“New configurations are now available for BYOD management, expanding options for companies looking to enable employees to use their personal devices”
What’s new with BYOD?
There was a time when the management of bring-your-own or employee-owned devices was delivered with a promise from IT that they could not see personal private information. Reality was different. If they wanted to, they could see quite a bit – like the real-time GPS location of a device, roaming details and what personal apps an employee had installed – and we all know that some apps are REALLY personal.
Thankfully, Mobile Device Management has come a long way and vendors have made huge improvements to their solutions for managing (or, in this case, not managing!) bring-your-own devices.
BYOD has seen a huge uptake with COVID-19, and there are many benefits to enabling BYOD for an organisation, including:
Enabling employee choice
Cost savings around device hardware procurement
Enabling employee productivity when working remotely
This article provides an overview of the solutions Apple, Google and Microsoft offer to enable BYOD for your company.
Apple User Enrolment
User Enrolment was released by Apple in 2019 and we have seen it rolled into many MDM platforms throughout 2020.
Apple now offers three options for device management depending on device ownership and enrolment.
Automated Device Enrolment (DEP)
This is the recommended management option for company owned devices. Devices are purchased via an authorised Apple reseller and provisioned to the Apple Business Manager portal. Additional controls, policies and management options are available for DEP enrolled devices once verified as “company-owned”.
This option allows devices to be shipped from the reseller directly to the employee and removes the need for personal Apple accounts to be used on the phones. Instead, employees sign in using their company email and password.
Device Enrolment
This option is available for both company-owned devices and personal devices. Devices are fully enrolled into MDM via an agent app downloaded from the public Apple App Store. This mode has limited management options, as device ownership is not verified.
User Enrolment
This new enrolment option is specifically designed for BYOD — where the user owns the device. A separate secure volume is created on the device that contains a company-managed version of Apps, Notes, Calendar, Mail and the keychain.
Under User Enrolment, MDM cannot:
Set complex passcodes
Clear / reset the device passcode
Query personal app info or manage personal apps
Query device info such as the serial number or MAC address
An employee will set up their device using their personal Apple ID and then they will use a Managed Apple ID to enrol into MDM. This process will create an Apple File System (APFS) volume and then configure their work apps as defined by their organisation. This APFS volume will store company provisioned apps and associated data separate from personal data. The two are completely separated and even have separate encryption keys.
Managed Apple IDs are essentially Apple IDs using your company user account (identity) that are created by integrating Apple Business Manager with Azure Active Directory. You can learn more about Managed Apple IDs in this article.
For detailed steps on how to set up Apple User Enrolment in your MDM platform you can read this article.
Android Enterprise Work Profile
Android Enterprise Work Profile is designed to keep work and personal data separated. Rather than the whole device being enrolled and managed by MDM, a separate partition, or container on the device, is provisioned and company apps and data are deployed to the container separate from personal apps and data.
Work Profile is great for BYOD and can also be useful to provide access to devices that don’t support the other Android Enterprise management options due to operating system version limitations or where factory reset and device wipe is not desired when migrating to Android Enterprise.
We also see Android Enterprise Work Profiles being rolled out on Contractor devices where a private enterprise app is required to be pushed to a device, but management of the device is not needed or wanted.
Employees need a personal Gmail account to enable the Work Profile. MDM administrators can set policies and controls on the managed container but not the device itself.
For detailed steps on how to set up Android Enterprise Work Profile in your MDM platform you can read this article.
We have also published some videos demonstrating the difference in user experience between Work Only and Personally Enabled Android Enterprise devices.
Personally Enabled Android Enterprise user experience example
Work Only Android Enterprise user experience example
Intune App Protection
If you are not interested in managing devices but still want to protect your Office 365 apps and data, or you have EM+S or Microsoft 365 E3 or E5 licenses but are using another MDM for device management, you should consider deploying Intune App Protection Policies (APP).
Intune APP is a set of policies that are applied to any app that leverages the Intune App SDK. This SDK allows you to:
Control movement of company files outside the work app container
Configure clipboard restrictions (copy/paste from work to personal apps)
Enforce encryption on company data
Remotely wipe company data from the apps
Enforce PIN policy on company apps
Check device health and compliance before allowing access to company apps
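One way to check that a policy actually enforces the six controls above is to audit an exported policy document. The script below is an added example, not code from the original article or from Microsoft; the field names are assumed to match the Microsoft Graph `iosManagedAppProtection` resource and should be confirmed against the current Graph schema, and both policy documents are constructed samples (a weak draft beside a hardened version).

```python
import re

# Constructed sample: a loosely configured BYOD policy (weak settings).
WEAK_POLICY = {
    "displayName": "BYOD iOS - draft",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "appDataEncryptionType": "useDeviceSettings",
    "periodOfflineBeforeWipeIsEnforced": "P90D",
    "pinRequired": False,
    "deviceComplianceRequired": False,
}

# Constructed sample: the same policy with each control tightened.
HARDENED_POLICY = {
    "displayName": "BYOD iOS - hardened",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "appDataEncryptionType": "whenDeviceLocked",
    "periodOfflineBeforeWipeIsEnforced": "P30D",
    "pinRequired": True,
    "minimumPinLength": 6,
    "deviceComplianceRequired": True,
}

MAX_OFFLINE_DAYS_BEFORE_WIPE = 30  # threshold chosen for this example, not an Intune default


def _days(iso_duration):
    """Day count of an ISO 8601 duration such as 'P30D'; None if absent or not in that form."""
    m = re.fullmatch(r"P(\d+)D", iso_duration or "")
    return int(m.group(1)) if m else None


def audit_app_protection(policy):
    """Return a list of findings; an empty list means all six controls are enforced."""
    findings = []
    if policy.get("allowedOutboundDataTransferDestinations") not in ("managedApps", "none"):
        findings.append("files may leave the work app container")
    if policy.get("allowedOutboundClipboardSharingLevel") in (None, "allApps"):
        findings.append("clipboard content can be pasted into personal apps")
    if policy.get("appDataEncryptionType", "useDeviceSettings") == "useDeviceSettings":
        findings.append("app data encryption relies on device settings only")
    days = _days(policy.get("periodOfflineBeforeWipeIsEnforced"))
    if days is None or days > MAX_OFFLINE_DAYS_BEFORE_WIPE:
        findings.append("offline wipe period missing or longer than %d days" % MAX_OFFLINE_DAYS_BEFORE_WIPE)
    if not policy.get("pinRequired") or policy.get("minimumPinLength", 0) < 6:
        findings.append("app PIN not required or shorter than 6 characters")
    if not policy.get("deviceComplianceRequired"):
        findings.append("device compliance not checked before granting access")
    return findings


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(p["displayName"], audit_app_protection(p) or ["OK"])
```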
The Intune App SDK is built into the Microsoft Apps for Enterprise suite – a list of these apps is referenced here.
Partner apps – any apps that have added the SDK and publicly listed their app – a list of these apps is referenced here.
Also, any internal or third-party apps you are developing can use the SDK – you can find information about how to add the SDK via this link.
An employee just needs to download one of these apps and authenticate with their Azure Active Directory identity; if Intune APP policies are configured, they will be applied and the approved O365 apps and data will be protected.
BYOD for Windows 10 and MacOS
Windows Information Protection (WIP)
Windows Information Protection is a solution offered by Microsoft to help protect enterprise apps and data against accidental data leakage on company owned and personal devices.
With Windows Information Protection administrators define managed or protected apps and allowed destinations where company data can reside.
More information around Windows Information Protection can be accessed via this link.
macOS
There is no ability to partition personal and company data on macOS devices yet.
With the release of macOS 11 (Big Sur), Apple has introduced the concept of managed apps, which can be pushed and removed via MDM. We are hoping that this will evolve into true segregation of personal and company data in the future.
Until then, employees can enrol their personal macOS devices into MDM, with limits on what policies can be configured on a non-company-owned macOS device.
Minimum Device Specs
One important thing to be aware of when you are looking to enable BYOD for your company is device requirements.
You cannot take just any device and enrol it into these BYOD solutions. There are minimum specifications, storage requirements and other considerations. These change all the time as new versions and operating systems are released.
For example, as of writing this article:
Outlook for iOS will only install on a device running iOS 13 or higher
Android Enterprise Work Profile works on devices running Android 7.1 and higher
You need at least 300 MB of free space to install Outlook on an iOS device
You will need over 500 MB of free space to install Outlook, Intune Company Portal and Microsoft Authenticator on an Android device
It will be important to understand and document your minimum device requirements before inviting your employees and contractors to enrol into your BYOD program.
These new options provide new ways to empower and enable your employees to use personal devices. You can ensure your corporate data is secure while respecting employee privacy in ways that were not previously possible. This can be a win-win.
If you’re interested in learning how to enable BYOD in your business, check our BYOD 365 service, or contact us.
Since 2005 I have dedicated my professional capabilities to the advancement of wireless mobile data technologies. During my career I have worked with customers in markets large and small, including financial and government organizations in New Zealand, Europe and the United States.