3 min read

Miradore Device Enrollment – How to separate professional and private data


Andreas Handler

When setting up your Miradore site, one of your first steps will be the enrollment of your devices.
With Android and iOS offering diverse enrollment methods, understanding these options can help organizations strike the perfect balance between security, efficiency, and user experience.

In this post, we will explore the various enrollment techniques for Android and iOS devices when needing to separate professional and personal data.

You can also find a short summary with an overview here.

Android

BYOD (Bring your own Device) / Work Profile / Profile Owner
Android devices (version 7+) with Google Play services support work profiles: a separate, isolated space for work apps and data that runs alongside the personal apps. The user can pause the work profile to silence work notifications outside working hours. All data in the work profile is isolated, and copy-paste and screenshots across the boundary between the personal and the work profile are restricted. The company can only see the apps installed in the work profile, not the personal apps, and a remote wipe via MDM removes only the work profile, leaving personal data untouched. However, the user can remove the work profile at any time, and the company can neither control system updates nor access the personal area.

Important aspects to consider:

  • Secures company data while protecting personal privacy
  • Cannot prevent removal of the work profile or control system updates
  • Can be set up on a device that is already in use (no factory reset needed), provided the device has Google Play services
  • No access to the private area or to certain device settings

COPE (Company owned, personal Enabled) / Fully Managed with Work Profile / Work Profile on Fully Managed Device
Android 11 and later support a work profile on a company-owned, managed device. The work profile offers the same functions as in the BYOD case, but the device itself is managed as well: it can be enrolled directly from the factory-reset state for a quick setup, and the company gains device-level controls, including management of system updates, a remote wipe of the entire device, and enforcement of device management so that the user cannot remove it.

Important aspects to consider:

  • The company's data is secured, and the privacy of the personal profile is largely preserved
  • The company can prevent removal of device management
  • Private data cannot be viewed by the company, BUT it is deleted when the company remotely wipes the whole device
  • The company can control system updates, which improves security
  • COPE mode can only be enabled on devices that are in the factory-reset state
  • Available from Android 11 and newer
  • The company cannot access the private area, so its control over applications, services and settings there is very limited

iOS

Prevent access to data from managed sources for manually installed apps

On iOS, corporate and personal data are distinguished as "managed" and "unmanaged". Apps and accounts deployed via MDM are managed, and iOS can be configured so that managed data cannot be shared with user-installed (unmanaged) apps. For example, a PDF opened in the MDM-installed Outlook app then cannot be shared with a privately installed WhatsApp.

An app can only be installed once on a device, so if Outlook is deployed via MDM it is the managed copy; there is no separate personal copy. (iOS also lets the MDM take over management of an app the user had already installed, so a pre-existing personal install does not prevent this.) System apps like Mail handle the separation at the account level: private accounts can share data with user-installed apps, while work accounts configured by the MDM can only share with MDM-installed apps.

You can enable this separation by activating the iOS restriction found under "Security & Privacy", titled "Deny documents from managed sources in unmanaged destination".

However, contacts are an exception to this rule. For instance, if an Exchange account contains company contacts, which are sensitive and require protection, you need to enable this feature separately. This can be done by activating the iOS restriction named "Deny reading contacts from managed sources to unmanaged destination" under "Security & Privacy."

Enabling the separation between private and professional contacts stops managed apps from writing contacts to the system contacts database, with a few exceptions such as the native Mail app. For instance, if the Outlook app receives a contact from an Exchange server, that contact is not recognised during incoming calls; you can still view and call the contact within the app. iOS offers a technical solution for this, CallKit, although the Outlook app does not implement it. Through CallKit (its Call Directory extension), an app registers phone numbers in a separate caller-ID database, so incoming calls are identified even though the contact data is not visible to other applications. Apps supporting CallKit include HubSpot (CRM), Secure PIM, or nContacts (useful for testing).
Note: CallKit integration must be enabled in the iOS settings under Phone > "Call Blocking & Identification" for the respective app.

Starting with iOS 15, copy & paste respects the managed/unmanaged boundary when the "Require managed copy and paste" restriction is enabled. Without it, clipboard content can move freely from managed to unmanaged apps, so the document restriction alone does not close this channel.
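The document, contact and copy & paste restrictions above are all keys in Apple's Restrictions payload (PayloadType com.apple.applicationaccess). The following Python script is an added example, not Miradore's code, that builds such a payload as a .mobileconfig plist, reads it back for auditing, and models which data flows the resulting policy permits. The key names are Apple's documented Restrictions keys; the assumption that the Miradore labels quoted on this page map to exactly these keys, the placeholder identifiers, and the simplified decision model are this example's own.

```python
import plistlib
import uuid

# Mapping from the Miradore restriction labels quoted on this page to the keys of
# Apple's Restrictions payload. The key names are Apple's; that these labels map to
# exactly these keys is an assumption made for this example.
SEPARATION_RESTRICTIONS = {
    # "Deny documents from managed sources in unmanaged destination"
    "allowOpenFromManagedToUnmanaged": False,
    # "Deny reading contacts from managed sources to unmanaged destination"
    "allowUnmanagedToReadManagedContacts": False,
    # keep managed apps (e.g. MDM-installed Outlook) from writing to the local contacts store
    "allowManagedToWriteUnmanagedContacts": False,
    # iOS 15+: "Require managed copy and paste"
    "requireManagedPasteboard": True,
}


def build_profile(restrictions, org="Example Org"):
    """Serialize one Restrictions payload into a .mobileconfig (XML plist) document.
    The identifiers are placeholders chosen for this example."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.data-separation",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed/unmanaged data separation",
    }
    payload.update(restrictions)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.data-separation",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Data separation",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def restrictions_in_profile(profile_bytes):
    """Read the restriction keys back out of a serialized profile, e.g. to audit a
    .mobileconfig before pushing it. Returns {} if no Restrictions payload is present."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.applicationaccess":
            return {k: v for k, v in payload.items() if not k.startswith("Payload")}
    return {}


def transfer_allowed(restrictions, kind, src_managed, dst_managed):
    """Simplified model of how iOS applies these keys to a single data flow.

    kind: "document" (open-in / share sheet), "paste" (pasteboard),
          "contact_write" (an app writing into a contacts account),
          "contact_read" (an app reading from a contacts account).
    src_managed / dst_managed: whether the source and the destination (app or
    account) are managed. Unset keys fall back to Apple's defaults (open-in allowed,
    pasteboard unrestricted).
    """
    open_m2u = restrictions.get("allowOpenFromManagedToUnmanaged", True)
    open_u2m = restrictions.get("allowOpenFromUnmanagedToManaged", True)
    if src_managed == dst_managed:
        return True  # these keys only govern flows across the managed boundary
    if kind == "document":
        return open_m2u if src_managed else open_u2m
    if kind == "paste":
        if not restrictions.get("requireManagedPasteboard", False):
            return True  # pasteboard ignores the boundary unless the iOS 15 key is set
        return open_m2u if src_managed else open_u2m
    if kind == "contact_write":
        # managed app -> unmanaged (local) contacts account, e.g. Outlook saving a contact
        if src_managed:
            return open_m2u or restrictions.get("allowManagedToWriteUnmanagedContacts", False)
        return open_u2m
    if kind == "contact_read":
        # unmanaged app <- managed contacts account, e.g. caller ID from Exchange contacts
        if src_managed:
            return open_m2u or restrictions.get("allowUnmanagedToReadManagedContacts", False)
        return open_u2m
    raise ValueError(f"unknown kind: {kind}")


if __name__ == "__main__":
    # Outlook (managed) sharing a PDF with WhatsApp (unmanaged): blocked
    print(transfer_allowed(SEPARATION_RESTRICTIONS, "document", True, False))
    print(build_profile(SEPARATION_RESTRICTIONS).decode())
```

The model makes one point explicit that the UI labels hide: the two contact keys only matter once managed-to-unmanaged open-in is denied, and the pasteboard key only matters on iOS 15 or later. Auditing a profile with `restrictions_in_profile` before deployment catches a payload where only the document restriction was set.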

Important aspects to consider:

  • The company can always see all apps on the device, including apps the user installed manually; the content of private data, however, is not visible to the company.
  • The company can always remotely wipe the entire device, which also erases private data.
  • An app can only be installed once per device, so some developers offer two apps, e.g. WhatsApp and WhatsApp Business, so that a personal and a managed copy can coexist.
  • These features are available starting with iOS 13; the "Require managed copy and paste" restriction requires iOS 15.

For further information on these topics, you can refer to our Knowledge Base.

If you have any questions on this topic, feel free to reach out to your Sales or Customer Success Manager here.


by Andreas Handler

Andreas works as a Senior Technical Consultant and Customer Success Manager at Miradore. He has been part of the Miradore family since 2016 and is passionate about providing value to organizations by showing them how to increase efficiency with Mobile Device Management. Outside of work, you might find him bouldering or playing volleyball.
