Even with workers returning to the office—it might be a trickle or a flood depending on the organization—the shift towards remote work is moving from just a short-term necessity to a long-term reality. That shift has changed the face of business worldwide.

This change makes it more important than ever for IT and Security teams to prioritize endpoint management—in particular for bring-your-own-device (BYOD). This approach is already present in many enterprise organizations and set to grow, but needs to evolve quickly as remote work becomes a new standard.

There are several considerations to make when developing a BYOD policy (or even a corporate-owned, personally enabled device policy). A top priority is data leakage prevention (DLP), i.e., ensuring that sensitive data from mission-critical applications does not find its way out of corporate control. This need for DLP has to be balanced against the simultaneous need for end-user privacy controls and a frictionless user experience.

Register to watch on demand the Apple User Enrollment Webinar for MaaS360

Apple addressed many of these concerns in its iOS 13 release last year through the inclusion of User Enrollment, which creates a separate, separately encrypted APFS volume on the user's device specifically for corporate data. This volume is tied to a Managed Apple ID, while the rest of the device is still governed by the user's personal Apple ID, so IT can manage sensitive data without gaining visibility into personal information and activity.

Apple User Enrollment for Enterprise-Grade BYOD 

User Enrollment, a BYOD-centric approach to iOS device management, was one of the most anticipated enterprise changes in the iOS 13 release and had been on the wish list of industry bloggers for years. Before iOS 13, a non-supervised iOS device had no built-in way to differentiate clearly between corporate and personal information, so securing corporate resources meant enrolling the entire device and giving IT management scope over all of it.

Containment in unified endpoint management (UEM), for those unfamiliar, is the creation of a separate sandbox space on a device to secure corporate applications. IBM Security MaaS360, for example, provides its own applications for email, calendar, docs and contacts, allowing organizations to configure their mail server and file repositories to flow specifically into those apps. All content within that ecosystem can be blocked from being taken outside the confines of the "container."

So, what does User Enrollment do differently, and why is it important?

Simply put, User Enrollment allows for the complete separation of the corporate and personal data on an employee’s personal device.

User Enrollment presents an alternative to traditional containers. Containers still enjoy significant popularity among organizations with UEM platforms, but the pushback on containment has historically concentrated on the fact that end users do not want to learn an entirely new suite of productivity apps to continue conducting business. A new UI invites lost productivity while users troubleshoot the simple issues that typically accompany learning a new system, which in turn puts additional strain on already over-taxed IT and security teams. Additionally, unfamiliar apps can be met with suspicion, especially when users are required to install them on their personal devices.

User Enrollment assuages these concerns. While a container is still an option, the primary focus of this new mode is on the native iOS productivity apps. Corporate data flowing into the enterprise iCloud, Notes, Calendar, Mail, Keychain and other applications is, once the device is enrolled in a UEM platform via this method, stored on a separate Apple File System (APFS) volume and encrypted with keys separate from those protecting personal data. When a User Enrollment device is unenrolled, the managed volume and its encryption keys are destroyed, so the corporate data is cryptographically erased without touching the personal side of the device.

This is all accomplished through the use of a Managed Apple ID. When a user enrolls via User Enrollment, a Managed Apple ID is associated with all corporate apps and data and does not interact with the personal side of the device. In most cases these Managed Apple IDs will be federated with the organization's identity provider.
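The two paragraphs above describe what a User Enrollment profile has to carry: a Managed Apple ID to own the managed volume, and a management scope that stays off the personal side of the device. The following added example (not MaaS360 or Apple code) builds such a profile with Python's plistlib using the documented keys of the com.apple.mdm payload (EnrollmentMode "BYOD", AssignedManagedAppleID, AccessRights) and audits a profile for the mistakes that typically appear when a device-enrollment template is reused for BYOD. The server URLs, push topic, identifiers and Managed Apple ID are placeholders; the SCEP payload is a stub whose only purpose is to satisfy the IdentityCertificateUUID reference, and treating the lock/clear-passcode bit as device-wide is the example's own conservative choice.

```python
"""Build and audit an MDM profile for Apple User Enrollment (added example)."""
import plistlib
import uuid

# AccessRights bit flags as defined in Apple's MDM protocol reference.
RIGHT_INSPECT_PROFILES = 1
RIGHT_INSTALL_PROFILES = 2
RIGHT_LOCK_AND_CLEAR_PASSCODE = 4   # one bit covers device lock and passcode removal
RIGHT_ERASE_DEVICE = 8
RIGHT_QUERY_DEVICE_INFO = 16
RIGHT_QUERY_NETWORK_INFO = 32
RIGHT_INSPECT_APPS = 256
RIGHT_QUERY_RESTRICTIONS = 512
RIGHT_QUERY_SECURITY = 1024
RIGHT_MANIPULATE_SETTINGS = 2048
RIGHT_MANAGE_APPS = 4096

# Whole-device actions. Erase and passcode clearing are not available under
# User Enrollment, so a BYOD profile that asks for them was almost certainly
# copied from a device-enrollment template (assumption: we reject the whole
# lock/clear bit rather than try to split it).
DEVICE_WIDE_RIGHTS = RIGHT_LOCK_AND_CLEAR_PASSCODE | RIGHT_ERASE_DEVICE

# Rights scoped to the managed volume: enough for mail, calendar and app management.
BYOD_RIGHTS = (RIGHT_INSPECT_PROFILES | RIGHT_INSTALL_PROFILES
               | RIGHT_QUERY_DEVICE_INFO | RIGHT_QUERY_NETWORK_INFO
               | RIGHT_INSPECT_APPS | RIGHT_QUERY_RESTRICTIONS
               | RIGHT_QUERY_SECURITY | RIGHT_MANIPULATE_SETTINGS
               | RIGHT_MANAGE_APPS)


def _uuid():
    return str(uuid.uuid4()).upper()


def build_mdm_profile(server_url, topic, access_rights, managed_apple_id=None):
    """Return an (unsigned) configuration profile as XML plist bytes.

    With managed_apple_id set, the com.apple.mdm payload is a User Enrollment
    payload; without it, an ordinary device-enrollment payload is produced.
    """
    scep_uuid = _uuid()
    scep_payload = {  # stub identity payload so IdentityCertificateUUID resolves
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",          # placeholder
        "PayloadUUID": scep_uuid,
        "PayloadContent": {"URL": server_url + "/scep",  # placeholder
                           "Name": "Example Corp SCEP",
                           "Key Type": "RSA", "Keysize": 2048},
    }
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",           # placeholder
        "PayloadUUID": _uuid(),
        "ServerURL": server_url,
        "CheckInURL": server_url + "/checkin",
        "Topic": topic,
        "IdentityCertificateUUID": scep_uuid,
        "AccessRights": access_rights,
    }
    if managed_apple_id is not None:
        # These two keys are what turn the payload into a User Enrollment.
        mdm_payload["EnrollmentMode"] = "BYOD"
        mdm_payload["AssignedManagedAppleID"] = managed_apple_id
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.byod",  # placeholder
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Example Corp work account",
        "PayloadContent": [scep_payload, mdm_payload],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Return findings for a profile meant for BYOD; an empty list means clean."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    mdm_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm_payloads) != 1:
        return ["profile must contain exactly one com.apple.mdm payload"]
    mdm = mdm_payloads[0]
    findings = []
    if mdm.get("EnrollmentMode") != "BYOD":
        findings.append("EnrollmentMode is not BYOD: this is a device enrollment")
    if not mdm.get("AssignedManagedAppleID"):
        findings.append("AssignedManagedAppleID missing: no Managed Apple ID to own the managed volume")
    device_wide = mdm.get("AccessRights", 0) & DEVICE_WIDE_RIGHTS
    if device_wide:
        findings.append(f"AccessRights requests whole-device rights (mask {device_wide:#x})")
    for key in ("ServerURL", "CheckInURL"):
        if mdm.get(key, "https://") and not mdm.get(key, "https://").startswith("https://"):
            findings.append(f"{key} is not HTTPS")
    if mdm.get("IdentityCertificateUUID") not in {p.get("PayloadUUID") for p in payloads}:
        findings.append("IdentityCertificateUUID does not reference a payload in this profile")
    return findings


if __name__ == "__main__":
    good = build_mdm_profile("https://mdm.example.com/mdm", "com.apple.mgmt.External.example",
                             BYOD_RIGHTS, managed_apple_id="jdoe@example.com")
    print("BYOD profile findings:", audit_profile(good))
    legacy = build_mdm_profile("http://mdm.example.com/mdm", "com.apple.mgmt.External.example",
                               BYOD_RIGHTS | RIGHT_ERASE_DEVICE)
    print("Reused device profile findings:", audit_profile(legacy))
```

In practice the profile would be signed and served in response to the device's enrollment request; the audit is the kind of pre-publication check a UEM administrator can run against an exported profile to confirm the management scope matches the BYOD promise made to users.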

Apple has been very vocal about its security and its commitment to user privacy. User Enrollment truly helps bolster that reputation.

IBM Users Enjoy Enrolling in User Enrollment

Now that we all have a good understanding of User Enrollment and what it accomplishes for organizations, what’s the next step? Well, MaaS360 is announcing its support for User Enrollment to enhance BYOD device capabilities. Covering the full range of features, from Managed Apple ID to enhanced privacy to complete data separation and encryption, MaaS360 is committed to delivering secure UEM with the user experience in mind.

To learn more about how MaaS360 supports Apple devices and what makes IBM a leader in UEM, please register for this upcoming webcast.

