iOS Device Management: Everything About Apple at Work

In this guide, IT decision makers and administrators can learn the best ways to purchase, configure and deploy Apple devices professionally, thereby reducing security risks and keeping iOS management simple.

Whether iPhone, iPad or Mac, Apple devices are perfect for work. You just need the correct macOS / iPhone device management solution.


For the worldwide consumer market, Apple’s iOS operating system has a long-established legacy of quality and innovation. With the right iOS management tools and mobile device management (MDM) software, it is possible for businesses, organizations and schools to utilize the power of the iPhone, iPad and other Apple devices for professional and educational purposes too.

This article introduces the most important aspects of iOS management. It gives an overview of Apple’s own MDM tools and iOS-specific features that IT admins in particular should familiarize themselves with to enable secure, productive mobile work.

Devices That Revolutionize How We Work

The strengths are clear: mobile devices have evolved into fantastic productivity tools that give people a new degree of freedom for getting their work done.

Apple is a major player in the manufacturing of mobile devices, and the hardware and software it produces are impossible to ignore. With the required technical specifications and a suite of great apps, iPhones, iPads and other Apple hardware are especially suited for a wide range of end-use cases or day-to-day tasks.

Thanks to their eye-catching and user-friendly design, all kinds of end users tend to enjoy using iOS devices – from school children to high-level executives. This aspect of user acceptance should not be underestimated, because if companies or educational organizations wish to alter existing work behavior, end users need to be motivated to use the devices and be able to identify benefits for themselves.

Now more than ever, there is a deep urge to welcome this new trend of digitalization, which many believe will usher in new levels of economic productivity and worker satisfaction. If iOS devices are deployed and managed correctly, using a Mobile Device Management (MDM) solution that can leverage their built-in enterprise capabilities, this vision can become a reality.

Why Should iOS Devices Be Managed?

Organizations need to maintain control over all devices which can access the IT infrastructure, sensitive information or workplace resources. iOS devices are no exception.

A remote management tool is the most effective way to protect corporate information, implement security restrictions on devices and carry out regular monitoring of these inherently mobile devices.

The major motive behind the use of iOS management software is not just precautionary, however. It also speeds up the process of getting fully configured iOS devices into the hands of users, preloaded with all the necessary apps, settings and user permissions. Whether for 10 or 1000 workers, the scalable nature of the tools keeps everything manageable.

Taking a look at common challenges helps illuminate where leveraging iOS device management processes provides clear benefits.

  • How do you plan to set up devices and deploy them with necessary business apps?
    The entire setup process for each work device involves many initial configurations for accounts, apps and policies. Instead of implementing every single configuration by hand on each device, IT admins can use specially developed iOS management tools to streamline and improve the entire process.
  • How do you plan to make sure that all devices are used as you intend?
    iOS devices are made for the consumer market and are supported by the second largest consumer app store with almost 2 million different apps. Many organizations want to restrict access to some of these apps or limit specific device functions for legal or security reasons but are unsure of the most effective way to do this, particularly when the device is privately owned. Via MDM, individual device capabilities are exposed and can be activated/deactivated accordingly.

  • How do you plan to ensure that corporate assets on devices are protected?
    One common concern is that mobile devices are not exclusively connected to the organization’s protected network. Users can use untrusted public Wi-Fi hotspots, where sensitive data can be intercepted by third parties. Another threat is posed by private apps, which can access company data stored on mobile devices. iOS management settings can address these concerns by making individual apps and data flows manageable.

  • How do you intend to monitor devices during their use and install new software or apps?
    A level of visibility and control over devices in operation is needed to update software, install new applications and to generally remain flexible to new demands or requirements. These demands are easily taken care of remotely, once iPhones and iPads are enrolled into management software.

  • How do you deal with the end of a device’s lifecycle, for instance when a worker leaves the company or when a device needs to be reconfigured for a new purpose?
    End users who leave an organization, sometimes at short notice, may continue to have access to corporate assets on their device, and app licenses may still be attributed to their personal Apple ID. Companies need a solution for this situation that they can depend upon.

Which iOS Management Software Is Needed?

With an MDM solution and Apple Business Manager, you can do the following:

  • easily identify and purchase suitable iOS devices.
  • enroll them into an MDM server so that an IT admin can easily configure them over the air.
  • deploy them into the enterprise, ready with the necessary apps, profiles and configurations out-of-the-box.
  • separate corporate data and assets from the personal side of the device.
  • monitor devices and update system software or settings when necessary.
  • delete or transfer data in response to a lost device or employee departure.

A third-party management solution dedicated to the purpose of mobile device management is essential and recommended by Apple. A range of supplementary iOS management tools that Apple has developed – which require the MDM solution to be in place – are also of considerable use.

1) MDM Solution

An MDM/MAM solution provides a single point of contact for almost all device management tasks, like establishing a connection with Apple’s MDM platforms, enrollment, assigning users, creating profiles, pushing apps to devices, setting device policies, encrypting data and updating software. It also acts as a reporting tool and reference for all the devices currently integrated into the company network.


2) Apple Business Manager / Apple School Manager

The Apple Business Manager (ABM) is a web-based portal that helps IT administrators to automate deployment of iOS, macOS and tvOS devices in organizations, starting at the point where you purchase devices from Apple or a reseller. It consolidates the Device Enrollment Program (DEP) and Volume Purchase Program (VPP) tools into a single interface.

A separate web portal that is specialized for educational deployments is available in Apple School Manager. As previously mentioned, an MDM solution is required to use all tools.

Automated Device Enrollment with DEP

The Apple Device Enrollment Program helps companies and educational institutions easily and quickly enroll a large quantity of corporate devices into their MDM solution, automatically opening the door for iOS devices to be controlled as soon as they are unpacked. This solves the challenge of enrolling large numbers of devices efficiently.

Volume Purchase Program (VPP)

Apple’s VPP (Volume Purchase Program) enables companies and educational institutions to centrally purchase app licenses in bulk for iOS and macOS devices. Once the right apps have been selected for mobile users, they can be rolled out to the iOS devices quickly and easily via the MDM solution, and companies retain ownership of the app licenses too.

A complete guide to managing devices with Apple Business Manager is available on our blog.

Which Device Management Settings Do iPhones and iPads Have?

Measures to handle device enrollment, app provisioning and management (MDM) are now settled. With those tools at hand, IT administrators are ready to utilize the following features and define policies. This is by no means a complete list, merely a summary of key iOS management features which are especially useful for professional use of Apple devices.

Managed Apps

Any app installed by the MDM client is classified as managed and can be controlled. A distinction between private apps and managed apps becomes possible for BYOD schemes, and communication between both types can be regulated. This creates “containers” for work and personal use on one device.

It is a vital feature, as an organization’s sensitive data which is accessed by iPhones and iPads can then be isolated and controlled.

Building upon this principle, “managed domains”, native e-mail apps and Safari can also be included in a secure container by specifying managed URLs and subdomains. Once set up, downloaded documents remain in the container and can only be used with MDM-controlled managed apps.

Managed Open In

Via the Managed Open In configuration, admins can specify which apps are capable of opening documents. For example, admins can classify their managed apps and allow Microsoft Office documents to be viewed and processed only via other managed apps. When combined with the managed app and managed domain features, it is possible to regulate how company data may flow through and be stored by each device.

Per-App VPN

A per-app VPN configuration ensures that only managed apps use the company’s VPN connection. This results in a lower VPN load for the organization, as personal apps can be ignored, while still providing effective and secure VPN access for the user.

Managed Contacts

A final important restriction can be placed on contacts. Admins can define whether contact information from managed accounts (e.g. a company Exchange profile) can be read or used by unmanaged apps/accounts. Correct utilization of this feature is necessary for basic data protection compliance, as it prevents private, third-party apps from accessing work contact information.

How to Manage and Enroll iPhones and iPads

User Enrollment (for BYOD)

A key management strategy for iPhone device management is User Enrollment. This is a multi-persona enrollment option designed for companies implementing BYOD (Bring Your Own Device). When privately owned iPads and iPhones are used at work, User Enrollment creates a separate APFS volume for all corporate data associated with managed apps. This ensures better data separation, and once a device is unenrolled, all managed data is removed.

Some restrictions that an admin can implement on the device include the following:

  • Force password and define complexity
  • Disable automatic backups (Enterprise Books, Notes, Highlights)
  • Force lock screen
  • Disable lock screen notification view + today view
  • Prevent managed apps from syncing with iCloud
  • Disable screenshots and Siri
  • Force encrypted backups
  • Force fraud warning in Safari
  • Disable Control Center
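
As an added example (not from the original article or from any MDM vendor), the following Python audit reads an unsigned configuration profile and reports which of the data-flow controls described above (Managed Open In, Managed Contacts and the restrictions just listed) are missing or set permissively. The key names are those of Apple's Restrictions payload (`com.apple.applicationaccess`); the sample profile and its `com.example.byod` identifier are constructed, and counting a control as enforced when any Restrictions payload in the profile sets it is an assumption of this sketch.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Apple's Restrictions payload type

# Restrictions key -> value that enforces the control named in the article.
EXPECTED = {
    "allowOpenFromManagedToUnmanaged": False,      # Managed Open In
    "allowOpenFromUnmanagedToManaged": False,      # Managed Open In
    "allowUnmanagedToReadManagedContacts": False,  # Managed Contacts
    "allowManagedAppsCloudSync": False,            # no iCloud sync for managed apps
    "allowEnterpriseBookBackup": False,            # Enterprise Books backup
    "allowScreenShot": False,
    "allowAssistant": False,                       # Siri
    "allowLockScreenNotificationsView": False,
    "allowLockScreenTodayView": False,
    "allowLockScreenControlCenter": False,         # Control Center on lock screen
    "forceEncryptedBackup": True,
    "safariForceFraudWarning": True,
}

def audit_profile(data: bytes) -> dict:
    """Return {key: 'missing' | 'weak'} for every control not enforced."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    findings = {}
    for key, want in EXPECTED.items():
        values = [p[key] for p in payloads if key in p]
        if not values:
            findings[key] = "missing"   # key absent: the OS default applies
        elif want not in values:
            findings[key] = "weak"      # present, but set the permissive way
    return findings

# Constructed sample profile (not taken from a real deployment).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.byod",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS,
        "allowOpenFromManagedToUnmanaged": False,
        "allowOpenFromUnmanagedToManaged": False,
        "allowUnmanagedToReadManagedContacts": True,
        "allowManagedAppsCloudSync": False,
        "forceEncryptedBackup": True,
    }],
})

if __name__ == "__main__":
    for key, state in audit_profile(SAMPLE).items():
        print(f"{state:8} {key}")
```

Profiles exported from an MDM server are often CMS-signed; the signature wrapper has to be removed before `plistlib` can parse them.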

One of the biggest advantages of User Enrollment is the improved protections over the user’s own privacy. As a result, there has never been a better time to start using BYOD with iOS devices in the enterprise. To learn more, read our report on User Enrollment.

Corporate-Owned Devices in Supervised Mode (Automated Device Enrollment)

For scenarios where corporate-owned devices are used – when perhaps no private use is allowed at all – there is “supervised mode”. In addition to making MDM unremovable, supervised mode unlocks a greater degree of management over the device.

Supervised mode goes hand-in-hand with Apple Business Manager and its automated deployment feature. It is best to activate supervised mode when deploying large numbers of corporate-owned iPhones or iPads at once, especially when stringent data security rules or strict legal requirements have to be followed.

Added Security: Supervised mode gives the admin extra restrictions and control over (but not limited to):

  • Pre-installed apps: Safari, iTunes, FaceTime, Messages
  • Basic device functions: App installation and removal, camera, multiplayer gaming.
  • Connectivity: AirDrop, AirPlay, AirPrint, Bluetooth, USB, iCloud documents and data
  • Explicit content
  • Credentials: Password sharing and Autofill, fingerprint modification


It is impossible to fully cover all aspects of iOS device management while doing justice to the many complex implementation scenarios that differ from company to company; in many cases a one-to-one consultation is required. Nevertheless, it should now be clearer that once a company uses an MDM solution and tools like Apple Business Manager, it becomes more convenient and cost-effective for IT admins to deploy and furnish iPhones and iPads for enterprise use cases.

Simply activate Cortado MDM for free for 14 days to get started.
