance with company policies, industry regulations, and local laws (if relevant). Here’s the list of things that IT can restrict you from doing on your iPhone or iPad.
- Using the camera(s)
- Participating in FaceTime chats
- Taking screenshots
- Voice dialing
- Installing apps
- Making in-app purchases
- Accessing the iTunes Store
- Playing multiplayer games
- Adding contacts to Game Center
- Launching YouTube
- Using location services (applies globally to all apps)
- Accessing secure websites and other online services that use an untrusted security certificate (one where your device cannot verify the service’s identity)
- Accessing iCloud functionality including Photostream, document and settings sync, and iCloud backup (each of which can be restricted independently of the others)
- Using Siri on the iPhone 4S (IT can disable Siri completely, limit access while the phone is locked, and/or restrict Siri’s use of explicit language or profanity)
- Sending diagnostic and usage data to Apple
There’s also a slew of options for restricting access to content on an iOS device. Content is broken down into movies, TV shows, apps, and music/podcasts. Movies, TV shows, and apps can be disallowed completely or restricted based on their rating. Music and podcasts can be disallowed if they are flagged as explicit in iTunes.
If access to the iTunes Store is enabled, IT can require that you enter your iTunes account information and password for every purchase in the iTunes, App Store, and iBooks apps as well as for in-app purchases – overriding the traditional grace period that lets you make multiple purchases one after another once you’ve provided your account details.
IT can also require that device backups on a computer (at home or work) be stored in encrypted form and can prevent automatic sync operations if a device is roaming on an alternate carrier’s network (to limit data roaming charges).
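As an added example (not code from the article or from any MDM vendor), the following Python builds a configuration profile carrying a passcode policy and a restrictions payload of the kind described in the two sections above, then audits it against a baseline. Payload types and key names follow Apple’s Configuration Profile Reference; the payload identifiers, the display name and the baseline thresholds are assumptions made for this example.

```python
# Added example, not the article's or any vendor's code. Payload types and
# keys follow Apple's Configuration Profile Reference; identifiers, display
# name and the baseline thresholds used by audit_profile() are assumptions.
import plistlib
import uuid

def payload(ptype, ident, **keys):
    """One payload dictionary with the common Payload* header keys."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1, **keys}

def build_profile(min_length=6, max_failed=10, max_inactivity=5):
    """Return a .mobileconfig (XML plist) as bytes."""
    passcode = payload("com.apple.mobiledevice.passwordpolicy", "com.example.byod.passcode",
                       forcePIN=True, allowSimple=False,  # no repeating/sequential PINs
                       minLength=min_length, maxFailedAttempts=max_failed,  # wipe after N
                       maxInactivity=max_inactivity, maxPINAgeInDays=90, pinHistory=4)
    restrictions = payload("com.apple.applicationaccess", "com.example.byod.restrictions",
                           allowUntrustedTLSPrompt=False,  # cannot accept untrusted certs
                           forceEncryptedBackup=True, allowScreenShot=False,
                           allowDiagnosticSubmission=False)
    profile = {"PayloadType": "Configuration", "PayloadIdentifier": "com.example.byod",
               "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
               "PayloadDisplayName": "BYOD baseline (example)",
               "PayloadContent": [passcode, restrictions]}
    return plistlib.dumps(profile)

def audit_profile(data):
    """Return the ways a profile falls short of the (assumed) baseline."""
    profile = plistlib.loads(data)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    findings = []
    pc = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pc is None:
        findings.append("no passcode policy payload")
    else:
        if pc.get("allowSimple", True):
            findings.append("simple passcodes allowed")
        if pc.get("minLength", 0) < 6:
            findings.append("minimum passcode length below 6")
        if not 0 < pc.get("maxFailedAttempts", 0) <= 10:
            findings.append("auto-wipe after failed attempts missing or above 10")
    ra = by_type.get("com.apple.applicationaccess", {})
    if ra.get("allowUntrustedTLSPrompt", True):
        findings.append("untrusted TLS certificates can be accepted")
    if not ra.get("forceEncryptedBackup"):
        findings.append("computer backups not forced to be encrypted")
    return findings
```

The same audit can be run over a profile exported from a real MDM console, since it only reads the plist keys.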
Now that we’ve looked at how IT can use MDM to set up services for you and lock down your iPhone or iPad, let’s move on to what information can be monitored and reported. MDM tools can set up regular automated monitoring of all managed devices, or they can query specific devices as needed. Provided the device is on and connected to the Internet, it will respond. Here’s the list of things your iPhone or iPad can report back to your IT department.
- Unique Device Identifier (UDID) for the device
- Device name
- Phone number
- iOS and build version
- Device type/model
- Serial number
- Total storage capacity and available free space
- Battery level
- Network (MAC) addresses of Wi-Fi and Bluetooth hardware
- Carrier that the device was activated on and the carrier network that it is currently using
- Whether or not the device is allowed to use mobile data while roaming
- Whether or not the device is capable of hardware encryption
- Whether a passcode has been set
- All apps installed on the device – the following information is included about each app: the App ID (used by the developer and App Store), name, version, file size of the app itself, and the amount of on-device storage used for app data (documents, settings, and so forth)
- All restrictions currently being enforced on the device
- What configuration profiles have been installed
- Security certificates and provisioning profiles installed and their expiration dates – used for things like secure access to network resources, private/internal apps created by your company, and the MDM software
- Carrier settings information – this can be used when troubleshooting carrier-related issues
- Modem firmware version (again for troubleshooting information)
- IMEI and ICCID numbers – used to identify a cellular-capable device and its SIM card respectively
It’s important to note that these items represent what IT can manage using Apple’s MDM framework. Network monitoring and management technologies can often track the ways your device accesses the Internet and company resources when connected to corporate Wi-Fi or VPN. Many network services, such as Exchange, email, or web servers, can also record details about devices and user accounts as they connect. Some mobile management solutions like Mobilisafe can use techniques like these to monitor and/or manage your device on your company’s network.
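As an added example (again not code from the article or from any vendor), here is how an MDM server might turn the reported details listed above into a compliance decision. Key names follow the DeviceInformation, SecurityInfo and InstalledApplicationList responses in Apple’s MDM protocol reference; the sample report is constructed, and the minimum iOS version and denied-app list are assumptions.

```python
# Added example, not the article's or any vendor's code. Key names follow the
# DeviceInformation / SecurityInfo / InstalledApplicationList responses in
# Apple's MDM protocol reference; the report below is a constructed sample.
SAMPLE_REPORT = {
    "DeviceInformation": {
        "UDID": "0000000000000000000000000000000000000000",  # placeholder value
        "DeviceName": "Alice's iPhone", "OSVersion": "5.1.1", "BuildVersion": "9B206",
        "ModelName": "iPhone", "SerialNumber": "SERIAL-PLACEHOLDER",
        "DeviceCapacity": 32.0, "AvailableDeviceCapacity": 2.3, "BatteryLevel": 0.18,
        "DataRoamingEnabled": True, "IsRoaming": True,
    },
    "SecurityInfo": {"HardwareEncryptionCaps": 3, "PasscodePresent": True,
                     "PasscodeCompliant": False},
    "InstalledApplicationList": [
        {"Identifier": "com.example.corp.expenses", "Name": "Expenses", "ShortVersion": "2.1"},
        {"Identifier": "com.example.filesharing", "Name": "FileShare", "ShortVersion": "1.0"},
    ],
}

MIN_OS = (5, 1, 1)                          # assumption: oldest iOS the company accepts
DENIED_APPS = {"com.example.filesharing"}   # assumption: apps the policy forbids

def parse_version(text):
    """'5.1.1' -> (5, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def evaluate(report):
    """Return compliance findings derived from one device's reported details."""
    info, sec = report["DeviceInformation"], report["SecurityInfo"]
    findings = []
    if parse_version(info["OSVersion"]) < MIN_OS:
        findings.append(f"iOS {info['OSVersion']} older than required")
    # HardwareEncryptionCaps is a bit field: 1 = block-level, 2 = file-level encryption
    if sec.get("HardwareEncryptionCaps", 0) & 3 != 3:
        findings.append("device lacks full hardware encryption support")
    if not sec.get("PasscodePresent"):
        findings.append("no passcode set")
    elif not sec.get("PasscodeCompliant", False):
        findings.append("passcode does not meet the pushed policy")
    if info.get("IsRoaming") and info.get("DataRoamingEnabled"):
        findings.append("data roaming enabled while on a foreign carrier")
    for app in report.get("InstalledApplicationList", []):
        if app["Identifier"] in DENIED_APPS:
            findings.append(f"denied app installed: {app['Identifier']}")
    return findings
```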
Ultimately, it’s rare for a company to actively use all of these capabilities, particularly in a BYOD program – there is typically an understanding that this is your personal device. There’s also an ongoing debate in IT circles as to whether a more effective approach is to manage business data on a device as opposed to managing the device itself. That said, if you’re considering signing up for a BYOD program, you should ask questions, read company policies, and make sure that you have a clear understanding of how your IT department may manage your personal property.