Even with workers returning to the office—it might be a trickle or a flood depending on the organization—the shift towards remote work is moving from just a short-term necessity to a long-term reality. That shift has changed the face of business worldwide.

This change makes it more important than ever for IT and Security teams to prioritize endpoint management—in particular for bring-your-own-device (BYOD). This approach is already present in many enterprise organizations and set to grow, but needs to evolve quickly as remote work becomes a new standard.

There are several considerations to make when developing a BYOD policy (or even a corporate-owned, personally enabled device policy). A top priority is data leakage prevention (DLP), i.e., ensuring that sensitive data from mission critical applications does not find its way out of the corporate network. This need for DLP is eclipsed by the simultaneous need for end-user privacy controls and a frictionless user experience.

Apple addressed many of these concerns in its iOS 13 release last year through the inclusion of User Enrollment, allowing for a separate partition, on any user device, specifically for corporate data. This partition can be accessed via a Managed Apple ID, while the rest of the device is still governed by a personal Apple ID, ensuring IT can manage sensitive data without gaining visibility into a personal information and activity. 

Apple User Enrollment for Enterprise-Grade BYOD 

User Enrollment, a BYOD-centric approach to iOS device management, was one of the most anticipated enterprise changes in the iOS 13 release and has been on the wish list of industry bloggers for years. Up until iOS 13, non-supervised iOS devices did not have any specific way to differentiate between corporate and personal information clearly, requiring IT to gain access to the entire device in an effort to secure the corporate resources.

Containment in unified endpoint management (UEM), to those unfamiliar, is the creation of a separate sandbox space on a device to secure corporate applications. IBM Security MaaS360, for example, provides its own applications for email, calendar, docs and contacts, allowing organizations to configure their mail server and file repositories to specifically flow into those apps. All content within that ecosystem can be blocked from being taken outside the confines of the “container.”

So, what does User Enrollment do differently, and why is it important?

Simply put, User Enrollment allows for the complete separation of the corporate and personal data on an employee’s personal device.

This presents an alternative to traditional containers since—while containers still enjoy significant popularity among organizations with UEM platforms—the pushback on containment has historically concentrated around the fact that end users do not want to learn an entirely new suite of productivity apps to continue conducting business. A new UI invites the potential for lost productivity due to the troubleshooting of simple issues that typically accompany users learning a new system. This, in turn, can put additional strain on already over-taxed IT and security teams. Additionally, these unfamiliar apps can occasionally be met with suspicion, especially when users are required to download them on their personal devices.

User Enrollment assuages these concerns. While the container is still an option, the primary focus of this new mode is on the native iOS productivity apps. Corporate data being fed into the enterprise iCloud, Notes, calendar, mail, Keychain and other applications is—upon enrollment in a UEM platform via this new method—stored on a separate Apple File System (APFS) volume and encrypted separately from personal data. Once a User Enrollment device is unenrolled, the corresponding data and decryption keys are destroyed.

This is all accomplished by the use of Managed Apple ID. Once a user enrolls in User Enrollment, a managed Apple ID will be associated with all corporate apps and data and will not interact with the personal side of the device. These managed Apple IDs, in most cases, will be federated.

Apple has been very vocal about its security and its commitment to user privacy. User Enrollment truly helps bolster that reputation.

IBM Users Enjoy Enrolling in User Enrollment

Now that we all have a good understanding of User Enrollment and what it accomplishes for organizations, what’s the next step? Well, MaaS360 is announcing its support for User Enrollment to enhance BYOD device capabilities. Covering the full range of features, from Managed Apple ID to enhanced privacy to complete data separation and encryption, MaaS360 is committed to delivering secure UEM with the user experience in mind.

To learn more about how MaaS360 support Apple device and what makes IBM a leader in UEM, please register for this upcoming webcast.