Even with workers returning to the office—it might be a trickle or a flood depending on the organization—the shift towards remote work is moving from just a short-term necessity to a long-term reality. That shift has changed the face of business worldwide.

This change makes it more important than ever for IT and Security teams to prioritize endpoint management—in particular for bring-your-own-device (BYOD). This approach is already present in many enterprise organizations and set to grow, but needs to evolve quickly as remote work becomes a new standard.

There are several considerations to make when developing a BYOD policy (or even a corporate-owned, personally enabled device policy). A top priority is data leakage prevention (DLP), i.e., ensuring that sensitive data from mission-critical applications does not find its way out of the corporate network. This need for DLP is eclipsed by the simultaneous need for end-user privacy controls and a frictionless user experience.


Apple addressed many of these concerns in its iOS 13 release last year through the inclusion of User Enrollment, allowing for a separate partition, on any user device, specifically for corporate data. This partition can be accessed via a Managed Apple ID, while the rest of the device is still governed by a personal Apple ID, ensuring IT can manage sensitive data without gaining visibility into personal information and activity.

Apple User Enrollment for Enterprise-Grade BYOD

User Enrollment, a BYOD-centric approach to iOS device management, was one of the most anticipated enterprise changes in the iOS 13 release and has been on the wish list of industry bloggers for years. Up until iOS 13, non-supervised iOS devices did not have any specific way to differentiate between corporate and personal information clearly, requiring IT to gain access to the entire device in an effort to secure the corporate resources.

Containment in unified endpoint management (UEM), for those unfamiliar, is the creation of a separate sandbox space on a device to secure corporate applications. IBM Security MaaS360, for example, provides its own applications for email, calendar, docs and contacts, allowing organizations to configure their mail server and file repositories to flow specifically into those apps. All content within that ecosystem can be blocked from being taken outside the confines of the “container.”

So, what does User Enrollment do differently, and why is it important?

Simply put, User Enrollment allows for the complete separation of the corporate and personal data on an employee’s personal device.

This presents an alternative to traditional containers since—while containers still enjoy significant popularity among organizations with UEM platforms—the pushback on containment has historically concentrated around the fact that end users do not want to learn an entirely new suite of productivity apps to continue conducting business. A new UI invites the potential for lost productivity due to the troubleshooting of simple issues that typically accompany users learning a new system. This, in turn, can put additional strain on already over-taxed IT and security teams. Additionally, these unfamiliar apps can occasionally be met with suspicion, especially when users are required to download them on their personal devices.

User Enrollment assuages these concerns. While the container is still an option, the primary focus of this new mode is on the native iOS productivity apps. Corporate data being fed into the enterprise iCloud, Notes, calendar, mail, Keychain and other applications is—upon enrollment in a UEM platform via this new method—stored on a separate Apple File System (APFS) volume and encrypted separately from personal data. Once a User Enrollment device is unenrolled, the corresponding data and decryption keys are destroyed.

This is all accomplished by the use of Managed Apple ID. Once a user enrolls in User Enrollment, a managed Apple ID will be associated with all corporate apps and data and will not interact with the personal side of the device. These managed Apple IDs, in most cases, will be federated.
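The data-separation model described in the two paragraphs above (a separately keyed managed volume tied to a Managed Apple ID, with the key destroyed on unenrollment) as a small added simulation; this is illustrative code, not Apple's or MaaS360's implementation, and the cipher, the `Device` class, the sample file contents and the Managed Apple ID `jane@corp.example` are all constructed for the example.

```python
import os, hmac, hashlib

def _keystream(key, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream (stdlib only); stands in for Apple's real per-volume encryption.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh nonce per object so keystreams never repeat
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Device:
    """One iOS device: a personal volume plus, after User Enrollment, a managed one."""
    def __init__(self):
        self.keys = {"personal": os.urandom(32)}  # one key per APFS volume
        self.volumes = {"personal": {}}

    def user_enroll(self, managed_apple_id):
        # Enrollment ties a Managed Apple ID to a new managed volume with its own key.
        self.managed_apple_id = managed_apple_id
        self.keys["managed"], self.volumes["managed"] = os.urandom(32), {}

    def write(self, volume, name, data):
        self.volumes[volume][name] = encrypt(self._key(volume), data)
    def read(self, volume, name):
        return decrypt(self._key(volume), self.volumes[volume][name])
    def _key(self, volume):
        if volume not in self.keys:
            raise PermissionError(f"no key for volume {volume!r}")
        return self.keys[volume]

    def unenroll(self):
        # Crypto-shredding: destroy only the managed key. Personal data stays
        # readable; leftover managed ciphertext can no longer be decrypted.
        self.keys.pop("managed", None)
        self.managed_apple_id = None

def demo():
    d = Device()
    d.write("personal", "photo.jpg", b"family photo")  # constructed sample data
    d.user_enroll("jane@corp.example")                 # hypothetical Managed Apple ID
    d.write("managed", "forecast.numbers", b"confidential forecast")
    before = d.read("managed", "forecast.numbers")
    d.unenroll()
    return before, "managed" in d.keys, d.read("personal", "photo.jpg")
```

The point of the model is that unenrollment never needs to touch the personal volume: removing one key is enough to make the corporate data unrecoverable while everything personal remains exactly as it was.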

Apple has been very vocal about its security and its commitment to user privacy. User Enrollment truly helps bolster that reputation.

IBM Users Enjoy Enrolling in User Enrollment

Now that we all have a good understanding of User Enrollment and what it accomplishes for organizations, what’s the next step? Well, MaaS360 is announcing its support for User Enrollment to enhance BYOD device capabilities. Covering the full range of features, from Managed Apple ID to enhanced privacy to complete data separation and encryption, MaaS360 is committed to delivering secure UEM with the user experience in mind.

To learn more about how MaaS360 supports Apple devices and what makes IBM a leader in UEM, please register for this upcoming webcast.

Register to watch on demand the Apple User Enrollment Webinar for MaaS360
